RE: [ActiveDir] Potential DNS issues after applying MS04-011

2004-05-14 Thread Lee, Wook



Just to clarify a bit, there is a race condition when the DC boots where netlogon starts before some other services, e.g. the KDC, are available. Netlogon thinks the DC no longer hosts those services and deregisters the corresponding SRV records. If the deregistration fails for some reason, then the SRV records stay around until scavenging deletes them but if DDNS is working correctly, the deregistration occurs right away.

This doesn't always happen since it all depends on the timing of netlogon startup versus the other services on DCs in your environment. If netlogon is restarted after the DC is fully up and running, the restart will trigger netlogon to correctly register all of its SRV records including any that might have been deregistered at boot time. Any monitoring tools that check for the presence of SRV records should catch this problem.

I've been told that if this problem is endemic to your Windows 2000 forest, you will find that over time, some DCs start to become overloaded while others sit idle. This is because as the SRV records are removed, only those DCs that still have valid SRV records registered will be targeted for use.

My understanding is that this problem only affects Windows 2000 DCs though at any service pack level with MS04-011 installed. Windows 2003 DCs do not experience this problem with or without MS04-011.

Wook


From: Grillenmeier, Guido
Sent: Thu 5/13/2004 11:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Potential DNS issues after applying MS04-011

Want all of you to be aware of the following - this Q-Article lists known issues with MS04-011: http://support.microsoft.com/default.aspx?scid=kb;en-us;835732

But, I hope MS will update that Q-article very soon, as there is another very uncool issue with MS04-011, which causes issues with Windows 2000 DCs and DNS. Some DCs may no longer register their DNS entries correctly on restart. Sometimes the issue won't be apparent immediately, but it will become an issue once scavenging deletes the old records in DNS.

I have just verified this to be an issue at one of my customers - I know that the following DNS entries can be affected, which basically means that users can't authenticate to the box, it won't be registered as a GC etc.:

_GC
_KERBEROS
_KPASSWD

You can verify that these entries are not being registered for specific DCs by checking their netlogon.dns file in the c:\%systemdir%\system32\config folder and obviously by checking for the existence of the service records in DNS.

There is a hot fix to correct this specific problem - customers can request it via KB 841395, it went live on Tuesday. The problem has to do with a timing issue in the startup of netlogon (starts up before some of the other services are ready and thus doesn't think this machine provides certain services). As a temporary workaround after the DC/GC comes up one needs to stop and start netlogon.

/Guido
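
The check described in the two messages above (compare each DC's netlogon.dns with the SRV records actually present in DNS), as an added example that is not part of the thread. The domain `corp.example`, the DC names, the sample file and zone contents and the per-DC expected-service table are all constructed, and SRV lines are assumed to be in standard zone-file form.

```python
"""Audit DC SRV registrations: netlogon.dns contents versus what DNS serves."""
import re

# owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+\d+\s+(\S+)$", re.IGNORECASE
)


def parse_srv(text):
    """Return {(service_label, target_host)} for each SRV line in text.

    Records are collapsed to their first label (_kerberos, _kpasswd, _gc),
    which is the granularity the thread talks about.
    """
    found = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = SRV_LINE.match(line)
        if match is None:
            continue  # A and CNAME lines carry no service information
        owner, target = match.groups()
        found.add((owner.lower().split(".", 1)[0], target.lower().rstrip(".")))
    return found


def audit(netlogon_files, dns_text, expected):
    """Classify every expected (DC, service) pair.

    ok          listed in netlogon.dns and present in DNS
    lingering   dropped from netlogon.dns but still in DNS: deregistration
                failed, so the record lasts only until scavenging removes it
    missing     in neither place: clients cannot locate the service on this DC
    not-in-dns  listed locally but absent from DNS: a registration failure
    """
    in_dns = parse_srv(dns_text)
    report = {}
    for dc, services in expected.items():
        listed = parse_srv(netlogon_files.get(dc, ""))
        states = {}
        for service in services:
            key = (service, dc)
            if key in listed:
                states[service] = "ok" if key in in_dns else "not-in-dns"
            else:
                states[service] = "lingering" if key in in_dns else "missing"
        report[dc] = states
    return report


def restart_candidates(report):
    """DCs where netlogon stopped advertising a service it should host."""
    bad = {"lingering", "missing"}
    return sorted(dc for dc, st in report.items() if bad & set(st.values()))


# Constructed sample data; every name and address below is a placeholder.
EXPECTED = {
    "dc1.corp.example": ("_gc", "_kerberos", "_kpasswd"),  # global catalog
    "dc2.corp.example": ("_kerberos", "_kpasswd"),
    "dc3.corp.example": ("_gc", "_kerberos", "_kpasswd"),  # global catalog
}
NETLOGON_FILES = {
    "dc1.corp.example": """\
corp.example. 600 IN A 10.0.0.11
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_kpasswd._tcp.corp.example. 600 IN SRV 0 100 464 dc1.corp.example.
_gc._tcp.corp.example. 600 IN SRV 0 100 3268 dc1.corp.example.
""",
    "dc2.corp.example": """\
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.
""",
    "dc3.corp.example": """\
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc3.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc3.corp.example.
_kpasswd._tcp.corp.example. 600 IN SRV 0 100 464 dc3.corp.example.
""",
}
DNS_ZONE = """\
; constructed zone export
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc2.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc3.corp.example.
_kpasswd._tcp.corp.example. 600 IN SRV 0 100 464 dc1.corp.example.
_kpasswd._tcp.corp.example. 600 IN SRV 0 100 464 dc3.corp.example.
_gc._tcp.corp.example. 600 IN SRV 0 100 3268 dc1.corp.example.
"""

if __name__ == "__main__":
    result = audit(NETLOGON_FILES, DNS_ZONE, EXPECTED)
    for dc, states in sorted(result.items()):
        print(dc, states)
    print("restart netlogon on:", restart_candidates(result))
```

The `lingering` state is the case Wook describes where deregistration failed and the record survives only until scavenging; `missing` is the state after DDNS deregistration succeeded.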

[ActiveDir] AD and Mac OSX disk quotas

2004-05-14 Thread Cawan Starks
Is there a script or documentation available for modifying Active 
Directory schema for support for OS X disk quotas?

I have Mac users authenticating to AD but their home directories are 
stored on a Mac Server. Home directories mount fine via SMB but I am 
unable to set disk quotas for individual users. Any help or references 
will be appreciated.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] 04-011 Issues

2004-05-14 Thread J0mb
Hello all,

Anybody working on 2000 server-based networks would care to share
experiences post 04-011 patch installation?
As of now the installation at other customer's sites showed no issues.
However I should be about to deploy it at a quite critical site.

- Has anybody experienced the issues described in the Q841382? If so,
anybody has installed and sorted out the problem with the patch offered in
this very article? 
- If ipsecw2k.sys, imcide.sys and dlttape.sys are not present/loaded in the
machine, is it safe to say that the 04-011 patch installation will succeed
or there are more pitfalls I should be aware of?

Any other suggestion would be very appreciated. I am aware about the DNS
issue as posted by Guido.

Thank you



RE: [ActiveDir] Outlook 2003 via GPO?

2004-05-14 Thread Steve Rochford
It will put it back if you give it a chance if you're referring to
something I've seen. 

I had 3 servers on 3 different sites; each had a share called cdimages
which were supposed to be manually synched but, of course, they never
were.

I made this into a dfs share and, as you say, dfs appeared to delete
everything. It actually moves it to a hidden folder
(ntfrs_pre_existing??), copies everything from the master server and
then puts back what's needed from the other folder. This took a long
time (one of the links is only 2Mbit and there were many GB of data) but
it did all work in the end.

Steve

-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED] 
Sent: 10 May 2004 21:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Outlook 2003 via GPO?


I think there's a way to pre-provision targets, but, I attempted to do
it and FRS deleted all my stuff. 



RE: [ActiveDir] OT: Research Question

2004-05-14 Thread Roger Seielstad

Hey, you said it, not us!

As I slink back into VS2003...

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  From: Lou Vega [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 13, 2004 4:58 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: Research Question

  programmers *and* it professionals ... so...us programmers are not it professionals? ;-)

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
  Sent: Thursday, May 13, 2004 4:22 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: Research Question

  No, it's quite alright. One of the assignments I had this week was ask programmers and it professionals what factors in business are most important to them and why. So I went and asked all the ones I knew. I'm using all the answers to formulate the results for class.

  Mitch

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
  Posted At: Thursday, May 13, 2004 2:34 PM
  Posted To: ~AD Discussion~
  Conversation: [ActiveDir] OT: Research Question
  Subject: RE: [ActiveDir] OT: Research Question

  Maybe I've misunderstood the question. You're asking for an answer to the question?

  From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 13, 2004 2:46 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: Research Question

  Yes, but having live data from people I 'know' (so to speak) makes this a much more personal assignment, and one that I am more likely to get a good grade on since I have a kindred feeling for the research data.

  I am using ALL the answers I get, as each one adds a little more to the over all picture. Plus, this isn't the only list this got posted on. ;)

  Mitch

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
  Posted At: Thursday, May 13, 2004 12:44 PM
  Posted To: ~AD Discussion~
  Conversation: [ActiveDir] OT: Research Question
  Subject: RE: [ActiveDir] OT: Research Question

  lol.

  Mitch, you probably want to insert favorite search engine for surveys. Places like Monster.com, Yahoo.com, Dice.com, etc all keep that kind of information as well for marketing purposes. They may share. I'm sure the bureau of labor and statistics would keep such information as well. Not to mention psychological websites, those related to workplace issues (OSHA?) and industry magazines that also conduct such salary and well-being surveys.

  Happy hunting.

  Al

  From: Zach Huseby [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 13, 2004 12:59 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: Research Question

  the 2nd and the 18th of each month.

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
  Sent: Thursday, May 13, 2004 10:05 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] OT: Research Question

  Hello,

  I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

  As an IT professional, what factors in your employment make a difference to you? Why?

  I really appreciate the time you take to give me some insight into your world.

  Thank you,
  Mitch
  Noob college student


RE: [ActiveDir] TCP Port Blocking

2004-05-14 Thread Roger Seielstad



Our remote users have always been domain members - it's part of our security policy.

You're correct that an incorrect IPSec policy could cause issues, but the parts I left off were what I thought were obvious - only block what you know you can block, and include exclusion rules for things like either domain controllers and internal services boxes (like AV servers) or at least for the company's internal IP ranges.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  From: Lee, Wook [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 13, 2004 6:19 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] TCP Port Blocking

  The problem with trying to patch remote systems via GP is that simple things like ICMP blocking can prevent GP from applying. And it only works for W2K and XP clients that are members of the forest. It's not uncommon for remote users to be on systems that are just workgroup members.

  Wook

  From: Roger Seielstad
  Sent: Thu 5/13/2004 1:54 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] TCP Port Blocking

  I've not done it directly, but it's possible to use IPSec policies to block specific ports, which would do exactly what you're trying to do.

  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

From: Mike Hogenauer [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] TCP Port Blocking

Sorry for the newbie sounding question.

How can I use Group Policy to block certain ports in all workstation in a certain OU? Ex: for the SASSER virus it's recommended to block TCP 5554 9996. I have remote users that I wanted apply a GP to that will block these ports.

Thanks

Mike

Mike Hogenauer
[EMAIL PROTECTED]
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2115 | Fax: 425.497.1149



RE: [ActiveDir] Enumerating DCs from a workstation that is not me mber of domain.

2004-05-14 Thread Roger Seielstad

Um - no. The gethostbyname calls request the network stack process a name resolution request.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  From: AD [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 13, 2004 6:34 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not me mber of domain.

  The problem with name resolution is the fact that you have to HARD Code your server names. That is what I am trying to stay away from.

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
  Sent: Thursday, May 13, 2004 4:42 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not me mber of domain.

  Huh? Wouldn't the name resolution calls work better then?
  http://msdn.microsoft.com/library/default.asp?url=

  Al

  From: AD [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 13, 2004 3:46 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

  Believe it or not Mike I gave that idea a lot of thought. NSLookup -t NS DomainName.com. But I would have to create a shell object, capture the output to a file and then parse it. Not the cleanest solution.

  I was hoping to find an object that will kinda do it all.

  From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
  Sent: Thu 5/13/2004 10:10 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

  Couldn't you just query DNS (ie, nslookup aa.bb.cc) and look at the IPs returned?

  Mike Thommes

  -Original Message-
  From: AD [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, May 13, 2004 8:47 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

  Hey Guys,

  I am looking for a vb script or vb.net code that would return domain controllers (names or ip addresses) of a specific domain name on a workstation that is NOT member of the domain.

  When you add a computer to a domain (right click "my computer", properties, Computer Name, Change) you specify a domain name. When you click on ok it will ask you for a username and password right? When you click "ok" the computer must talk with a domain controller to add your computer to the domain right? I basically need that functionality.

  Thank you in advance.

  Yves St-Cyr


RE: [ActiveDir] OT: Research Question

2004-05-14 Thread Creamer, Mark
Pay is important, obviously, but I'm now more interested in the overall strength of the company I work for, and a good stream of challenging projects to work on. I don't know what the median age is of the folks on this list, but I suspect it's probably at least a little younger than me (42) - maybe I'm completely wrong though. I'd be interested in knowing that. The reason I bring up age is that I'm no longer interested in jumping around from one company to another. I like where I am, our management is among the most respected in our industry, and what little politics I do endure, my immediate boss does a great job of shielding me from.

So what do I want now?

- Challenging work (variety)
- Recognition
- Training to keep an edge (formal [classroom] and informal [this list is a major resource])
- Opportunity to play with new things (new to me that is, e.g. Linux - I don't want to get pigeon-holed)
- Competitive pay
- Plenty of time off to play with my Triumph

If I could change one thing about work life, it would be NO MORE CUBICLES ;-)

Mark


RE: [ActiveDir] Potential DNS issues after applying MS04-011

2004-05-14 Thread Thommes, Michael M.



Hi Wook,

Thanks for the additional details! I've been chasing my tail on this issue for about a week now. Is it too simplistic to think these problems could be avoided if service dependencies were used?

Mike Thommes

  -Original Message-
  From: Lee, Wook [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 14, 2004 2:30 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Potential DNS issues after applying MS04-011

  Just to clarify a bit, there is a race condition when the DC boots where netlogon starts before some other services, e.g. the KDC, are available. Netlogon thinks the DC no longer hosts those services and deregisters the corresponding SRV records. If the deregistration fails for some reason, then the SRV records stay around until scavenging deletes them but if DDNS is working correctly, the deregistration occurs right away.

  This doesn't always happen since it all depends on the timing of netlogon startup versus the other services on DCs in your environment. If netlogon is restarted after the DC is fully up and running, the restart will trigger netlogon to correctly register all of its SRV records including any that might have been deregistered at boot time. Any monitoring tools that check for the presence of SRV records should catch this problem.

  I've been told that if this problem is endemic to your Windows 2000 forest, you will find that over time, some DCs start to become overloaded while others sit idle. This is because as the SRV records are removed, only those DCs that still have valid SRV records registered will be targeted for use.

  My understanding is that this problem only affects Windows 2000 DCs though at any service pack level with MS04-011 installed. Windows 2003 DCs do not experience this problem with or without MS04-011.

  Wook

  From: Grillenmeier, Guido
  Sent: Thu 5/13/2004 11:24 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Potential DNS issues after applying MS04-011

  Want all of you to be aware of the following - this Q-Article lists known issues with MS04-011: http://support.microsoft.com/default.aspx?scid=kb;en-us;835732

  But, I hope MS will update that Q-article very soon, as there is another very uncool issue with MS04-011, which causes issues with Windows 2000 DCs and DNS. Some DCs may no longer register their DNS entries correctly on restart. Sometimes the issue won't be apparent immediately, but it will become an issue once scavenging deletes the old records in DNS.

  I have just verified this to be an issue at one of my customers - I know that the following DNS entries can be affected, which basically means that users can't authenticate to the box, it won't be registered as a GC etc.:

  _GC
  _KERBEROS
  _KPASSWD

  You can verify that these entries are not being registered for specific DCs by checking their netlogon.dns file in the c:\%systemdir%\system32\config folder and obviously by checking for the existence of the service records in DNS.

  There is a hot fix to correct this specific problem - customers can request it via KB 841395, it went live on Tuesday. The problem has to do with a timing issue in the startup of netlogon (starts up before some of the other services are ready and thus doesn't think this machine provides certain services). As a temporary workaround after the DC/GC comes up one needs to stop and start netlogon.

  /Guido


[ActiveDir] OT: Ad hoc queries from within Excel

2004-05-14 Thread Creamer, Mark
I'm constantly having users ask me to do some ad-hoc query on AD, and send them the output. Seems like it would be pretty cool to create an Excel add-in that would allow someone to import AD data directly into Excel. I've seen a few add-ins that query a SQL database like that, but has anyone already seen such a thing for AD? I don't want to reinvent the wheel - just not finding anything so far on Google

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do

RE: [ActiveDir] OT: Research Question

2004-05-14 Thread DL.ActiveDirectory
Now I guess I should have written programmers and other IT pros.

Sorry.

Mitch Lawrence

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Posted At: Friday, May 14, 2004 7:09 AM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

Hey, you said it, not us!

As I slink back into VS2003...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Lou Vega [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

programmers *and* it professionals ... so...us programmers are not it professionals? ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

No, it's quite alright. One of the assignments I had this week was ask programmers and it professionals what factors in business are most important to them and why. So I went and asked all the ones I knew. I'm using all the answers to formulate the results for class.

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 2:34 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

Maybe I've misunderstood the question. You're asking for an answer to the question?

From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Yes, but having live data from people I 'know' (so to speak) makes this a much more personal assignment, and one that I am more likely to get a good grade on since I have a kindred feeling for the research data.

I am using ALL the answers I get, as each one adds a little more to the over all picture. Plus, this isn't the only list this got posted on. ;)

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

lol.

Mitch, you probably want to insert favorite search engine for surveys. Places like Monster.com, Yahoo.com, Dice.com, etc all keep that kind of information as well for marketing purposes. They may share. I'm sure the bureau of labor and statistics would keep such information as well. Not to mention psychological websites, those related to workplace issues (OSHA?) and industry magazines that also conduct such salary and well-being surveys.

Happy hunting.

Al

From: Zach Huseby [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you? Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,

Mitch

Noob college student


RE: [ActiveDir] OT: Research Question

2004-05-14 Thread Mulnick, Al

Depends. I've seen many IT pros that couldn't program. I've seen many programmers that could do the IT pro job. Typically something gives when you do programming and infrastructure work. Very different mindsets. I usually just hope when I meet someone who claims to do both that hygiene skills aren't what was sacrificed. ;-)

From: Lou Vega [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

programmers *and* it professionals ... so...us programmers are not it professionals? ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

No, it's quite alright. One of the assignments I had this week was ask programmers and it professionals what factors in business are most important to them and why. So I went and asked all the ones I knew. I'm using all the answers to formulate the results for class.

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 2:34 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

Maybe I've misunderstood the question. You're asking for an answer to the question?

From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Yes, but having live data from people I 'know' (so to speak) makes this a much more personal assignment, and one that I am more likely to get a good grade on since I have a kindred feeling for the research data.

I am using ALL the answers I get, as each one adds a little more to the over all picture. Plus, this isn't the only list this got posted on. ;)

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

lol.

Mitch, you probably want to insert favorite search engine for surveys. Places like Monster.com, Yahoo.com, Dice.com, etc all keep that kind of information as well for marketing purposes. They may share. I'm sure the bureau of labor and statistics would keep such information as well. Not to mention psychological websites, those related to workplace issues (OSHA?) and industry magazines that also conduct such salary and well-being surveys.

Happy hunting.

Al

From: Zach Huseby [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you? Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,
Mitch
Noob college student


Re: [ActiveDir] AD and Mac OSX disk quotas

2004-05-14 Thread Brent Westmoreland
Let me look it up, It will just take me some time to put it all 
together.  Just to get my bearings on the subject, let me ask some 
questions:

1. What is the Specific OS version on your client mac machines?

2. What is the Specific OS version on your server mac machines?

3. What is the exact hardware that you are using for your mac servers?

4. How many mac servers do you have and what are their 
utilizations (file and print, web, open directory, etc.)?



On May 14, 2004, at 3:33 AM, Cawan Starks wrote:

Is there a script or documentation available for modifying Active 
Directory schema for support for OS X disk quotas?

I have Mac users authenticating to AD but their home directories are 
stored on a Mac Server. Home directories mount fine via SMB but I am 
unable to set disk quotas for individual users. Any help or references 
will be appreciated.



RE: [ActiveDir] OT: Research Question

2004-05-14 Thread DL.ActiveDirectory
Thank you all for your responses. I got more than enough to make this an excellent look into what drives the individuals in this industry. It isn't complete, but it is a great look. Thank you again.

Thank you,
Mitchell D. Lawrence


Re: [ActiveDir] OT: Research Question

2004-05-14 Thread Brent Westmoreland
The favorite thing about my job is answering questions for Students and Interns

It gives me the warm fuzzies


On May 13, 2004, at 12:05 PM, DL.ActiveDirectory wrote:

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you?  Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,

Mitch

Noob college student


RE: [ActiveDir] Enumerating DCs from a workstation that is not me mber of domain.

2004-05-14 Thread Mulnick, Al

I think the original request was that it be vbscript or 
vb.net. I suppose you could wrap the call, but I'm not sure it meets what 
he's looking for. 

Additionally, I think we overcomplicated the request. 
I think he just wants to be able to add to a workstation to a domain which is a 
script similar to http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspxwhich 
uses the netbios or shortname of the domain to join (as does the built in 
pieces).

Otherwise, why do you want to find the members of a domain 
from a non-member workstation if not to join? Is there something else 
you're after? If so, you may want to investigate LDAP searching for DC's 
in a domain. You can pass the creds to the domain that are required for 
searching. DNS will do it, and the DNSGetHostbyname or sister method 
should be helpful there. 

Al




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] Sent: Thursday, May 13, 2004 6:39 
PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] 
Enumerating DCs from a workstation that is not me mber of 
domain.

This should be what you want...
http://msdn.microsoft.com/library/default.asp?url="">


From: AD [mailto:[EMAIL PROTECTED] Sent: 
Thursday, May 13, 2004 5:34 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Enumerating DCs 
from a workstation that is not me mber of domain.

The problem with name resolution is the fact that you 
have to HARD Code your server names. That is what I am trying to stay away 
from.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, 
AlSent: Thursday, May 13, 2004 4:42 PMTo: 
'[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Enumerating 
DCs from a workstation that is not me mber of domain.

Huh? Wouldn't thename resolution calls work 
better then?
http://msdn.microsoft.com/library/default.asp?url="">




Al






From: AD [mailto:[EMAIL PROTECTED] Sent: 
Thursday, May 13, 2004 3:46 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Enumerating DCs 
from a workstation that is not member of domain.


Believe it or not Mike I gave 
that idea a lot of thought. NSLookup -t NS DomainName.com. But I would have to 
create a shell object, capture the output to a file and then parseit. Not 
the cleanest solution.

I was hoping to find an object that will 
kinda do it all.


From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Thu 5/13/2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Couldn't you just query DNS (ie, nslookup aa.bb.cc) and look at the IPs returned?

Mike Thommes

-Original Message-
From: AD [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 13, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Hey Guys,

I am looking for a vb script or vb.net code that would return domain controllers (names or ip addresses) of a specific domain name on a workstation that is NOT member of the domain.

When you add a computer to a domain (right click "my computer", properties, Computer Name, Change) you specify a domain name. When you click on ok it will ask you for a username and password right? When you click "ok" the computer must talk with a domain controller to add your computer to the domain right? I basically need that functionality.

Thank you in advance.

Yves St-Cyr

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] HELP ! - password policy changing on replication

2004-05-14 Thread Mulnick, Al
How are you monitoring your DC's?  You can look for failure events
preventing GP from being applied. Once you find one of those, you could dig
deeper based on the information found.

How's the PSS method coming along? 

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 6:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP ! - password policy changing on replication

Further info - I found a posting by Joe that describes a similar issue - by
looking at repadmin /showmeta on a DC where the policy is wrong, I can see
the version of the 'wrong' attributes (like MaxPwdAge) is very high (60)
with today's date and recent time, while the others are at 1 with the
date/time of when we installed AD over 3 yrs ago.  Clearly something is
causing this to change on a DC someplace.  I hoped the Originating DSA
would tell me where the problem lies, but each time this flip-flops I see a
different DC in that field.  

I need to know what to look for to figure out a) which DC is originating the
problem and b) where the problem is.  I suspect something related to our
domain policy is corrupted on some DC, causing it to set itself to default
values at its policy refresh, and this is replicating.  Then when other DCs
refresh their policy properly, they get the correct settings.  Can anybody
help ?  We're working our way to the right folks at MS PSS at this point...
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David A
Sent: Thursday, May 13, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP ! - password policy changing on replication


We're experiencing a problem which I'm sure I've seen documented
before...just can't remember where.

Symptom is that people are having passwords expire prematurely - suddenly
they're prompted for id/password when trying to access a resource, and if
they log out/in they are told their password has expired.  If, on the other
hand, they just wait a bit instead of logging out/in, things work in a few
minutes.  It bounces back and forth every five minutes or so.  Our Max
password age is 90.  When the user is OK, the time until expiration (as we
calculate it based on PwdLastSet and Max Password Age) is what we expect.
When the user is having problems, it appears it expired at 42 days.

I recall something about password policy being set incorrectly so it
flip-flops between 90 and 42 days.  Can anybody tell me what that was all
about ???

Dave 


RE: [ActiveDir] FW: Passwords

2004-05-14 Thread Mulnick, Al



On *that* dc? Which dc do you have errors on? 
:)

Seriously, do you have any errors going on? 
Replication, role, etc?


From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have no errors on that DC, it is up and operational

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator down, or messed up?



  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
  Sent: Thursday, May 13, 2004 1:20 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] FW: Passwords

  Anyone have any ideas why this happens?

  Justin A. Salandra, MCSE
  Senior Network Engineer
  Catholic Healthcare System
  212.752.7300 - office
  917.455.0110 - cell
  [EMAIL PROTECTED]

  -Original Message-
  From: Levine, Jeffrey
  Sent: Thursday, May 13, 2004 12:10 PM
  To: Salandra, Justin A.
  Cc: Bruno, Thomas
  Subject: Passwords

  Justin,

  Several employees are getting normal messages to change their passwords, and they proceed to do so. The following day they are asked once again to change their password. Any reason? Should they ignore it? Please advise.

  Jeffrey D. Levine
  Accountant
  Carmel Richmond Healthcare  Rehabilitation Center
  88 Old Town Road
  Staten Island, NY 10304
  Phone: (718) 668-8541
  Fax: (718) 980-6815
  [EMAIL PROTECTED]
  
  
  This message is a private 
  communication. If you are not the intended recipient, please do not 
  read, copy, or use it and do not disclose it to others. Please notify 
  the sender of the delivery error by replying to this message, and then delete 
  it from your system. Thank you. 
  
  


RE: [ActiveDir] OT: Ad hoc queries from within Excel

2004-05-14 Thread Ayers, Diane



We wrote a basic one that allows users 
to dump DL memberships to a spreadsheet w some of the attributes. 
Basically it was for the clerical folks that create phone lists for depts. and 
floors. I don't know if we can share. Also It's hard coded to 
our domains and OUs

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 6:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Ad hoc queries from within Excel

I'm constantly having users ask me to do some ad-hoc query on AD, and send them the 
output. Seems like it would be pretty cool to create an Excel add-in that would 
allow someone to import AD data directly into Excel. I've seen a few add-ins 
that query a SQL database like that, but has anyone already seen such a thing 
for AD? I don't want to reinvent the wheel - just not finding anything so far on 
Google

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] TCP Port Blocking

2004-05-14 Thread Depp, Dennis M.



You will need to create an IPSEC policy and apply this via 
GPOs.

Denny


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, May 13, 2004 4:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] TCP Port Blocking

Sorry for the newbie sounding question.

How can I use Group Policy to block certain ports in all workstation in a certain OU? Ex: 
for the SASSER virus it's recommended to block TCP 5554 9996. I have remote 
users that I wanted apply a GP to that will block these ports.

Thanks

Mike

Mike Hogenauer
[EMAIL PROTECTED]
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2115 | Fax: 425.497.1149



RE: [ActiveDir] FW: Passwords

2004-05-14 Thread Salandra, Justin A.









I have two DCs and neither have any errors in any log.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords



On *that* dc? Which
dc do you have errors on? :)



Seriously, do you have
any errors going on? Replication, role, etc?









From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have no errors on that DC, it is up and operational

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator down, or messed up?











-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, May 13, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords

Anyone have any ideas why this happens?



Justin A. Salandra, MCSE

Senior Network Engineer

Catholic Healthcare System

212.752.7300 - office

917.455.0110 - cell

[EMAIL PROTECTED]





-Original Message-
From: Levine, Jeffrey
Sent: Thursday, May 13, 2004 12:10 PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords





Justin,











Several employees are getting normal
messages to change their passwords, and they proceed to do so. The
following day they are asked once again to change their password. Any
reason? Should they ignore it? Please advise.



Jeffrey D. Levine
Accountant
Carmel Richmond Healthcare  Rehabilitation Center
88 Old Town Road
Staten Island, NY 10304
Phone: (718) 668-8541
Fax: (718) 980-6815
[EMAIL PROTECTED]



This message is a private communication. If you
are not the intended recipient, please do not read, copy, or use it and do not
disclose it to others. Please notify the sender of the delivery error by
replying to this message, and then delete it from your system. Thank you.

















RE: [ActiveDir] TCP Port Blocking

2004-05-14 Thread John Singler
Great article that simplifies the creation of IPsec policies ...seeing that 
the GUI is nefarious...

http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp

At 10:36 AM 5/14/2004, Depp, Dennis M. wrote:
You will need to create an IPSEC policy and apply this via GPOs.

Denny

--
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, May 13, 2004 4:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] TCP Port Blocking

Sorry for the newbie sounding question.



How can I use Group Policy to block certain ports in all workstation in a 
certain OU? Ex: for the SASSER virus it's recommended to block TCP 5554 
9996. I have remote users that I wanted apply a GP to that will block 
these ports.



Thanks



Mike



Mike Hogenauer

[EMAIL PROTECTED]

Rendition Networks, Inc.

10735 Willows Rd NE, Suite 150

Redmond, WA 98052

425.636.2115 | Fax: 425.497.1149




RE: [ActiveDir] FW: Passwords

2004-05-14 Thread Mulnick, Al



What happens if they ignore the password reset 
notification? 

Al


From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have two DCs and neither have any errors in any log.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

On *that* dc? Which dc do you have errors on? :)

Seriously, do you have any errors going on? Replication, role, etc?

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have no errors on that DC, it is up and operational

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator down, or messed up?



  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
  Sent: Thursday, May 13, 2004 1:20 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] FW: Passwords

  Anyone have any ideas why this happens?

  Justin A. Salandra, MCSE
  Senior Network Engineer
  Catholic Healthcare System
  212.752.7300 - office
  917.455.0110 - cell
  [EMAIL PROTECTED]

  -Original Message-
  From: Levine, Jeffrey
  Sent: Thursday, May 13, 2004 12:10 PM
  To: Salandra, Justin A.
  Cc: Bruno, Thomas
  Subject: Passwords

  Justin,

  Several employees are getting normal messages to change their passwords, and they proceed to do so. The following day they are asked once again to change their password. Any reason? Should they ignore it? Please advise.

  Jeffrey D. Levine
  Accountant
  Carmel Richmond Healthcare  Rehabilitation Center
  88 Old Town Road
  Staten Island, NY 10304
  Phone: (718) 668-8541
  Fax: (718) 980-6815
  [EMAIL PROTECTED]
  
  
  This message is a private 
  communication. If you are not the intended recipient, please do not 
  read, copy, or use it and do not disclose it to others. Please notify 
  the sender of the delivery error by replying to this message, and then delete 
  it from your system. Thank you. 
  
  


Re: [ActiveDir] AD and Mac OSX disk quotas

2004-05-14 Thread Brent Westmoreland
Here is the specific attribute you are looking to import, although 
there is an entire apple-user class that you would probably want to 
import in order to support all of the apple controls.  I have attached 
a copy of the latest version of the Apple Openldap Schema that is used 
for open directory.  If you have OS X server that is NOT 10.3.3 then 
you would want to find the apple.schema file located in 
/etc/openldap/schema/ on your OS X server.  Rather than provide you 
with a script or ldif that will import values for you, I think it best 
to provide the necessary information for you to make the best decision. 
 I recommend that you research the reason for updating your AD Schema 
and follow some basic good practice guidelines.  See recipe 10.5 
Extending the Schema in Robbie Allen's Active Directory Cookbook for 
more information about Schema update best practices.  Also check out KB 
283791 from MS to find out how to do ldif schema updates.

changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.63.1000.1.1.1.1.8 NAME 
'apple-user-homequota' DESC 'home directory quota' EQUALITY 
caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

On May 14, 2004, at 9:59 AM, Brent Westmoreland wrote:

Let me look it up, It will just take me some time to put it all 
together.  Just to get my bearings on the subject, let me ask some 
questions:

1. What is the Specific OS version on your client mac machines?

2. What is the Specific OS version on your server mac machines?

3. What is the exact hardware that you are using for your mac servers?

4. How many mac servers do you have and what are their 
utilizations(file and print, web, open directory, etc.)?



On May 14, 2004, at 3:33 AM, Cawan Starks wrote:

Is there a script or documentation available for modifying Active 
Directory schema for support for OS X disk quotas?

I have Mac users authenticating to AD but their home directories are 
stored on a Mac Server. Home directories mount fine via SMB but I am 
unable to set disk quotas for individual users. Any help or 
references will be appreciated.



apple.schema
Description: application/applefile


apple.schema
Description: application/text


[ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Thommes, Michael M.



Hi Folks,

I apologize for the question since I think it has been battered around in one form 
or another but I can't seem to find the answer. The question: a related 
company root admin wants to see a password expiration length time on a W2K 
domain. He is worried that everyone's password will expire at the same 
time. Correct or incorrect? TIA!

Mike Thommes


RE: [ActiveDir] consequences of setting password expiration lengt h

2004-05-14 Thread Mulnick, Al



Depends on which part of the process you're concerned 
about. Will the passwords expire at the same time? Not 
necessarily. They'll all expire at the interval of password expiration 
based on pwdLastSet. To play that out, if user 1 last set her pwd 
yesterday, she has until pwd expiration interval from yesterday. If user2 
last set his pwd two weeks ago, he'll get the notification pwd expiration - 2 
weeks.

So, unless all accounts just had their pwd set at the exact 
same time, then no, they won't all get their pwd notification at the same 
time. They'll get it when they next meet the criteria. To be more 
articulate in your admin's case, they will all expire at the same time *interval* 
vs. the same exact moment in time. Not that it matters for most domains, 
but...

Al


From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I think it has been battered around in one form 
or another but I can't seem to find the answer. The question: a related 
company root admin wants to see a password expiration length time on a W2K 
domain. He is worried that everyone's password will expire at the same 
time. Correct or incorrect? TIA!

Mike Thommes


RE: [ActiveDir] consequences of setting password expiration lengt h

2004-05-14 Thread Thommes, Michael M.



Thanks, Al!

  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 14, 2004 10:29 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] consequences of setting password expiration length

  Depends on which part of the process you're concerned 
  about. Will the passwords expire at the same time? Not 
  necessarily. They'll all expire at the interval of password expiration 
  based on pwdLastSet. To play that out, if user 1 last set her pwd 
  yesterday, she has until pwd expiration interval from yesterday. If 
  user2 last set his pwd two weeks ago, he'll get the notification pwd 
  expiration - 2 weeks.
  
  So, unless all accounts just had their pwd set at the 
  exact same time, then no, they won't all get their pwd notification at the 
  same time. They'll get it when they next meet the criteria. To be 
  more articulate in your admin's case, they will all expire at the same time 
  *interval* vs. the same exact moment in time. Not that it matters for 
  most domains, but...
  
  Al
  
  
  From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 14, 2004 11:04 AM
  To: Active Directory Mailing List (E-mail)
  Subject: [ActiveDir] consequences of setting password expiration length

  Hi Folks,

  I apologize for the question since I think it has been battered around in one 
  form or another but I can't seem to find the answer. The question: a 
  related company root admin wants to see a password expiration length time on a 
  W2K domain. He is worried that everyone's password will expire at the 
  same time. Correct or incorrect? TIA!

  Mike Thommes


RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Craig Cerino








It really depends on what type of group
policy you set.



On an interesting note - -I just attended
the Microsoft Security Strategies Road Show this week and the topic of
passwords vs. passphrases was
brought up.



If you are willing to implement the policy
- - if you force your users to use a minimum 15 character password/passphrase
(i.e. my dog has fleas which is
16 including spaces - - remember with windows you can use spaces in passwords)
you can have them never be forced to change their password, not use lockouts
after X bad attempts and still have just over 1,677,259,342,285,725,925,376
different possibilities. Meaning even with a brute force attack - -it would
conceivably take thousands of years to crack a password.



- Minimum of 15 characters means no LMHash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries

(credited to Mark Minasi)

Just a little idea they threw out there.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I
think it has been battered around in one form or another but I can't seem to
find the answer. The question: a related company root admin wants to see
a password expiration length time on a W2K domain. He is worried that
everyone's password will expire at the same time. Correct or
incorrect? TIA!











Mike Thommes










RE: [ActiveDir] consequences of setting password expiration lengt h

2004-05-14 Thread joe



Now if you want to set a policy for say 91 days but 
everyone's password is over say 150 days, you can either get to 91 days by 
starting with a high policy age and slowly decrease it or you can manually 
expire people so they have to change and then once they all get changed, set 
your policy. To do the latter, check out expire on my website - free win32 tools 
of www.joeware.net. It will allow you to 
specify userids and minimum passwords ages for expiration. That way you can do 
it in some sort of controlled fashion and if someone recently changed their 
password (say after you gathered your list of who to change), it won't touch 
them unless you set the minimum password age very low. 

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

Thanks, Al!

  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 14, 2004 10:29 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] consequences of setting password expiration length

  Depends on which part of the process you're concerned 
  about. Will the passwords expire at the same time? Not 
  necessarily. They'll all expire at the interval of password expiration 
  based on pwdLastSet. To play that out, if user 1 last set her pwd 
  yesterday, she has until pwd expiration interval from yesterday. If 
  user2 last set his pwd two weeks ago, he'll get the notification pwd 
  expiration - 2 weeks.
  
  So, unless all accounts just had their pwd set at the 
  exact same time, then no, they won't all get their pwd notification at the 
  same time. They'll get it when they next meet the criteria. To be 
  more articulate in your admin's case, they will all expire at the same time 
  *interval* vs. the same exact moment in time. Not that it matters for 
  most domains, but...
  
  Al
  
  
  From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 14, 2004 11:04 AM
  To: Active Directory Mailing List (E-mail)
  Subject: [ActiveDir] consequences of setting password expiration length

  Hi Folks,

  I apologize for the question since I think it has been battered around in one 
  form or another but I can't seem to find the answer. The question: a 
  related company root admin wants to see a password expiration length time on a 
  W2K domain. He is worried that everyone's password will expire at the 
  same time. Correct or incorrect? TIA!
  
  Mike 
  Thommes
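
The per-account arithmetic described in the replies above (each password expires at its own pwdLastSet plus the domain maximum age, so lowering the maximum age, or a DC flipping between 90 and 42 days as in the earlier password policy thread, changes who is expired at a given moment), as an added example that is not part of any poster's message. The account names, dates and `NOW` are constructed sample data; the encodings used are the standard Active Directory ones (FILETIME ticks, negative `maxPwdAge`, the `DONT_EXPIRE_PASSWD` flag).

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000             # AD timestamps count 100 ns ticks
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND
NORMAL_ACCOUNT = 0x200                    # userAccountControl flags
DONT_EXPIRE_PASSWD = 0x10000
NO_MAX_AGE = -(2 ** 63)                   # maxPwdAge value meaning "never"


def to_filetime(dt):
    """Timezone-aware datetime -> tick count as stored in pwdLastSet."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks):
    """Tick count -> UTC datetime (sub-microsecond remainder dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def max_pwd_age(days):
    """The domain's maxPwdAge is stored as a NEGATIVE tick count."""
    return -days * TICKS_PER_DAY


def password_expiry(pwd_last_set, max_age, uac=NORMAL_ACCOUNT):
    """When this account's password expires, or None if it never does."""
    if uac & DONT_EXPIRE_PASSWD or max_age in (0, NO_MAX_AGE):
        return None
    if pwd_last_set == 0:
        # 0 means "must change at next logon": treat as already expired.
        return FILETIME_EPOCH
    return from_filetime(pwd_last_set - max_age)   # minus a negative = plus


def expired(users, max_age, now):
    """Sorted names of accounts whose password is expired at `now`."""
    names = []
    for name, (pwd_last_set, uac) in users.items():
        when = password_expiry(pwd_last_set, max_age, uac)
        if when is not None and when <= now:
            names.append(name)
    return sorted(names)


def caught_by_change(users, old_days, new_days, now):
    """Accounts that are fine under old_days but expired under new_days."""
    before = set(expired(users, max_pwd_age(old_days), now))
    after = set(expired(users, max_pwd_age(new_days), now))
    return sorted(after - before)


# Constructed sample data: (pwdLastSet, userAccountControl) per account.
NOW = datetime(2004, 5, 14, 12, 0, tzinfo=timezone.utc)


def _days_ago(days):
    return to_filetime(NOW - timedelta(days=days))


USERS = {
    "user1": (_days_ago(1), NORMAL_ACCOUNT),
    "user2": (_days_ago(14), NORMAL_ACCOUNT),
    "user3": (_days_ago(60), NORMAL_ACCOUNT),
    "user4": (_days_ago(150), NORMAL_ACCOUNT),
    "svc-backup": (_days_ago(400), NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD),
    "newhire": (0, NORMAL_ACCOUNT),
}

if __name__ == "__main__":
    for days in (90, 42):
        print(f"maxPwdAge = {days} days")
        for name, (pwd_last_set, uac) in USERS.items():
            when = password_expiry(pwd_last_set, max_pwd_age(days), uac)
            print(f"  {name:<11} expires {when.date() if when else 'never'}")
        print("  expired now:", expired(USERS, max_pwd_age(days), NOW))
    # Accounts that flip when a DC applies 42 days instead of 90:
    print("flip 90 -> 42:", caught_by_change(USERS, 90, 42, NOW))
    # Accounts expired at once by dropping a 180-day policy to 91 days:
    print("drop 180 -> 91:", caught_by_change(USERS, 180, 91, NOW))
```
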


RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread joe



It is a good idea. I use pass phrases... however trying 
using TS Manager to grab one a session when you have a long password like that, 
comes back and tells you bad password even though you can log into a "fresh" TS 
session just fine. 

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you set.

On an interesting note 
- -I just attended the Microsoft Security Strategies Road Show this week and the 
topic of passwords vs. passphrases was brought 
up.

If you are willing to 
implement the policy - - if you force your users to use a minimum 15 character 
password/passphrase (i.e. my dog has 
fleas which is 16 including spaces - - remember with windows you can 
use spaces in passwords) you can have them never be forced to change their 
password, not use lockouts after X bad attempts and still have just over 
1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute 
force attack - -it would conceivably take thousands of years to crack a 
password.

- Minimum of 15 characters means no LMHash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries

(credited to Mark Minasi)

Just a little idea they threw out there.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I think it has been battered around in one form or another 
but I can't seem to find the answer. The question: a related company root 
admin wants to see a password expiration length time on a W2K domain. He 
is worried that everyone's password will expire at the same time. Correct 
or incorrect? TIA!

Mike Thommes


[ActiveDir] Offline Files

2004-05-14 Thread Salandra, Justin A.
On a Windows XP Machine, I have a GPO that is allowing Offline files,
and everything seemed okay when I was logged in as administrator,
however when I tried to make something available offline the option on
the context menu was grayed out.  How do I change this through the GPO?
I don't see the setting.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] FW: Passwords

2004-05-14 Thread joe



The few thoughts I had

1. Are they maybe using local accounts?

2. Did anyone check the attributes on the user objects in 
the domain, are they changed?

3. Have they logged off and logged on since changing the 
password or do they just lock and unlock the desktops?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 14, 2004 12:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Today it is saying 5 days left. I will have to wait 5 days to see what happens. They have 
been clicking ignore since two days ago they all changed their password.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

What happens if they ignore the password reset notification?

Al

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have two DCs and neither have any errors in any log.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

On *that* dc? Which dc do you have errors on? :)

Seriously, do you have any errors going on? Replication, role, etc?

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have no errors on that DC, it is up and operational

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator down, or messed up?



  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
  Sent: Thursday, May 13, 2004 1:20 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] FW: Passwords

  Anyone have any ideas why this happens?

  Justin A. Salandra, MCSE
  Senior Network Engineer
  Catholic Healthcare System
  212.752.7300 - office
  917.455.0110 - cell
  [EMAIL PROTECTED]

  -Original Message-
  From: Levine, Jeffrey
  Sent: Thursday, May 13, 2004 12:10 PM
  To: Salandra, Justin A.
  Cc: Bruno, Thomas
  Subject: Passwords

  Justin,

  Several employees are getting normal messages to change their passwords, and they proceed to do so. The following day they are asked once again to change their password. Any reason? Should they ignore it? Please advise.

  Jeffrey D. Levine
  Accountant
  Carmel Richmond Healthcare  Rehabilitation Center
  88 Old Town Road
  Staten Island, NY 10304
  Phone: (718) 668-8541
  Fax: (718) 980-6815
  [EMAIL PROTECTED]
  
  
  This message is a private 
  communication. If you are not the intended recipient, please do not 
  read, copy, or use it and do not disclose it to others. Please notify 
  the sender of the delivery error by replying to this message, and then delete 
  it from your system. Thank you. 
  
  


[ActiveDir] Offline Files Modified Question

2004-05-14 Thread Salandra, Justin A.
Let me modify my question, I noticed that with the MY Documents folder,
I am unable to specify whether to make it available offline or not.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Craig Cerino








I thought we were discussing end user
policies though not TS Admins











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:33
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
consequences of setting password expiration length





It is a good idea. I use pass phrases...
however trying using TS Manager to grab one a session when you have a long
password like that, comes back and tells you bad password even though you can
log into a fresh TS session just fine. 



 joe









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
consequences of setting password expiration length

It really depends on what type of group
policy you se.



On an interesting note - -I just attended
the Microsoft Security Strategies Road Show this week and the topic of
passwords vs. passphrases was
brought up.



If you are willing to implement the policy
- - if you force your users to use a minimum 15 character password/passphrase
(i.e. my dog has fleas which is
16 including spaces - - remember with windows you can use spaces in passwords)
you can have them never be forced to change their password, not use lockouts
after X bad attempts and still have just over
1,677,259,342,285,725,925,376 different possibilities. Meaning even with a
brute force attack - -it would conceivably take thousands of years to crack a
password.



- Minimum of 15 characters means no LMHash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries

(credited to Mark Minasi)



Just a little idea they threw out there.











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04
AM
To: Active Directory Mailing List
(E-mail)
Subject: [ActiveDir] consequences
of setting password expiration length







Hi Folks,





 I apologize for the question since I
think it has been battered around in one form or another but I can't seem to
find the answer. The question: a related company root admin wants to see
a password expiration length time on a W2K domain. He is worried that
everyone's password will expire at the same time. Correct or incorrect?
TIA!











Mike Thommes
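
The keyspace arithmetic quoted above from the road show, and why the 15-character minimum matters, worked through as an added example (not code from any list member or from Microsoft). It assumes a 365-day year, printable-ASCII passwords, and the default behaviour in which an LM hash is kept only for passwords of 14 characters or fewer; the function names and the sample password "Summer2004!" are constructed for illustration.

```python
# Added example: worst-case exhaustive-search estimates for the password
# policy options discussed in the thread. Names and constants below are
# illustrative assumptions, not taken from any Microsoft tool.

SECONDS_PER_YEAR = 365 * 24 * 60 * 60   # assumption: 365-day year

# Assumptions about LM hash storage (default Windows 2000 behaviour):
LM_MAX_LEN = 14          # passwords longer than this get no LM hash
LM_HALF_LEN = 7          # LM hashes the password as two separate 7-char halves
LM_ALPHABET = 95 - 26    # printable ASCII with lowercase folded to uppercase


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet_size ** length


def lm_hash_stored(password: str) -> bool:
    """True when the password is short enough for an LM hash to be kept."""
    return len(password) <= LM_MAX_LEN


def lm_worst_case_guesses() -> int:
    """Each 7-character half is searched on its own, over lengths 0..7."""
    per_half = sum(keyspace(LM_ALPHABET, n) for n in range(LM_HALF_LEN + 1))
    return 2 * per_half


def seconds_to_exhaust(guesses: int, guesses_per_second: int) -> int:
    return guesses // guesses_per_second


def centuries_to_exhaust(guesses: int, guesses_per_second: int) -> int:
    return seconds_to_exhaust(guesses, guesses_per_second) // SECONDS_PER_YEAR // 100


def assess(password: str, alphabet_size: int, guesses_per_second: int = 10**6) -> dict:
    """Worst-case search effort against the weakest stored hash."""
    lm = lm_hash_stored(password)
    full_guesses = keyspace(alphabet_size, len(password))
    # If an LM hash exists, the split, case-folded halves cap the effort.
    weakest = min(full_guesses, lm_worst_case_guesses()) if lm else full_guesses
    return {
        "length": len(password),
        "lm_hash_stored": lm,
        "weakest_link_guesses": weakest,
        "days": seconds_to_exhaust(weakest, guesses_per_second) // 86400,
        "centuries": centuries_to_exhaust(weakest, guesses_per_second),
    }


if __name__ == "__main__":
    # The figure from the thread: 15 lowercase letters at a million guesses/s.
    space = keyspace(26, 15)
    print(f"26^15 = {space:,} -> {centuries_to_exhaust(space, 10**6):,} centuries")

    # Constructed samples: an 11-character complex password (LM hash kept)
    # versus the 16-character passphrase from the thread (letters + space).
    for pw, alphabet in [("Summer2004!", 95), ("my dog has fleas", 27)]:
        print(repr(pw), assess(pw, alphabet))
```

The comparison shows that a shorter password drawn from a larger alphabet is still bounded by its two LM halves, while the 15+ character passphrase has no LM hash to fall back on.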










RE: [ActiveDir] FW: Passwords

2004-05-14 Thread Salandra, Justin A.










 1. NO
 2. Attributes appear normal
 3. They receive this when logging on not unlocking the workstation.




-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:36
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords



The few thoughts I had



1. Are they maybe using
local accounts?



2. Did anyone check the
attributes on the user objects in the domain, are they changed?



3. Have they logged off
and logged on since changing the password or do they just lock and unlock the
desktops?













From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Salandra, Justin A.
Sent: Friday, May 14, 2004 12:20
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords

Today it is saying 5 days
left. I will have to wait 5 days to see what happens. They have
been clicking ignore since two days ago they all changed their password.



-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:48
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords



What happens
if they ignore the password reset notification? 



Al













From: Salandra, Justin A.
[mailto:[EMAIL PROTECTED] 
Sent: Friday, May 14, 2004 10:39
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords

I have two DCs and neither have any errors in any log.



-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords



On
*that* dc? Which dc do you have errors on? :)



Seriously,
do you have any errors going on? Replication, role, etc?

















From: Salandra, Justin A.
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 4:17
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords

I have
no errors on that DC, it is up and operational



-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords





Sounds to me like one of your FSMO roles is messed up. Is the DC that holds
the PDC emulator down, or messed up?











-Original
Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Salandra, Justin A.
Sent: Thursday, May 13, 2004 1:20
PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords

Anyone
have any ideas why this happens?



Justin A. Salandra, MCSE

Senior Network Engineer

Catholic Healthcare System

212.752.7300 - office

917.455.0110 - cell

[EMAIL PROTECTED]





-Original Message-
From: Levine, Jeffrey 
Sent: Thursday, May 13, 2004 12:10
PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords





Justin,











Several employees are getting normal
messages to change their passwords, and they proceed to do so. The
following day they are asked once again to change their password. Any
reason? Should they ignore it? Please advise.



Jeffrey D. Levine
Accountant
Carmel Richmond Healthcare & Rehabilitation Center
88 Old Town Road
Staten Island, NY 10304
Phone: (718) 668-8541
Fax: (718) 980-6815
[EMAIL PROTECTED]



This message is a private communication. If you
are not the intended recipient, please do not read, copy, or use it and do not
disclose it to others. Please notify the sender of the delivery error by
replying to this message, and then delete it from your system. Thank you.

















RE: [ActiveDir] Outlook 2003 via GPO?

2004-05-14 Thread Brian Desmond
Mine never got copied back from the preexisting folder. Took me a while
of wondering why replication hadn't started to go look at the source,
and lo and behold the ntfrs_preexisting was empty.

--Brian

-Original Message-
From: Steve Rochford [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 14, 2004 6:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Outlook 2003 via GPO?

It will put it back if you give it a chance if you're referring to
something I've seen. 

I had 3 servers on 3 different sites; each had a share called cdimages
which were supposed to be manually synched but, of course, they never
were.

I made this into a dfs share and, as you say, dfs appeared to delete
everything. It actually moves it to a hidden folder
(ntfrs_pre_existing??), copies everything from the master server and
then puts back what's needed from the other folder. This took a long
time (one of the links is only 2Mbit and there were many GB of data) but
it did all work in the end.

Steve

-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED] 
Sent: 10 May 2004 21:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Outlook 2003 via GPO?


I think there's a way to pre-provision targets, but, I attempted to do
it and FRS deleted all my stuff. 



RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Brian Desmond









Correct.



--Brian



-Original Message-
From: Thommes, Michael M.
[mailto:[EMAIL PROTECTED] 
Sent: Friday, May 14, 2004 10:04
AM
To: Active Directory Mailing List
(E-mail)
Subject: [ActiveDir] consequences
of setting password expiration length





Hi Folks,





 I apologize for
the question since I think it has been battered around in one form or another
but I can't seem to find the answer. The question: a related company root
admin wants to see a password expiration length time on a W2K domain. He
is worried that everyone's password will expire at the same time. Correct
or incorrect? TIA!











Mike Thommes










RE: [ActiveDir] OT: Ad hoc queries from within Excel

2004-05-14 Thread Creamer, Mark









Thanks Brian - I hadn't seen that one. I'll take a look





mc



-Original Message-
From: Brian Desmond
[mailto:[EMAIL PROTECTED] 
Sent: Friday, May 14, 2004 1:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Ad
hoc queries from within Excel



Check out Richard Mueller's site - http://www.rlmueller.net/.
He has some AD & Excel stuff that you might be able to build off of. MSSQL
can be setup as a linked server to AD via the OLEDb provider, so, if you had
something to mail merge MSSQL, you could then mail merge AD through there.



--Brian



-Original Message-
From: Ayers, Diane
[mailto:[EMAIL PROTECTED] 
Sent: Friday, May 14, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Ad
hoc queries from within Excel



We wrote a basic one that allows users to dump DL memberships to a
spreadsheet w/ some of the attributes. Basically it was for the clerical
folks that create phone lists for depts. and floors. I don't know
if we can share. Also It's hard coded to our domains and OUs



Diane













From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 6:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Ad hoc
queries from within Excel

I'm constantly having users ask me to do some ad-hoc query
on AD, and send them the output. Seems like it would be pretty cool to create an
Excel add-in that would allow someone to import AD data directly into Excel.
I've seen a few add-ins that query a SQL database like that, but has
anyone already seen such a thing for AD? I don't want to reinvent the
wheel - just not finding anything so far on Google



Mark Creamer

Systems
Engineer

Cintas
Corporation

Honesty
and Integrity in Everything We Do










RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread joe



But would you want a password policy weaker on your admins 
than on your users?

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length


I thought we were 
discussing end user policies though not TS Admins







RE: [ActiveDir] FW: Passwords

2004-05-14 Thread joe



2. Are they updated with the new value from when they 
changed?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 14, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

  1. NO
  2. Attributes appear normal
  3. They receive this when logging on not unlocking the workstation.



[ActiveDir] GPO refresh for computer policy?

2004-05-14 Thread mikeb
I read somewhere that the computer policy refresh does not periodically apply unless 
there has been a change to the policy.  Is that true?

We have a group that is proposing ACL'ing system files on servers in the computer 
policy.  Is this a good idea or bad idea?  Our belief is that it's overkill.  But, if 
the above is true, then it negates some of the potential benefit that they're claiming 
that they could get from having these files ACL'd in the GPO.

Thanks,
Mike


RE: [ActiveDir] FW: Passwords

2004-05-14 Thread Mulnick, Al



2a. And is that updated value showing on both dc's 
correctly?


From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

2. Are they updated with the new value from when they 
changed?




RE: [ActiveDir] FW: Passwords

2004-05-14 Thread Philadelphia, Lynden - Revios Toronto








Are you on W2k or W3K AD?







Lynden 











From: Salandra, Justin
A. [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 14, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords






 1. NO
 2. Attributes appear normal
 3. They receive this when logging on not unlocking the workstation.




-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:36
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords



The few thoughts I had



1. Are they maybe using
local accounts?



2. Did anyone check the attributes
on the user objects in the domain, are they changed?



3. Have they logged off
and logged on since changing the password or do they just lock and unlock the
desktops?

















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 14, 2004 12:20
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords

Today it is saying 5 days
left. I will have to wait 5 days to see what happens. They have
been clicking ignore since two days ago they all changed their password.



-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:48
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords



What
happens if they ignore the password reset notification? 



Al

















From: Salandra,
Justin A. [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 14, 2004 10:39
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords

I have two DCs and neither have any errors in any log.



-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords



On
*that* dc? Which dc do you have errors on? :)



Seriously,
do you have any errors going on? Replication, role, etc?





















From: Salandra,
Justin A. [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 4:17
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords

I have
no errors on that DC, it is up and operational



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords





Sounds to me like one of your FSMO roles is messed up. Is the DC that holds
the PDC emulator down, or messed up?











-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Salandra, Justin A.
Sent: Thursday, May 13, 2004 1:20
PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords

Anyone
have any ideas why this happens?



Justin A. Salandra, MCSE

Senior Network Engineer

Catholic Healthcare System

212.752.7300 - office

917.455.0110 - cell

[EMAIL PROTECTED]





-Original Message-
From: Levine, Jeffrey 
Sent: Thursday, May 13, 2004 12:10
PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords





Justin,











Several employees are getting normal
messages to change their passwords, and they proceed to do so. The
following day they are asked once again to change their password. Any
reason? Should they ignore it? Please advise.



Jeffrey D. Levine
Accountant
Carmel Richmond Healthcare & Rehabilitation Center

88 Old Town Road
 
Staten Island, NY 10304

Phone:
(718) 668-8541 
Fax:
(718) 980-6815 
[EMAIL PROTECTED] 



This message is a private communication. If you
are not the intended recipient, please do not read, copy, or use it and do not
disclose it to others. Please notify the sender of the delivery error by
replying to this message, and then delete it from your system. Thank you.















This message is intended for the use of the individual or entity to which it is 
addressed and may contain information that is privileged, confidential and exempt from 
disclosure under applicable law.  If the reader of this message is not the intended 
recipient or the employer or agent responsible for delivering the message to the 
recipient, you are hereby notified that dissemination, distribution or copying of this 
communication is strictly prohibited.  If you have received this communication in 
error, please notify us immediately by email or telephone, and delete this message and 
all of its attachments.



[ActiveDir] Mixed network PC and Mac - AD or XServe

2004-05-14 Thread Noah Eiger
Hello:
 
I need some advice about file service, directory management, and user
authentication in a mixed Windows/Mac environment. 
 
I have a magazine client with approximately 70 users: half Macs, half
Windows. As you might expect, the Macs are the art department and editorial;
the PCs are business, advertising, etc. All workstations will either be
running OSX (most recent) or WinXP Pro. Currently, there is no NOS, and file
service is handled by a mixture of WinNT, Win2k, and AppleShare 9x.
 
My initial thought was to just let AD handle everything and spend the effort
on getting the Macs to play nice with the Windows servers. Exchange is
likely. However, the in-house IT guy wants to explore Apple's server
offerings.
 
So, the questions are: 
-  Is the speed and quality of the Windows servers sufficient for
Mac clients (many handling large image or graphics files)?
-  Is AD managing of Macs and Mac users sufficient? 
-  If there is a reason to deploy an Apple server, can it be managed
by AD? That is, can it play like a Windows member server?
-  Finally, is there any reason to entertain running the whole shop
under the Apple server and Open Directory?
 
Many thanks.
 

--
Noah M. Eiger
EIS Consulting for
PRBO Conservation Science
510-717-5742
 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
 

RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Mulnick, Al



And would you want something that never changes? On 
the one hand it reduces your help-desk-password-reset-side-business 
impact. On the other hand, it is much more likely to be shared or 
otherwise circulated by silly users. Oh sure, "our policy prevents that" 
you say. But think about it. Is a policy that you don't enforce a 
worthless policy? I say it is. 

OT: in case you're wondering, here's a group who 
claims to be able to crack Windows passwords in 13.6 seconds with standard OTF 
hardware. Not perfect, but interesting anyway http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

Al


From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

But would you want a password policy weaker on your admins 
than on your users?

 joe



RE: [ActiveDir] GPO refresh for computer policy?

2004-05-14 Thread Darren Mar-Elia
Mike-
It is true, but you can override that behavior through Admin. Template
policy on a per-policy area basis to force GPO to process during every
foreground and background refresh regardless of whether the GPO has
changed. The exception to this is that security policy (including file
security) is automatically refreshed every 16 hours by default even if
the GPO hasn't changed, and you can modify this by  tweaking a reg
value, which I can relay if you're interested.

If you're planning to use File Security policy then the only thing I
would caution on is that it can be fairly expensive from a processing
and time perspective to do this in policy, especially if you're
recursing lots of files and folders. Unless you absolutely positively
need to make sure that those files are constantly at the right set of
perms, I wouldn't necessarily recommend doing this in policy--probably
better off just scripting it for one time and occasional setting
outside of GPO.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 14, 2004 11:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO refresh for computer policy?

I read somewhere that the computer policy refresh does not periodically
apply unless there has been a change to the policy.  Is that true?

We have a group that is proposing ACL'ing system files on servers in the
computer policy.  Is this a good idea or bad idea?  Our belief is that
it's overkill.  But, if the above is true, then it negates some of the
potential benefit that they're claiming that they could get from having
these files ACL'd in the GPO.

Thanks,
Mike
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread joe



Crap, I didn't even catch the part about never changing the 
password, that is asinine. Any admin who set a policy like that needs to be
washing dishes for a living. 

On the password reset help desk business, get a self-help 
reset web site... Queue Idan from M-Tec.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

And would you want something that never changes? On 
the one hand it reduces your help-desk-password-reset-side-business 
impact. On the other hand, it is much more likely to be shared or 
otherwise circulated by silly users. Oh sure, "our policy prevents that" 
you say. But think about it. Is a policy that you don't enforce a 
worthless policy? I say it is. 

OT: in case you're wondering, here's a group who
claims to be able to crack Windows passwords in 13.6 seconds with standard OTF
hardware. Not perfect, but interesting anyway http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

Al


From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

But would you want a password policy weaker on your admins 
than on your users?

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length


I thought we were 
discussing end user policies though not TS Admins





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It is a good idea. I 
use pass phrases... however trying using TS Manager to grab one a session when 
you have a long password like that, comes back and tells you bad password even 
though you can log into a "fresh" TS session just fine. 


 
joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you se.

On an interesting note -- I just attended the Microsoft Security Strategies Road Show this week and the
topic of passwords vs. passphrases was brought up.

If you are willing to implement the policy -- if you force your users to use a minimum 15 character
password/passphrase (i.e. my dog has fleas which is 16 including spaces -- remember with windows you can
use spaces in passwords) you can have them never be forced to change their
password, not use lockouts after X bad attempts and still have just over
1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute
force attack -- it would conceivably take thousands of years to crack a
password.

- Minimum of 15 characters means no LMHash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries
(credited to Mark Minasi)

Just a little idea they threw out there.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I think it has been battered around in one form or another
but I can't seem to find the answer. The question: a related company root
admin wants to see a password expiration length time on a W2K domain. He
is worried that everyone's password will expire at the same time. Correct
or incorrect? TIA!

Mike Thommes


RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Rimmerman, Russ



Queue Idan? Where's this at? 
URL?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 1:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

Crap, I didn't even catch the part about never changing the 
password, that is asinine. Any admin who set a policy like that needs to be
washing dishes for a living. 

On the password reset help desk business, get a self-help 
reset web site... Queue Idan from M-Tec.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

And would you want something that never changes? On 
the one hand it reduces your help-desk-password-reset-side-business 
impact. On the other hand, it is much more likely to be shared or 
otherwise circulated by silly users. Oh sure, "our policy prevents that" 
you say. But think about it. Is a policy that you don't enforce a 
worthless policy? I say it is. 

OT: in case you're wondering, here's a group who
claims to be able to crack Windows passwords in 13.6 seconds with standard OTF
hardware. Not perfect, but interesting anyway http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

Al


From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

But would you want a password policy weaker on your admins 
than on your users?

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length


I thought we were 
discussing end user policies though not TS Admins





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It is a good idea. I 
use pass phrases... however trying using TS Manager to grab one a session when 
you have a long password like that, comes back and tells you bad password even 
though you can log into a "fresh" TS session just fine. 


 
joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you se.

On an interesting note -- I just attended the Microsoft Security Strategies Road Show this week and the
topic of passwords vs. passphrases was brought up.

If you are willing to implement the policy -- if you force your users to use a minimum 15 character
password/passphrase (i.e. my dog has fleas which is 16 including spaces -- remember with windows you can
use spaces in passwords) you can have them never be forced to change their
password, not use lockouts after X bad attempts and still have just over
1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute
force attack -- it would conceivably take thousands of years to crack a
password.

- Minimum of 15 characters means no LMHash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries
(credited to Mark Minasi)

Just a little idea they threw out there.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I think it has been battered around in one form or another
but I can't seem to find the answer. The question: a related company root
admin wants to see a password expiration length time on a W2K domain. He
is worried that everyone's password will expire at the same time. Correct
or incorrect? TIA!

Mike Thommes


RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Mulnick, Al



Identifying the issues is easy. Getting others to 
understand and work to resolve the issue is what separates the dish washers from 
the IT professionals and developers ;-)


From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

Crap, I didn't even catch the part about never changing the 
password, that is asinine. Any admin who set a policy like that needs to be
washing dishes for a living. 

On the password reset help desk business, get a self-help 
reset web site... Queue Idan from M-Tec.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

And would you want something that never changes? On 
the one hand it reduces your help-desk-password-reset-side-business 
impact. On the other hand, it is much more likely to be shared or 
otherwise circulated by silly users. Oh sure, "our policy prevents that" 
you say. But think about it. Is a policy that you don't enforce a 
worthless policy? I say it is. 

OT: in case you're wondering, here's a group who
claims to be able to crack Windows passwords in 13.6 seconds with standard OTF
hardware. Not perfect, but interesting anyway http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

Al


From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

But would you want a password policy weaker on your admins 
than on your users?

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length


I thought we were 
discussing end user policies though not TS Admins





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It is a good idea. I 
use pass phrases... however trying using TS Manager to grab one a session when 
you have a long password like that, comes back and tells you bad password even 
though you can log into a "fresh" TS session just fine. 


 
joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you se.

On an interesting note -- I just attended the Microsoft Security Strategies Road Show this week and the
topic of passwords vs. passphrases was brought up.

If you are willing to implement the policy -- if you force your users to use a minimum 15 character
password/passphrase (i.e. my dog has fleas which is 16 including spaces -- remember with windows you can
use spaces in passwords) you can have them never be forced to change their
password, not use lockouts after X bad attempts and still have just over
1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute
force attack -- it would conceivably take thousands of years to crack a
password.

- Minimum of 15 characters means no LMHash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries
(credited to Mark Minasi)

Just a little idea they threw out there.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I think it has been battered around in one form or another
but I can't seem to find the answer. The question: a related company root
admin wants to see a password expiration length time on a W2K domain. He
is worried that everyone's password will expire at the same time. Correct
or incorrect? TIA!

Mike Thommes


Re: [ActiveDir] Mixed network PC and Mac - AD or XServe

2004-05-14 Thread Robbie Foust
I'm currently involved in migrating a network from Netware to AD/OS X 
Server.  The problem with running Windows servers in a Mac environment
is that Microsoft has no plans to support the latest AFP version, which 
kinda sucks for various reasons. (auto reconnect, etc)

Best way I can come up with is to use AD as the authenticator (and for 
group policy support of Windows clients), and use OS X Server as the 
file server.  The trick is to be able to apply policies to OS X users 
through open directory.  There's supposed to be a way to use AD as the 
primary LDAP directory and pull additional attributes from another 
local directory but haven't quite figured it out yet.  Samba can be 
configured to use Kerberos, but it's not the default.

Macs can't really be managed from AD like Windows can.  Same goes in the 
other direction too.  So ya kinda need both (AD and OD).  In my 
scenario, I'm shooting for single sign-on using Kerberos.  To make it 
even more complicated, I would really like to authenticate from a MIT 
Kerberos realm, but Samba doesn't have support for that yet.

Documentation is very limited when it comes down to the fine details,
unfortunately.

Robbie Foust
OIT - Systems and Core Services
Duke University
Noah Eiger wrote:

Hello:

I need some advice about file service, directory management, and user
authentication in a mixed Windows/Mac environment. 

I have a magazine client with approximately 70 users: half Macs, half
Windows. As you might expect, the Macs are the art department and editorial;
the PCs are business, advertising, etc. All workstations will either be
running OSX (most recent) or WinXP Pro. Currently, there is no NOS, and file
service is handled by a mixture of WinNT, Win2k, and AppleShare 9x.
My initial thought was to just let AD handle everything and spend the effort
on getting the Macs to play nice with the Windows servers. Exchange is
likely. However, the in-house IT guy wants to explore Apple's server
offerings.
So, the questions are: 
-  Is the speed and quality of the Windows servers sufficient for
Mac clients (many handling large image or graphics files)?
-  Is AD managing of Macs and Mac users sufficient? 
-  If there is a reason to deploy an Apple server, can it be managed
by AD? That is, can it play like a Windows member server?
-  Finally, is there any reason to entertain running the whole shop
under the Apple server and Open Directory?

Many thanks.


--
Noah M. Eiger
EIS Consulting for
PRBO Conservation Science
510-717-5742
mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
 



RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Coleman, Hunter



http://www.psynch.com/

Idan works for M-Tec, IIRC


From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 12:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] consequences of setting password expiration length

Queue Idan? Where's this at? 
URL?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 1:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

Crap, I didn't even catch the part about never changing the 
password, that is asinine. Any admin who set a policy like that needs to be
washing dishes for a living. 

On the password reset help desk business, get a self-help 
reset web site... Queue Idan from M-Tec.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

And would you want something that never changes? On 
the one hand it reduces your help-desk-password-reset-side-business 
impact. On the other hand, it is much more likely to be shared or 
otherwise circulated by silly users. Oh sure, "our policy prevents that" 
you say. But think about it. Is a policy that you don't enforce a 
worthless policy? I say it is. 

OT: in case you're wondering, here's a group who
claims to be able to crack Windows passwords in 13.6 seconds with standard OTF
hardware. Not perfect, but interesting anyway http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

Al


From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

But would you want a password policy weaker on your admins 
than on your users?

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length


I thought we were 
discussing end user policies though not TS Admins





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It is a good idea. I 
use pass phrases... however trying using TS Manager to grab one a session when 
you have a long password like that, comes back and tells you bad password even 
though you can log into a "fresh" TS session just fine. 


 
joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you se.

On an interesting note -- I just attended the Microsoft Security Strategies Road Show this week and the
topic of passwords vs. passphrases was brought up.

If you are willing to implement the policy -- if you force your users to use a minimum 15 character
password/passphrase (i.e. my dog has fleas which is 16 including spaces -- remember with windows you can
use spaces in passwords) you can have them never be forced to change their
password, not use lockouts after X bad attempts and still have just over
1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute
force attack -- it would conceivably take thousands of years to crack a
password.

- Minimum of 15 characters means no LMHash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries
(credited to Mark Minasi)

Just a little idea they threw out there.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I think it has been battered around in one form or another
but I can't seem to find the answer. The question: a related company root
admin wants to see a password expiration length time on a W2K domain. He
is worried that everyone's password will expire at the same time. Correct
or incorrect? TIA!

Mike Thommes

  
  


[ActiveDir] Dial-In Property Sheet and Windows XP SP1

2004-05-14 Thread JCARROS



Have any problem to 
view the Dial-In Property Sheet with Windows XP SP1 ?.

Thks.


RE: [ActiveDir] Dial-In Property Sheet and Windows XP SP1

2004-05-14 Thread Rimmerman, Russ



Install the Windows 2000 Adminpak.msi (ignore any warnings) 
and then install the 2003 Adminpak.msi over top of it, and you'll have the 
dial-in tab back.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 14, 2004 2:38 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Dial-In Property Sheet and Windows XP SP1
Sensitivity: Private

Have any problem to
view the Dial-In Property Sheet with Windows XP SP1 ?.

Thks.


RE: [ActiveDir] Dial-In Property Sheet and Windows XP SP1

2004-05-14 Thread Fuller, Stuart



This is one of my pet peeves for the ADUC in XP.
See http://support.microsoft.com/?id=304718 and
then search for "dial-in".

Quote: 

The Dial-in tab that configures Routing and Remote Access 
dial-in or VPN access and callback settings is removed 
when the Administration Tools package is installed on Windows XP 
clients.
To remotely 
manage the RAS dial-in tab in Active Directory 
Users or Computers or Internet Authentication Server (IAS) from a Windows 
XP-based computer, use Terminal Services or Remote Desktop to access a Windows 
2000-based or Windows Server 2003-based computer. Alternatively, log on to the 
console of a Windows 2000-based or Windows Server 2003-based computer to 
configure these settings directly. 

-Stuart



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:38 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Dial-In Property Sheet and Windows XP SP1
Sensitivity: Private

Have any problem to
view the Dial-In Property Sheet with Windows XP SP1 ?.

Thks.



[ActiveDir] GPO troubles

2004-05-14 Thread Rimmerman, Russ



We have password 
protected screensavers enabled in our default domain policy, and then at a lower 
OU level, I have a GPO linked that is set to Screen Savers "Not 
configured". Basically, we want all users to have password protected 
screensavers except a select few 
machines.

So, I created a 
security group called "No Screensaver" and added computer accounts that we don't 
want screensavers to be enforced on. Then I went into our default domain 
policy, and added deny read and deny apply gpo to this No Screensaver 
group. The GPO that IS applied only to the No Screensaver group has all 
the screen saver settings set to "Not configured" and the Password Protect the 
Screensaver GPO is "Disabled". 

Once a GPO is applied 
to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not 
configured" put it back to normal? 


I added my computer to 
this No Screensaver group, and still my screen saver settings and buttons are 
greyed out and it will not let me change it. 


Thanks


RE: [ActiveDir] GPO troubles

2004-05-14 Thread Creamer, Mark









Russ, I
believe what you need to do is set up an OU and put those machines in it. Then
set the group policy Computer Configuration setting User Group Policy Loopback processing
mode. Set the Screen Saver policy accordingly in the User Configuration
section. 



Then users
who log in to those machines should no longer be subject to the policy that
enforces the screen saver





mc



-Original Message-
From: Rimmerman, Russ
[mailto:[EMAIL PROTECTED] 
Sent: Friday, May 14, 2004 3:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private



We have password
protected screensavers enabled in our default domain policy, and then at a
lower OU level, I have a GPO linked that is set to Screen Savers "Not
configured". Basically, we want all users to have password protected
screensavers except a select few machines.

So, I created a security
group called "No Screensaver" and added computer accounts that we
don't want screensavers to be enforced on. Then I went into our default
domain policy, and added deny read and deny apply gpo to this No Screensaver
group. The GPO that IS applied only to the No Screensaver group has all
the screen saver settings set to "Not configured" and the Password
Protect the Screensaver GPO is "Disabled".

Once a GPO is applied to
a PC, do you have to "Disable" it to unapply it, or will setting it
to "Not configured" put it back to normal?



I added my computer to
this No Screensaver group, and still my screen saver settings and buttons are
greyed out and it will not let me change it. 



Thanks







RE: [ActiveDir] GPO troubles

2004-05-14 Thread Rimmerman, Russ



Is it absolutely necessary to create a whole separate 
GPO for these computers? Seems like it will create an administrative 
nightmare. Can't you just deny access to the default domain GPO and it 
won't apply the screen saver settings?



RE: [ActiveDir] GPO troubles

2004-05-14 Thread Creamer, Mark









I don't
think so - screen savers are configured on the user, and you want to
limit by the machine. That's why the Loopback policy, and the reason for
segregating the machines in a separate OU. Others please chime in if I'm
wrong though...





mc




RE: [ActiveDir] HELP ! - password policy changing on replication

2004-05-14 Thread Fugleberg, David A
Well, we seem to be ok now.  The repadmin /showmeta deal was one of the early things 
we tried in hopes of narrowing it down, but the values of three of those attributes 
kept incrementing and the Org DSA would be different virtually every time, so it was 
hard to chase back.  Operations started noticing issues around 1:30 Thursday afternoon, 
and I got pulled in around 3:30 or so.  After checking a few things and realizing that 
it was a policy flip-flop issue I advised them to contact PSS - it was some time 
before they actually did.  After 4 hrs of working with PSS over the phone, they 
escalated and our TAM sourced a local engineer, but it was around 11:30 before he was 
able to get there.  He spent the night trying to isolate it - turned on some 
additional auditing, etc.  Early this morning he turned off FRS on the PDCE and saw 
the GPT for the default domain GPO change on that DC anyhow - it was being changed by 
something under SYSTEM, but couldn't be more specific.  The problem seemed to 
stabilize after that, however. (Note - it had stopped for well over an hour once late 
in the evening but then resumed).
 
Anyhow, by 8:30 or so this AM we were pretty fried - fresh troops had arrived, things 
were quiet, and MS had escalated to Dev as they were unsure of the culprit.  I went 
home and got a little sleep.  I woke up a little while ago and checked in - apparently 
things are OK.  They restarted FRS and got the PDCE's SYSVOL back in sync, and all has 
been holding.  MS basically said 'we're not sure why it happened', 'every case is 
different', etc.  Not that I'm dissing them - they did a lot of work to chase it, and 
we certainly could have been better prepared if we had been auditing object access and 
been able to figure out where it started.  I haven't talked to them directly yet to 
see what, if anything, happened with their escalation to dev (they were doing so to 
see if they could determine what precisely was doing the changes in the SYSVOL on the 
PDCE when FRS was disabled).
 
Anyhow, so much for the day off I was supposed to have today... If we learn any more 
about root cause, I'll repost.  At this point, we may never know.  If nothing else, it 
added some fuel to my oft-repeated request to get some outside expertise to come in 
and help me define/implement improvements to our AD structure and monitoring - it's 
easy to get isolated in your thinking when you don't get to move around and see how 
things work in other environments.  That's why this list is invaluable - thanks to all 
of you !
Dave

-Original Message- 
From: [EMAIL PROTECTED] on behalf of joe 
Sent: Fri 5/14/2004 11:23 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] HELP ! - password policy changing on replication



When it flips to a bad value, check the originating DSA with repadmin
/showmeta, that should show you where the bad value came from which is
*probably* on a machine where a GPO INF file hasn't been updated.

An alternative thing would be to do a CRC check of all files in all sysvol's
and look for the stuff that varies.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, May 13, 2004 6:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP ! - password policy changing on replication

Further info - I found a posting by Joe that describes a similar issue - by
looking at repadmin /showmeta on a DC where the policy is wrong, I can see
the version of the 'wrong' attributes (like MaxPwdAge) is very high (60)
with today's date and recent time, while the others are at 1 with the
date/time of when we installed AD over 3 yrs ago.  Clearly something is
causing this to change on a DC someplace.  I hoped the Originating DSA
would tell me where the problem lies, but each time this flip-flops I see a
different DC in that field. 

I need to know what to look for to figure out a) which DC is originating the
problem and b) where the problem is.  I suspect something related to our
domain policy is corrupted on some DC, causing it to set itself to default
values at its policy refresh, and this is replicating.  Then when other DCs
refresh their policy properly, they get the correct settings.  Can anybody
help ?  We're working our way to the right folks at MS PSS at this point...
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, May 13, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP ! - password policy changing on replication
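
joe's suggestion above (checksum every file in every SYSVOL and look for what varies), as an added example that is not code from anyone on the list. It uses SHA-256 rather than a CRC, and the DC names, folder layout and file contents are constructed for the demonstration.

```python
"""Find files that differ between replica copies of a tree (e.g. SYSVOL)."""
import hashlib
import os
import tempfile
from collections import defaultdict


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # normcase folds case on Windows so DC copies compare equal there.
            rel = os.path.normcase(os.path.relpath(full, root)).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def find_divergent(replicas):
    """replicas: {dc_name: root_path}.

    Returns {rel_path: {digest_or_"MISSING": [dc, ...]}} for every file that
    is not byte-identical on all replicas.
    """
    per_dc = {dc: hash_tree(root) for dc, root in replicas.items()}
    all_paths = set().union(*per_dc.values())
    report = {}
    for rel in sorted(all_paths):
        groups = defaultdict(list)
        for dc in sorted(per_dc):
            groups[per_dc[dc].get(rel, "MISSING")].append(dc)
        if len(groups) > 1:
            report[rel] = dict(groups)
    return report


def minority_holders(report):
    """For each divergent file, the DCs whose copy is not the most common one.

    On a tie the first group seen counts as the majority.
    """
    out = {}
    for rel, groups in report.items():
        majority = max(groups.values(), key=len)
        out[rel] = sorted(
            dc for dcs in groups.values() if dcs is not majority for dc in dcs
        )
    return out


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


# Constructed sample layout: "{gpo-guid}" is a placeholder, not a real GUID.
INF = "policies/{gpo-guid}/machine/microsoft/windows nt/secedit/gpttmpl.inf"


def build_demo(base):
    """Create three constructed replica trees under base; DC3 holds a stale
    security template and DC2 is missing a script."""
    good = b"[System Access]\r\nMaximumPasswordAge = 90\r\n"
    stale = b"[System Access]\r\nMaximumPasswordAge = 42\r\n"
    replicas = {}
    for dc in ("DC1", "DC2", "DC3"):
        root = os.path.join(base, dc)
        _write(root, "policies/{gpo-guid}/gpt.ini", b"[General]\r\nVersion=7\r\n")
        _write(root, INF, stale if dc == "DC3" else good)
        if dc != "DC2":
            _write(root, "scripts/logon.cmd", b"@echo off\r\n")
        replicas[dc] = root
    return replicas


def demo():
    with tempfile.TemporaryDirectory() as base:
        report = find_divergent(build_demo(base))
        return report, minority_holders(report)


if __name__ == "__main__":
    report, minority = demo()
    for rel, dcs in minority.items():
        print(f"{rel}: differs on {', '.join(dcs)}")
```

Against real replicas the roots would be each DC's own copy of the SYSVOL tree, read from an account with read access to all of them; the script only reads files.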



RE: [ActiveDir] GPO troubles

2004-05-14 Thread Rimmerman, Russ



I just thought you could avoid creating an OU mess by using 
the security permissions (apply gpo, deny gpo) on each GPO 
properties.



RE: [ActiveDir] GPO troubles

2004-05-14 Thread Darren Mar-Elia



Russ-
Not Configured essentially means 'do nothing', so to undo 
an enabled setting, you have to set the downstream GPO to Disabled. In your 
case, I'm assuming you're controlling the screensaver through User 
Configuration|Admin Templates. If that's the case, then your deny ACEs need to 
be on a user group, since it's the users that process this policy. 



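
Darren's two points above (Not Configured means "do nothing", and user-side settings are filtered by the user's groups, not the computer's), as an added example. It is a simplified model written for this page, not Windows' Group Policy engine and not code from any poster; the GPO names, group names and the setting key are illustrative assumptions, and loopback, block inheritance and enforced links are not modelled.

```python
"""Simplified model of how one User Configuration setting resolves."""
from dataclasses import dataclass, field

ENABLED, DISABLED, NOT_CONFIGURED = "Enabled", "Disabled", "Not configured"
SETTING = "PasswordProtectScreenSaver"  # illustrative key, an assumption


@dataclass
class Gpo:
    name: str
    user_settings: dict  # User Configuration only: setting -> state
    # Security filtering: groups allowed / denied Read + Apply Group Policy.
    allow_apply: set = field(default_factory=lambda: {"Authenticated Users"})
    deny_apply: set = field(default_factory=set)


def applies_to(gpo, principal_groups):
    """A Deny ACE on any of the principal's groups wins over any Allow."""
    if gpo.deny_apply & principal_groups:
        return False
    return bool(gpo.allow_apply & principal_groups)


def resolve_user_setting(setting, gpos_in_order, user_groups):
    """Resolve one user-side setting; returns (state, winning GPO name).

    gpos_in_order is lowest precedence first (domain link, then OU link).
    Filtering uses the user's groups because the user processes User
    Configuration; computer group membership is never consulted.
    """
    state, source = NOT_CONFIGURED, None
    for gpo in gpos_in_order:
        if not applies_to(gpo, user_groups):
            continue
        value = gpo.user_settings.get(setting, NOT_CONFIGURED)
        if value != NOT_CONFIGURED:  # Not configured leaves earlier value
            state, source = value, gpo.name
    return state, source


def thread_scenarios():
    """The cases discussed in the thread, with constructed names."""
    user = {"Authenticated Users", "Domain Users"}
    ou_not_configured = Gpo("OU GPO", {SETTING: NOT_CONFIGURED})
    ou_disabled = Gpo("OU GPO", {SETTING: DISABLED})

    # Deny ACE placed on a group that contains only computer accounts.
    domain = Gpo("Default Domain Policy", {SETTING: ENABLED},
                 deny_apply={"No Screensaver"})
    # Deny ACE placed on a group the exempt user belongs to.
    domain_user_deny = Gpo("Default Domain Policy", {SETTING: ENABLED},
                           deny_apply={"No Screensaver Users"})
    exempt_user = user | {"No Screensaver Users"}

    return {
        # The user is not in the computer group, so the deny never matches
        # and the downstream Not configured changes nothing.
        "deny_on_computer_group": resolve_user_setting(
            SETTING, [domain, ou_not_configured], user),
        # A downstream GPO in the user's scope set to Disabled does undo it.
        "downstream_disabled": resolve_user_setting(
            SETTING, [domain, ou_disabled], user),
        # Deny on a user group keeps the domain setting from applying.
        "deny_on_user_group": resolve_user_setting(
            SETTING, [domain_user_deny, ou_not_configured], exempt_user),
    }


if __name__ == "__main__":
    for case, (state, source) in thread_scenarios().items():
        print(f"{case}: {state} (from {source})")
```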


RE: [ActiveDir] GPO troubles

2004-05-14 Thread Creamer, Mark









Yep, that
would work if the *users* were in
the OU, but your goal is to isolate the machines from the policy regardless of
who the user is. We do this for our Win2K based video-conferencing systems. The
execs kept getting annoyed when the monitor went into locked screensaver right
in the middle of a video conference. Go figure ;-)





mc




Re: [ActiveDir] Mixed network PC and Mac - AD or XServe

2004-05-14 Thread Brent Westmoreland
My $0.02

In the existing situation, with 70 machines at one site, half macs and half PCs.  The choice is actually a dead giveaway... Xserve's all the way.  OS X server with OpenDirectory and Samba 3  can handle the authentication needs of the whole shop.  You don't need Active Directory at all. Active Directory has great scalability, replication, and enterprise level features but very little native support for clients other than windows.  OSX on the other hand can serve as a windows pdc and apple master directory using the exact same user records right out of the box, but it has lousy support for delegated administration and multimaster replication.  The only downside to using all XServes is the lack of group policy support for the windows pc's, but if you only have 35, then so what.  

Another positive to using os x as an entry level nos is that there are no Client Access Licenses with OS X's unlimited version.  For a company of 70 people this allows them to double, triple, even quadruple their numbers without having to pay up every quarter for the new licenses they just bought.  Not to mention server hardware costs, for a pretty well loaded box and a well negotiated apple deal you can plan to spend 4700 to 6500 dollars per apple server, and that is cheap.  You don't see HP and IBM offering small shops a big discount on hardware, so they will pay close to retail for any servers that they purchase.

Finally, you go with an all OS X server solution, and you have effectively limited the dreaded 10th of the month server regression testing that we all have to do for MS patches.  Yes, OS X has operating system patches too, but I have never had one apply that had a negative effect on my machine, and I mean NEVER.  

If the client had 200 people and plans to open 5 sites throughout North & South America this year, I would have to say go with an AD solution.  In the meantime, I would ride the low-cost wave of apple, until AD implements better alternative client support.  Perhaps by then, OS X's solution will scale better and no migration would be necessary.  We'll have a better picture when 10.4 is revealed.




On May 14, 2004, at 3:09 PM, Robbie Foust wrote:

I'm currently involved in migrating a network from Netware to AD/OS X Server.  The problem with running Windows servers in a Mac environment is that Microsoft has no plans to support the latest AFP version, which kinda sucks for various reasons. (auto reconnect, etc)

Best way I can come up with is to use AD as the authenticator (and for group policy support of Windows clients), and use OS X Server as the file server.  The trick is to be able to apply policies to OS X users through open directory.  There's supposed to be a way to use AD as the primary LDAP directory and pull additional attributes from another local directory but haven't quite figured it out yet.  Samba can be configured to use Kerberos, but it's not the default.

Macs can't really be managed from AD like Windows can.  Same goes in the other direction too.  So ya kinda need both (AD and OD).  In my scenario, I'm shooting for single sign-on using Kerberos.  To make it even more complicated, I would really like to authenticate from a MIT Kerberos realm, but Samba doesn't have support for that yet.

Documentation is very limited when it comes down to the fine details, unfortunately.

Robbie Foust
OIT - Systems and Core Services
Duke University


Noah Eiger wrote:

Hello:
I need some advice about file service, directory management, and user
authentication in a mixed Windows/Mac environment. I have a magazine client with approximately 70 users: half Macs, half
Windows. As you might expect, the Macs are the art department and editorial;
the PCs are business, advertising, etc. All workstations will either be
running OSX (most recent) or WinXP Pro. Currently, there is no NOS, and file
service is handled by a mixture of WinNT, Win2k, and AppleShare 9x.
My initial thought was to just let AD handle everything and spend the effort
on getting the Macs to play nice with the Windows servers. Exchange is
likely. However, the in-house IT guy wants to explore Apple's server
offerings.
So, the questions are:
-  Is the speed and quality of the Windows servers sufficient for
Mac clients (many handling large image or graphics files)?
-  Is AD managing of Macs and Mac users sufficient?
-  If there is a reason to deploy an Apple server, can it be managed
by AD? That is, can it play like a Windows member server?
-  Finally, is there any reason to entertain running the whole shop
under the Apple server and Open Directory?
Many thanks.

--
Noah M. Eiger
EIS Consulting for
PRBO Conservation Science
510-717-5742
[EMAIL PROTECTED]




[ActiveDir] OT? Archiving DNS debugging logs?

2004-05-14 Thread Thommes, Michael M.
My DNS guy would like to be able to archive the DNS debugging logs (eg, 
c:\winnt\system32\dns.log) .  Currently, you can indicate what size you like the log 
to be, and when it gets to that size, it just writes over itself.  Has anyone found a 
way to automatically cut a new log file?  TIA!
 
Mikke Thommes
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GPO troubles

2004-05-14 Thread Darren Mar-Elia



If you truly want to control a user policy based on the 
computer, then loopback is the right choice. You don't have to create a separate 
OU to do that. It makes it more obvious when you have machines controlled by 
loopback in a separate OU, but you can use security permissions to control it, 
as you've suggested. So, the way this might work is that you create a new GPO, 
enable loopback policy, setting loopback mode to replace, leave the ScreenSaver 
settings at Not Configured and then permission the GPO by removing the 
Authenticated Users ACE and adding Read and Apply Group Policy perms to 
your excluded computer group.



Re: [ActiveDir] GPO troubles

2004-05-14 Thread Brent Westmoreland
Mark is absolutely correct, the screensaver setting is a user policy. In order to fix this correctly and still use the default domain policy to set the screensaver you have to use loopback processing. One great thing about Active Directory is that it is designed to be extensible. Creating another OU or a sub OU of the workstation OU does not constitute an administration nightmare; it constitutes Active Directory operations.

Now the question beckons, is loopback processing something that should be applied on a regular basis with 100 little sub OUs all containing exceptions? No, absolutely not. If you have that situation reconsider your OU structure and placement of Group Policies.

Here is the loopback processing article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;231287 



On May 14, 2004, at 4:46 PM, Creamer, Mark wrote:

Yep, that would work if the *users* were in the OU, but your goal is to isolate the machines from the policy regardless of who the user is. We do this for our Win2K based video-conferencing systems. The execs kept getting annoyed when the monitor went into locked screensaver right in the middle of a video conference. Go figure ;-)

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 4:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I just thought you could avoid creating an OU mess by using the security permissions (apply gpo, deny gpo) on each GPO properties.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I don't think so - screen savers are configured on the user, and you want to limit by the machine. That's why the Loopback policy, and the reason for segregating the machines in a separate OU. Others please chime in if I'm wrong though...

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 4:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Is it absolutely necessary to create a whole separate GPO for these computers?  Seems like it will create an administrative nightmare.  Can't you just deny access to the default domain GPO and it won't apply the screen saver settings?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Russ, I believe what you need to do is set up an OU and put those machines in it. Then set the group policy Computer Configuration setting User Group Policy Loopback processing mode. Set the Screen Saver policy accordingly in the User Configuration section.

Then users who log in to those machines should no longer be subject to the policy that enforces the screen saver

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 3:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a 

RE: [ActiveDir] GPO troubles

2004-05-14 Thread Darren Mar-Elia



Actually, now that I look at this, you may need to set the 
Screensaver policy in your loopback GPO to Disabled, if this GPO gets 
processed after the default domain GPO that sets this to enabled. Not sure now 
that I think about it, since loopback replace mode should do just that, but it's 
possible that replacing an "Enabled" policy with a "Not Configured" won't have 
the desired effect. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, May 14, 2004 1:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

If you truly want to control a user policy based on the 
computer, then loopback is the right choice. You don't have to create a separate 
OU to do that. It makes it more obvious when you have machines controlled by 
loopback in a separate OU, but you can use security permissions to control it, 
as you've suggested. So, the way this might work is that you create a new GPO, 
enable loopback policy, setting loopback mode to replace, leave the ScreenSaver 
settings at Not Configured and then permission the GPO by removing the 
Authenticated Users ACE and adding Read and Apply Group Policy perms to 
your excluded computer group.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 14, 2004 1:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I just thought you could avoid creating an OU mess by using the security permissions (apply gpo, deny gpo) on each GPO properties.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I don't think so - screen savers are configured on the user, and you want to limit by the machine. That's why the Loopback policy, and the reason for segregating the machines in a separate OU. Others please chime in if I'm wrong though...

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 4:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Is it absolutely necessary to create a whole separate GPO for these computers? Seems like it will create an administrative nightmare. Can't you just deny access to the default domain GPO and it won't apply the screen saver settings?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Russ, I believe what you need to do is set up an OU and put those machines in it. Then set the group policy Computer Configuration setting User Group Policy Loopback processing mode. Set the Screen Saver policy accordingly in the User Configuration section.

Then users who log in to those machines should no longer be subject to the policy that enforces the screen saver

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 3:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers "Not configured". Basically, we want all users to have password protected screensavers except a select few machines.

So, I created a security group called "No Screensaver" and added computer accounts that we don't want screensavers to be enforced on. Then I went into our default domain policy, and added deny read and deny apply gpo to this No Screensaver group. The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to "Not configured" and the Password Protect the Screensaver GPO is "Disabled".

Once a GPO is applied to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not configured" put it back to normal?

I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it.

Thanks

  
  


RE: [ActiveDir] GPO troubles

2004-05-14 Thread Rimmerman, Russ



So if we have password protected screensavers enabled, and 
I want to allow a specific PC to be configured to whatever the currently logged 
in user wants for a screensaver, do I set it back to "Not configured"? Or 
do I have to disable it, wait for it to apply, and then set it back to Not 
Configured? How do I go from enabled back to 
default?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, May 14, 2004 3:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Russ-
Not Configured essentially means 'do nothing', so to undo an enabled setting, you have to set the downstream GPO to Disabled. In your case, I'm assuming you're controlling the screensaver through User Configuration|Admin Templates. If that's the case, then your deny ACEs need to be on a user group, since it's the users that process this policy.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 14, 2004 12:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers "Not configured". Basically, we want all users to have password protected screensavers except a select few machines.

So, I created a security group called "No Screensaver" and added computer accounts that we don't want screensavers to be enforced on. Then I went into our default domain policy, and added deny read and deny apply gpo to this No Screensaver group. The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to "Not configured" and the Password Protect the Screensaver GPO is "Disabled".

Once a GPO is applied to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not configured" put it back to normal?

I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it.

Thanks

  
  

[ActiveDir] authorize dhcp

2004-05-14 Thread Kern, Tom
I'm trying to authorize a dhcp server in a child domain as an enterprise admin and i 
get access denied.

we are running win2k forest in mixed mode.

any suggestions?
thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] authorize dhcp

2004-05-14 Thread Ken Cornetet
Add the user ID you are running as to the DHCP Admins group on the DHCP
server

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 14, 2004 4:09 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] authorize dhcp


I'm trying to authorize a dhcp server in a child domain as an enterprise
admin and i get access denied.

we are running win2k forest in mixed mode.

any suggestions?
thanks


RE: [ActiveDir] authorize dhcp

2004-05-14 Thread Kern, Tom
is that always the standard procedure?

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 5:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] authorize dhcp


Add the user ID you are running as to the DHCP Admins group on the DHCP
server

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 14, 2004 4:09 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] authorize dhcp


I'm trying to authorize a dhcp server in a child domain as an enterprise
admin and i get access denied.

we are running win2k forest in mixed mode.

any suggestions?
thanks


RE: [ActiveDir] 04-011 Issues

2004-05-14 Thread Durant, Ryan A
The only problems I have noticed with MS04-011 are that the older versions of
shutdown.exe and printmig.exe didn't work. Printmig.exe actually ate up
a nice chunk of memory in the process of hanging but 3.0= works fine

We patched over 800 servers with only one case of performance issues
related to an application: Dec PathWorks.

Ryan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Friday, May 14, 2004 1:42 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 04-011 Issues

Hello all,

Anybody working on 2000 server-based networks would care to share
experiences post 04-011 patch installation?
As of now the installation at other customer's sites showed no issues.
However I should be about to deploy it at a quite critical site.

- Has anybody experienced the issues described in the Q841382? If so,
anybody has installed and sorted out the problem with the patch offered
in this very article? 
- If ipsecw2k.sys, imcide.sys and dlttape.sys are not present/loaded in
the machine, is it safe to say that the 04-011 patch installation will
succeed or there are more pitfalls I should be aware of?

Any other suggestion would be very appreciated. I am aware about the DNS
issue as posted by Guido.

Thank you



RE: [ActiveDir] GPO troubles

2004-05-14 Thread Darren Mar-Elia



Good question. This stuff gets ugly quick. Just a quick 
test shows that if I either enable or disable that policy, then it's grayed out 
for the user, preventing them from changing it in either direction. The problem 
is that the first GPO to set this owns it, until another one comes along with 
the opposite setting or until the GPO no longer applies to the computer or user. 
So, you're in a sort of Catch-22 here where you can't manage it the way you want 
without using loopback, but the loopback policy doesn't "own" the setting, 
so you can't simply turn it off the way you want. Even if you first set it to 
disabled in the loopback policy and then tried to set it to Not Configured, it 
would still be delivered as enabled to the user via the default domain policy. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 14, 2004 2:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

So if we have password protected screensavers enabled, and 
I want to allow a specific PC to be configured to whatever the currently logged 
in user wants for a screensaver, do I set it back to "Not configured"? Or 
do I have to disable it, wait for it to apply, and then set it back to Not 
Configured? How do I go from enabled back to 
default?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, May 14, 2004 3:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Russ-
Not Configured essentially means 'do nothing', so to undo an enabled setting, you have to set the downstream GPO to Disabled. In your case, I'm assuming you're controlling the screensaver through User Configuration|Admin Templates. If that's the case, then your deny ACEs need to be on a user group, since it's the users that process this policy.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 14, 2004 12:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers "Not configured". Basically, we want all users to have password protected screensavers except a select few machines.

So, I created a security group called "No Screensaver" and added computer accounts that we don't want screensavers to be enforced on. Then I went into our default domain policy, and added deny read and deny apply gpo to this No Screensaver group. The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to "Not configured" and the Password Protect the Screensaver GPO is "Disabled".

Once a GPO is applied to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not configured" put it back to normal?

I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it.


Thanks
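
The precedence rules argued over in this thread, as a simplified model added here for illustration; it is not code from any poster or from Microsoft. The GPO names, group names and the `resolve` function are hypothetical, security filtering is reduced to a per-GPO Deny "Apply Group Policy" set, and user settings are assumed to be filtered by the user's groups.

```python
from dataclasses import dataclass

ENABLED, DISABLED, NOT_CONFIGURED = "Enabled", "Disabled", "Not Configured"


@dataclass(frozen=True)
class GPO:
    name: str
    user_setting: str = NOT_CONFIGURED   # state of the one user-side setting modelled
    deny_apply: frozenset = frozenset()  # groups with Deny on "Apply Group Policy"
    loopback_replace: bool = False       # computer-side switch: loopback, replace mode


def resolve(user_gpos, computer_gpos, user_groups, computer_groups):
    """Return (effective state, owning GPO name) for the user-side setting.

    Both GPO lists are in processing order (domain-linked first, OU-linked
    last), so a later GPO overwrites an earlier one.
    """
    user_groups, computer_groups = set(user_groups), set(computer_groups)

    # Loopback is a computer setting, so it is filtered by the computer's groups.
    loopback = any(
        g.loopback_replace and not (g.deny_apply & computer_groups)
        for g in computer_gpos
    )
    # Replace mode: user settings come from the GPOs in the computer's scope.
    gpo_list = computer_gpos if loopback else user_gpos

    state, owner = NOT_CONFIGURED, None
    for gpo in gpo_list:
        # Model assumption: user settings are filtered by the user's groups.
        if gpo.deny_apply & user_groups:
            continue
        # "Not Configured" means "do nothing": it never overwrites a value.
        if gpo.user_setting != NOT_CONFIGURED:
            state, owner = gpo.user_setting, gpo.name
    return state, owner


def scenarios():
    """Run the thread's cases; every name below is constructed for the example."""
    ddp = GPO("Default Domain Policy", ENABLED, frozenset({"No Screensaver"}))
    ou_nc = GPO("OU GPO", NOT_CONFIGURED)
    ou_dis = GPO("OU GPO", DISABLED)
    lb_nc = GPO("Loopback GPO", NOT_CONFIGURED, loopback_replace=True)
    lb_dis = GPO("Loopback GPO", DISABLED, loopback_replace=True)
    user, pc = {"Domain Users"}, {"No Screensaver"}
    return {
        # Deny ACE on a computer group does nothing for a user-side setting.
        "deny on computer group": resolve([ddp, ou_nc], [ddp], user, pc),
        # The same Deny ACE works once the user is in the denied group.
        "deny on user's group": resolve(
            [ddp, ou_nc], [ddp], user | {"No Screensaver"}, pc),
        # A downstream GPO must say Disabled to undo an upstream Enabled.
        "downstream Disabled": resolve([ddp, ou_dis], [ddp], user, pc),
        # Loopback GPO left at Not Configured: the domain GPO still wins.
        "loopback, Not Configured": resolve([ddp], [ddp, lb_nc], user, pc),
        "loopback, Disabled": resolve([ddp], [ddp, lb_dis], user, pc),
    }


if __name__ == "__main__":
    for case, (state, owner) in scenarios().items():
        print(f"{case:26} -> {state} (set by {owner})")
```

In every case where the result is Enabled or Disabled the setting has an owning GPO, which in this model corresponds to the greyed-out controls described in the thread.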

  
  


[ActiveDir] Exchange 2003 Question

2004-05-14 Thread Steve Shaff
Does anyone know how to do a search and destroy of an email message
across mail stores?

Thanks,
S



RE: [ActiveDir] Exchange 2003 Question

2004-05-14 Thread Depp, Dennis M.
Use Exmerge.  I believe it is in the Exchange support tools for 2000 and
2003.

Denny 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Friday, May 14, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange 2003 Question
Importance: High

Does anyone know how to do a search and destroy of an email message
across mail stores?

Thanks,
S



[ActiveDir] OT exchange settings

2004-05-14 Thread Kern, Tom
what is the purpose of the exchange settings folder (which is empty) under the 
pdc/rid/infra master dc in ad sites and services?
and how does exchange or ad pick which server to place it under?
finally, if i'm decommissioning that server, how do i move this folder or will it move 
automagically?
what will break?

i know, a lot of questions for an OT.
sorry.
thanks for any advice and info.


RE: [ActiveDir] Exchange 2003 Question

2004-05-14 Thread Burns, Clyde
You will also have to give yourself (or some account) access to all the mailboxes to 
use Exmerge.
http://support.microsoft.com/default.aspx?scid=kb;en-us;821897
 
Clyde Burns

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Depp, Dennis M. 
Sent: Fri 5/14/2004 6:39 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Exchange 2003 Question



Use Exmerge.  I believe it is in the Exchange support tools for 2000 and 
2003. 

Denny 

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff 
Sent: Friday, May 14, 2004 6:18 PM 
To: [EMAIL PROTECTED] 
Subject: [ActiveDir] Exchange 2003 Question 
Importance: High 

Does anyone know how to do a search and destroy of an email message 
across mail stores? 

Thanks, 
S 



This message is confidential, intended only for the named recipient(s) and may contain 
information that is privileged or exempt from disclosure under applicable law. Any 
patient health information must be delivered immediately to intended recipient(s). If 
you are not the intended recipient(s), you are notified that the dissemination, 
distribution or copying of this message is strictly prohibited. If you receive this 
message in error, or are not the named recipient(s), please notify the sender at 
either the e-mail address or telephone number above and discard this e-mail. Thank 
you. 


[ActiveDir] OT: Compaq Smart Array Failed Drive

2004-05-14 Thread Brian Desmond
I have a Proliant 3000 (Win2k SP4, Exch2000) with ten spindles in it, three arrays 
hooked up to an SA3200 card. Three of the spindles are configured as spares in the 
three arrays. To me, when I set this up, it translated to if an active spindle fails, 
a spare will hop in and the mirror/strip set will rebuild. Apparently this isn't the 
case. A 9.1GB mirror broke last week, so, I went in the Smart Array configuration 
gadget with plans to make sure a spare became active.
 
The problem: the card/software won't activate a spare because it claims there's a 
problem with a drive in the array, and it won't let you modify an array until all the 
active drives are working. So, I took out the failed disk, and put in a blank. Now 
it's complaining that the drive is missing, and won't run until I put the drive back 
in. So, being sneaky as I am, I pulled a spare spindle out of the cage and slid it 
into the slot. Now Smart Array is bitching because it's missing a spare in the array, 
and see part A, you can't modify the array until all the physical units are working.
 
Does anybody know how the heck to make this POS program just rebuild the mirror on one 
of the spare disks? I've been goofing with it for most of the week. I have no plans to 
order a new disk, I have extras. I don't need to keep the thing fully stocked with 
spares as I plan to sell this fine piece of machinery to a yachtsman as a boat anchor 
come June.  
 
Thanks,
Brian