RE: [ActiveDir] Potential DNS issues after applying MS04-011
Just to clarify a bit, there is a race condition when the DC boots where netlogon starts before some other services, e.g. the KDC, are available. Netlogon thinks the DC no longer hosts those services and deregisters the corresponding SRV records. If the deregistration fails for some reason, then the SRV records stay around until scavenging deletes them, but if DDNS is working correctly, the deregistration occurs right away. This doesn't always happen since it all depends on the timing of netlogon startup versus the other services on DCs in your environment. If netlogon is restarted after the DC is fully up and running, the restart will trigger netlogon to correctly register all of its SRV records, including any that might have been deregistered at boot time. Any monitoring tools that check for the presence of SRV records should catch this problem.

I've been told that if this problem is endemic to your Windows 2000 forest, you will find that over time, some DCs start to become overloaded while others sit idle. This is because as the SRV records are removed, only those DCs that still have valid SRV records registered will be targeted for use.

My understanding is that this problem only affects Windows 2000 DCs, though at any service pack level with MS04-011 installed. Windows 2003 DCs do not experience this problem with or without MS04-011.

Wook

From: Grillenmeier, Guido
Sent: Thu 5/13/2004 11:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Potential DNS issues after applying MS04-011

Want all of you to be aware of the following - this Q-Article lists known issues with MS04-011: http://support.microsoft.com/default.aspx?scid=kb;en-us;835732

But I hope MS will update that Q-article very soon, as there is another very uncool issue with MS04-011, which causes issues with Windows 2000 DCs and DNS. Some DCs may no longer register their DNS entries correctly on restart. Sometimes the issue won't be apparent immediately, but it will become an issue once scavenging deletes the old records in DNS.

I have just verified this to be an issue at one of my customers - I know that the following DNS entries can be affected, which basically means that users can't authenticate to the box, it won't be registered as a GC etc.:
_GC
_KERBEROS
_KPASSWD

You can verify that these entries are not being registered for specific DCs by checking their netlogon.dns file in the c:\%systemdir%\system32\config folder and obviously by checking for the existence of the service records in DNS.

There is a hot fix to correct this specific problem - customers can request it via KB 841395, it went live on Tuesday. The problem has to do with a timing issue in the startup of netlogon (starts up before some of the other services are ready and thus doesn't think this machine provides certain services). As a temporary workaround after the DC/GC comes up one needs to stop and start netlogon.

/Guido
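A monitoring check of the kind Wook mentions, written as an added example (not code from the thread): it parses netlogon.dns-style SRV lines and reports which of the services Guido lists (_gc, _kerberos, _kpasswd, plus _ldap) a DC has stopped registering for its domain. The sample file contents are constructed; the domain name and DC name are placeholders.

```python
import re

# Domain-wide SRV owners a DC should register. _gc only applies to a
# global catalog; the DCs in Guido's report were GCs, so it is expected here.
EXPECTED_SERVICES = ("_ldap._tcp", "_kerberos._tcp", "_kpasswd._tcp", "_gc._tcp")

# netlogon.dns lines are zone-file style records, e.g.
#   _ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_netlogon_dns(text):
    """Return {owner_name: (port, target)} for every SRV line in the file.
    Non-SRV lines (A, CNAME records) and blank lines are ignored."""
    records = {}
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue
        owner = m["owner"].lower().rstrip(".")
        records[owner] = (int(m["port"]), m["target"].lower().rstrip("."))
    return records


def missing_services(text, domain, expected=EXPECTED_SERVICES):
    """Expected services with no domain-wide SRV record in this netlogon.dns.
    A non-empty result on a DC that was fine before its last reboot is the
    symptom described in the thread; restarting netlogon re-registers them."""
    owners = parse_netlogon_dns(text)
    domain = domain.lower().rstrip(".")
    return [svc for svc in expected if f"{svc}.{domain}" not in owners]


# Constructed sample: what a healthy GC/KDC writes to netlogon.dns ...
HEALTHY = """\
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.Default-First-Site-Name._sites.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.pdc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._udp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kpasswd._tcp.example.com. 600 IN SRV 0 100 464 dc1.example.com.
example.com. 600 IN A 10.0.0.1
"""

# ... and the same file after netlogon raced the KDC at boot (constructed):
# the GC and Kerberos records are gone, only LDAP is left.
AFTER_RACE = "\n".join(
    line for line in HEALTHY.splitlines()
    if not line.startswith(("_gc.", "_kerberos.", "_kpasswd."))
) + "\n"


if __name__ == "__main__":
    # In production, read each DC's netlogon.dns (or its DNS zone) and alert
    # whenever the list is non-empty.
    for name, text in (("healthy", HEALTHY), ("after race", AFTER_RACE)):
        gone = missing_services(text, "example.com")
        print(f"{name}: {'OK' if not gone else 'MISSING ' + ', '.join(gone)}")
```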
[ActiveDir] AD and Mac OSX disk quotas
Is there a script or documentation available for modifying the Active Directory schema to support OS X disk quotas? I have Mac users authenticating to AD but their home directories are stored on a Mac server. Home directories mount fine via SMB but I am unable to set disk quotas for individual users. Any help or references will be appreciated.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] 04-011 Issues
Hello all,

Would anybody working on 2000 server-based networks care to share experiences post 04-011 patch installation? As of now the installation at other customers' sites has shown no issues. However, I am about to deploy it at a quite critical site.

- Has anybody experienced the issues described in Q841382? If so, has anybody installed the patch offered in that very article and sorted out the problem?
- If ipsecw2k.sys, imcide.sys and dlttape.sys are not present/loaded on the machine, is it safe to say that the 04-011 patch installation will succeed, or are there more pitfalls I should be aware of?

Any other suggestion would be very much appreciated. I am aware of the DNS issue as posted by Guido.

Thank you
RE: [ActiveDir] Outlook 2003 via GPO?
It will put it back if you give it a chance, if you're referring to something I've seen. I had 3 servers on 3 different sites; each had a share called cdimages which were supposed to be manually synched but, of course, they never were. I made this into a DFS share and, as you say, DFS appeared to delete everything. It actually moves it to a hidden folder (ntfrs_pre_existing??), copies everything from the master server and then puts back what's needed from the other folder. This took a long time (one of the links is only 2Mbit and there were many GB of data) but it did all work in the end.

Steve

-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: 10 May 2004 21:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Outlook 2003 via GPO?

I think there's a way to pre-provision targets, but, I attempted to do it and FRS deleted all my stuff.
RE: [ActiveDir] OT: Research Question
Hey, you said it, not us!

As I slink back into VS2003...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Lou Vega [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

"programmers *and* IT professionals"... so us programmers are not IT professionals? ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

No, it's quite alright. One of the assignments I had this week was to ask programmers and IT professionals what factors in business are most important to them and why. So I went and asked all the ones I knew. I'm using all the answers to formulate the results for class.

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 2:34 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

Maybe I've misunderstood the question. You're asking for an answer to the question?

From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Yes, but having live data from people I 'know' (so to speak) makes this a much more personal assignment, and one that I am more likely to get a good grade on since I have a kindred feeling for the research data. I am using ALL the answers I get, as each one adds a little more to the overall picture. Plus, this isn't the only list this got posted on. ;)

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

lol.

Mitch, you probably want to insert favorite search engine for surveys. Places like Monster.com, Yahoo.com, Dice.com, etc. all keep that kind of information as well for marketing purposes. They may share. I'm sure the bureau of labor and statistics would keep such information as well. Not to mention psychological websites, those related to workplace issues (OSHA?) and industry magazines that also conduct such salary and well-being surveys.

Happy hunting.

Al

From: Zach Huseby [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you? Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,
Mitch
Noob college student
RE: [ActiveDir] TCP Port Blocking
Our remote users have always been domain members - it's part of our security policy. You're correct that an incorrect IPSec policy could cause issues, but the parts I left off were what I thought were obvious - only block what you know you can block, and include exclusion rules for things like either domain controllers and internal services boxes (like AV servers) or at least for the company's internal IP ranges.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Lee, Wook [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 6:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] TCP Port Blocking

The problem with trying to patch remote systems via GP is that simple things like ICMP blocking can prevent GP from applying. And it only works for W2K and XP clients that are members of the forest. It's not uncommon for remote users to be on systems that are just workgroup members.

Wook

From: Roger Seielstad
Sent: Thu 5/13/2004 1:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] TCP Port Blocking

I've not done it directly, but it's possible to use IPSec policies to block specific ports, which would do exactly what you're trying to do.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Mike Hogenauer [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] TCP Port Blocking

Sorry for the newbie-sounding question. How can I use Group Policy to block certain ports on all workstations in a certain OU? E.g. for the SASSER virus it's recommended to block TCP 5554 and 9996. I have remote users that I wanted to apply a GP to that will block these ports.

Thanks
Mike

Mike Hogenauer
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2115 | Fax: 425.497.1149
RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.
Um - no. The gethostbyname calls request that the network stack process a name resolution request.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: AD [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 6:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

The problem with name resolution is the fact that you have to HARD code your server names. That is what I am trying to stay away from.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 13, 2004 4:42 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Huh? Wouldn't the name resolution calls work better then?
http://msdn.microsoft.com/library/default.asp?url=

Al

From: AD [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Believe it or not Mike, I gave that idea a lot of thought. NSLookup -t NS DomainName.com. But I would have to create a shell object, capture the output to a file and then parse it. Not the cleanest solution. I was hoping to find an object that will kinda do it all.

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Thu 5/13/2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Couldn't you just query DNS (ie, nslookup aa.bb.cc) and look at the IPs returned?

Mike Thommes

-Original Message-
From: AD [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 13, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Hey Guys,

I am looking for a VB script or VB.NET code that would return the domain controllers (names or IP addresses) of a specific domain name on a workstation that is NOT a member of the domain.

When you add a computer to a domain (right click "My Computer", Properties, Computer Name, Change) you specify a domain name. When you click on OK it will ask you for a username and password, right? When you click "OK" the computer must talk with a domain controller to add your computer to the domain, right? I basically need that functionality.

Thank you in advance.

Yves St-Cyr
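The lookup the domain-join dialog performs under the hood, as an added example that is not from the thread and in Python rather than the VBScript/VB.NET Yves asked for: it builds a DNS SRV query for _ldap._tcp.dc._msdcs.<domain>, which needs only the domain name and no hard-coded server names, and parses the SRV answers from the wire-format reply. sample_response() is a constructed reply for a placeholder domain so the parser runs offline; enumerate_dcs() does the live UDP query against a DNS server address you supply.

```python
import socket
import struct

SRV_TYPE = 33
IN_CLASS = 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_srv_query(domain, query_id=0x1234):
    """Query for the DC locator record set of a domain, recursion desired."""
    qname = "_ldap._tcp.dc._msdcs." + domain
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", SRV_TYPE, IN_CLASS)


def read_name(msg, off):
    """Read a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2              # name ends after the first pointer
            off, hops = pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_srv_answers(msg):
    """Return sorted [(priority, weight, port, target)] from a DNS reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("DNS error, rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qdcount):               # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV_TYPE and rclass == IN_CLASS:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return sorted(records)


def enumerate_dcs(domain, dns_server, timeout=3.0):
    """Live lookup (needs network): list the DCs of `domain` via its DNS."""
    query = build_srv_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (dns_server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_srv_answers(data)


def sample_response():
    """Constructed reply for example.com with two DCs. It uses compression
    pointers exactly as a real server would: 0xC00C points at the question
    name (offset 12) and 0xC021 at its 'example.com' suffix (offset 33)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name("_ldap._tcp.dc._msdcs.example.com")
    question += struct.pack("!HH", SRV_TYPE, IN_CLASS)
    answers = b""
    for host in ("dc1", "dc2"):
        rdata = struct.pack("!HHH", 0, 100, 389) + encode_name(host)[:-1] + b"\xC0\x21"
        answers += b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, len(rdata)) + rdata
    return header + question + answers


if __name__ == "__main__":
    for prio, weight, port, target in parse_srv_answers(sample_response()):
        print(f"{target}:{port} (priority {prio}, weight {weight})")
```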
RE: [ActiveDir] OT: Research Question
Pay is important, obviously, but I'm now more interested in the overall strength of the company I work for, and a good stream of challenging projects to work on. I don't know what the median age is of the folks on this list, but I suspect it's probably at least a little younger than me (42) - maybe I'm completely wrong though. I'd be interested in knowing that. The reason I bring up age is that I'm no longer interested in jumping around from one company to another. I like where I am, our management is among the most respected in our industry, and what little politics I do endure, my immediate boss does a great job of shielding me from.

So what do I want now?
- Challenging work (variety)
- Recognition
- Training to keep an edge (formal [classroom] and informal [this list is a major resource])
- Opportunity to play with new things (new to me that is, e.g. Linux - I don't want to get pigeon-holed)
- Competitive pay
- Plenty of time off to play with my Triumph

If I could change one thing about work life, it would be NO MORE CUBICLES ;-)

Mark
RE: [ActiveDir] Potential DNS issues after applying MS04-011
Hi Wook,

Thanks for the additional details! I've been chasing my tail on this issue for about a week now. Is it too simplistic to think these problems could be avoided if service dependencies were used?

Mike Thommes

-Original Message-
From: Lee, Wook [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 2:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Potential DNS issues after applying MS04-011

Just to clarify a bit, there is a race condition when the DC boots where netlogon starts before some other services, e.g. the KDC, are available. Netlogon thinks the DC no longer hosts those services and deregisters the corresponding SRV records. If the deregistration fails for some reason, then the SRV records stay around until scavenging deletes them, but if DDNS is working correctly, the deregistration occurs right away. This doesn't always happen since it all depends on the timing of netlogon startup versus the other services on DCs in your environment. If netlogon is restarted after the DC is fully up and running, the restart will trigger netlogon to correctly register all of its SRV records, including any that might have been deregistered at boot time. Any monitoring tools that check for the presence of SRV records should catch this problem.

I've been told that if this problem is endemic to your Windows 2000 forest, you will find that over time, some DCs start to become overloaded while others sit idle. This is because as the SRV records are removed, only those DCs that still have valid SRV records registered will be targeted for use.

My understanding is that this problem only affects Windows 2000 DCs, though at any service pack level with MS04-011 installed. Windows 2003 DCs do not experience this problem with or without MS04-011.

Wook

From: Grillenmeier, Guido
Sent: Thu 5/13/2004 11:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Potential DNS issues after applying MS04-011

Want all of you to be aware of the following - this Q-Article lists known issues with MS04-011: http://support.microsoft.com/default.aspx?scid=kb;en-us;835732

But I hope MS will update that Q-article very soon, as there is another very uncool issue with MS04-011, which causes issues with Windows 2000 DCs and DNS. Some DCs may no longer register their DNS entries correctly on restart. Sometimes the issue won't be apparent immediately, but it will become an issue once scavenging deletes the old records in DNS.

I have just verified this to be an issue at one of my customers - I know that the following DNS entries can be affected, which basically means that users can't authenticate to the box, it won't be registered as a GC etc.:
_GC
_KERBEROS
_KPASSWD

You can verify that these entries are not being registered for specific DCs by checking their netlogon.dns file in the c:\%systemdir%\system32\config folder and obviously by checking for the existence of the service records in DNS.

There is a hot fix to correct this specific problem - customers can request it via KB 841395, it went live on Tuesday. The problem has to do with a timing issue in the startup of netlogon (starts up before some of the other services are ready and thus doesn't think this machine provides certain services). As a temporary workaround after the DC/GC comes up one needs to stop and start netlogon.

/Guido
[ActiveDir] OT: Ad hoc queries from within Excel
I'm constantly having users ask me to do some ad-hoc query on AD, and send them the output. Seems like it would be pretty cool to create an Excel add-in that would allow someone to import AD data directly into Excel. I've seen a few add-ins that query a SQL database like that, but has anyone already seen such a thing for AD? I don't want to reinvent the wheel; I'm just not finding anything so far on Google.

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
RE: [ActiveDir] OT: Research Question
Now I guess I should have written "programmers and other IT pros". Sorry.

Mitch Lawrence

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Posted At: Friday, May 14, 2004 7:09 AM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

Hey, you said it, not us!

As I slink back into VS2003...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Lou Vega [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

"programmers *and* IT professionals"... so us programmers are not IT professionals? ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

No, it's quite alright. One of the assignments I had this week was to ask programmers and IT professionals what factors in business are most important to them and why. So I went and asked all the ones I knew. I'm using all the answers to formulate the results for class.

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 2:34 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

Maybe I've misunderstood the question. You're asking for an answer to the question?

From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Yes, but having live data from people I 'know' (so to speak) makes this a much more personal assignment, and one that I am more likely to get a good grade on since I have a kindred feeling for the research data. I am using ALL the answers I get, as each one adds a little more to the overall picture. Plus, this isn't the only list this got posted on. ;)

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

lol.

Mitch, you probably want to insert favorite search engine for surveys. Places like Monster.com, Yahoo.com, Dice.com, etc. all keep that kind of information as well for marketing purposes. They may share. I'm sure the bureau of labor and statistics would keep such information as well. Not to mention psychological websites, those related to workplace issues (OSHA?) and industry magazines that also conduct such salary and well-being surveys.

Happy hunting.

Al

From: Zach Huseby [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you? Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,
Mitch
Noob college student
RE: [ActiveDir] OT: Research Question
Depends. I've seen many IT pros that couldn't program. I've seen many programmers that could do the IT pro job. Typically something gives when you do programming and infrastructure work. Very different mindsets. I usually just hope when I meet someone who claims to do both that hygiene skills aren't what was sacrificed. ;-)

From: Lou Vega [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

"programmers *and* IT professionals"... so us programmers are not IT professionals? ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

No, it's quite alright. One of the assignments I had this week was to ask programmers and IT professionals what factors in business are most important to them and why. So I went and asked all the ones I knew. I'm using all the answers to formulate the results for class.

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 2:34 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

Maybe I've misunderstood the question. You're asking for an answer to the question?

From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Yes, but having live data from people I 'know' (so to speak) makes this a much more personal assignment, and one that I am more likely to get a good grade on since I have a kindred feeling for the research data. I am using ALL the answers I get, as each one adds a little more to the overall picture. Plus, this isn't the only list this got posted on. ;)

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

lol.

Mitch, you probably want to insert favorite search engine for surveys. Places like Monster.com, Yahoo.com, Dice.com, etc. all keep that kind of information as well for marketing purposes. They may share. I'm sure the bureau of labor and statistics would keep such information as well. Not to mention psychological websites, those related to workplace issues (OSHA?) and industry magazines that also conduct such salary and well-being surveys.

Happy hunting.

Al

From: Zach Huseby [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you? Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,
Mitch
Noob college student
Re: [ActiveDir] AD and Mac OSX disk quotas
Let me look it up. It will just take me some time to put it all together. Just to get my bearings on the subject, let me ask some questions:

1. What is the specific OS version on your client Mac machines?
2. What is the specific OS version on your server Mac machines?
3. What is the exact hardware that you are using for your Mac servers?
4. How many Mac servers do you have and what are their utilizations (file and print, web, Open Directory, etc.)?

On May 14, 2004, at 3:33 AM, Cawan Starks wrote:

Is there a script or documentation available for modifying the Active Directory schema to support OS X disk quotas? I have Mac users authenticating to AD but their home directories are stored on a Mac server. Home directories mount fine via SMB but I am unable to set disk quotas for individual users. Any help or references will be appreciated.
RE: [ActiveDir] OT: Research Question
Thank you all for your responses. I got more than enough to make this an excellent look into what drives the individuals in this industry. It isn't complete, but it is a great look. Thank you again.

Thank you,
Mitchell D. Lawrence
Re: [ActiveDir] OT: Research Question
The favorite thing about my job is answering questions for students and interns. It gives me the warm fuzzies.

On May 13, 2004, at 12:05 PM, DL.ActiveDirectory wrote:

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you? Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,
Mitch
Noob college student
RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.
I think the original request was that it be VBScript or VB.NET. I suppose you could wrap the call, but I'm not sure it meets what he's looking for.

Additionally, I think we overcomplicated the request. I think he just wants to be able to add a workstation to a domain, which is a script similar to http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspx which uses the NetBIOS or short name of the domain to join (as do the built-in pieces). Otherwise, why do you want to find the members of a domain from a non-member workstation if not to join? Is there something else you're after? If so, you may want to investigate LDAP searching for DCs in a domain. You can pass the creds to the domain that are required for searching. DNS will do it, and the DNSGetHostbyname or sister method should be helpful there.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 6:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

This should be what you want...
http://msdn.microsoft.com/library/default.asp?url=

From: AD [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 5:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

The problem with name resolution is the fact that you have to HARD code your server names. That is what I am trying to stay away from.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 13, 2004 4:42 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Huh? Wouldn't the name resolution calls work better then?
http://msdn.microsoft.com/library/default.asp?url=

Al

From: AD [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Believe it or not Mike, I gave that idea a lot of thought. NSLookup -t NS DomainName.com. But I would have to create a shell object, capture the output to a file and then parse it. Not the cleanest solution. I was hoping to find an object that will kinda do it all.

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Thu 5/13/2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Couldn't you just query DNS (ie, nslookup aa.bb.cc) and look at the IPs returned?

Mike Thommes

-Original Message-
From: AD [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 13, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Hey Guys,

I am looking for a VB script or VB.NET code that would return the domain controllers (names or IP addresses) of a specific domain name on a workstation that is NOT a member of the domain.

When you add a computer to a domain (right click "My Computer", Properties, Computer Name, Change) you specify a domain name. When you click on OK it will ask you for a username and password, right? When you click "OK" the computer must talk with a domain controller to add your computer to the domain, right? I basically need that functionality.

Thank you in advance.

Yves St-Cyr
RE: [ActiveDir] HELP ! - password policy changing on replication
How are you monitoring your DCs? You can look for failure events preventing GP from being applied. Once you find one of those, you could dig deeper based on the information found. How's the PSS method coming along?

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 6:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP ! - password policy changing on replication

Further info - I found a posting by Joe that describes a similar issue - by looking at repadmin /showmeta on a DC where the policy is wrong, I can see the version of the 'wrong' attributes (like MaxPwdAge) is very high (60) with today's date and recent time, while the others are at 1 with the date/time of when we installed AD over 3 yrs ago. Clearly something is causing this to change on a DC someplace. I hoped the Originating DSA would tell me where the problem lies, but each time this flip-flops I see a different DC in that field. I need to know what to look for to figure out a) which DC is originating the problem and b) where the problem is. I suspect something related to our domain policy is corrupted on some DC, causing it to set itself to default values at its policy refresh, and this is replicating. Then when other DCs refresh their policy properly, they get the correct settings. Can anybody help? We're working our way to the right folks at MS PSS at this point...

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, May 13, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP ! - password policy changing on replication

We're experiencing a problem which I'm sure I've seen documented before... just can't remember where. Symptom is that people are having passwords expire prematurely - suddenly they're prompted for id/password when trying to access a resource, and if they log out/in they are told their password has expired. If, on the other hand, they just wait a bit instead of logging out/in, things work in a few minutes. It bounces back and forth every five minutes or so. Our Max password age is 90. When the user is OK, the time until expiration (as we calculate it based on PwdLastSet and Max Password Age) is what we expect. When the user is having problems, it appears it expired at 42 days. I recall something about password policy being set incorrectly so it flip-flops between 90 and 42 days. Can anybody tell me what that was all about???

Dave
RE: [ActiveDir] FW: Passwords
On *that* dc? Which dc do you have errors on? :) Seriously, do you have any errors going on? Replication, role, etc?

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have no errors on that DC, it is up and operational

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator down, or messed up?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, May 13, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords

Anyone have any ideas why this happens?

Justin A. Salandra, MCSE, Senior Network Engineer, Catholic Healthcare System, 212.752.7300 - office, 917.455.0110 - cell, [EMAIL PROTECTED]

-----Original Message-----
From: Levine, Jeffrey
Sent: Thursday, May 13, 2004 12:10 PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords

Justin, Several employees are getting normal messages to change their passwords, and they proceed to do so. The following day they are asked once again to change their password. Any reason? Should they ignore it? Please advise.

Jeffrey D. Levine, Accountant, Carmel Richmond Healthcare Rehabilitation Center, 88 Old Town Road, Staten Island, NY 10304, Phone: (718) 668-8541, Fax: (718) 980-6815, [EMAIL PROTECTED]

This message is a private communication. If you are not the intended recipient, please do not read, copy, or use it and do not disclose it to others. Please notify the sender of the delivery error by replying to this message, and then delete it from your system. Thank you.
RE: [ActiveDir] OT: Ad hoc queries from within Excel
We wrote a basic one that allows users to dump DL memberships to a spreadsheet with some of the attributes. Basically it was for the clerical folks that create phone lists for depts. and floors. I don't know if we can share. Also it's hard coded to our domains and OUs.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 6:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Ad hoc queries from within Excel

I'm constantly having users ask me to do some ad-hoc query on AD, and send them the output. Seems like it would be pretty cool to create an Excel add-in that would allow someone to import AD data directly into Excel. I've seen a few add-ins that query a SQL database like that, but has anyone already seen such a thing for AD? I don't want to reinvent the wheel, just not finding anything so far on Google.

Mark Creamer, Systems Engineer, Cintas Corporation, Honesty and Integrity in Everything We Do
RE: [ActiveDir] TCP Port Blocking
You will need to create an IPSEC policy and apply this via GPOs.

Denny

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, May 13, 2004 4:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] TCP Port Blocking

Sorry for the newbie sounding question. How can I use Group Policy to block certain ports on all workstations in a certain OU? Ex: for the SASSER virus it's recommended to block TCP 5554 and 9996. I have remote users that I wanted to apply a GP to that will block these ports.

Thanks
Mike

Mike Hogenauer, [EMAIL PROTECTED], Rendition Networks, Inc., 10735 Willows Rd NE, Suite 150, Redmond, WA 98052, 425.636.2115 | Fax: 425.497.1149
RE: [ActiveDir] FW: Passwords
I have two DCs and neither have any errors in any log.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

On *that* dc? Which dc do you have errors on? :) Seriously, do you have any errors going on? Replication, role, etc?

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have no errors on that DC, it is up and operational

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator down, or messed up?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, May 13, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords

Anyone have any ideas why this happens?

Justin A. Salandra, MCSE, Senior Network Engineer, Catholic Healthcare System, 212.752.7300 - office, 917.455.0110 - cell, [EMAIL PROTECTED]

-----Original Message-----
From: Levine, Jeffrey
Sent: Thursday, May 13, 2004 12:10 PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords

Justin, Several employees are getting normal messages to change their passwords, and they proceed to do so. The following day they are asked once again to change their password. Any reason? Should they ignore it? Please advise.

Jeffrey D. Levine, Accountant, Carmel Richmond Healthcare Rehabilitation Center, 88 Old Town Road, Staten Island, NY 10304, Phone: (718) 668-8541, Fax: (718) 980-6815, [EMAIL PROTECTED]

This message is a private communication. If you are not the intended recipient, please do not read, copy, or use it and do not disclose it to others. Please notify the sender of the delivery error by replying to this message, and then delete it from your system. Thank you.
RE: [ActiveDir] TCP Port Blocking
Great article that simplifies the creation of IPsec policies ...seeing that the GUI is nefarious... http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp

At 10:36 AM 5/14/2004, Depp, Dennis M. wrote:

You will need to create an IPSEC policy and apply this via GPOs.

Denny

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, May 13, 2004 4:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] TCP Port Blocking

Sorry for the newbie sounding question. How can I use Group Policy to block certain ports on all workstations in a certain OU? Ex: for the SASSER virus it's recommended to block TCP 5554 and 9996. I have remote users that I wanted to apply a GP to that will block these ports.

Thanks
Mike

Mike Hogenauer, [EMAIL PROTECTED], Rendition Networks, Inc., 10735 Willows Rd NE, Suite 150, Redmond, WA 98052, 425.636.2115 | Fax: 425.497.1149
RE: [ActiveDir] FW: Passwords
What happens if they ignore the password reset notification?

Al

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have two DCs and neither have any errors in any log.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

On *that* dc? Which dc do you have errors on? :) Seriously, do you have any errors going on? Replication, role, etc?

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have no errors on that DC, it is up and operational

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator down, or messed up?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, May 13, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords

Anyone have any ideas why this happens?

Justin A. Salandra, MCSE, Senior Network Engineer, Catholic Healthcare System, 212.752.7300 - office, 917.455.0110 - cell, [EMAIL PROTECTED]

-----Original Message-----
From: Levine, Jeffrey
Sent: Thursday, May 13, 2004 12:10 PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords

Justin, Several employees are getting normal messages to change their passwords, and they proceed to do so. The following day they are asked once again to change their password. Any reason? Should they ignore it? Please advise.

Jeffrey D. Levine, Accountant, Carmel Richmond Healthcare Rehabilitation Center, 88 Old Town Road, Staten Island, NY 10304, Phone: (718) 668-8541, Fax: (718) 980-6815, [EMAIL PROTECTED]

This message is a private communication. If you are not the intended recipient, please do not read, copy, or use it and do not disclose it to others. Please notify the sender of the delivery error by replying to this message, and then delete it from your system. Thank you.
Re: [ActiveDir] AD and Mac OSX disk quotas
Here is the specific attribute you are looking to import, although there is an entire apple-user class that you would probably want to import in order to support all of the apple controls. I have attached a copy of the latest version of the Apple OpenLDAP schema that is used for Open Directory. If you have OS X Server that is NOT 10.3.3 then you would want to find the apple.schema file located in /etc/openldap/schema/ on your OS X server.

Rather than provide you with a script or ldif that will import values for you, I think it best to provide the necessary information for you to make the best decision. I recommend that you research the reason for updating your AD schema and follow some basic good practice guidelines. See recipe 10.5 Extending the Schema in Robbie Allen's Active Directory Cookbook for more information about schema update best practices. Also check out KB 283791 from MS to find out how to do ldif schema updates.

changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.63.1000.1.1.1.1.8 NAME 'apple-user-homequota' DESC 'home directory quota' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

On May 14, 2004, at 9:59 AM, Brent Westmoreland wrote:

Let me look it up, it will just take me some time to put it all together. Just to get my bearings on the subject, let me ask some questions:
1. What is the specific OS version on your client Mac machines?
2. What is the specific OS version on your server Mac machines?
3. What is the exact hardware that you are using for your Mac servers?
4. How many Mac servers do you have and what are their utilizations (file and print, web, Open Directory, etc.)?

On May 14, 2004, at 3:33 AM, Cawan Starks wrote:

Is there a script or documentation available for modifying the Active Directory schema to support OS X disk quotas? I have Mac users authenticating to AD but their home directories are stored on a Mac server. Home directories mount fine via SMB but I am unable to set disk quotas for individual users. Any help or references will be appreciated.
[ActiveDir] consequences of setting password expiration length
Hi Folks, I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer. The question: a related company root admin wants to see a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect? TIA! Mike Thommes
RE: [ActiveDir] consequences of setting password expiration lengt h
Depends on which part of the process you're concerned about. Will the passwords expire at the same time? Not necessarily. They'll all expire at the interval of password expiration based on pwdLastSet. To play that out, if user 1 last set her pwd yesterday, she has until pwd expiration interval from yesterday. If user2 last set his pwd two weeks ago, he'll get the notification pwd expiration - 2 weeks. So, unless all accounts just had their pwd set at the exact same time, then no, they won't all get their pwd notification at the same time. They'll get it when they next meet the criteria. To be more articulate in your admin's case, they will all expire at the same time *interval* vs. the same exact moment in time. Not that it matters for most domains, but...

Al

From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks, I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer. The question: a related company root admin wants to see a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect? TIA! Mike Thommes
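Al's point, and the "time until expiration as we calculate it from PwdLastSet and Max Password Age" figure from the password-policy thread above, worked through in code. This is an added example, not code from any of the posters: it turns AD's pwdLastSet (a FILETIME, 100-ns ticks since 1601-01-01 UTC) and the domain's maxPwdAge (stored as a negative 100-ns interval) into an expiry date per user, and covers the edge cases a reporting script trips over: pwdLastSet = 0 (must change at next logon), the DONT_EXPIRE_PASSWD flag in userAccountControl, and a "never" maxPwdAge. The clock value and the three users are constructed.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
DONT_EXPIRE_PASSWD = 0x10000            # userAccountControl flag
NORMAL_ACCOUNT = 0x0200                 # userAccountControl flag
MAXPWDAGE_NEVER = -0x8000000000000000   # Int64.MinValue, shown as "(never)"


def filetime_to_datetime(ticks: int) -> datetime:
    # Integer arithmetic only: the tick count is too large for exact float seconds.
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def days_to_max_pwd_age(days: int) -> int:
    """The value an N-day maximum password age is stored as on the domain head (negative)."""
    return -days * 86400 * TICKS_PER_SECOND


def max_pwd_age_interval(max_pwd_age: int):
    """maxPwdAge is a negative 100-ns interval; 0 or Int64.MinValue means passwords never expire."""
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None
    return timedelta(microseconds=-max_pwd_age // 10)


def password_expiry(pwd_last_set: int, uac: int, max_pwd_age: int):
    """Return ('must_change', None), ('never', None) or ('expires', datetime)."""
    if pwd_last_set == 0:            # "user must change password at next logon"
        return "must_change", None
    if uac & DONT_EXPIRE_PASSWD:     # per-account override of the domain policy
        return "never", None
    interval = max_pwd_age_interval(max_pwd_age)
    if interval is None:
        return "never", None
    return "expires", filetime_to_datetime(pwd_last_set) + interval


def days_remaining(pwd_last_set: int, uac: int, max_pwd_age: int, now: datetime):
    """Status plus whole days until expiry (negative once it has passed)."""
    status, when = password_expiry(pwd_last_set, uac, max_pwd_age)
    if status != "expires":
        return status, None
    return ("expired" if when <= now else "expires"), (when - now).days


if __name__ == "__main__":
    # Constructed scenario: the thread's date and three users whose pwdLastSet
    # differ, evaluated under a 90-day policy and under the 42-day one.
    now = datetime(2004, 5, 14, 12, 0, tzinfo=timezone.utc)
    users = {
        "user1 (set yesterday)":   datetime_to_filetime(now - timedelta(days=1)),
        "user2 (set 2 weeks ago)": datetime_to_filetime(now - timedelta(days=14)),
        "user3 (set 60 days ago)": datetime_to_filetime(now - timedelta(days=60)),
    }
    for policy_days in (90, 42):
        print(f"maxPwdAge = {policy_days} days")
        for name, pls in users.items():
            status, days = days_remaining(pls, NORMAL_ACCOUNT, days_to_max_pwd_age(policy_days), now)
            print(f"  {name}: {status} {days if days is not None else ''}")
```

Every user gets the same 90-day interval measured from their own pwdLastSet, so the expiry moments are as staggered as the last password changes were; swapping in the 42-day value shows how a user who was fine under 90 days can suddenly be expired.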
RE: [ActiveDir] consequences of setting password expiration lengt h
Thanks, Al!

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration lengt h

Depends on which part of the process you're concerned about. Will the passwords expire at the same time? Not necessarily. They'll all expire at the interval of password expiration based on pwdLastSet. To play that out, if user 1 last set her pwd yesterday, she has until pwd expiration interval from yesterday. If user2 last set his pwd two weeks ago, he'll get the notification pwd expiration - 2 weeks. So, unless all accounts just had their pwd set at the exact same time, then no, they won't all get their pwd notification at the same time. They'll get it when they next meet the criteria. To be more articulate in your admin's case, they will all expire at the same time *interval* vs. the same exact moment in time. Not that it matters for most domains, but...

Al

From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks, I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer. The question: a related company root admin wants to see a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect? TIA! Mike Thommes
RE: [ActiveDir] consequences of setting password expiration length
It really depends on what type of group policy you use. On an interesting note - I just attended the Microsoft Security Strategies Road Show this week and the topic of passwords vs. passphrases was brought up. If you are willing to implement the policy - if you force your users to use a minimum 15 character password/passphrase (i.e. "my dog has fleas" which is 16 including spaces - remember with Windows you can use spaces in passwords) you can have them never be forced to change their password, not use lockouts after X bad attempts and still have just over 1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute force attack it would conceivably take thousands of years to crack a password.

- Minimum of 15 characters means no LMHash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries (credited to Mark Minasi)

Just a little idea they threw out there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks, I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer. The question: a related company root admin wants to see a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect? TIA! Mike Thommes
RE: [ActiveDir] consequences of setting password expiration lengt h
Now if you want to set a policy for say 91 days but everyone's password is over say 150 days, you can either get to 91 days by starting with a high policy age and slowly decrease it or you can manually expire people so they have to change and then once they all get changed, set your policy. To do the latter, check out expire on my website - free win32 tools of www.joeware.net. It will allow you to specify userids and minimum password ages for expiration. That way you can do it in some sort of controlled fashion and if someone recently changed their password (say after you gathered your list of who to change), it won't touch them unless you set the minimum password age very low.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration lengt h

Thanks, Al!

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration lengt h

Depends on which part of the process you're concerned about. Will the passwords expire at the same time? Not necessarily. They'll all expire at the interval of password expiration based on pwdLastSet. To play that out, if user 1 last set her pwd yesterday, she has until pwd expiration interval from yesterday. If user2 last set his pwd two weeks ago, he'll get the notification pwd expiration - 2 weeks. So, unless all accounts just had their pwd set at the exact same time, then no, they won't all get their pwd notification at the same time. They'll get it when they next meet the criteria. To be more articulate in your admin's case, they will all expire at the same time *interval* vs. the same exact moment in time. Not that it matters for most domains, but...

Al

From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks, I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer. The question: a related company root admin wants to see a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect? TIA! Mike Thommes
RE: [ActiveDir] consequences of setting password expiration length
It is a good idea. I use pass phrases... however, trying to use TS Manager to grab a session when you have a long password like that, it comes back and tells you bad password even though you can log into a "fresh" TS session just fine.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you use. On an interesting note - I just attended the Microsoft Security Strategies Road Show this week and the topic of passwords vs. passphrases was brought up. If you are willing to implement the policy - if you force your users to use a minimum 15 character password/passphrase (i.e. "my dog has fleas" which is 16 including spaces - remember with Windows you can use spaces in passwords) you can have them never be forced to change their password, not use lockouts after X bad attempts and still have just over 1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute force attack it would conceivably take thousands of years to crack a password.

- Minimum of 15 characters means no LMHash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries (credited to Mark Minasi)

Just a little idea they threw out there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks, I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer. The question: a related company root admin wants to see a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect? TIA! Mike Thommes
[ActiveDir] Offline Files
On a Windows XP machine, I have a GPO that is allowing Offline Files, and everything seemed okay when I was logged in as administrator; however, when I tried to make something available offline the option on the context menu was grayed out. How do I change this through the GPO? I don't see the setting.

Justin A. Salandra, MCSE, Senior Network Engineer, Catholic Healthcare System, 212.752.7300 - office, 917.455.0110 - cell, [EMAIL PROTECTED]
RE: [ActiveDir] FW: Passwords
The few thoughts I had:
1. Are they maybe using local accounts?
2. Did anyone check the attributes on the user objects in the domain, are they changed?
3. Have they logged off and logged on since changing the password or do they just lock and unlock the desktops?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 14, 2004 12:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Today it is saying 5 days left. I will have to wait 5 days to see what happens. They have been clicking ignore since two days ago they all changed their password.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

What happens if they ignore the password reset notification?

Al

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have two DCs and neither have any errors in any log.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

On *that* dc? Which dc do you have errors on? :) Seriously, do you have any errors going on? Replication, role, etc?

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have no errors on that DC, it is up and operational

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator down, or messed up?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, May 13, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords

Anyone have any ideas why this happens?

Justin A. Salandra, MCSE, Senior Network Engineer, Catholic Healthcare System, 212.752.7300 - office, 917.455.0110 - cell, [EMAIL PROTECTED]

-----Original Message-----
From: Levine, Jeffrey
Sent: Thursday, May 13, 2004 12:10 PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords

Justin, Several employees are getting normal messages to change their passwords, and they proceed to do so. The following day they are asked once again to change their password. Any reason? Should they ignore it? Please advise.

Jeffrey D. Levine, Accountant, Carmel Richmond Healthcare Rehabilitation Center, 88 Old Town Road, Staten Island, NY 10304, Phone: (718) 668-8541, Fax: (718) 980-6815, [EMAIL PROTECTED]

This message is a private communication. If you are not the intended recipient, please do not read, copy, or use it and do not disclose it to others. Please notify the sender of the delivery error by replying to this message, and then delete it from your system. Thank you.
[ActiveDir] Offline Files Modified Question
Let me modify my question: I noticed that with the My Documents folder, I am unable to specify whether to make it available offline or not.

Justin A. Salandra, MCSE, Senior Network Engineer, Catholic Healthcare System, 212.752.7300 - office, 917.455.0110 - cell, [EMAIL PROTECTED]
RE: [ActiveDir] consequences of setting password expiration length
I thought we were discussing end user policies though, not TS admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It is a good idea. I use pass phrases... however, trying to use TS Manager to grab a session when you have a long password like that, it comes back and tells you bad password even though you can log into a fresh TS session just fine.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you use. On an interesting note - I just attended the Microsoft Security Strategies Road Show this week and the topic of passwords vs. passphrases was brought up. If you are willing to implement the policy - if you force your users to use a minimum 15 character password/passphrase (i.e. "my dog has fleas" which is 16 including spaces - remember with Windows you can use spaces in passwords) you can have them never be forced to change their password, not use lockouts after X bad attempts and still have just over 1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute force attack it would conceivably take thousands of years to crack a password.

- Minimum of 15 characters means no LMHash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries (credited to Mark Minasi)

Just a little idea they threw out there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks, I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer. The question: a related company root admin wants to see a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect? TIA! Mike Thommes
RE: [ActiveDir] FW: Passwords
No. Attributes appear normal. They receive this when logging on, not when unlocking the workstation.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

The few thoughts I had:
1. Are they maybe using local accounts?
2. Did anyone check the attributes on the user objects in the domain, are they changed?
3. Have they logged off and logged on since changing the password or do they just lock and unlock the desktops?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 14, 2004 12:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Today it is saying 5 days left. I will have to wait 5 days to see what happens. They have been clicking ignore since two days ago they all changed their password.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

What happens if they ignore the password reset notification?

Al

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have two DCs and neither have any errors in any log.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

On *that* dc? Which dc do you have errors on? :) Seriously, do you have any errors going on? Replication, role, etc?

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have no errors on that DC, it is up and operational

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator down, or messed up?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, May 13, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords

Anyone have any ideas why this happens?

Justin A. Salandra, MCSE, Senior Network Engineer, Catholic Healthcare System, 212.752.7300 - office, 917.455.0110 - cell, [EMAIL PROTECTED]

-----Original Message-----
From: Levine, Jeffrey
Sent: Thursday, May 13, 2004 12:10 PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords

Justin, Several employees are getting normal messages to change their passwords, and they proceed to do so. The following day they are asked once again to change their password. Any reason? Should they ignore it? Please advise.

Jeffrey D. Levine, Accountant, Carmel Richmond Healthcare Rehabilitation Center, 88 Old Town Road, Staten Island, NY 10304, Phone: (718) 668-8541, Fax: (718) 980-6815, [EMAIL PROTECTED]

This message is a private communication. If you are not the intended recipient, please do not read, copy, or use it and do not disclose it to others. Please notify the sender of the delivery error by replying to this message, and then delete it from your system. Thank you.
RE: [ActiveDir] Outlook 2003 via GPO?
Mine never got copied back from the preexisting folder. Took me a while of wondering why replication hadn't started to go look at the source, and lo and behold the ntfrs_preexisting was empty.

--Brian

-Original Message-
From: Steve Rochford [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 6:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Outlook 2003 via GPO?

It will put it back if you give it a chance, if you're referring to something I've seen. I had 3 servers on 3 different sites; each had a share called cdimages which were supposed to be manually synched but, of course, they never were. I made this into a DFS share and, as you say, DFS appeared to delete everything. It actually moves it to a hidden folder (ntfrs_pre_existing??), copies everything from the master server and then puts back what's needed from the other folder. This took a long time (one of the links is only 2Mbit and there were many GB of data) but it did all work in the end.

Steve

-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: 10 May 2004 21:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Outlook 2003 via GPO?

I think there's a way to pre-provision targets, but, I attempted to do it and FRS deleted all my stuff.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] consequences of setting password expiration length
Correct.

--Brian

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer. The question: a related company root admin wants to set a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect?

TIA!
Mike Thommes
RE: [ActiveDir] OT: Ad hoc queries from within Excel
Thanks Brian, I hadn't seen that one. I'll take a look.

mc

-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Ad hoc queries from within Excel

Check out Richard Mueller's site - http://www.rlmueller.net/. He has some AD Excel stuff that you might be able to build off of. MSSQL can be set up as a linked server to AD via the OLE DB provider, so, if you had something to mail merge MSSQL, you could then mail merge AD through there.

--Brian

-Original Message-
From: Ayers, Diane [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Ad hoc queries from within Excel

We wrote a basic one that allows users to dump DL memberships to a spreadsheet with some of the attributes. Basically it was for the clerical folks that create phone lists for depts. and floors. I don't know if we can share. Also, it's hard coded to our domains and OUs.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 6:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Ad hoc queries from within Excel

I'm constantly having users ask me to do some ad-hoc query on AD, and send them the output. Seems like it would be pretty cool to create an Excel add-in that would allow someone to import AD data directly into Excel. I've seen a few add-ins that query a SQL database like that, but has anyone already seen such a thing for AD? I don't want to reinvent the wheel; just not finding anything so far on Google.

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
RE: [ActiveDir] consequences of setting password expiration length
But would you want a password policy weaker on your admins than on your users?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

I thought we were discussing end user policies though, not TS Admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It is a good idea. I use pass phrases... however, try using TS Manager to grab a session when you have a long password like that; it comes back and tells you bad password even though you can log into a "fresh" TS session just fine.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you use.

On an interesting note - I just attended the Microsoft Security Strategies Road Show this week and the topic of passwords vs. passphrases was brought up. If you are willing to implement the policy - if you force your users to use a minimum 15 character password/passphrase (i.e. "my dog has fleas", which is 16 including spaces - remember with Windows you can use spaces in passwords) you can have them never be forced to change their password, not use lockouts after X bad attempts and still have just over 1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute force attack it would conceivably take thousands of years to crack a password.

- Minimum of 15 characters means no LM hash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries (credited to Mark Minasi)

Just a little idea they threw out there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer. The question: a related company root admin wants to set a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect?

TIA!
Mike Thommes
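The arithmetic behind the passphrase figures quoted in this thread (and repeated in the later replies), as an added example that is not part of any list message: it reproduces the 26^15 keyspace and the 531,855 centuries at a million guesses per second, generalises to other alphabets, lengths and guess rates, and flags whether a password is short enough for Windows to store an LM hash. The 365-day year and the 14-character LM hash limit are assumptions made explicit in the code.

```python
# Added example: brute-force keyspace arithmetic for password/passphrase policy.
# Python integers are arbitrary precision, so the ~10^21 keyspace stays exact.

LOWERCASE = 26        # a-z
MIXED_CASE = 52       # a-z plus A-Z
PRINTABLE_ASCII = 95  # letters, digits, symbols and space

# Assumption: 365-day years, which is what reproduces the quoted 531,855 figure.
SECONDS_PER_CENTURY = 100 * 365 * 24 * 60 * 60

# Assumption: Windows stores no LM hash for passwords longer than 14 characters,
# which is why the thread says "minimum of 15 characters means no LM hash".
LM_HASH_MAX_LEN = 14


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols from the alphabet."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet_size must be >= 2 and length >= 1")
    return alphabet_size ** length


def centuries_to_exhaust(space: int, guesses_per_second: int) -> int:
    """Whole centuries needed to try every candidate in `space` at the given rate."""
    if guesses_per_second <= 0:
        raise ValueError("guesses_per_second must be positive")
    return space // (guesses_per_second * SECONDS_PER_CENTURY)


def lm_hash_stored(password: str) -> bool:
    """True if the password is short enough for an LM hash to be kept alongside the NT hash."""
    return len(password) <= LM_HASH_MAX_LEN


def summarize(alphabet_size: int, length: int, guesses_per_second: int) -> dict:
    """Keyspace, time to exhaust it, expected time (half the keyspace) and LM exposure."""
    space = keyspace(alphabet_size, length)
    return {
        "keyspace": space,
        "centuries_full": centuries_to_exhaust(space, guesses_per_second),
        "centuries_average": centuries_to_exhaust(space // 2, guesses_per_second),
        "lm_hash": length <= LM_HASH_MAX_LEN,
    }


if __name__ == "__main__":
    # The thread's figures: 15 lowercase letters at one million guesses per second.
    s = summarize(LOWERCASE, 15, 1_000_000)
    print(f"keyspace:             {s['keyspace']:,}")        # 1,677,259,342,285,725,925,376
    print(f"centuries to exhaust: {s['centuries_full']:,}")  # 531,855
    print(f"LM hash stored:       {s['lm_hash']}")           # False
    # Contrast: an 8-character lowercase password at the same rate is exhausted
    # in well under a century, and an LM hash is stored for it.
    print(summarize(LOWERCASE, 8, 1_000_000))
    print("'my dog has fleas' keeps an LM hash:", lm_hash_stored("my dog has fleas"))
```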
RE: [ActiveDir] FW: Passwords
2. Are they updated with the new value from when they changed?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 14, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

NO. Attributes appear normal. They receive this when logging on, not when unlocking the workstation.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

The few thoughts I had:

1. Are they maybe using local accounts?
2. Did anyone check the attributes on the user objects in the domain, are they changed?
3. Have they logged off and logged on since changing the password, or do they just lock and unlock the desktops?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 14, 2004 12:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Today it is saying 5 days left. I will have to wait 5 days to see what happens. They have been clicking ignore since two days ago, when they all changed their password.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

What happens if they ignore the password reset notification?

Al

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have two DCs and neither has any errors in any log.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

On *that* DC? Which DC do you have errors on? :) Seriously, do you have any errors going on? Replication, role, etc.?

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have no errors on that DC; it is up and operational.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator down, or messed up?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, May 13, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords

Anyone have any ideas why this happens?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: Levine, Jeffrey
Sent: Thursday, May 13, 2004 12:10 PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords

Justin,

Several employees are getting normal messages to change their passwords, and they proceed to do so. The following day they are asked once again to change their password. Any reason? Should they ignore it? Please advise.

Jeffrey D. Levine
Accountant
Carmel Richmond Healthcare Rehabilitation Center
88 Old Town Road
Staten Island, NY 10304
Phone: (718) 668-8541
Fax: (718) 980-6815
[EMAIL PROTECTED]
[ActiveDir] GPO refresh for computer policy?
I read somewhere that the computer policy refresh does not periodically apply unless there has been a change to the policy. Is that true?

We have a group that is proposing ACL'ing system files on servers in the computer policy. Is this a good idea or bad idea? Our belief is that it's overkill. But, if the above is true, then it negates some of the potential benefit that they're claiming they could get from having these files ACL'd in the GPO.

Thanks,
Mike
RE: [ActiveDir] FW: Passwords
2a. And is that updated value showing on both DCs correctly?

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

2. Are they updated with the new value from when they changed?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 14, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

NO. Attributes appear normal. They receive this when logging on, not when unlocking the workstation.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

The few thoughts I had:

1. Are they maybe using local accounts?
2. Did anyone check the attributes on the user objects in the domain, are they changed?
3. Have they logged off and logged on since changing the password, or do they just lock and unlock the desktops?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 14, 2004 12:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Today it is saying 5 days left. I will have to wait 5 days to see what happens. They have been clicking ignore since two days ago, when they all changed their password.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

What happens if they ignore the password reset notification?

Al

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have two DCs and neither has any errors in any log.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

On *that* DC? Which DC do you have errors on? :) Seriously, do you have any errors going on? Replication, role, etc.?

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have no errors on that DC; it is up and operational.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator down, or messed up?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, May 13, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords

Anyone have any ideas why this happens?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: Levine, Jeffrey
Sent: Thursday, May 13, 2004 12:10 PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords

Justin,

Several employees are getting normal messages to change their passwords, and they proceed to do so. The following day they are asked once again to change their password. Any reason? Should they ignore it? Please advise.

Jeffrey D. Levine
Accountant
Carmel Richmond Healthcare Rehabilitation Center
88 Old Town Road
Staten Island, NY 10304
Phone: (718) 668-8541
Fax: (718) 980-6815
[EMAIL PROTECTED]
RE: [ActiveDir] FW: Passwords
Are you on W2K or W3K AD?

Lynden

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

NO. Attributes appear normal. They receive this when logging on, not when unlocking the workstation.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

The few thoughts I had:

1. Are they maybe using local accounts?
2. Did anyone check the attributes on the user objects in the domain, are they changed?
3. Have they logged off and logged on since changing the password, or do they just lock and unlock the desktops?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 14, 2004 12:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Today it is saying 5 days left. I will have to wait 5 days to see what happens. They have been clicking ignore since two days ago, when they all changed their password.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

What happens if they ignore the password reset notification?

Al

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have two DCs and neither has any errors in any log.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

On *that* DC? Which DC do you have errors on? :) Seriously, do you have any errors going on? Replication, role, etc.?

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

I have no errors on that DC; it is up and operational.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator down, or messed up?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, May 13, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords

Anyone have any ideas why this happens?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: Levine, Jeffrey
Sent: Thursday, May 13, 2004 12:10 PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords

Justin,

Several employees are getting normal messages to change their passwords, and they proceed to do so. The following day they are asked once again to change their password. Any reason? Should they ignore it? Please advise.

Jeffrey D. Levine
Accountant
Carmel Richmond Healthcare Rehabilitation Center
88 Old Town Road
Staten Island, NY 10304
Phone: (718) 668-8541
Fax: (718) 980-6815
[EMAIL PROTECTED]

This message is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employer or agent responsible for delivering the message to the recipient, you are hereby notified that dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by email or telephone, and delete this message and all of its attachments.
[ActiveDir] Mixed network PC and Mac - AD or XServe
Hello:

I need some advice about file service, directory management, and user authentication in a mixed Windows/Mac environment.

I have a magazine client with approximately 70 users: half Macs, half Windows. As you might expect, the Macs are the art department and editorial; the PCs are business, advertising, etc. All workstations will either be running OSX (most recent) or WinXP Pro. Currently, there is no NOS, and file service is handled by a mixture of WinNT, Win2k, and AppleShare 9x.

My initial thought was to just let AD handle everything and spend the effort on getting the Macs to play nice with the Windows servers. Exchange is likely. However, the in-house IT guy wants to explore Apple's server offerings.

So, the questions are:

- Is the speed and quality of the Windows servers sufficient for Mac clients (many handling large image or graphics files)?
- Is AD managing of Macs and Mac users sufficient?
- If there is a reason to deploy an Apple server, can it be managed by AD? That is, can it play like a Windows member server?
- Finally, is there any reason to entertain running the whole shop under the Apple server and Open Directory?

Many thanks.

--
Noah M. Eiger
EIS Consulting for PRBO Conservation Science
510-717-5742
mailto:[EMAIL PROTECTED]
[EMAIL PROTECTED]
RE: [ActiveDir] consequences of setting password expiration lengt h
And would you want something that never changes? On the one hand it reduces your help-desk-password-reset-side-business impact. On the other hand, it is much more likely to be shared or otherwise circulated by silly users. Oh sure, "our policy prevents that" you say. But think about it. Is a policy that you don't enforce a worthless policy? I say it is.

OT: in case you're wondering, here's a group who claims to be able to crack Windows passwords in 13.6 seconds with standard OTF hardware. Not perfect, but interesting anyway: http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

Al

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

But would you want a password policy weaker on your admins than on your users?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

I thought we were discussing end user policies though, not TS Admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It is a good idea. I use pass phrases... however, try using TS Manager to grab a session when you have a long password like that; it comes back and tells you bad password even though you can log into a "fresh" TS session just fine.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you use.

On an interesting note - I just attended the Microsoft Security Strategies Road Show this week and the topic of passwords vs. passphrases was brought up. If you are willing to implement the policy - if you force your users to use a minimum 15 character password/passphrase (i.e. "my dog has fleas", which is 16 including spaces - remember with Windows you can use spaces in passwords) you can have them never be forced to change their password, not use lockouts after X bad attempts and still have just over 1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute force attack it would conceivably take thousands of years to crack a password.

- Minimum of 15 characters means no LM hash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries (credited to Mark Minasi)

Just a little idea they threw out there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer. The question: a related company root admin wants to set a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect?

TIA!
Mike Thommes
RE: [ActiveDir] GPO refresh for computer policy?
Mike-

It is true, but you can override that behavior through Admin. Template policy on a per-policy-area basis to force GPO to process during every foreground and background refresh regardless of whether the GPO has changed. The exception to this is that security policy (including file security) is automatically refreshed every 16 hours by default even if the GPO hasn't changed, and you can modify this by tweaking a reg value, which I can relay if you're interested.

If you're planning to use File Security policy then the only thing I would caution on is that it can be fairly expensive from a processing and time perspective to do this in policy, especially if you're recursing lots of files and folders. Unless you absolutely positively need to make sure that those files are constantly at the right set of perms, I wouldn't necessarily recommend doing this in policy--probably better off just scripting it for one-time and occasional setting outside of GPO.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 14, 2004 11:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO refresh for computer policy?

I read somewhere that the computer policy refresh does not periodically apply unless there has been a change to the policy. Is that true?

We have a group that is proposing ACL'ing system files on servers in the computer policy. Is this a good idea or bad idea? Our belief is that it's overkill. But, if the above is true, then it negates some of the potential benefit that they're claiming they could get from having these files ACL'd in the GPO.

Thanks,
Mike
RE: [ActiveDir] consequences of setting password expiration lengt h
Crap, I didn't even catch the part about never changing the password; that is asinine. Any admin who set a policy like that needs to be washing dishes for a living.

On the password reset help desk business, get a self-help reset web site... Cue Idan from M-Tec.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration lengt h

And would you want something that never changes? On the one hand it reduces your help-desk-password-reset-side-business impact. On the other hand, it is much more likely to be shared or otherwise circulated by silly users. Oh sure, "our policy prevents that" you say. But think about it. Is a policy that you don't enforce a worthless policy? I say it is.

OT: in case you're wondering, here's a group who claims to be able to crack Windows passwords in 13.6 seconds with standard OTF hardware. Not perfect, but interesting anyway: http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

Al

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

But would you want a password policy weaker on your admins than on your users?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

I thought we were discussing end user policies though, not TS Admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It is a good idea. I use pass phrases... however, try using TS Manager to grab a session when you have a long password like that; it comes back and tells you bad password even though you can log into a "fresh" TS session just fine.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you use.

On an interesting note - I just attended the Microsoft Security Strategies Road Show this week and the topic of passwords vs. passphrases was brought up. If you are willing to implement the policy - if you force your users to use a minimum 15 character password/passphrase (i.e. "my dog has fleas", which is 16 including spaces - remember with Windows you can use spaces in passwords) you can have them never be forced to change their password, not use lockouts after X bad attempts and still have just over 1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute force attack it would conceivably take thousands of years to crack a password.

- Minimum of 15 characters means no LM hash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries (credited to Mark Minasi)

Just a little idea they threw out there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer. The question: a related company root admin wants to set a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect?

TIA!
Mike Thommes
RE: [ActiveDir] consequences of setting password expiration lengt h
Cue Idan? Where's this at? URL?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 1:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

Crap, I didn't even catch the part about never changing the password; that is asinine. Any admin who sets a policy like that needs to be washing dishes for a living. On the password reset help desk business, get a self-help reset web site... Cue Idan from M-Tec.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

And would you want something that never changes? On the one hand it reduces your help-desk-password-reset-side-business impact. On the other hand, it is much more likely to be shared or otherwise circulated by silly users. Oh sure, "our policy prevents that," you say. But think about it. Is a policy that you don't enforce a worthless policy? I say it is.

OT: in case you're wondering, here's a group who claims to be able to crack Windows passwords in 13.6 seconds with standard OTF hardware. Not perfect, but interesting anyway: http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

Al

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

But would you want a password policy weaker on your admins than on your users?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

I thought we were discussing end user policies, though, not TS admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It is a good idea. I use pass phrases... however, try using TS Manager to grab a session when you have a long password like that: it comes back and tells you bad password, even though you can log into a "fresh" TS session just fine.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you use. On an interesting note, I just attended the Microsoft Security Strategies Road Show this week and the topic of passwords vs. passphrases was brought up. If you are willing to implement the policy, i.e. if you force your users to use a minimum 15 character password/passphrase (for instance "my dog has fleas", which is 16 including spaces; remember, with Windows you can use spaces in passwords), you can have them never be forced to change their password, not use lockouts after X bad attempts, and still have just over 1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute force attack it would conceivably take thousands of years to crack a password.

- Minimum of 15 characters means no LM hash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries (credited to Mark Minasi)

Just a little idea they threw out there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I think it has been battered around in one form or another, but I can't seem to find the answer. The question: a related company root admin wants to set a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect? TIA!

Mike Thommes

~~This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.~~
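The arithmetic behind Craig's three bullets (quoted in Russ's message above), as an added worked example that is not code from the thread or from Microsoft. It recomputes the 26^15 keyspace and the 531,855-century figure, and shows why the 15-character threshold is the security-relevant part: Windows keeps an LM hash only for passwords of 14 characters or fewer, and the LM hash is computed over the upper-cased password split into two independent 7-byte halves, which is what makes the fast time-memory trade-off attack Al linked (the EPFL result) practical. The one-million-guesses-per-second rate is the thread's; the 69-symbol LM alphabet and the 365-day year are stated assumptions, and "worst case" means exhausting the whole space (the average is half).

```python
"""Brute-force cost arithmetic behind the 15-character passphrase advice.

Added example: recomputes the figures quoted in the thread and shows why 15
characters matters for LM. Nothing here touches a SAM or Active Directory."""

SECONDS_PER_YEAR = 365 * 24 * 60 * 60     # assumption: 365-day year (matches the quoted figure)
LM_MAX_LENGTH = 14                        # LM hashes exist only for passwords <= 14 chars
LM_HALF = 7                               # ...hashed as two independent 7-byte DES keys
LM_ALPHABET = 69                          # assumption: upper-case letters, digits, keyboard symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def worst_case_seconds(space: int, guesses_per_second: int) -> int:
    """Seconds to try every candidate at a fixed guess rate."""
    return space // guesses_per_second


def worst_case_centuries(space: int, guesses_per_second: int) -> int:
    """Whole centuries to try every candidate (average case is half of this)."""
    return worst_case_seconds(space, guesses_per_second) // SECONDS_PER_YEAR // 100


def lm_hash_stored(password: str) -> bool:
    """Windows computes an LM hash only when the password is 14 characters or fewer;
    longer passwords leave only a placeholder in the LM field, so a 15-character
    minimum guarantees there is no LM hash to attack."""
    return len(password) <= LM_MAX_LENGTH


def lm_halves(password: str):
    """The two 7-byte inputs LM actually hashes: case folded to upper, null padded to 14.
    Each half is cracked on its own, so the second half of a 9-character password is
    two characters plus padding. Returns None when no LM hash would be stored."""
    if not lm_hash_stored(password):
        return None
    padded = password.upper().encode("ascii", "replace").ljust(LM_MAX_LENGTH, b"\0")
    return padded[:LM_HALF], padded[LM_HALF:]


def lm_work_factor() -> int:
    """Guesses to exhaust both LM halves independently, regardless of password length."""
    return 2 * keyspace(LM_ALPHABET, LM_HALF)


def compare(rate: int = 1_000_000) -> dict:
    """Worst-case brute-force seconds for the cases discussed in the thread."""
    return {
        "lm, any length up to 14":  worst_case_seconds(lm_work_factor(), rate),
        "nt, 8 lowercase letters":  worst_case_seconds(keyspace(26, 8), rate),
        "nt, 15 lowercase letters": worst_case_seconds(keyspace(26, 15), rate),
    }


if __name__ == "__main__":
    print(keyspace(26, 15))                                  # 1677259342285725925376
    print(worst_case_centuries(keyspace(26, 15), 1_000_000))  # 531855
    print(compare())
    print(lm_hash_stored("my dog has fleas"), lm_halves("Fleas4Me!"))
```

Note the shape of the result: the LM work factor is fixed at 2 × 69^7 no matter how strong the password is, which is why the 14/15-character boundary, not complexity, decides whether an attacker gets a quick win.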
RE: [ActiveDir] consequences of setting password expiration length
Identifying the issues is easy. Getting others to understand and work to resolve the issue is what separates the dish washers from the IT professionals and developers ;-)
Re: [ActiveDir] Mixed network PC and Mac - AD or XServe
I'm currently involved in migrating a network from Netware to AD/OS X Server. The problem with running Windows servers in a Mac environment is that Microsoft has no plans to support the latest AFP version, which kinda sucks for various reasons (auto reconnect, etc.). The best way I can come up with is to use AD as the authenticator (and for group policy support of Windows clients), and use OS X Server as the file server. The trick is to be able to apply policies to OS X users through Open Directory. There's supposed to be a way to use AD as the primary LDAP directory and pull additional attributes from another local directory, but I haven't quite figured it out yet. Samba can be configured to use Kerberos, but it's not the default. Macs can't really be managed from AD like Windows can. Same goes in the other direction too. So ya kinda need both (AD and OD). In my scenario, I'm shooting for single sign-on using Kerberos. To make it even more complicated, I would really like to authenticate from an MIT Kerberos realm, but Samba doesn't have support for that yet. Documentation is very limited when it comes down to the fine details, unfortunately.

Robbie Foust
OIT - Systems and Core Services
Duke University

Noah Eiger wrote:

Hello:

I need some advice about file service, directory management, and user authentication in a mixed Windows/Mac environment. I have a magazine client with approximately 70 users: half Macs, half Windows. As you might expect, the Macs are the art department and editorial; the PCs are business, advertising, etc. All workstations will either be running OS X (most recent) or WinXP Pro. Currently, there is no NOS, and file service is handled by a mixture of WinNT, Win2k, and AppleShare 9x. My initial thought was to just let AD handle everything and spend the effort on getting the Macs to play nice with the Windows servers. Exchange is likely. However, the in-house IT guy wants to explore Apple's server offerings.

So, the questions are:
- Is the speed and quality of the Windows servers sufficient for Mac clients (many handling large image or graphics files)?
- Is AD managing of Macs and Mac users sufficient?
- If there is a reason to deploy an Apple server, can it be managed by AD? That is, can it play like a Windows member server?
- Finally, is there any reason to entertain running the whole shop under the Apple server and Open Directory?

Many thanks.

-- Noah M. Eiger
EIS Consulting for PRBO Conservation Science
510-717-5742
mailto:[EMAIL PROTECTED]

[EMAIL PROTECTED]
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] consequences of setting password expiration length
http://www.psynch.com/ Idan works for M-Tec, IIRC

From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 12:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] consequences of setting password expiration length

Cue Idan? Where's this at? URL?
[ActiveDir] Dial-In Property Sheet and Windows XP SP1
Has anyone had any problem viewing the Dial-In property sheet with Windows XP SP1? Thanks.

LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded as a proposal, acceptance or as a statement of will or official statement from REPSOL YPF S.A. and/or subsidiaries and/or affiliates. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.
RE: [ActiveDir] Dial-In Property Sheet and Windows XP SP1
Install the Windows 2000 Adminpak.msi (ignore any warnings) and then install the 2003 Adminpak.msi over the top of it, and you'll have the Dial-in tab back.
RE: [ActiveDir] Dial-In Property Sheet and Windows XP SP1
This is one of my pet peeves for the ADUC in XP. See http://support.microsoft.com/?id=304718 and then search for "dial-in". Quote:

The Dial-in tab that configures Routing and Remote Access dial-in or VPN access and callback settings is removed when the Administration Tools package is installed on Windows XP clients. To remotely manage the RAS dial-in tab in Active Directory Users or Computers or Internet Authentication Server (IAS) from a Windows XP-based computer, use Terminal Services or Remote Desktop to access a Windows 2000-based or Windows Server 2003-based computer. Alternatively, log on to the console of a Windows 2000-based or Windows Server 2003-based computer to configure these settings directly.

-Stuart
[ActiveDir] GPO troubles
We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers "Not configured". Basically, we want all users to have password protected screensavers except a select few machines.

So, I created a security group called "No Screensaver" and added computer accounts that we don't want screensavers to be enforced on. Then I went into our default domain policy, and added deny read and deny apply GPO to this No Screensaver group. The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to "Not configured" and the Password Protect the Screensaver GPO is "Disabled".

Once a GPO is applied to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not configured" put it back to normal? I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it.

Thanks
RE: [ActiveDir] GPO troubles
Russ, I believe what you need to do is set up an OU and put those machines in it. Then set the group policy Computer Configuration setting "User Group Policy loopback processing mode". Set the screen saver policy accordingly in the User Configuration section. Then users who log in to those machines should no longer be subject to the policy that enforces the screen saver.

mc
RE: [ActiveDir] GPO troubles
Is it absolutely necessary to create a whole separate GPO for these computers? Seems like it will create an administrative nightmare. Can't you just deny access to the default domain GPO and it won't apply the screen saver settings?
RE: [ActiveDir] GPO troubles
I don't think so; screen savers are configured on the user, and you want to limit by the machine. That's why the loopback policy, and the reason for segregating the machines in a separate OU. Others please chime in if I'm wrong though...

mc
RE: [ActiveDir] HELP ! - password policy changing on replication
Well, we seem to be ok now. The repadmin /showmeta deal was one of the early things we tried in hopes of narrowing it down, but the values of three of those attributes kept incrementing and the Org DSA would be different virtually every time, so it was hard to chase back. Operations started noticing issues around 1:30 Thursday afternoon, and I got pulled in around 3:30 or so. After checking a few things and realizing that it was a policy flip-flop issue I advised them to contact PSS - it was some time before they actually did. After 4 hrs of working with PS over the phone, they escalated and our TAM sourced a local engineer, but it was around 11:30 before he was able to get there. He spent the night trying to isolate it - turned on some additional auditing, etc. Early this morning he turned off FRS on the PDCE and saw the GPT for the default domain GPO change on that DC anyhow - it was being changed by something under SYSTEM, but couldn't be more specific. The problem seemed to stabilize after that, however. (Note - it had stopped for well over an hour once late in the evening but then resumed). Anyhow, by 8:30 or so this AM we were pretty fried - fresh troops had arrived, things were quiet, and MS had escalated to Dev as they were unsure of the culprit. I went home and got a little sleep. I woke up a little while ago and checked in - apparently things are OK. They restarted FRS and got the PDCE's SYSVOL back in sync, and all has been holding. MS basically said 'we're not sure why it happened', 'every case is different', etc. Not that I'm dissing them - they did a lot of work to chase it, and we certainly could have been better prepared if we had been auditing object access and been able to figure out where it started. I haven't talked to them directly yet to see what, if anything, happened with their escalation to dev (they were doing so to see if they could determine what precisely was doing the changes in the SYSVOL on the PDCE when FRS was disabled).

Anyhow, so much for the day off I was supposed to have today... If we learn any more about root cause, I'll repost. At this point, we may never know. If nothing else, it added some fuel to my oft-repeated request to get some outside expertise to come in and help me define/implement improvements to our AD structure and monitoring - it's easy to get isolated in your thinking when you don't get to move around and see how things work in other environments. That's why this list is invaluable - thanks to all of you !

Dave

-Original Message-
From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/14/2004 11:23 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] HELP ! - password policy changing on replication

When it flips to a bad value, check the originating DSA with repadmin /showmeta, that should show you where the bad value came from which is *probably* a machine where a GPO INF file hasn't been updated. An alternative thing would be to do a CRC check of all files in all sysvols and look for the stuff that varies.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, May 13, 2004 6:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP ! - password policy changing on replication

Further info - I found a posting by Joe that describes a similar issue - by looking at repadmin /showmeta on a DC where the policy is wrong, I can see the version of the 'wrong' attributes (like MaxPwdAge) is very high (60) with today's date and recent time, while the others are at 1 with the date/time of when we installed AD over 3 yrs ago. Clearly something is causing this to change on a DC someplace. I hoped the Originating DSA would tell me where the problem lies, but each time this flip-flops I see a different DC in that field. I need to know what to look for to figure out a) which DC is originating the problem and b) where the problem is.

I suspect something related to our domain policy is corrupted on some DC, causing it to set itself to default values at its policy refresh, and this is replicating. Then when other DCs refresh their policy properly, they get the correct settings. Can anybody help ? We're working our way to the right folks at MS PSS at this point...

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David A
Sent: Thursday, May 13, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP ! - password policy changing on replication
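Joe's suggestion in the thread above (hash every file in every DC's SYSVOL and look for what varies) scripted as an added example; this is not code from the thread, from Dave's environment or from Microsoft. It assumes PowerShell 4 or later (for Get-FileHash), read access to each DC's SYSVOL share, and placeholder DC names and domain. Comparing the Policies folders directly finds the DC whose copy of a GPO (in particular its GptTmpl.inf, which holds the password policy) differs from the rest, which is more direct than chasing an Originating DSA that changes on every flip-flop.

```powershell
# Added example, not code from the thread: hash every file under each DC's SYSVOL Policies
# folder and report the files that differ (or are missing) between DCs. Assumes PowerShell 4+
# (Get-FileHash) and read access to \\<dc>\SYSVOL. DC names and domain below are placeholders.

function Get-SysvolPolicyHashes {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$DomainDnsName
    )
    $root   = "\\$DomainController\SYSVOL\$DomainDnsName\Policies"
    $hashes = @{}
    Get-ChildItem -Path $root -Recurse -File -ErrorAction Stop | ForEach-Object {
        # Key by path relative to Policies so the same file lines up across DCs.
        $relative = $_.FullName.Substring($root.Length).TrimStart('\')
        $hashes[$relative] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $hashes
}

function Compare-SysvolPolicies {
    param(
        [Parameter(Mandatory)][string[]]$DomainControllers,
        [Parameter(Mandatory)][string]$DomainDnsName
    )
    $hashesByDc = @{}
    foreach ($dc in $DomainControllers) {
        $hashesByDc[$dc] = Get-SysvolPolicyHashes -DomainController $dc -DomainDnsName $DomainDnsName
    }
    # Every relative path seen on any DC, so a file missing from one DC is reported too.
    $allPaths = $hashesByDc.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique
    foreach ($path in $allPaths) {
        $perDc = foreach ($dc in $DomainControllers) {
            $h = $hashesByDc[$dc][$path]
            [pscustomobject]@{ DC = $dc; Hash = $(if ($h) { $h } else { 'MISSING' }) }
        }
        $distinct = @($perDc.Hash | Select-Object -Unique).Count
        if ($distinct -gt 1) {
            [pscustomobject]@{
                File               = $path
                # GptTmpl.inf carries the account/password policy (MaxPwdAge and friends),
                # the attribute set that was flip-flopping in this thread, so flag it explicitly.
                IsSecurityTemplate = ($path -like '*GptTmpl.inf')
                PerDc              = ($perDc | ForEach-Object { "$($_.DC)=$($_.Hash)" }) -join '; '
            }
        }
    }
}

# Usage (placeholder names): list the files that are not identical on all three DCs,
# security templates first.
# Compare-SysvolPolicies -DomainControllers 'DC1','DC2','DC3' -DomainDnsName 'corp.example.com' |
#     Sort-Object IsSecurityTemplate -Descending | Format-Table -AutoSize
```

Run it while the policy is in the "bad" state and again after it flips back; a DC that shows a different GptTmpl.inf hash for the default domain policy in the first run is the one whose SYSVOL copy is being rewritten. An empty result means SYSVOL is consistent and the divergence is coming from somewhere other than the files themselves.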
RE: [ActiveDir] GPO troubles
I just thought you could avoid creating an OU mess by using the security permissions (apply gpo, deny gpo) on each GPO properties.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I don't think so - screen savers are configured on the user, and you want to limit by the machine. That's why the Loopback policy, and the reason for segregating the machines in a separate OU. Others please chime in if I'm wrong though...

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 4:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Is it absolutely necessary to create a whole separate GPO for these computers? Seems like it will create an administrative nightmare. Can't you just deny access to the default domain GPO and it won't apply the screen saver settings?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Russ, I believe what you need to do is set up an OU and put those machines in it. Then set the group policy Computer Configuration setting User Group Policy Loopback processing mode. Set the Screen Saver policy accordingly in the User Configuration section. Then users who log in to those machines should no longer be subject to the policy that enforces the screen saver.

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 3:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers "Not configured". Basically, we want all users to have password protected screensavers except a select few machines.

So, I created a security group called "No Screensaver" and added computer accounts that we don't want screensavers to be enforced on. Then I went into our default domain policy, and added deny read and deny apply gpo to this No Screensaver group. The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to "Not configured" and the Password Protect the Screensaver GPO is "Disabled". Once a GPO is applied to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not configured" put it back to normal? I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it.

Thanks

~~This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.~~
RE: [ActiveDir] GPO troubles
Russ- Not Configured essentially means 'do nothing', so to undo an enabled setting, you have to set the downstream GPO to Disabled. In your case, I'm assuming you're controlling the screensaver through User Configuration|Admin Templates. If that's the case, then your deny ACEs need to be on a user group, since it's the users that process this policy.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 14, 2004 12:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers "Not configured". Basically, we want all users to have password protected screensavers except a select few machines.

So, I created a security group called "No Screensaver" and added computer accounts that we don't want screensavers to be enforced on. Then I went into our default domain policy, and added deny read and deny apply gpo to this No Screensaver group. The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to "Not configured" and the Password Protect the Screensaver GPO is "Disabled". Once a GPO is applied to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not configured" put it back to normal? I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it.

Thanks
RE: [ActiveDir] GPO troubles
Yep, that would work if the *users* were in the OU, but your goal is to isolate the machines from the policy regardless of who the user is. We do this for our Win2K based video-conferencing systems. The execs kept getting annoyed when the monitor went into locked screensaver right in the middle of a video conference. Go figure ;-)

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 4:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I just thought you could avoid creating an OU mess by using the security permissions (apply gpo, deny gpo) on each GPO properties.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I don't think so - screen savers are configured on the user, and you want to limit by the machine. That's why the Loopback policy, and the reason for segregating the machines in a separate OU. Others please chime in if I'm wrong though...

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 4:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Is it absolutely necessary to create a whole separate GPO for these computers? Seems like it will create an administrative nightmare. Can't you just deny access to the default domain GPO and it won't apply the screen saver settings?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Russ, I believe what you need to do is set up an OU and put those machines in it. Then set the group policy Computer Configuration setting User Group Policy Loopback processing mode. Set the Screen Saver policy accordingly in the User Configuration section. Then users who log in to those machines should no longer be subject to the policy that enforces the screen saver.

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 3:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers Not configured. Basically, we want all users to have password protected screensavers except a select few machines.

So, I created a security group called No Screensaver and added computer accounts that we don't want screensavers to be enforced on. Then I went into our default domain policy, and added deny read and deny apply gpo to this No Screensaver group. The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to Not configured and the Password Protect the Screensaver GPO is Disabled. Once a GPO is applied to a PC, do you have to Disable it to unapply it, or will setting it to Not configured put it back to normal? I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it.

Thanks
Re: [ActiveDir] Mixed network PC and Mac - AD or XServe
My $0.02

In the existing situation, with 70 machines at one site, half Macs and half PCs, the choice is actually a dead giveaway... Xserves all the way. OS X Server with OpenDirectory and Samba 3 can handle the authentication needs of the whole shop. You don't need Active Directory at all. Active Directory has great scalability, replication, and enterprise level features but very little native support for clients other than Windows. OS X on the other hand can serve as a Windows PDC and Apple master directory using the exact same user records right out of the box, but it has lousy support for delegated administration and multimaster replication. The only downside to using all Xserves is the lack of group policy support for the Windows PCs, but if you only have 35, then so what.

Another positive to using OS X as an entry level NOS is that there are no Client Access Licenses with OS X's unlimited version. For a company of 70 people this allows them to double, triple, even quadruple their numbers without having to pay up every quarter for the new licenses they just bought. Not to mention server hardware costs; for a pretty well loaded box and a well negotiated Apple deal you can plan to spend 4700 to 6500 dollars per Apple server, and that is cheap. You don't see HP and IBM offering small shops a big discount on hardware, so they will pay close to retail for any servers that they purchase.

Finally, you go with an all OS X server solution, and you have effectively limited the dreaded 10th of the month server regression testing that we all have to do for MS patches. Yes, OS X has operating system patches too, but I have never had one apply that had a negative effect on my machine, and I mean NEVER.

If the client had 200 people and plans to open 5 sites throughout North South America this year, I would have to say go with an AD solution. In the meantime, I would ride the low-cost wave of Apple, until AD implements better alternative client support. Perhaps by then, OS X's solution will scale better and no migration would be necessary. We'll have a better picture when 10.4 is revealed.

On May 14, 2004, at 3:09 PM, Robbie Foust wrote:

I'm currently involved in migrating a network from Netware to AD/OS X Server. The problem with running Windows servers in a Mac environment is that Microsoft has no plans to support the latest AFP version, which kinda sucks for various reasons. (auto reconnect, etc)

Best way I can come up with is to use AD as the authenticator (and for group policy support of Windows clients), and use OS X Server as the file server. The trick is to be able to apply policies to OS X users through open directory. There's supposed to be a way to use AD as the primary LDAP directory and pull additional attributes from another local directory but haven't quite figured it out yet. Samba can be configured to use Kerberos, but it's not the default.

Macs can't really be managed from AD like Windows can. Same goes in the other direction too. So ya kinda need both (AD and OD). In my scenario, I'm shooting for single sign-on using Kerberos. To make it even more complicated, I would really like to authenticate from a MIT Kerberos realm, but Samba doesn't have support for that yet. Documentation is very limited when it comes down to the fine details, unfortunately.

Robbie Foust
OIT - Systems and Core Services
Duke University

Noah Eiger wrote:

Hello: I need some advice about file service, directory management, and user authentication in a mixed Windows/Mac environment. I have a magazine client with approximately 70 users: half Macs, half Windows. As you might expect, the Macs are the art department and editorial; the PCs are business, advertising, etc. All workstations will either be running OSX (most recent) or WinXP Pro. Currently, there is no NOS, and file service is handled by a mixture of WinNT, Win2k, and AppleShare 9x.

My initial thought was to just let AD handle everything and spend the effort on getting the Macs to play nice with the Windows servers. Exchange is likely. However, the in-house IT guy wants to explore Apple's server offerings. So, the questions are:
- Is the speed and quality of the Windows servers sufficient for Mac clients (many handling large image or graphics files)?
- Is AD managing of Macs and Mac users sufficient?
- If there is a reason to deploy an Apple server, can it be managed by AD? That is, can it play like a Windows member server?
- Finally, is there any reason to entertain running the whole shop under the Apple server and Open Directory?

Many thanks.

--
Noah M. Eiger
EIS Consulting for PRBO Conservation Science
510-717-5742
mailto:[EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive:
[ActiveDir] OT? Archiving DNS debugging logs?
My DNS guy would like to be able to archive the DNS debugging logs (eg, c:\winnt\system32\dns.log). Currently, you can indicate what size you like the log to be, and when it gets to that size, it just writes over itself. Has anyone found a way to automatically cut a new log file? TIA!

Mikke Thommes
RE: [ActiveDir] GPO troubles
If you truly want to control a user policy based on the computer, then loopback is the right choice. You don't have to create a separate OU to do that. It makes it more obvious when you have machines controlled by loopback in a separate OU, but you can use security permissions to control it, as you've suggested. So, the way this might work is that you create a new GPO, enable loopback policy, setting loopback mode to replace, leave the ScreenSaver settings at Not Configured and then permission the GPO by removing the Authenticated Users ACE and adding Read and Apply Group Policy perms to your excluded computer group.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 14, 2004 1:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I just thought you could avoid creating an OU mess by using the security permissions (apply gpo, deny gpo) on each GPO properties.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I don't think so - screen savers are configured on the user, and you want to limit by the machine. That's why the Loopback policy, and the reason for segregating the machines in a separate OU. Others please chime in if I'm wrong though...

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 4:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Is it absolutely necessary to create a whole separate GPO for these computers? Seems like it will create an administrative nightmare. Can't you just deny access to the default domain GPO and it won't apply the screen saver settings?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Russ, I believe what you need to do is set up an OU and put those machines in it. Then set the group policy Computer Configuration setting User Group Policy Loopback processing mode. Set the Screen Saver policy accordingly in the User Configuration section. Then users who log in to those machines should no longer be subject to the policy that enforces the screen saver.

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 3:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers "Not configured". Basically, we want all users to have password protected screensavers except a select few machines.

So, I created a security group called "No Screensaver" and added computer accounts that we don't want screensavers to be enforced on. Then I went into our default domain policy, and added deny read and deny apply gpo to this No Screensaver group. The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to "Not configured" and the Password Protect the Screensaver GPO is "Disabled". Once a GPO is applied to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not configured" put it back to normal? I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it.

Thanks
Re: [ActiveDir] GPO troubles
Mark is absolutely correct, the screensaver setting is a user policy. In order to fix this correctly and still use the default domain policy to set the screensaver you have to use loopback processing. One great thing about Active Directory is that it is designed to be extensible. Creating another OU or a sub OU of the workstation OU does not constitute an administration nightmare; it constitutes Active Directory operations. Now the question beckons, is loopback processing something that should be applied on a regular basis with 100 little sub OUs all containing exceptions? No, absolutely not. If you have that situation reconsider your OU structure and placement of Group Policies.

Here is the loopback processing article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;231287

On May 14, 2004, at 4:46 PM, Creamer, Mark wrote:

Yep, that would work if the *users* were in the OU, but your goal is to isolate the machines from the policy regardless of who the user is. We do this for our Win2K based video-conferencing systems. The execs kept getting annoyed when the monitor went into locked screensaver right in the middle of a video conference. Go figure ;-)

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 4:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I just thought you could avoid creating an OU mess by using the security permissions (apply gpo, deny gpo) on each GPO properties.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I don't think so - screen savers are configured on the user, and you want to limit by the machine. That's why the Loopback policy, and the reason for segregating the machines in a separate OU. Others please chime in if I'm wrong though...

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 4:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Is it absolutely necessary to create a whole separate GPO for these computers? Seems like it will create an administrative nightmare. Can't you just deny access to the default domain GPO and it won't apply the screen saver settings?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Russ, I believe what you need to do is set up an OU and put those machines in it. Then set the group policy Computer Configuration setting User Group Policy Loopback processing mode. Set the Screen Saver policy accordingly in the User Configuration section.

Then users who log in to those machines should no longer be subject to the policy that enforces the screen saver.

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 3:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a
RE: [ActiveDir] GPO troubles
Actually, now that I look at this, you may need to set the Screensaver policy in your loopback GPO to Disabled, if this GPO gets processed after the default domain GPO that sets this to enabled. Not sure now that I think about it, since loopback replace mode should do just that, but it's possible that replacing an "Enabled" policy with a "Not Configured" won't have the desired effect.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, May 14, 2004 1:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

If you truly want to control a user policy based on the computer, then loopback is the right choice. You don't have to create a separate OU to do that. It makes it more obvious when you have machines controlled by loopback in a separate OU, but you can use security permissions to control it, as you've suggested. So, the way this might work is that you create a new GPO, enable loopback policy, setting loopback mode to replace, leave the ScreenSaver settings at Not Configured and then permission the GPO by removing the Authenticated Users ACE and adding Read and Apply Group Policy perms to your excluded computer group.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 14, 2004 1:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I just thought you could avoid creating an OU mess by using the security permissions (apply gpo, deny gpo) on each GPO properties.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

I don't think so - screen savers are configured on the user, and you want to limit by the machine. That's why the Loopback policy, and the reason for segregating the machines in a separate OU. Others please chime in if I'm wrong though...

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 4:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Is it absolutely necessary to create a whole separate GPO for these computers? Seems like it will create an administrative nightmare. Can't you just deny access to the default domain GPO and it won't apply the screen saver settings?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Russ, I believe what you need to do is set up an OU and put those machines in it. Then set the group policy Computer Configuration setting User Group Policy Loopback processing mode. Set the Screen Saver policy accordingly in the User Configuration section. Then users who log in to those machines should no longer be subject to the policy that enforces the screen saver.

mc

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 3:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers "Not configured". Basically, we want all users to have password protected screensavers except a select few machines.

So, I created a security group called "No Screensaver" and added computer accounts that we don't want screensavers to be enforced on. Then I went into our default domain policy, and added deny read and deny apply gpo to this No Screensaver group. The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to "Not configured" and the Password Protect the Screensaver GPO is "Disabled". Once a GPO is applied to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not configured" put it back to normal? I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it.

Thanks
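Darren's two messages above (create a loopback GPO in replace mode, swap the Authenticated Users ACE for Read and Apply Group Policy on the excluded computer group, and set the screen saver policy to Disabled rather than Not Configured so it actually overrides the domain-level Enabled) scripted as an added example. This is not code from the thread or from Microsoft; it assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 or later with RSAT, so not the Windows 2000 era of the thread), and the GPO name, the OU distinguished name and the computer group name are placeholders.

```powershell
# Added example, not code from the thread: build the loopback GPO Darren describes with the
# GroupPolicy module. Requires RSAT / the GroupPolicy module and rights to create and link GPOs.
Import-Module GroupPolicy

$gpoName       = 'Workstation Loopback - No Screensaver'       # placeholder name
$computerGroup = 'No Screensaver'                               # the computer group Russ created
$linkTarget    = 'OU=Workstations,DC=corp,DC=example,DC=com'    # placeholder OU holding the PCs

New-GPO -Name $gpoName -Comment 'Loopback (replace): listed PCs are exempt from the screen saver lock' | Out-Null

# Computer Configuration > Administrative Templates > System > Group Policy >
# "User Group Policy loopback processing mode". UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User Configuration > Administrative Templates > Control Panel > Display >
# "Password protect the screen saver" set to Disabled (an explicit "0"), not Not Configured:
# Not Configured writes nothing, so the "1" from the default domain policy would remain.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaverIsSecure' -Type String -Value '0' | Out-Null

# Security filtering: remove the default Authenticated Users ACE and grant Read + Apply Group
# Policy only to the excluded computer group, so only those machines process the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None | Out-Null
Set-GPPermission -Name $gpoName -TargetName $computerGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Link where the computers live. The OU link is processed after the domain-level default
# domain policy, and loopback applies this GPO's user settings to whoever logs on to a member.
New-GPLink -Name $gpoName -Target $linkTarget -LinkEnabled Yes | Out-Null

# Check the result: the trustee list should show the computer group with GpoApply and
# no Authenticated Users entry.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
```

The computer group gets GpoApply, which includes Read, so the machine account can retrieve the GPO even in domains patched for MS16-072 (where user policy is fetched in the computer's security context). Members still need a reboot, or a `gpupdate /force` and a fresh logon, before the loopback mode takes effect, and `gpresult /r` on one of the machines is the quickest way to confirm the GPO shows up under both the computer and the user sections.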
RE: [ActiveDir] GPO troubles
So if we have password protected screensavers enabled, and I want to allow a specific PC to be configured to whatever the currently logged in user wants for a screensaver, do I set it back to "Not configured"? Or do I have to disable it, wait for it to apply, and then set it back to Not Configured? How do I go from enabled back to default?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, May 14, 2004 3:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Russ- Not Configured essentially means 'do nothing', so to undo an enabled setting, you have to set the downstream GPO to Disabled. In your case, I'm assuming you're controlling the screensaver through User Configuration|Admin Templates. If that's the case, then your deny ACEs need to be on a user group, since it's the users that process this policy.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 14, 2004 12:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers "Not configured". Basically, we want all users to have password protected screensavers except a select few machines.

So, I created a security group called "No Screensaver" and added computer accounts that we don't want screensavers to be enforced on. Then I went into our default domain policy, and added deny read and deny apply gpo to this No Screensaver group. The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to "Not configured" and the Password Protect the Screensaver GPO is "Disabled". Once a GPO is applied to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not configured" put it back to normal? I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it.

Thanks
[ActiveDir] authorize dhcp
I'm trying to authorize a DHCP server in a child domain as an enterprise admin and I get access denied. We are running a Win2k forest in mixed mode. Any suggestions? Thanks

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] authorize dhcp
Add the user ID you are running as to the DHCP Admins group on the DHCP server.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 14, 2004 4:09 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] authorize dhcp

I'm trying to authorize a DHCP server in a child domain as an enterprise admin and I get access denied. We are running a Win2k forest in mixed mode. Any suggestions? Thanks
RE: [ActiveDir] authorize dhcp
Is that always the standard procedure?

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 5:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] authorize dhcp

Add the user ID you are running as to the DHCP Admins group on the DHCP server.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 14, 2004 4:09 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] authorize dhcp

I'm trying to authorize a DHCP server in a child domain as an enterprise admin and I get access denied. We are running a Win2k forest in mixed mode. Any suggestions? Thanks
RE: [ActiveDir] 04-011 Issues
The only problems I have noticed with MS04-011 are that the older versions of shutdown.exe and printmig.exe didn't work. Printmig.exe actually ate up a nice chunk of memory in the process of hanging, but 3.0 works fine. We patched over 800 servers with only one case of performance issues related to an application: DEC PathWorks.

Ryan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Friday, May 14, 2004 1:42 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 04-011 Issues

Hello all, Anybody working on 2000 server-based networks would care to share experiences post 04-011 patch installation? As of now the installation at other customers' sites showed no issues. However I should be about to deploy it at a quite critical site.
- Has anybody experienced the issues described in Q841382? If so, has anybody installed and sorted out the problem with the patch offered in this very article?
- If ipsecw2k.sys, imcide.sys and dlttape.sys are not present/loaded on the machine, is it safe to say that the 04-011 patch installation will succeed, or are there more pitfalls I should be aware of?
Any other suggestion would be very appreciated. I am aware of the DNS issue as posted by Guido. Thank you
RE: [ActiveDir] GPO troubles
Good question. This stuff gets ugly quick. Just a quick test shows that if I either enable or disable that policy, then it's grayed out for the user, preventing them from changing it in either direction. The problem is that the first GPO to set this owns it, until another one comes along with the opposite setting or until the GPO no longer applies to the computer or user. So, you're in a sort of Catch-22 here where you can't manage it the way you want without using loopback, but the loopback policy doesn't "own" the setting, so you can't simply turn it off the way you want. Even if you first set it to disabled in the loopback policy and then tried to set it to Not Configured, it would still be delivered as enabled to the user via the default domain policy.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 14, 2004 2:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

So if we have password protected screensavers enabled, and I want to allow a specific PC to be configured to whatever the currently logged in user wants for a screensaver, do I set it back to "Not configured"? Or do I have to disable it, wait for it to apply, and then set it back to Not Configured? How do I go from enabled back to default?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, May 14, 2004 3:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Russ- Not Configured essentially means 'do nothing', so to undo an enabled setting, you have to set the downstream GPO to Disabled. In your case, I'm assuming you're controlling the screensaver through User Configuration|Admin Templates. If that's the case, then your deny ACEs need to be on a user group, since it's the users that process this policy.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 14, 2004 12:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers "Not configured". Basically, we want all users to have password protected screensavers except a select few machines. So, I created a security group called "No Screensaver" and added computer accounts that we don't want screensavers to be enforced on. Then I went into our default domain policy, and added deny read and deny apply GPO to this No Screensaver group. The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to "Not configured" and the Password Protect the Screensaver GPO is "Disabled". Once a GPO is applied to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not configured" put it back to normal? I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it. Thanks
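The resolution rule Darren describes (Not Configured is a no-op, a downstream GPO must say Disabled to undo an upstream Enabled, and security filtering on a User Configuration setting is evaluated against the user's groups, not the computer's) modelled as an added Python illustration. This is not code from the thread; the GPO and group names, including "No Screensaver Users", are constructed for the example.

```python
NOT_CONFIGURED, ENABLED, DISABLED = "Not Configured", "Enabled", "Disabled"


class GPO:
    """One linked GPO: its User Configuration value for the setting and the
    groups that carry a Deny on 'Apply Group Policy' (security filtering)."""
    def __init__(self, name, user_setting=NOT_CONFIGURED, deny_apply=()):
        self.name, self.user_setting = name, user_setting
        self.deny_apply = set(deny_apply)


def resolve_user_setting(gpos, user_groups, computer_groups):
    """Walk GPOs in link order (domain first, OU last); the last one that
    actually configures the setting owns it. computer_groups is accepted only
    to make the point that it plays no part: users process user policy."""
    del computer_groups
    result, owner = NOT_CONFIGURED, None
    for gpo in gpos:
        if gpo.deny_apply & set(user_groups):
            continue                      # filtered out for this user
        if gpo.user_setting != NOT_CONFIGURED:
            result, owner = gpo.user_setting, gpo.name   # Not Configured is a no-op
    return result, owner


# Russ's setup as posted: Deny ACE on a computer group, OU GPO Not Configured.
def as_posted():
    gpos = [GPO("Default Domain Policy", ENABLED, deny_apply={"No Screensaver"}),
            GPO("No Screensaver OU GPO", NOT_CONFIGURED)]
    return resolve_user_setting(gpos, {"Domain Users"}, {"No Screensaver"})


# Darren's first fix: the downstream GPO explicitly sets Disabled.
def downstream_disabled():
    gpos = [GPO("Default Domain Policy", ENABLED, deny_apply={"No Screensaver"}),
            GPO("No Screensaver OU GPO", DISABLED)]
    return resolve_user_setting(gpos, {"Domain Users"}, {"No Screensaver"})


# Darren's second fix: the Deny ACE sits on a group the *user* belongs to
# ("No Screensaver Users" is a constructed name).
def deny_on_user_group():
    gpos = [GPO("Default Domain Policy", ENABLED, deny_apply={"No Screensaver Users"}),
            GPO("No Screensaver OU GPO", NOT_CONFIGURED)]
    return resolve_user_setting(gpos, {"Domain Users", "No Screensaver Users"}, set())


if __name__ == "__main__":
    for case in (as_posted, downstream_disabled, deny_on_user_group):
        print(f"{case.__name__:20s} -> {case()}")   # as_posted stays Enabled
```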
[ActiveDir] Exchange 2003 Question
Does anyone know how to do a search and destroy of an email message across mail stores? Thanks, S
RE: [ActiveDir] Exchange 2003 Question
Use Exmerge. I believe it is in the Exchange support tools for 2000 and 2003.

Denny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Friday, May 14, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange 2003 Question
Importance: High

Does anyone know how to do a search and destroy of an email message across mail stores? Thanks, S
[ActiveDir] OT exchange settings
What is the purpose of the Exchange Settings folder (which is empty) under the PDC/RID/Infrastructure master DC in AD Sites and Services? And how does Exchange or AD pick which server to place it under? Finally, if I'm decommissioning that server, how do I move this folder, or will it move automagically? What will break? I know, a lot of questions for an OT. Sorry. Thanks for any advice and info.
RE: [ActiveDir] Exchange 2003 Question
You will also have to give yourself (or some account) access to all the mailboxes to use Exmerge. http://support.microsoft.com/default.aspx?scid=kb;en-us;821897

Clyde Burns

-Original Message-
From: [EMAIL PROTECTED] on behalf of Depp, Dennis M.
Sent: Fri 5/14/2004 6:39 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Exchange 2003 Question

Use Exmerge. I believe it is in the Exchange support tools for 2000 and 2003.

Denny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Friday, May 14, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange 2003 Question
Importance: High

Does anyone know how to do a search and destroy of an email message across mail stores? Thanks, S

This message is confidential, intended only for the named recipient(s) and may contain information that is privileged or exempt from disclosure under applicable law. Any patient health information must be delivered immediately to intended recipient(s). If you are not the intended recipient(s), you are notified that the dissemination, distribution or copying of this message is strictly prohibited. If you receive this message in error, or are not the named recipient(s), please notify the sender at either the e-mail address or telephone number above and discard this e-mail. Thank you.
[ActiveDir] OT: Compaq Smart Array Failed Drive
I have a Proliant 3000 (Win2k SP4, Exch2000) with ten spindles in it, three arrays hooked up to an SA3200 card. Three of the spindles are configured as spares in the three arrays. To me, when I set this up, it translated to: if an active spindle fails, a spare will hop in and the mirror/stripe set will rebuild. Apparently this isn't the case. A 9.1GB mirror broke last week, so I went into the Smart Array configuration gadget with plans to make sure a spare became active. The problem: the card/software won't activate a spare because it claims there's a problem with a drive in the array, and it won't let you modify an array until all the active drives are working. So, I took out the failed disk and put in a blank. Now it's complaining that the drive is missing, and won't run until I put the drive back in. So, being sneaky as I am, I pulled a spare spindle out of the cage and slid it into the slot. Now Smart Array is bitching because it's missing a spare in the array, and see part A, you can't modify the array until all the physical units are working. Does anybody know how the heck to make this POS program just rebuild the mirror on one of the spare disks? I've been goofing with it for most of the week. I have no plans to order a new disk, I have extras. I don't need to keep the thing fully stocked with spares as I plan to sell this fine piece of machinery to a yachtsman as a boat anchor come June. Thanks, Brian