RE: [ActiveDir] Excel plugin for directory access
Ok, I saw both this and Michael's response. I will add more weight to the consideration. Note that the lack of breakout of the deletions (and the undeletes for that matter) wasn't a function of what MS was doing with the ds* tools. It was my consideration of the operation and whether or not it fit into the parameter scheme easily without making it too weird. All of those ops consist of modifying an existing object (a delete is basically a move and clearing of attribs if you think about it / an undelete is a move and population of some attribs) and all have similar parameters for use. I will see what I had going for parameters so far in the adadd code and see if I did anything that wouldn't easily work into admod.

I must be getting old, I can't even recall off the top of my head the parameters I have set for it yet in the code... :o)

Oh well, I have to hop a plane to Boise now. I'll see some of you in Redmond next week.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 2:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Excel plugin for directory access

I vote for putting add functionality in admod and not breaking it out as a separate tool. (You didn't put AD deletions into a separate tool.)

Robbie Allen
http://www.rallenhome.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 02, 2004 1:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Excel plugin for directory access

I haven't looked at this but saw an email on it today... It is an Active Directory plugin for Excel 2003. This is not in any way related to joeware nor ADFind and I do not otherwise endorse or recommend it; however, I know some folks were looking for this capability, so I thought I would let you know I ran into it and they may want to check it out.

http://bink.nu/?ArticleID=2782

FYI, I am looking at the CSV options. I want to make sure that they are consistent across adfind, admod, and the up and coming adadd [1].

joe

[1] Yeah, that is a stupid name I know, but I have to stick with the convention or possibly wrap it into admod, which I may do just because of how bad that name is...
[ActiveDir] ProxyAddress Verification Tools
What is the best tool out there that checks and verifies proxyaddresses are good (format and info) and not duplicated in a forest? I have a perl script to do it, but would like something faster and don't really want to write it, but will if I have to.

You are verifying your proxyaddresses, right? If not, you might consider it. In my last position at a world class widget factory company that was a huge issue and caused Exchange great stress. We found thousands of issues in the proxyaddresses.

joe
Re: [ActiveDir] ProxyAddress Verification Tools
I've only seen this type of verification with provisioning systems that were developed in-house. Well, that and the Exchange 5.5 Admin program that does a syntax check and finds any duplicates. The standard AD UI tools are not so fussy and appear to let you add duplicates. MIIS might offer some possibilities in this area.

Tony

-- Original Message --
From: joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 3 Nov 2004 06:22:15 -0500

What is the best tool out there that checks and verifies proxyaddresses are good (format and info) and not duplicated in a forest? I have a perl script to do it, but would like something faster and don't really want to write it, but will if I have to.

You are verifying your proxyaddresses, right? If not, you might consider it. In my last position at a world class widget factory company that was a huge issue and caused Exchange great stress. We found thousands of issues in the proxyaddresses.

joe

Sent via the WebMail system at mail.activedir.org

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Scripting help
Hi to all from Darkest Africa!!

Can anyone assist me with a scripting issue? I've generated a list of the groups in my AD by using dsquery. I have a text file as output. I've been able to read this into a file and extract some information. However my management wants a list of all the Distribution lists only, with the Name of the Group and who its Manager is. My script generates all the requisite info but I can't get it to differentiate between Security groups and DLs. We have a bunch of Security Groups that have had Exchange e-mail addresses added to them and so are being used as DLs as well. It appears that all the DLs have a proxyAddresses attribute. Is there any way I can do a script-based search through the whole of the domain and extract all groups that have this attribute and return the values that I need?

Any help would be really appreciated as I'm completely new to this.

Regards
Peter Johnson
[ActiveDir] Write Cache Enabled
Return Receipt

Your document: [ActiveDir] Write Cache Enabled
was received by: Lucia Washaya/UNAMSIL
at: 03/11/2004 12:22:52 GMT
RE: [ActiveDir] RESOLVED: A weird one (or Joeware vs. MS)
If anyone here is interested, I have been able to nail the issue. After deeper investigation, I found that moving the W2K3 servers into the client's OU (different GPOs that force the client to "Send NTLMv2 response only") resolved the issue.

The problem was caused by domain member servers of forestA.com not being able to negotiate an NTLM dialect with forestA.com DCs. forestA.com DCs are configured to "Send NTLMv2 response only". Windows servers (if not explicitly configured) default to "Send LM & NTLM responses" (see http://www.microsoft.com/resources/documentation/windowsserv/2003/standard/proddocs/en-us/576.asp for details). forestB.com DCs are using a less strict Domain Controllers GPO, hence servers in forestA.com were able to negotiate an NTLM dialect with forestB.com DCs, but not with forestA.com DCs.

The interesting part is that apparently Task Scheduler is not capable of doing Kerberos and tries only NTLM (and I was trying to chase Kerberos).

So for the sake of others: if you configure your DCs to "Send NTLMv2 only", the default settings of W2K3 member servers will prevent them from talking to DCs using NTLM. Forcing the clients to "Send NTLMv2" will make the problem disappear.

Guy

From: [EMAIL PROTECTED] on behalf of Guy Teverovsky
Sent: Thu 10/28/2004 5:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS)

Hi Eric,

All W2K3. And yes, as I wanted to eliminate any other issues, I was using forestA's domain accounts, which are members of the local Administrators group (and the member servers' GPO regarding user rights is at defaults). I even tried forestA's Administrator account.

2 W2K3 forests. Both at W2K3 FFL with all domains at W2K3 Native mode.
forestB.com has 3 child domains ([EMAIL PROTECTED] can schedule the job on host.forestA.com)
forestA.com is a single domain (this is where the W2K3 hosts are)
forestA.com trusts forestB.com

The problem is observed only on W2K3 member servers. The following works against a W2K member server or XP (with the same RSoP), but fails against W2K3 (Standard and Enterprise):

C:\>schtasks /Create /RU ForestA\administrator /RP password /SC Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X

X.X.X.X is a host in ForestA.com.

Tell me if you need more info (DCs' RSoP, member servers' RSoP?).

Thanks a lot!
Guy

On Wed, 2004-10-27 at 19:22 -0700, Eric Fleischman wrote:

Silly question perhaps: does the acct in question have "log on as a batch job" (and any other rights required, perhaps "log on locally"?) that it needs for the job to run? I can set this up in my lab tomorrow to see if it works/fails and take a peek, just let me know what OSs are involved (all 2003, since it is a forest trust I think you said below?).

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, October 27, 2004 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS)

Already tried most of what you mentioned. Same error when using a forestA account on the console of the host.forestA.com box. Scheduling remotely - same error. Nothing in the event log and the sniffer does not even show Kerb traffic (I'll do more tests tomorrow, but meanwhile I was not successful at catching any authentication traffic between the host and DCs from either forest, but it could be the hour...). It looks like the API just fails and says: "Hey! I am not aware of the account domain you are trying to make me look at!" (tried ForestA\user, UPN and Kerb principal - same result). Tried both by IP and by hostname.

The error I get:

C:\>schtasks /Create /RU ForestA\administrator /RP password /SC Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X
WARNING: The task name test1 already exists. Do you want to replace it (Y/N)? y
WARNING: The scheduled task test1 has been created, but may not run because the account information could not be set.

Clocks are synced and alright across the forests. The event logs are perfectly clean. Actually this is the only issue I have with the server (and it's ALL W2K3 member servers in forestA that show this behavior). The strange thing that I have found right now is that the forestA DCs are immune to this weirdness (forestA accounts can be used to schedule jobs on forestA DCs).

Guy

On Wed, 2004-10-27 at 16:29 -0400, joe wrote:

I have to say that seems to be a weird one... But I am glad that cpau helps it work for you. :o) Are you doing this remotely? What happens if you sit down on host.forestA.com with a forestA userid and try to schedule the task? Also can you try to schedule it remotely with just the IP address? If that works, the issue is probably somewhere in kerberos and I would start looking for kerb errors and verify SPN's are
RE: [ActiveDir] Scripting help
Here's but two possible ways that sprang to mind.

Returns security groups only -

dsquery * domainroot -filter "(&(objectcategory=group)(!(sAMAccountType:1.2.840.113556.1.4.803:=1)))"

Returns DLs only -

dsquery * domainroot -filter "(&(objectcategory=group)(sAMAccountType:1.2.840.113556.1.4.803:=1))"

Deano

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, November 03, 2004 3:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting help

Hi to all from Darkest Africa!!

Can anyone assist me with a scripting issue? I've generated a list of the groups in my AD by using dsquery. I have a text file as output. I've been able to read this into a file and extract some information. However my management wants a list of all the Distribution lists only, with the Name of the Group and who its Manager is. My script generates all the requisite info but I can't get it to differentiate between Security groups and DLs. We have a bunch of Security Groups that have had Exchange e-mail addresses added to them and so are being used as DLs as well. It appears that all the DLs have a proxyAddresses attribute. Is there any way I can do a script-based search through the whole of the domain and extract all groups that have this attribute and return the values that I need?

Any help would be really appreciated as I'm completely new to this.

Regards
Peter Johnson
Re: [ActiveDir] ProxyAddress Verification Tools
Not being nearly as prolific a coder as other folks on this list, Access is a pretty nifty tool for this. Macroing a directory dump into a linked table and then doing various queries is simple enough even for me to figure out.

On 11/3/04 7:01 AM, Tony Murray [EMAIL PROTECTED] wrote:

I've only seen this type of verification with provisioning systems that were developed in-house. Well, that and the Exchange 5.5 Admin program that does a syntax check and finds any duplicates. The standard AD UI tools are not so fussy and appear to let you add duplicates. MIIS might offer some possibilities in this area.

Tony

-- Original Message --
From: joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 3 Nov 2004 06:22:15 -0500

What is the best tool out there that checks and verifies proxyaddresses are good (format and info) and not duplicated in a forest? I have a perl script to do it, but would like something faster and don't really want to write it, but will if I have to.

You are verifying your proxyaddresses, right? If not, you might consider it. In my last position at a world class widget factory company that was a huge issue and caused Exchange great stress. We found thousands of issues in the proxyaddresses.

joe

Sent via the WebMail system at mail.activedir.org
RE: [ActiveDir] ProxyAddress Verification Tools
When you say verify, what do you mean exactly? That means multiple things to me, such as whether one was created, whether there are dups, whether it conforms to the naming standards, and so on. Can you provide some boundaries?

Personally, I haven't seen anything that does this as a tool. Although it's expected that this is built in to the creation process, there are ways this can get messed up and there are ways to circumvent even the safeguards built into the Exchange product. There are ways to prevent it as well, such as having a good system of unique IDs for the user LHS of the SMTP addresses etc. In practice, you never see users with unfriendly SMTP addresses for very long though :)

Haven't looked at the new health checker to see if it identifies proxy-address issues. Probably should.

I would think a perl or vbscript with regular expressions would be helpful, but for dups it would require a little more effort to catch before monitoring does, especially in a large environment. Some sort of database app would be most efficient I would think.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 03, 2004 6:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ProxyAddress Verification Tools

What is the best tool out there that checks and verifies proxyaddresses are good (format and info) and not duplicated in a forest? I have a perl script to do it, but would like something faster and don't really want to write it, but will if I have to.

You are verifying your proxyaddresses, right? If not, you might consider it. In my last position at a world class widget factory company that was a huge issue and caused Exchange great stress. We found thousands of issues in the proxyaddresses.

joe
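A checker of the kind joe and Al are describing, written here as an added example rather than anything posted in the thread: it runs over a constructed dump of proxyAddresses values and reports values that do not parse, objects that do not have exactly one primary SMTP: address, and addresses that appear on more than one object (compared case-insensitively, since SMTP routing does not distinguish case). The conventions it enforces (TYPE:address values, one upper-case "SMTP:" primary, lower-case "smtp:" secondaries) and the sample data are assumptions of this example.

```python
import re
from collections import defaultdict

# Added example, not code from the thread. Conventions assumed here: each
# proxyAddresses value is "<TYPE>:<address>", SMTP addresses must parse as a
# plain mailbox, and exactly one value per object is the primary SMTP address
# (written with an upper-case "SMTP:" prefix; secondaries use "smtp:").
PROXY_RE = re.compile(r"^(?P<type>[A-Za-z0-9]+):(?P<addr>.+)$")
SMTP_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample directory dump: (distinguishedName, proxyAddresses).
SAMPLE = [
    ("CN=Alice,OU=Users,DC=example,DC=com",
     ["SMTP:alice@example.com", "smtp:alice.smith@example.com",
      "X400:c=US;a= ;p=Example;o=Exchange;s=Alice;"]),          # clean
    ("CN=Bob,OU=Users,DC=example,DC=com",
     ["SMTP:bob@example.com", "smtp:Alice@Example.com"]),        # duplicate of Alice's
    ("CN=Carol,OU=Users,DC=example,DC=com",
     ["smtp:carol@example.com"]),                                # no primary SMTP
    ("CN=Dave,OU=Users,DC=example,DC=com",
     ["SMTP:dave@example.com", "SMTP:dave.jones@example.com",
      "SMTP:not an address"]),                                   # three primaries, one bad
    ("CN=Eve,OU=Users,DC=example,DC=com", ["bogus"]),            # no type prefix
]


def check_proxy_addresses(objects):
    """Validate a dump of proxyAddresses values.

    Returns a dict with:
      format     - list of (dn, value) for values that do not parse
      primary    - list of (dn, count) for objects whose number of
                   upper-case SMTP: values is not exactly one
      duplicates - {address (lower-cased): [dn, ...]} for SMTP addresses
                   found on more than one object
    """
    report = {"format": [], "primary": [], "duplicates": {}}
    owners = defaultdict(list)          # lower-cased smtp address -> owning DNs
    for dn, values in objects:
        primaries = 0
        for value in values:
            match = PROXY_RE.match(value)
            if not match:
                report["format"].append((dn, value))
                continue
            addr_type, addr = match.group("type"), match.group("addr")
            if addr_type.lower() != "smtp":
                continue                # X400, X500, ... are not checked here
            if addr_type == "SMTP":
                primaries += 1
            if not SMTP_RE.match(addr):
                report["format"].append((dn, value))
                continue
            owners[addr.lower()].append(dn)
        if primaries != 1:
            report["primary"].append((dn, primaries))
    report["duplicates"] = {a: dns for a, dns in owners.items() if len(dns) > 1}
    return report


if __name__ == "__main__":
    result = check_proxy_addresses(SAMPLE)
    for dn, value in result["format"]:
        print(f"bad format   {dn}: {value}")
    for dn, count in result["primary"]:
        print(f"primary      {dn}: {count} primary SMTP address(es)")
    for addr, dns in result["duplicates"].items():
        print(f"duplicate    {addr}: " + ", ".join(dns))
```

Feed it the output of a directory dump (one tuple per object) instead of SAMPLE; the duplicate check is forest-wide as long as the dump is.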
RE: [ActiveDir] Scripting help
No, had I read your question more thoroughly I'd have known that was useful to you ;)

It currently differentiates the group types by querying on the bit used by AD to maintain the difference. Proxy address doesn't come into play. Maybe this will do as you ask -

dsquery * domainroot -filter "(&(objectcategory=group)(proxyAddresses=*))"

Does that solve your problem?

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, November 03, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting help

Thanks Dean. Would that return the Security groups that are also being used as DLs by virtue of having the proxy address field set? Sorry if it's an obvious question but I'm new to this side of AD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 03 November 2004 16:11
To: Send - AD mailing list
Subject: RE: [ActiveDir] Scripting help

Here's but two possible ways that sprang to mind.

Returns security groups only -

dsquery * domainroot -filter "(&(objectcategory=group)(!(sAMAccountType:1.2.840.113556.1.4.803:=1)))"

Returns DLs only -

dsquery * domainroot -filter "(&(objectcategory=group)(sAMAccountType:1.2.840.113556.1.4.803:=1))"

Deano

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, November 03, 2004 3:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting help

Hi to all from Darkest Africa!!

Can anyone assist me with a scripting issue? I've generated a list of the groups in my AD by using dsquery. I have a text file as output. I've been able to read this into a file and extract some information. However my management wants a list of all the Distribution lists only, with the Name of the Group and who its Manager is. My script generates all the requisite info but I can't get it to differentiate between Security groups and DLs. We have a bunch of Security Groups that have had Exchange e-mail addresses added to them and so are being used as DLs as well. It appears that all the DLs have a proxyAddresses attribute. Is there any way I can do a script-based search through the whole of the domain and extract all groups that have this attribute and return the values that I need?

Any help would be really appreciated as I'm completely new to this.

Regards
Peter Johnson
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
Just one last question before this string goes away: Has anyone joined a Windows 98 machine to a Native Windows 2003 AD Domain that was not upgraded from an NT domain before? All of the responses I have seen have only been for a Windows 2000 AD and I'm wondering if a new security enhancement in 2003 is what is preventing my 98 machines from seeing and connecting to the 2003 AD.

charle

-Original Message-
From: Carerros, Charles [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

I think there is more I have to do to get it to work with AD though. Don't I have to make sure that the workstation is using NTLM2 authentication and SMB signing? (In which case I still might have to write off my Win95 boxes because I don't believe that they support either of those.) I really hope that I'm wrong, but then again if I'm right then they will all be forced to upgrade. I just need to make sure that I exhaust all resources before I go and tell someone the bad news about the 95 boxes. But I think that the script option might be the best approach.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Ok, it was worth a shot. I have not heard of or seen any tool that will help you with this. The only thing I can think of is in your logon script have it copy a script to the 9x machine, modify the registry to RunOnce that script you just copied, and have that script on next logon change the domain membership, if that is at all possible.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 12:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Upgrading is not an option in this case. Politically it's not allowed and technically it's not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done).

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

You could potentially upgrade your NT Domain to a child domain of an AD forest. This would allow you to keep the netbios name at least for your network.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 11:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

We are doing a migration from an NT domain into a child domain of a new AD forest so we cannot keep the same netbios name. We also have a slight problem with our naming convention in that all of our DCs are going to have nine character names.

Thanks,
chuck

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 10:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

If you build your Windows 2003 domain with the same netbios domain name, the Win 9x won't care one way or another.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 11:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain

Hey group,

I'm trying to find an easy way to do a massive migration of Windows 95\98 workstations from an NT domain to a Windows 2003 AD domain; however, the tools that I'm finding don't seem to function, don't exist, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful.

Thanks,
Charlie
RE: [ActiveDir] Scripting help
dsquery * domainroot -filter "(&(objectcategory=group)(!(sAMAccountType:1.2.840.113556.1.4.803:=1)))"

would return security groups regardless of whether they are also DGs. What might be easier is to use a filter that looks for legacyExchangeDN, which must exist in order for it to be an Exchange object, in this case a DG. proxyAddresses would also work in place of legacyExchangeDN. The syntax might look something like

dsquery * domainroot -filter "(&(objectCategory=group)(legacyExchangeDN=*))"

which will give you all groups that are Exchange mail-enabled, regardless of whether they are security groups or not and regardless of location in the forest (I'm guessing about the forest location as I'm not that familiar with dsquery to know if it will query the GC or the DC in this case. If it queries the DC you may not get all of the groups. Should be easy to double check though).

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/attributes_anr.asp?frame=true

will give you a list of other attributes that might be of interest.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, November 03, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting help

Thanks Dean. Would that return the Security groups that are also being used as DLs by virtue of having the proxy address field set? Sorry if it's an obvious question but I'm new to this side of AD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 03 November 2004 16:11
To: Send - AD mailing list
Subject: RE: [ActiveDir] Scripting help

Here's but two possible ways that sprang to mind.

Returns security groups only -

dsquery * domainroot -filter "(&(objectcategory=group)(!(sAMAccountType:1.2.840.113556.1.4.803:=1)))"

Returns DLs only -

dsquery * domainroot -filter "(&(objectcategory=group)(sAMAccountType:1.2.840.113556.1.4.803:=1))"

Deano

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, November 03, 2004 3:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting help

Hi to all from Darkest Africa!!

Can anyone assist me with a scripting issue? I've generated a list of the groups in my AD by using dsquery. I have a text file as output. I've been able to read this into a file and extract some information. However my management wants a list of all the Distribution lists only, with the Name of the Group and who its Manager is. My script generates all the requisite info but I can't get it to differentiate between Security groups and DLs. We have a bunch of Security Groups that have had Exchange e-mail addresses added to them and so are being used as DLs as well. It appears that all the DLs have a proxyAddresses attribute. Is there any way I can do a script-based search through the whole of the domain and extract all groups that have this attribute and return the values that I need?

Any help would be really appreciated as I'm completely new to this.

Regards
Peter Johnson
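The filters Dean and Al posted, worked through in Python as an added example (this is not code from the thread or from dsquery): it classifies a constructed set of groups by the sAMAccountType bit that Dean's bitwise-AND filter tests, then builds the list Peter's management asked for, every mail-enabled group with its manager, including the security groups that the sAMAccountType filter on its own would leave out. The sample groups are assumptions of this example; the sAMAccountType values are the documented SAM object-type constants.

```python
# Added example, not code from the thread. The constants below are the
# documented sAMAccountType values for the four group kinds; the low bit is
# what (sAMAccountType:1.2.840.113556.1.4.803:=1) tests in Dean's filter.
SAM_GROUP_OBJECT = 0x10000000               # security global/universal group
SAM_NON_SECURITY_GROUP_OBJECT = 0x10000001  # distribution global/universal group
SAM_ALIAS_OBJECT = 0x20000000               # security domain local group
SAM_NON_SECURITY_ALIAS_OBJECT = 0x20000001  # distribution domain local group
NON_SECURITY_BIT = 0x1

# Constructed sample of group objects as Peter describes his directory.
SAMPLE_GROUPS = [
    {"name": "HR-All", "manager": "CN=Jane Doe,OU=Users,DC=example,DC=com",
     "sAMAccountType": SAM_NON_SECURITY_GROUP_OBJECT,
     "proxyAddresses": ["SMTP:hr-all@example.com"],
     "legacyExchangeDN": "/o=Example/ou=First Administrative Group/cn=Recipients/cn=HR-All"},
    # A security group that has been mail-enabled and is used as a DL.
    {"name": "Finance-Admins", "manager": "CN=Bob Roe,OU=Users,DC=example,DC=com",
     "sAMAccountType": SAM_GROUP_OBJECT,
     "proxyAddresses": ["SMTP:finance-admins@example.com"],
     "legacyExchangeDN": "/o=Example/ou=First Administrative Group/cn=Recipients/cn=Finance-Admins"},
    # A plain security group with no Exchange attributes at all.
    {"name": "Backup-Operators-Local", "manager": None,
     "sAMAccountType": SAM_ALIAS_OBJECT,
     "proxyAddresses": [], "legacyExchangeDN": None},
    # A distribution group that was never mail-enabled.
    {"name": "Old-Project-List", "manager": "CN=Carol Lee,OU=Users,DC=example,DC=com",
     "sAMAccountType": SAM_NON_SECURITY_ALIAS_OBJECT,
     "proxyAddresses": [], "legacyExchangeDN": None},
]


def is_distribution_group(group):
    """Equivalent of (sAMAccountType:1.2.840.113556.1.4.803:=1)."""
    return bool(group["sAMAccountType"] & NON_SECURITY_BIT)


def is_mail_enabled(group):
    """Equivalent of (proxyAddresses=*) / (legacyExchangeDN=*): Dean's second
    filter and Al's suggestion both pick up exactly these objects."""
    return bool(group.get("proxyAddresses")) or bool(group.get("legacyExchangeDN"))


def dl_report(groups):
    """Name and manager of every group that acts as a DL, i.e. every
    mail-enabled group whatever its type, tagged with the type so the
    security groups doubling as DLs stand out."""
    return [
        {"name": g["name"], "manager": g["manager"],
         "type": "distribution" if is_distribution_group(g) else "security"}
        for g in groups if is_mail_enabled(g)
    ]


def security_groups_used_as_dls(groups):
    """The objects that the sAMAccountType filter alone would miss."""
    return [g["name"] for g in groups
            if not is_distribution_group(g) and is_mail_enabled(g)]


if __name__ == "__main__":
    for row in dl_report(SAMPLE_GROUPS):
        print(f'{row["name"]:<25} {row["type"]:<13} {row["manager"]}')
```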
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
SMB signing (as mentioned in the thread) prevents 9x gaining access to the NETLOGON share in order to apply policy and get logon scripts.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, November 03, 2004 9:48 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Just one last question before this string goes away: Has anyone joined a Windows 98 machine to a Native Windows 2003 AD Domain that was not upgraded from an NT domain before? All of the responses I have seen have only been for a Windows 2000 AD and I'm wondering if a new security enhancement in 2003 is what is preventing my 98 machines from seeing and connecting to the 2003 AD.

charle

-Original Message-
From: Carerros, Charles [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

I think there is more I have to do to get it to work with AD though. Don't I have to make sure that the workstation is using NTLM2 authentication and SMB signing? (In which case I still might have to write off my Win95 boxes because I don't believe that they support either of those.) I really hope that I'm wrong, but then again if I'm right then they will all be forced to upgrade. I just need to make sure that I exhaust all resources before I go and tell someone the bad news about the 95 boxes. But I think that the script option might be the best approach.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Ok, it was worth a shot. I have not heard of or seen any tool that will help you with this. The only thing I can think of is in your logon script have it copy a script to the 9x machine, modify the registry to RunOnce that script you just copied, and have that script on next logon change the domain membership, if that is at all possible.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 12:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Upgrading is not an option in this case. Politically it's not allowed and technically it's not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done).

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

You could potentially upgrade your NT Domain to a child domain of an AD forest. This would allow you to keep the netbios name at least for your network.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 11:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

We are doing a migration from an NT domain into a child domain of a new AD forest so we cannot keep the same netbios name. We also have a slight problem with our naming convention in that all of our DCs are going to have nine character names.

Thanks,
chuck

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 10:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

If you build your Windows 2003 domain with the same netbios domain name, the Win 9x won't care one way or another.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 11:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain

Hey group,

I'm trying to find an easy way to do a massive migration of Windows 95\98 workstations from an NT domain to a Windows 2003 AD domain; however, the tools that I'm finding don't seem to function, don't exist, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful.

Thanks,
Charlie
RE: [ActiveDir] Scripting help
Hi Dean

It would seem to. I can then drop the created file into my script and see what I get. Thanks a lot. I'll get back to you with some news.

Regards
Peter Johnson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 03 November 2004 16:47
To: Send - AD mailing list
Subject: RE: [ActiveDir] Scripting help

No, had I read your question more thoroughly I'd have known that was useful to you ;)

It currently differentiates the group types by querying on the bit used by AD to maintain the difference. Proxy address doesn't come into play. Maybe this will do as you ask -

dsquery * domainroot -filter "(&(objectcategory=group)(proxyAddresses=*))"

Does that solve your problem?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, November 03, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting help

Thanks Dean. Would that return the Security groups that are also being used as DLs by virtue of having the proxy address field set? Sorry if it's an obvious question but I'm new to this side of AD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 03 November 2004 16:11
To: Send - AD mailing list
Subject: RE: [ActiveDir] Scripting help

Here's but two possible ways that sprang to mind.

Returns security groups only -

dsquery * domainroot -filter "(&(objectcategory=group)(!(sAMAccountType:1.2.840.113556.1.4.803:=1)))"

Returns DLs only -

dsquery * domainroot -filter "(&(objectcategory=group)(sAMAccountType:1.2.840.113556.1.4.803:=1))"

Deano

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, November 03, 2004 3:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting help

Hi to all from Darkest Africa!!

Can anyone assist me with a scripting issue? I've generated a list of the groups in my AD by using dsquery. I have a text file as output. I've been able to read this into a file and extract some information. However my management wants a list of all the Distribution lists only, with the Name of the Group and who its Manager is. My script generates all the requisite info but I can't get it to differentiate between Security groups and DLs. We have a bunch of Security Groups that have had Exchange e-mail addresses added to them and so are being used as DLs as well. It appears that all the DLs have a proxyAddresses attribute. Is there any way I can do a script-based search through the whole of the domain and extract all groups that have this attribute and return the values that I need?

Any help would be really appreciated as I'm completely new to this.

Regards
Peter Johnson
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
Yes, as I mentioned in another post: when Windows 2003 AD came out it included 2 new security mechanisms that are required for authentication. Downlevel clients (WfW, Win9x and WinNT) are not capable of communicating with those security mechanisms unless they are upgraded (WfW) or have the DS Client.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, November 03, 2004 9:48 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Just one last question before this string goes away: Has anyone joined a Windows 98 machine to a Native Windows 2003 AD Domain that was not upgraded from an NT domain before? All of the responses I have seen have only been for a Windows 2000 AD and I'm wondering if a new security enhancement in 2003 is what is preventing my 98 machines from seeing and connecting to the 2003 AD.

charle

-Original Message-
From: Carerros, Charles [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

I think there is more I have to do to get it to work with AD though. Don't I have to make sure that the workstation is using NTLM2 authentication and SMB signing? (In which case I still might have to write off my Win95 boxes because I don't believe that they support either of those.) I really hope that I'm wrong, but then again if I'm right then they will all be forced to upgrade. I just need to make sure that I exhaust all resources before I go and tell someone the bad news about the 95 boxes. But I think that the script option might be the best approach.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Ok, it was worth a shot. I have not heard of or seen any tool that will help you with this. The only thing I can think of is in your logon script have it copy a script to the 9x machine, modify the registry to RunOnce that script you just copied and have that script on next logon change the domain membership, if that is at all possible.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 12:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Upgrading is not an option in this case. Politically it's not allowed and technically it's not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done).

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

You could potentially upgrade your NT Domain to a child domain of an AD forest. This would allow you to keep the netbios name at least for your network.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 11:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

We are doing a migration from an NT domain into a child domain of a new AD forest so we cannot keep the same netbios name. We also have a slight problem with our naming convention in that all of our DCs are going to have nine character names.

Thanks,
chuck

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 10:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

If you build your Windows 2003 domain with the same netbios domain name the Win 9x won't care one way or another.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 11:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain

Hey group,

I'm trying to find an easy way to do a massive migration of Windows 95\98 workstations from an NT domain to a Windows 2003 AD domain, however the tools that I'm finding don't seem to function, don't exist, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful.

Thanks,
Charlie
RE: [ActiveDir] Write Cache Enabled
Not sure why yours wouldn't take when set.

NOTE: You want to be careful mucking about at that level with a production machine as you want to ensure that you aren't going to cause any low-level issues when making changes. Check with your hardware vendor to find out what is needed to disable the on-disk caching.

The way you're doing this should have worked just fine, but you might have a bios fix or something that needs to be taken into consideration. You may also want to check the log files to see if something else is going on.

Here's a reference for how it's expected to be done: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q259716

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Tuesday, November 02, 2004 7:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Write Cache Enabled

Al,

Thank you very much for your comprehensive response. I am currently in the process of trying to Disable Write Cache. I have managed to do it via the Adaptec Software but for some reason windows still states that it is enabled. I go into System manager - Devices - Hard Disks - Properties. In the properties I select Disk Properties and there is a tick next to Write Cache Enabled. I remove the tick and save and then go back in and the tick is still there. Any ideas? If you need more info I will supply whatever is needed.

Rodney

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, 3 November 2004 1:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Write Cache Enabled

http://www.webopedia.com/TERM/d/disk_cache.html is a reference for what it is.

Disk cache is a very dangerous thing when it comes to JET DB technology. The reason is that if the disk device loses power, or corrupts before it can commit to media, then you lose that bit of data likely corrupting the db. If the db is not so far gone that it can't replicate, your problems get worse. You should see SAN implementations of DCs and the conversations it generates ;)

On-disk caching is a way for vendors to squeeze a little more speed out of the platters. Consider two 15K scsi drives. One provides 10us write commit time (for example) while the other provides 2us write commit time. The difference? Cache. If you can commit to cache vs. the platter, it's much much faster as you buffer the writes until the platter is in an optimal position to write to media. Great for applications that are random r/w types with heavy or equal write signatures i.e. file and print applications or presentation applications.

JET db technology can be very disk IO intensive. That's because it's a two-phase commit database technology; a good one too. But as you scale the database you tend to have more disk activity as more and more transactions take place. Microsoft has gotten quite good at figuring out what works and what doesn't and one thing they've learned is when to use JET DB technology; a typical JET db deployment is likely to be more read-intensive than it is write intensive. A good application for JET technology is something that has at least a 2.5 or 3:1 read/write signature. The more read-intensive, the more likely that JET technology will be a good fit. Sound like an application you're familiar with?

LDAP is a read-intensive application by design and great read response is required to scale it successfully. Active Directory would be an example of an LDAP database that needs great read performance with some write performance. Some implementations of LDAP have adapted other db technology, such as DB2, Oracle, etc. to house their LDAP data stores. Microsoft chose their JET (JET Blue if I recall correctly, but don't quote me) engine. Since JET DB applications tend to be very read-intensive, the risk/reward of disk cache is not in your favor.

Your better bet is to give the application the amount of spindles required to gain the IOPS needed to satisfy the performance needs of your application. In the case of Active Directory, separate the IO types to gain better performance (sequential IO on one set of dedicated spindles being your biggest performance booster) etc.

Don't be fooled by the use of battery backup technology. It's not worth it and it usually comes on the array controllers only, not on the disk device itself. The array controller battery backup is intended to protect against power failures when data is in the array cache, which of course is there to provide better performance. But the cache is considered flushed when the controller receives a successful commit response from the disk device. The disk device will send a positive response when you write to its cache. It's at that point that you tend to be vulnerable to problems (i.e. corruption) for very little performance gain. Turn off the disk caching and you'll barely notice a difference if you've laid out your disk appropriately for your
RE: [ActiveDir] Scripting help
Thanks Al. I'm learning one hell of a lot but the learning curve is almost an overhang :) :)

Regards
Peter

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 03 November 2004 16:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting help

dsquery * domainroot -filter "(&(objectcategory=group)(!sAMAccountType:1.2.840.113556.1.4.803:=1))"

Would return security groups regardless if they are also DGs. What might be easier is to use a filter that looks for legacyExchangeDN which must exist in order for it to be an Exchange object. In this case a DG. Proxyaddresses would also work in place of legacyExchangeDN. The syntax might look something like

dsquery * domainroot -filter "(&(objectCategory=group)(legacyExchangeDN=*))"

which will give you all groups that are Exchange mail-enabled, regardless of security group or not and regardless of location in the forest (I'm guessing about the forest location as I'm not that familiar with dsquery to know if it will query the GC or the DC in this case. If it queries the DC you may not get all of the groups. Should be easy to double check though).

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/attributes_anr.asp?frame=true

Will give you a list of other attributes that might be of interest.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, November 03, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting help

Thanks Dean. Would that return the Security groups that are also being used as DLs by virtue of having the proxy address field set? Sorry if it's an obvious question but I'm new to this side of AD

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 03 November 2004 16:11
To: Send - AD mailing list
Subject: RE: [ActiveDir] Scripting help

Here's but two possible ways that sprung to mind.

Returns security groups only -
dsquery * domainroot -filter "(&(objectcategory=group)(!sAMAccountType:1.2.840.113556.1.4.803:=1))"

Return DLs only -
dsquery * domainroot -filter "(&(objectcategory=group)(sAMAccountType:1.2.840.113556.1.4.803:=1))"

Deano

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, November 03, 2004 3:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting help

Hi to all from Darkest Africa!!

Can anyone assist me with a scripting issue?

I've generated a list of the groups in my AD by using dsquery. I have a text file as output. I've been able to read this into a file and extract some information. However my management wants a list of all the Distribution lists only with the Name of the Group and who its Manager is. My script generates all the requisite info but I can't get it to differentiate between Security and DLs. We have a bunch of Security Groups that have had Exchange E-mail addresses added to them and so are being used as DLs as well. It appears that all the DLs have a proxyAddresses attribute. Is there any way I can do a script based search through the whole of the domain and extract all groups that have this attribute and return the values that I need. Any help would be really appreciated as I'm completely new to this.

Regards
Peter Johnson
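The two ideas in this thread (Dean's bitwise test on sAMAccountType via the 1.2.840.113556.1.4.803 matching rule, and Al's "mail-enabled means proxyAddresses or legacyExchangeDN is populated") can be combined into one classification pass that also surfaces the case Peter actually cares about: security groups that double as distribution lists. The following is an added example, not code from the thread or from any of its posters; it evaluates the same filter logic over constructed sample records rather than querying a directory. The sAMAccountType constants and the matching rule OID are the documented Active Directory values; the group names, addresses and managedBy DNs are made up.

```python
"""Group classification mirroring the dsquery filters in this thread.

Added example (not code from the thread). The records in SAMPLE_GROUPS are
constructed; the attribute names, sAMAccountType values and the bitwise-AND
matching rule OID are the documented Active Directory ones.
"""
from dataclasses import dataclass, field
from typing import Optional

# Matching rule OID used in "attr:1.2.840.113556.1.4.803:=mask" filters.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Documented sAMAccountType values for group objects. Bit 0 is set only on
# the non-security (distribution) variants, which is what the ":=1" tests.
SAM_GROUP_OBJECT = 0x10000000               # global/universal security group
SAM_NON_SECURITY_GROUP_OBJECT = 0x10000001  # global/universal distribution group
SAM_ALIAS_OBJECT = 0x20000000               # domain local security group
SAM_NON_SECURITY_ALIAS_OBJECT = 0x20000001  # domain local distribution group
NON_SECURITY_BIT = 0x1


@dataclass
class Group:
    """Just the attributes the thread's queries look at."""
    name: str
    sam_account_type: int                                # sAMAccountType
    proxy_addresses: list = field(default_factory=list)  # proxyAddresses
    legacy_exchange_dn: Optional[str] = None             # legacyExchangeDN
    managed_by: Optional[str] = None                     # managedBy


def bit_and_match(value: int, mask: int) -> bool:
    """Semantics of the 1.2.840.113556.1.4.803 rule: every bit of mask is set.
    Flag attributes come back from AD as signed 32-bit ints, so normalise."""
    return (value & 0xFFFFFFFF) & mask == mask


def is_security_group(g: Group) -> bool:
    """Equivalent of (!sAMAccountType:1.2.840.113556.1.4.803:=1)."""
    return not bit_and_match(g.sam_account_type, NON_SECURITY_BIT)


def is_mail_enabled(g: Group) -> bool:
    """Equivalent of (|(proxyAddresses=*)(legacyExchangeDN=*))."""
    return bool(g.proxy_addresses) or g.legacy_exchange_dn is not None


def classify(groups):
    """Split groups as the two dsquery filters would, and flag the overlap:
    security groups that are also used as DLs."""
    out = {"security": [], "distribution": [], "mail_enabled_security": []}
    for g in groups:
        if is_security_group(g):
            out["security"].append(g.name)
            if is_mail_enabled(g):
                out["mail_enabled_security"].append(g.name)
        else:
            out["distribution"].append(g.name)
    return out


def mail_enabled_report(groups):
    """What management asked for: every group used as a DL, with its manager."""
    return [(g.name, g.managed_by, "security" if is_security_group(g) else "distribution")
            for g in groups if is_mail_enabled(g)]


def build_filter(security: bool, mail_enabled_only: bool) -> str:
    """Compose the equivalent LDAP filter string for dsquery's -filter."""
    type_clause = f"sAMAccountType:{LDAP_MATCHING_RULE_BIT_AND}:={NON_SECURITY_BIT}"
    if security:
        type_clause = "!" + type_clause
    clauses = ["(objectCategory=group)", f"({type_clause})"]
    if mail_enabled_only:
        clauses.append("(|(proxyAddresses=*)(legacyExchangeDN=*))")
    return "(&" + "".join(clauses) + ")"


# Constructed sample data, not from a real directory.
SAMPLE_GROUPS = [
    Group("Finance-Admins", SAM_GROUP_OBJECT,
          managed_by="CN=Jane Doe,OU=Users,DC=example,DC=com"),
    Group("All-Staff", SAM_NON_SECURITY_GROUP_OBJECT, ["SMTP:all-staff@example.com"],
          managed_by="CN=HR Lead,OU=Users,DC=example,DC=com"),
    Group("Helpdesk", SAM_ALIAS_OBJECT, ["SMTP:helpdesk@example.com"],
          managed_by="CN=Ops Lead,OU=Users,DC=example,DC=com"),
    Group("Legacy-DL", SAM_NON_SECURITY_GROUP_OBJECT,
          legacy_exchange_dn="/o=Org/ou=Site/cn=Recipients/cn=legacydl"),
]

if __name__ == "__main__":
    print(classify(SAMPLE_GROUPS))
    for row in mail_enabled_report(SAMPLE_GROUPS):
        print(row)
    print(build_filter(security=True, mail_enabled_only=True))
```

The mail_enabled_security list is the one worth reviewing periodically: a group in it is both an ACL principal and an externally reachable mail recipient, so its membership and its manager deserve the same scrutiny as any other security group.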
RE: [ActiveDir] Write Cache Enabled
I will second the thanks to Al for a great answer. I'm not an expert in this field but just as an add-on - according to MS docs on this matter the reason this event is appearing at every boot is that not all HDDs have NVRAM to save changes to Write Cache settings. So this setting falls back to the HDD's default upon reboot.

Al.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 5:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Write Cache Enabled

Not sure why yours wouldn't take when set.

NOTE: You want to be careful mucking about at that level with a production machine as you want to ensure that you aren't going to cause any low-level issues when making changes. Check with your hardware vendor to find out what is needed to disable the on-disk caching.

The way you're doing this should have worked just fine, but you might have a bios fix or something that needs to be taken into consideration. You may also want to check the log files to see if something else is going on.

Here's a reference for how it's expected to be done: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q259716

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Tuesday, November 02, 2004 7:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Write Cache Enabled

Al,

Thank you very much for your comprehensive response. I am currently in the process of trying to Disable Write Cache. I have managed to do it via the Adaptec Software but for some reason windows still states that it is enabled. I go into System manager - Devices - Hard Disks - Properties. In the properties I select Disk Properties and there is a tick next to Write Cache Enabled. I remove the tick and save and then go back in and the tick is still there. Any ideas? If you need more info I will supply whatever is needed.

Rodney

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, 3 November 2004 1:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Write Cache Enabled

http://www.webopedia.com/TERM/d/disk_cache.html is a reference for what it is.

Disk cache is a very dangerous thing when it comes to JET DB technology. The reason is that if the disk device loses power, or corrupts before it can commit to media, then you lose that bit of data likely corrupting the db. If the db is not so far gone that it can't replicate, your problems get worse. You should see SAN implementations of DCs and the conversations it generates ;)

On-disk caching is a way for vendors to squeeze a little more speed out of the platters. Consider two 15K scsi drives. One provides 10us write commit time (for example) while the other provides 2us write commit time. The difference? Cache. If you can commit to cache vs. the platter, it's much much faster as you buffer the writes until the platter is in an optimal position to write to media. Great for applications that are random r/w types with heavy or equal write signatures i.e. file and print applications or presentation applications.

JET db technology can be very disk IO intensive. That's because it's a two-phase commit database technology; a good one too. But as you scale the database you tend to have more disk activity as more and more transactions take place. Microsoft has gotten quite good at figuring out what works and what doesn't and one thing they've learned is when to use JET DB technology; a typical JET db deployment is likely to be more read-intensive than it is write intensive. A good application for JET technology is something that has at least a 2.5 or 3:1 read/write signature. The more read-intensive, the more likely that JET technology will be a good fit. Sound like an application you're familiar with?

LDAP is a read-intensive application by design and great read response is required to scale it successfully. Active Directory would be an example of an LDAP database that needs great read performance with some write performance. Some implementations of LDAP have adapted other db technology, such as DB2, Oracle, etc. to house their LDAP data stores. Microsoft chose their JET (JET Blue if I recall correctly, but don't quote me) engine. Since JET DB applications tend to be very read-intensive, the risk/reward of disk cache is not in your favor.

Your better bet is to give the application the amount of spindles required to gain the IOPS needed to satisfy the performance needs of your application. In the case of Active Directory, separate the IO types to gain better performance (sequential IO on one set of dedicated spindles being your biggest performance booster) etc.

Don't be fooled by the use of battery backup
RE: [ActiveDir] Install only Active Directory Users and Computers snap-in
To answer the question: http://www.petri.co.il/extract_specific_tools_from_adminpak_msi.htm

Al.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Seet
Sent: Wednesday, October 13, 2004 8:58 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Install only Active Directory Users and Computers snap-in

The articles I find just talk about installing the entire Administrative package into Win 2000/XP professional if I need to get it to connect and make changes in AD. But, what if I only want to install Active Directory Users and Computers for a non-admin staff to create users, contacts? She wouldn't need the rest like DHCP, DNS, Domains and Trusts, etc. Is there an article to show how to install a single snap-in in such situations?

thanks,
Aaron
RE: [ActiveDir] easiest way to move Distribution Lists across dom ains. hoping for quick response ;)
Return Receipt

Your document: RE: [ActiveDir] easiest way to move Distribution Lists across dom ains. hoping for quick response ;)
was received by: Lucia Washaya/UNAMSIL
at: 03/11/2004 16:07:10 GMT
[ActiveDir] Scripting question - Net Send command
We're porting our old intranet (NT4/IIS4) to a new server (W2K3/IIS6) and have run into an authentication issue that I need some help with.

There's a legacy code chunk that does a net send command to create a popup on a user's PC to tell them a new request has come in that they need to deal with. I'd prefer that they used email for this, but apparently checking email regularly is too much trouble for them. They want a pop-up. :-)

The problem is that we can't get Net Send to launch properly. Here's the distilled code:

<%
dim oWSH
Set oWSH = CreateObject("WScript.Shell")
oWSH.Run "NET SEND test4 testing."
%>

That is embedded into an ASP file, which is run by a user connecting to a webpage stored on the new IIS server. The rest of the script includes some authentication procedures that identify the logged on user and allow or deny page access based on AD Group membership.

If I run it from my workstation, with my admin credentials, it runs fine. If I run it from a PC logged in as a standard user, we get

Microsoft VBScript runtime error '800a0046'
Permission denied
/CNK/ww2.asp, line 4.

Is there a way to:
1. Force the net send command to securely run as a different user without exposing elevated credentials?
2. Use a different method to create the popup window?

Thanks for any help...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
[ActiveDir] Notification containing new password
Hi Group,

I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible that I looked over it, and if I did I apologize in advance. Now, to my question:

We are a fairly small shop here (about 40 users) and the traditional way of doing a password change was to collect new passwords from everyone and then I change them in AD as well as in a couple of other places (i.e. like synchronizing them with our non-Exchange mail server). We did this so that in case somebody was away on vacation and we needed to log on to their computer (with their profile) we could do it. It saves the hassle of say, logging in with a domain account and then manually opening up a PST file or something like that.

I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. We have had numerous issues in the past with people telling us their wrong passwords, so I would like to get it straight from AD if possible. Right now the only solution I can see is cracking all of the passwords, but that isn't the most feasible way.

Does anyone know of a solution? Maybe something like an email generated by some sort of script with the new password?

Sorry if this email dragged on for a bit. Any help is appreciated. Thanks.
Re: [ActiveDir] Notification containing new password
~ I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. ~

ALARM! ALARM!!

I don't *ever* want to know someone else's password. I don't *ever* want someone else to have reason to believe that I have their password, as this violates all sorts of security principles. This violates the whole purpose of having a password in the first place.

If I ever need to get into an end-user system as their specific account, when they happen to be unavailable, I'll change their password at that time. (Ensuring that I have good key recovery in place for EFS usage)

Suffice it to say, your plan has Bad-Idea written all over it. I would highly recommend that you pursue a different course of action.

~ Does anyone know of a solution? Maybe something like an email generated by some sort of script with the new password? ~

This only sounds worse...

Not incidentally, the NET USER /RANDOM command supports the generation of random passwords.

- ASB
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/

On Wed, 3 Nov 2004 13:21:39 -0500, Matthew Crape [EMAIL PROTECTED] wrote:

Hi Group,

I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible that I looked over it, and if I did I apologize in advance. Now, to my question:

We are a fairly small shop here (about 40 users) and the traditional way of doing a password change was to collect new passwords from everyone and then I change them in AD as well as in a couple of other places (i.e. like synchronizing them with our non-Exchange mail server). We did this so that in case somebody was away on vacation and we needed to log on to their computer (with their profile) we could do it. It saves the hassle of say, logging in with a domain account and then manually opening up a PST file or something like that.

I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. We have had numerous issues in the past with people telling us their wrong passwords, so I would like to get it straight from AD if possible. Right now the only solution I can see is cracking all of the passwords, but that isn't the most feasible way.

Does anyone know of a solution? Maybe something like an email generated by some sort of script with the new password?

Sorry if this email dragged on for a bit. Any help is appreciated. Thanks.
RE: [ActiveDir] Notification containing new password
In order to meet your requirement of being able to login as the user with their profile, why not just login to the DC as admin, reset the password on that user account so you can login and then when the user gets back have them change it? You have a small enough shop where this would seem feasible and you wouldn't have the additional headache of trying to manage all their passwords.

r/
Lou

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Crape
Sent: Wednesday, November 03, 2004 1:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Notification containing new password

Hi Group,

I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible that I looked over it, and if I did I apologize in advance. Now, to my question:

We are a fairly small shop here (about 40 users) and the traditional way of doing a password change was to collect new passwords from everyone and then I change them in AD as well as in a couple of other places (i.e. like synchronizing them with our non-Exchange mail server). We did this so that in case somebody was away on vacation and we needed to log on to their computer (with their profile) we could do it. It saves the hassle of say, logging in with a domain account and then manually opening up a PST file or something like that.

I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. We have had numerous issues in the past with people telling us their wrong passwords, so I would like to get it straight from AD if possible. Right now the only solution I can see is cracking all of the passwords, but that isn't the most feasible way.

Does anyone know of a solution? Maybe something like an email generated by some sort of script with the new password?

Sorry if this email dragged on for a bit. Any help is appreciated. Thanks.
RE: [ActiveDir] Notification containing new password
I don't think there is such a tool natively. I imagine that you could put a web interface on a vbscript where you direct your users to go to when they need to change their passwords. In the code, you will then put in a routine that grabs the value they type in and email it to you.

Now, I will get away quickly before Joe shows up with another why-you-should-not-do-this clue stick (I mean, KB article) :p

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Matthew Crape
Sent: Wed 11/3/2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Notification containing new password

Hi Group,

I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible that I looked over it, and if I did I apologize in advance. Now, to my question:

We are a fairly small shop here (about 40 users) and the traditional way of doing a password change was to collect new passwords from everyone and then I change them in AD as well as in a couple of other places (i.e. like synchronizing them with our non-Exchange mail server). We did this so that in case somebody was away on vacation and we needed to log on to their computer (with their profile) we could do it. It saves the hassle of say, logging in with a domain account and then manually opening up a PST file or something like that.

I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. We have had numerous issues in the past with people telling us their wrong passwords, so I would like to get it straight from AD if possible. Right now the only solution I can see is cracking all of the passwords, but that isn't the most feasible way.

Does anyone know of a solution? Maybe something like an email generated by some sort of script with the new password?

Sorry if this email dragged on for a bit. Any help is appreciated. Thanks.
RE: [ActiveDir] Notification containing new password
Omg, Deji...here we go

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

I don't think there is such a tool natively. I imagine that you could put a web interface on a vbscript where you direct your users to go to when they need to change their passwords. In the code, you will then put in a routine that grabs the value they type in and email it to you.

Now, I will get away quickly before Joe shows up with another why-you-should-not-do-this clue stick (I mean, KB article) :p

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Matthew Crape
Sent: Wed 11/3/2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Notification containing new password

Hi Group,

I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible that I looked over it, and if I did I apologize in advance. Now, to my question:

We are a fairly small shop here (about 40 users) and the traditional way of doing a password change was to collect new passwords from everyone and then I change them in AD as well as in a couple of other places (i.e. like synchronizing them with our non-Exchange mail server). We did this so that in case somebody was away on vacation and we needed to log on to their computer (with their profile) we could do it. It saves the hassle of say, logging in with a domain account and then manually opening up a PST file or something like that.

I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. We have had numerous issues in the past with people telling us their wrong passwords, so I would like to get it straight from AD if possible. Right now the only solution I can see is cracking all of the passwords, but that isn't the most feasible way.

Does anyone know of a solution? Maybe something like an email generated by some sort of script with the new password?

Sorry if this email dragged on for a bit. Any help is appreciated. Thanks.
RE: [ActiveDir] Notification containing new password

Yup, you brought it on Deji. :)

To add to the fodder: Keep in mind that passwords are stored in a way that prevents you from getting them back out without cracking them. That's not a foolproof way to gather the data you want. I agree it is a bad idea to do that.

However, if you wanted to get them and let them change their own passwords, you would want a web-based system that collects the data at the beginning of the cycle. You could then use the web interface to change passwords on other systems as well, providing additional benefit. Something like IISADMPWD in a modified version might be useful for such a solution.

If you haven't heard it enough already, it's a bad idea to collect user passwords though. It defeats a ton of safeguards and puts you at risk for finger pointing etc. Better to just reset passwords and tell the user their new password should you need to access the services as that user, as suggested by plenty of others on this thread.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Wednesday, November 03, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password
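A worked version of the "reset, don't collect" approach Al recommends, as an added example (not code from the thread). When an administrator needs into an account, the account is reset to a random temporary password, the reset itself is recorded (who, which account, when, why, never the password), and the user is forced to choose a new password at next logon, so nobody but the user ever holds a password the user keeps using. It assumes the RSAT ActiveDirectory module is installed; the log path and the account name 'jdoe' are placeholders.

```powershell
# Added example, not from the thread. Administrative reset instead of
# collecting passwords. Assumes the ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

function New-TemporaryPassword {
    param([int]$Length = 16)
    # Alphabet avoids look-alike characters (0/O, 1/l/I) and covers all four classes.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of |alphabet| below 256
    try {
        do {
            $chars = New-Object char[] $Length
            for ($i = 0; $i -lt $Length; ) {
                $rng.GetBytes($byte)
                # Rejection sampling: values at or above $limit would bias the modulo.
                if ($byte[0] -lt $limit) {
                    $chars[$i] = $alphabet[$byte[0] % $alphabet.Length]
                    $i++
                }
            }
            $candidate = -join $chars
        } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
                 $candidate -match '[0-9]' -and $candidate -match '[^A-Za-z0-9]')
    }
    finally { $rng.Dispose() }
    return $candidate
}

function Reset-AccountForAccess {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Reason,
        [string]$LogPath = 'C:\Audit\password-resets.log'   # placeholder path
    )
    $temp   = New-TemporaryPassword
    $secure = ConvertTo-SecureString -String $temp -AsPlainText -Force

    # -Reset is the administrative reset (no old password needed); on the DC it
    # shows up in the Security log as event 4724 (628 on Windows 2003), so the
    # action is attributable to the operator rather than hidden behind the user.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure

    # Force the user to pick their own password at next logon.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Local audit line: who, what, when, why. Deliberately omits the password.
    $line = '{0:o} operator={1} account={2} reason={3}' -f (Get-Date), $env:USERNAME, $SamAccountName, $Reason
    Add-Content -Path $LogPath -Value $line

    # The temporary password is returned to the operator's console only.
    return $temp
}

# Usage (placeholder account and reason):
# $temp = Reset-AccountForAccess -SamAccountName 'jdoe' -Reason 'ticket 1234: user on leave, mailbox access needed'
```

The temporary password is handed to the user out of band; because pwdLastSet is cleared by -ChangePasswordAtLogon, it is only good for one logon, which is what makes this acceptable where keeping a list of users' real passwords is not.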
RE: [ActiveDir] Scripting question - Net Send command

As a security feature on w2k3, the IUSR_ user id has no permissions to any files (including net.exe). Either give the IUSR_ account permissions to net.exe, or configure the web site to run under a user id that has permission.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Kaiser
Sent: Wednesday, November 03, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting question - Net Send command

We're porting our old intranet (NT4/IIS4) to a new server (W2K3/IIS6) and have run into an authentication issue that I need some help with. There's a legacy code chunk that does a net send command to create a popup on a user's PC to tell them a new request has come in that they need to deal with. I'd prefer that they used email for this, but apparently checking email regularly is too much trouble for them. They want a pop-up. :-)

The problem is that we can't get Net Send to launch properly. Here's the distilled code:

    <%
    dim oWSH
    Set oWSH = CreateObject("WScript.Shell")
    oWSH.Run "NET SEND test4 testing."
    %>

That is embedded into an ASP file, which is run by a user connecting to a webpage stored on the new IIS server. The rest of the script includes some authentication procedures that identify the logged-on user and allow or deny page access based on AD group membership. If I run it from my workstation, with my admin credentials, it runs fine. If I run it from a PC logged in as a standard user, we get:

    Microsoft VBScript runtime error '800a0046'
    Permission denied
    /CNK/ww2.asp, line 4.

Is there a way to:

1. Force the net send command to securely run as a different user without exposing elevated credentials?
2. Use a different method to create the popup window?

Thanks for any help...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
RE: [ActiveDir] Notification containing new password

Not to mention illegal, if you're under Sarbanes-Oxley controls, right?

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password
RE: [ActiveDir] Scripting question - Net Send command

Try this:

    dim oWSH, msg
    Set oWSH = CreateObject("WScript.Shell")
    ' sendto and description are set earlier in the page
    msg = "%comspec% /c net send " & sendto & " " & description
    oWSH.Run msg

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Kaiser
Sent: Wednesday, November 03, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting question - Net Send command
FW: [ActiveDir] Scripting question - Net Send command

Oops, had one too many after the sendto... sorry about that. Note to self: read msg before sending...

Rick T. Dale, Computer Services
General Council Credit Union

-----Original Message-----
From: Dale, Rick
Sent: Wednesday, November 03, 2004 1:41 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Scripting question - Net Send command
RE: [ActiveDir] Scripting question - Net Send command

Yeah; that's kinda what I ran into. Two things...

One, if we provide access to net.exe to the IUSR account, how ugly is that hole? If they can run net send, they can run net anything, right? Not sure I like that, but I'm not sure how ugly it really is.

Two, how do we provide the perms on net.exe? I tried copying it to another directory and applying read and execute perms to that directory, but it didn't change anything. Is there a how-to anywhere for us non-IIS gurus?

Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Cornetet
Sent: Wednesday, November 03, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command
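One way to answer Charlie's first question (run the command as a different identity without handing the web account elevated rights or shell access), as an added example that is not code from the thread. The ASP page stops launching processes altogether: it only writes a one-line "target<TAB>message" request into a queue folder on which IUSR_ has write access and nothing else. A scheduled task running as a dedicated, unprivileged service account is the only identity with execute permission on net.exe; it drains the queue, validates every field, and starts net.exe directly rather than through %comspec% /c, so a & or | typed into the web form is data to net.exe instead of an operator to cmd.exe. The folder paths and the 15-character NetBIOS name rule are assumptions of this example.

```powershell
# Added example, not the thread's code. Queue consumer run by a scheduled task
# under a dedicated service account. Paths below are assumptions.
$QueueDir     = 'C:\NotifyQueue\pending'     # IUSR_ : write/create only
$ProcessedDir = 'C:\NotifyQueue\processed'   # service account only

function Test-NetBiosName {
    param([string]$Name)
    # NetBIOS computer/user names: 1-15 characters, letters, digits, hyphen.
    # Spaces, quotes, &, |, \, / and anything else are rejected outright.
    return $Name -match '^[A-Za-z0-9][A-Za-z0-9\-]{0,14}$'
}

function Send-PopupNotification {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$Message
    )
    if (-not (Test-NetBiosName $Target)) {
        throw "Rejected target '$Target': not a valid NetBIOS name"
    }
    if ($Message.Length -gt 128 -or $Message -match '[\x00-\x1F"]') {
        throw 'Rejected message: too long or contains control/quote characters'
    }
    # net.exe is started directly with an argument array. No cmd.exe /c, so
    # the message text is never parsed by a shell.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\net.exe" `
            -ArgumentList @('send', $Target, "`"$Message`"") `
            -NoNewWindow -Wait -PassThru
    return $p.ExitCode
}

function Invoke-NotificationQueue {
    foreach ($file in Get-ChildItem -Path $QueueDir -Filter '*.txt' -File) {
        # First line only; everything after the first tab is the message.
        $fields = (Get-Content -Path $file.FullName -TotalCount 1) -split "`t", 2
        try {
            if ($fields.Count -ne 2) { throw "Malformed request in $($file.Name)" }
            $code = Send-PopupNotification -Target $fields[0] -Message $fields[1]
            Write-Verbose "$($file.Name): sent to $($fields[0]) (exit code $code)"
        }
        catch {
            # Rejected requests are logged, not silently dropped, so abuse is visible.
            Write-Warning "$($file.Name): $_"
        }
        finally {
            Move-Item -Path $file.FullName -Destination $ProcessedDir -Force
        }
    }
}

Invoke-NotificationQueue
```

The privilege split is the point: the web identity can create files but cannot execute anything, the service account can execute net.exe but only ever sees input that has passed the allowlist, and neither account needs the admin credentials that made the original page work from Charlie's workstation. Granting IUSR_ execute on net.exe instead would give every anonymous web request the full net command set, which is the hole Charlie is asking about.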
RE: [ActiveDir] Scripting question - Net Send command

Return Receipt

Your document: RE: [ActiveDir] Scripting question - Net Send command
was received by: Justin Leney/US/DCI
at: 11/03/2004 02:42:55 PM
RE: [ActiveDir] Notification containing new password

I'll go along with ASB and say that it's a bad idea. That being said, rainbow crack and ophcrack take about 30 GB of disk space for the crack files (a full set) and can crack several hundred passwords an hour. There are online websites that present these interfaces, as long as you know the password hash (see pwdump3 for obtaining those).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password
RE: [ActiveDir] Notification containing new password

I noticed the Canadian domain though and figure he has other issues to contend with. EU and US rules and regs aren't likely high among them yet (ofa.on.ca is the sender's domain). But that would likely be true for that and many other regulations around the world.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Wednesday, November 03, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password
RE: [ActiveDir] ProxyAddress Verification Tools

We do our own stuff here too. We have some custom S.DS applications that we use to try to find and fix. Sorry, but I can't share. We also use web apps or other custom code to control what proxyAddresses get set on users, groups and contacts, and thus try to ensure that we don't screw things up anyway. For security principals, we try hard to make sure that cn, sAMAccountName, UPN prefix (if applicable) and SMTP alias (mailNickname) are all the same and meet the validation rules for each of these. This makes life in AD and Exchange much easier.

On this particular note, one thing we recently discovered is that Exchange 2003 hates it when it tries to build the OAB and there are mismatches between the mail attribute and the primary SMTP proxyAddresses value. Spits out many errors and won't build. Exchange 2000 didn't seem to mind this. Hence, that is an additional validation that needs to be performed now (some of you may have already known about this).

I think a joeware tool that could at least detect issues would be greatly helpful. Resolving them automatically is pretty hard, but finding them is more possible. This could even be a pretty efficient app if it worked based on change polling so that it didn't have to scan the entire directory every time, but could just validate the deltas.

The validations we do are duplicate proxyAddresses, invalid SMTP address formats (Exchange is very picky about these. Read the RFC VERY carefully. Most regexes aren't tight enough!), and now mail/proxyAddresses mismatches. Are there others we are missing?

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, November 03, 2004 5:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ProxyAddress Verification Tools

What is the best tool out there that checks and verifies proxyAddresses are good (format and info) and not duplicated in a forest? I have a perl script to do it, but would like something faster and don't really want to write it but will if I have to.

You are verifying your proxyAddresses, right? If not, you might consider it. In my last position at a world class widget factory company that was a huge issue and caused Exchange great stress. We found thousands of issues in the proxyAddresses.

joe
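The three validations Joe K. lists (duplicate proxyAddresses across objects, malformed SMTP addresses, and a mail attribute that disagrees with the primary SMTP: entry), as an added example rather than Joe K.'s S.DS code or a joeware tool. It runs here over constructed sample objects under an assumed DC=example,DC=test naming context; the same function accepts real objects piped from Get-ADObject, as shown in the comment. The format check is structural (one @, dot-atom local part of at most 64 characters, hostname-style labels), deliberately not a claim to the full RFC 5321 grammar the message warns about.

```powershell
# Added example, not Joe K.'s or joeware's code. Detects, does not fix.
# Real use:  Get-ADObject -LDAPFilter '(proxyAddresses=*)' `
#                -Properties mail,proxyAddresses | Test-ProxyAddresses

function Test-SmtpAddressFormat {
    param([string]$Address)
    # Local part: dot-separated runs of atext, no leading/trailing/double dots.
    $atext = '[A-Za-z0-9!#$%&''*+/=?^_`{|}~-]'
    $local = "$atext+(\.$atext+)*"
    # Domain: two or more labels of 1-63 letters/digits/hyphens, no edge hyphens.
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    if ($Address -match "^(?<local>$local)@(?<domain>$label(\.$label)+)$") {
        return ($Matches['local'].Length -le 64) -and ($Address.Length -le 254)
    }
    return $false
}

function Test-ProxyAddresses {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)]$Object)
    begin { $seen = @{} }   # lower-cased address -> DN that first used it
    process {
        $dn      = $Object.DistinguishedName
        $primary = $null
        foreach ($proxy in @($Object.proxyAddresses)) {
            $prefix, $addr = $proxy -split ':', 2
            # Only SMTP entries are checked; X400, X500, SIP etc. are skipped.
            if ($prefix -cne 'SMTP' -and $prefix -cne 'smtp') { continue }
            if ($prefix -ceq 'SMTP') {          # upper-case prefix = primary
                if ($primary) { [pscustomobject]@{ DN = $dn; Check = 'MultiplePrimary'; Value = $proxy } }
                $primary = $addr
            }
            if (-not (Test-SmtpAddressFormat $addr)) {
                [pscustomobject]@{ DN = $dn; Check = 'BadFormat'; Value = $proxy }
            }
            $key = $addr.ToLowerInvariant()     # Exchange treats addresses case-insensitively
            if ($seen.ContainsKey($key) -and $seen[$key] -ne $dn) {
                [pscustomobject]@{ DN = $dn; Check = 'Duplicate'; Value = "$proxy (also on $($seen[$key]))" }
            } else {
                $seen[$key] = $dn
            }
        }
        # The Exchange 2003 OAB problem described above: mail must equal the primary SMTP address.
        if ($primary -and $Object.mail -and ($Object.mail -ine $primary)) {
            [pscustomobject]@{ DN = $dn; Check = 'MailMismatch'; Value = "mail=$($Object.mail) primary=SMTP:$primary" }
        }
    }
}

# Constructed sample objects (not from any real directory).
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Ann,OU=Users,DC=example,DC=test'; mail = 'ann@example.test'
                       proxyAddresses = @('SMTP:ann@example.test', 'smtp:ann.smith@example.test', 'X400:c=us;a= ;p=Example;o=HQ;s=Smith;g=Ann;') }
    [pscustomobject]@{ DistinguishedName = 'CN=Bob,OU=Users,DC=example,DC=test'; mail = 'bob@example.test'
                       proxyAddresses = @('SMTP:bob@example.test', 'smtp:ANN@example.test') }           # reuses Ann's address
    [pscustomobject]@{ DistinguishedName = 'CN=Cat,OU=Users,DC=example,DC=test'; mail = 'cat@example.test'
                       proxyAddresses = @('SMTP:cat.old@example.test', 'smtp:cat..x@example.test') }    # mail mismatch, double dot
)

$sample | Test-ProxyAddresses | Format-Table -AutoSize
```

The duplicate check is the one that needs the whole forest in view, which is why the function keeps one hashtable across the pipeline rather than checking each object on its own; for the change-polling design Joe K. suggests, that table would be seeded from a previous full pass and only the delta objects piped in.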
RE: [ActiveDir] Notification containing new password
Many Canadian companies are affected by stuff like Sarbanes-Oxley, although granted a small shop here in Ontario probably isn't.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

I noticed the Canadian domain though and figure he has other issues to contend with. EU and US rules and regs aren't likely high among them yet (ofa.on.ca is the sender's domain). But that would likely be true for that and many other regulations around the world.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, November 03, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Not to mention illegal, if you're under Sarbanes-Oxley controls, right?

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Yup, you brought it on Deji. :)

To add to the fodder: Keep in mind that passwords are stored in a way that prevents you from getting them back out without cracking them. That's not a foolproof way to gather the data you want. I agree it is a bad idea to do that. However, if you wanted to get them and let them change their own passwords, you would want a web based system that collects the data at the beginning of the cycle. You could then use the web interface to change passwords on other systems as well, providing additional benefit. Something like IISADMPWD in a modified version might be useful for such a solution.

If you haven't heard it enough already, it's a bad idea to collect user passwords though. It defeats a ton of safeguards and puts you at risk for finger pointing etc. Better to just reset passwords and tell the user of their new password should you need to access the services as that user, as suggested by plenty of others on this thread.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, November 03, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Omg, Deji...here we go

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

I don't think there is such a tool natively. I imagine that you could put a web interface on a vbscript where you direct your users to go to when they need to change their passwords. In the code, you will then put in a routine that grabs the value they type in and email it to you.

Now, I will get away quickly before Joe shows up with another why-you-should-not-do-this clue stick (I mean, KB article) :p

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Matthew Crape
Sent: Wed 11/3/2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Notification containing new password

Hi Group,

I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible that I looked over it, and if I did I apologize in advance.

Now, to my question: We are a fairly small shop here (about 40 users) and the traditional way of doing a password change was to collect new passwords from everyone and then I change them in AD as well as in a couple of other places (i.e. like synchronizing them with our non-Exchange mail server). We did this so that in case somebody was away on vacation and we needed to log on to their computer (with their profile) we could do it. It saves the hassle of, say, logging in with a domain account and then manually opening up a PST file or something like that.

I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. We have had numerous issues in the past with people telling us their wrong passwords, so I would like to get it straight from AD if possible. Right now the only solution I can see is cracking all of the passwords, but that isn't the most feasible way. Does anyone know of a solution? Maybe something like an email generated by some sort of script with the new password?

Sorry if this email dragged on for a bit. Any help is appreciated. Thanks.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
RE: [ActiveDir] Notification containing new password
A small Canadian lobby organization likely won't have that issue unless they lobby in the US, right? Or is there something that says a Canadian org needs to comply with US regulations even if they don't do business with a US company?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Wednesday, November 03, 2004 3:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Many Canadian companies are affected by stuff like Sarbanes-Oxley, although granted a small shop here in Ontario probably isn't.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

I noticed the Canadian domain though and figure he has other issues to contend with. EU and US rules and regs aren't likely high among them yet (ofa.on.ca is the sender's domain). But that would likely be true for that and many other regulations around the world.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, November 03, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Not to mention illegal, if you're under Sarbanes-Oxley controls, right?

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Yup, you brought it on Deji. :)

To add to the fodder: Keep in mind that passwords are stored in a way that prevents you from getting them back out without cracking them. That's not a foolproof way to gather the data you want. I agree it is a bad idea to do that. However, if you wanted to get them and let them change their own passwords, you would want a web based system that collects the data at the beginning of the cycle. You could then use the web interface to change passwords on other systems as well, providing additional benefit. Something like IISADMPWD in a modified version might be useful for such a solution.

If you haven't heard it enough already, it's a bad idea to collect user passwords though. It defeats a ton of safeguards and puts you at risk for finger pointing etc. Better to just reset passwords and tell the user of their new password should you need to access the services as that user, as suggested by plenty of others on this thread.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, November 03, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Omg, Deji...here we go

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

I don't think there is such a tool natively. I imagine that you could put a web interface on a vbscript where you direct your users to go to when they need to change their passwords. In the code, you will then put in a routine that grabs the value they type in and email it to you.

Now, I will get away quickly before Joe shows up with another why-you-should-not-do-this clue stick (I mean, KB article) :p

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Matthew Crape
Sent: Wed 11/3/2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Notification containing new password

Hi Group,

I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible that I looked over it, and if I did I apologize in advance.

Now, to my question: We are a fairly small shop here (about 40 users) and the traditional way of doing a password change was to collect new passwords from everyone and then I change them in AD as well as in a couple of other places (i.e. like synchronizing them with our non-Exchange mail server). We did this so that in case somebody was away on vacation and we needed to log on to their computer (with their profile) we could do it. It saves the hassle of, say, logging in with a domain account and then manually opening up a PST file or something like that.

I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. We have had numerous issues in the past with people telling us their wrong passwords, so I would like to get it straight from AD if possible. Right now the only solution I
RE: [ActiveDir] Scripting question - Net Send command
We tried that, too. Still chokes on the WSH.Run line... Same error... Unless the script can run with elevated privileges, it can't run the net command. I'm thinking maybe there's a way to have the script call something else that runs under elevated privileges...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dale, Rick
Sent: Wednesday, November 03, 2004 11:42 AM
To: '[EMAIL PROTECTED]'
Subject: FW: [ActiveDir] Scripting question - Net Send command

Oops, had one too many after the sendto... sorry about that. Note to self: read msg before sending...

Rick T. Dale, Computer Services
General Council Credit Union

-----Original Message-----
From: Dale, Rick
Sent: Wednesday, November 03, 2004 1:41 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Scripting question - Net Send command

Try this:

    ' Run net send through the command interpreter so the shell resolves net.exe
    dim oWSH, msg
    Set oWSH = CreateObject("WScript.Shell")
    msg = "%comspec% /c net send sendto description"
    oWSH.Run msg

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, November 03, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting question - Net Send command

We're porting our old intranet (NT4/IIS4) to a new server (W2K3/IIS6) and have run into an authentication issue that I need some help with. There's a legacy code chunk that does a net send command to create a popup on a user's PC to tell them a new request has come in that they need to deal with. I'd prefer that they used email for this, but apparently checking email regularly is too much trouble for them. They want a pop-up. :-)

The problem is that we can't get Net Send to launch properly. Here's the distilled code:

    <%
    dim oWSH
    Set oWSH = CreateObject("WScript.Shell")
    oWSH.Run "NET SEND test4 testing."
    %>

That is embedded into an ASP file, which is run by a user connecting to a webpage stored on the new IIS server. The rest of the script includes some authentication procedures that identify the logged on user and allow or deny page access based on AD Group membership. If I run it from my workstation, with my admin credentials, it runs fine. If I run it from a PC logged in as a standard user, we get

    Microsoft VBScript runtime error '800a0046'
    Permission denied
    /CNK/ww2.asp, line 4.

Is there a way to:
1. Force the net send command to securely run as a different user without exposing elevated credentials?
2. Use a different method to create the popup window?

Thanks for any help...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Notification containing new password
Hi All,

Me again (the original poster). I wanted to thank you all for backing up what I already believe. I have already asked in the past to abolish the old system, but as of yet that hasn't happened. Also of note is the fact that the password list isn't centralized. For the most part I know all of them off the top of my head, and we keep 1 hard copy in a sealed envelope in a safe (with extremely limited access). Although still not to my liking, it's better than keeping them in a Word document on my desktop though ;)

As for the regulations, I am glad that they were brought up. I am looking into those right now. Anything that I can use to change these habits is more than welcome for my fight.

Thanks again for all these quick and, quite frankly, intelligent posts.

Matt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

A small Canadian lobby organization likely won't have that issue unless they lobby in the US, right? Or is there something that says a Canadian org needs to comply with US regulations even if they don't do business with a US company?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Wednesday, November 03, 2004 3:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Many Canadian companies are affected by stuff like Sarbanes-Oxley, although granted a small shop here in Ontario probably isn't.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

I noticed the Canadian domain though and figure he has other issues to contend with. EU and US rules and regs aren't likely high among them yet (ofa.on.ca is the sender's domain). But that would likely be true for that and many other regulations around the world.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, November 03, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Not to mention illegal, if you're under Sarbanes-Oxley controls, right?

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Yup, you brought it on Deji. :)

To add to the fodder: Keep in mind that passwords are stored in a way that prevents you from getting them back out without cracking them. That's not a foolproof way to gather the data you want. I agree it is a bad idea to do that. However, if you wanted to get them and let them change their own passwords, you would want a web based system that collects the data at the beginning of the cycle. You could then use the web interface to change passwords on other systems as well, providing additional benefit. Something like IISADMPWD in a modified version might be useful for such a solution.

If you haven't heard it enough already, it's a bad idea to collect user passwords though. It defeats a ton of safeguards and puts you at risk for finger pointing etc. Better to just reset passwords and tell the user of their new password should you need to access the services as that user, as suggested by plenty of others on this thread.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, November 03, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Omg, Deji...here we go

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

I don't think there is such a tool natively. I imagine that you could put a web interface on a vbscript where you direct your users to go to when they need to change their passwords. In the code, you will then put in a routine that grabs the value they type in and email it to you.

Now, I will get away quickly before Joe shows up with another why-you-should-not-do-this clue stick (I mean, KB article) :p

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Matthew Crape
Sent: Wed 11/3/2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Notification containing new password

Hi Group,
RE: [ActiveDir] Notification containing new password
You are correct. Canadian companies doing business in the US (and some doing business with US companies) will have to comply with Sarbanes-Oxley. A Canadian company only doing business in Canada won't.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

A small Canadian lobby organization likely won't have that issue unless they lobby in the US, right? Or is there something that says a Canadian org needs to comply with US regulations even if they don't do business with a US company?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Wednesday, November 03, 2004 3:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Many Canadian companies are affected by stuff like Sarbanes-Oxley, although granted a small shop here in Ontario probably isn't.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

I noticed the Canadian domain though and figure he has other issues to contend with. EU and US rules and regs aren't likely high among them yet (ofa.on.ca is the sender's domain). But that would likely be true for that and many other regulations around the world.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, November 03, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Not to mention illegal, if you're under Sarbanes-Oxley controls, right?

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Yup, you brought it on Deji. :)

To add to the fodder: Keep in mind that passwords are stored in a way that prevents you from getting them back out without cracking them. That's not a foolproof way to gather the data you want. I agree it is a bad idea to do that. However, if you wanted to get them and let them change their own passwords, you would want a web based system that collects the data at the beginning of the cycle. You could then use the web interface to change passwords on other systems as well, providing additional benefit. Something like IISADMPWD in a modified version might be useful for such a solution.

If you haven't heard it enough already, it's a bad idea to collect user passwords though. It defeats a ton of safeguards and puts you at risk for finger pointing etc. Better to just reset passwords and tell the user of their new password should you need to access the services as that user, as suggested by plenty of others on this thread.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, November 03, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Omg, Deji...here we go

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

I don't think there is such a tool natively. I imagine that you could put a web interface on a vbscript where you direct your users to go to when they need to change their passwords. In the code, you will then put in a routine that grabs the value they type in and email it to you.

Now, I will get away quickly before Joe shows up with another why-you-should-not-do-this clue stick (I mean, KB article) :p

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Matthew Crape
Sent: Wed 11/3/2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Notification containing new password

Hi Group,

I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible that I looked over it, and if I did I apologize in advance.

Now, to my question: We are a fairly small shop here (about 40 users) and the traditional way of doing a password change was to collect new passwords from everyone and then I change them in AD as well as in a couple of other places (i.e. like synchronizing them with our non-Exchange mail server). We did this so that in case somebody was away on vacation and we needed to log on to their
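The "reset it, don't collect it" procedure that Al and others recommend in this thread, written up as an added example (it is not code from any poster): the admin resets the account to a random interim password, forces a change at next logon so the interim value is single-use, and records who reset what and why without ever writing the password down. It assumes the ActiveDirectory PowerShell module, an operator with the Reset Password right on the target users, and a placeholder log path; the account name 'jdoe' is a constructed sample.

```powershell
# Added example (not from the thread): reset instead of collecting passwords.
# Assumes the ActiveDirectory module and Reset Password rights on the target.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 16)
    # Upper, lower, digit and symbol classes so the default AD complexity policy
    # is met; visually confusable characters (0/O, 1/l/I) are left out because
    # the value is read to the user over the phone or in person.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $one   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # rejection bound: no modulo bias
    do {
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; ) {
            $rng.GetBytes($one)
            if ($one[0] -lt $limit) { $chars[$i] = $alphabet[$one[0] % $alphabet.Length]; $i++ }
        }
        $candidate = -join $chars
        # Retry until every class is present (rare miss, but policy would reject it).
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
             $candidate -match '\d' -and $candidate -match '[^A-Za-z0-9]')
    return $candidate
}

function Reset-UserPasswordForAccess {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Reason,
        [string]$AuditLog = 'C:\Logs\password-resets.log'   # placeholder path
    )
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # A reset (unlike a change) needs no knowledge of the old password; it uses
    # the operator's delegated Reset Password right, so nothing is collected.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure

    # Make the interim password single-use: the user sets their own at next
    # logon, so nobody on the IT side knows the long-term password.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Record who reset which account and why. The password itself is never
    # logged; on current Windows the DC security log (event 4724) records the
    # reset independently of this file.
    $line = '{0:o} actor={1} target={2} reason="{3}"' -f (Get-Date), $env:USERNAME, $SamAccountName, $Reason
    Add-Content -Path $AuditLog -Value $line

    # Hand the value to the caller once; deliver it to the user out of band.
    return $plain
}

# Usage with a constructed sample account: the operator gets the interim
# password for the agreed task and tells the user, who then picks a fresh one.
$interim = Reset-UserPasswordForAccess -SamAccountName 'jdoe' -Reason 'access to mailbox profile while user is on leave'
```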
RE: [ActiveDir] Scripting question - Net Send command
That was my thought; I'd prefer not to have IUSR running that type of executable. Any pointers towards how we could run it in another account context? I thought about RunAs, but didn't want to pass pwds in an asp script... Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 12:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command

It's an ugly hole. My option would be to have the tool run in the context of another account (like a service account).

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Wed 11/3/2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command

Yeah; that's kinda what I ran into. Two things...

One, if we provide access to net.exe to the IUSR account, how ugly is that hole? If they can run net send, they can run net anything, right? Not sure I like that, but I'm not sure how ugly it really is.

Two, how do we provide the perms on net.exe? I tried copying it to another directory and applying read and execute perms to that directory, but it didn't change anything. Is there a how-to anywhere for us non-IIS gurus?

Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, November 03, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command

As a security feature on w2k3, the IUSR_ user id has no permissions to any files (including net.exe). Either give the IUSR_ account permissions to net.exe, or configure the web site to run under a user id that has permission.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, November 03, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting question - Net Send command

We're porting our old intranet (NT4/IIS4) to a new server (W2K3/IIS6) and have run into an authentication issue that I need some help with. There's a legacy code chunk that does a net send command to create a popup on a user's PC to tell them a new request has come in that they need to deal with. I'd prefer that they used email for this, but apparently checking email regularly is too much trouble for them. They want a pop-up. :-)

The problem is that we can't get Net Send to launch properly. Here's the distilled code:

    <%
    dim oWSH
    Set oWSH = CreateObject("WScript.Shell")
    oWSH.Run "NET SEND test4 testing."
    %>

That is embedded into an ASP file, which is run by a user connecting to a webpage stored on the new IIS server. The rest of the script includes some authentication procedures that identify the logged on user and allow or deny page access based on AD Group membership. If I run it from my workstation, with my admin credentials, it runs fine. If I run it from a PC logged in as a standard user, we get

    Microsoft VBScript runtime error '800a0046'
    Permission denied
    /CNK/ww2.asp, line 4.

Is there a way to:
1. Force the net send command to securely run as a different user without exposing elevated credentials?
2. Use a different method to create the popup window?

Thanks for any help...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Scripting question - Net Send command
Create a virtual directory for the web page, and configure it to run as the local or domain user of your choice.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, November 03, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command

That was my thought; I'd prefer not to have IUSR running that type of executable. Any pointers towards how we could run it in another account context? I thought about RunAs, but didn't want to pass pwds in an asp script... Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 12:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command

It's an ugly hole. My option would be to have the tool run in the context of another account (like a service account).

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Wed 11/3/2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command

Yeah; that's kinda what I ran into. Two things...

One, if we provide access to net.exe to the IUSR account, how ugly is that hole? If they can run net send, they can run net anything, right? Not sure I like that, but I'm not sure how ugly it really is.

Two, how do we provide the perms on net.exe? I tried copying it to another directory and applying read and execute perms to that directory, but it didn't change anything. Is there a how-to anywhere for us non-IIS gurus?

Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, November 03, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command

As a security feature on w2k3, the IUSR_ user id has no permissions to any files (including net.exe). Either give the IUSR_ account permissions to net.exe, or configure the web site to run under a user id that has permission.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, November 03, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting question - Net Send command

We're porting our old intranet (NT4/IIS4) to a new server (W2K3/IIS6) and have run into an authentication issue that I need some help with. There's a legacy code chunk that does a net send command to create a popup on a user's PC to tell them a new request has come in that they need to deal with. I'd prefer that they used email for this, but apparently checking email regularly is too much trouble for them. They want a pop-up. :-)

The problem is that we can't get Net Send to launch properly. Here's the distilled code:

    <%
    dim oWSH
    Set oWSH = CreateObject("WScript.Shell")
    oWSH.Run "NET SEND test4 testing."
    %>

That is embedded into an ASP file, which is run by a user connecting to a webpage stored on the new IIS server. The rest of the script includes some authentication procedures that identify the logged on user and allow or deny page access based on AD Group membership. If I run it from my workstation, with my admin credentials, it runs fine. If I run it from a PC logged in as a standard user, we get

    Microsoft VBScript runtime error '800a0046'
    Permission denied
    /CNK/ww2.asp, line 4.

Is there a way to:
1. Force the net send command to securely run as a different user without exposing elevated credentials?
2. Use a different method to create the popup window?

Thanks for any help...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
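Ken's suggestion in working form, as an added example that is not code from the thread: the notification page gets its own virtual directory whose anonymous identity is a dedicated low-privilege domain account, so the ASP runs net.exe as that account and neither IUSR_* gets new rights nor does a password appear in the ASP source (IIS 6 keeps it encrypted in the metabase). It uses adsutil.vbs, the metabase script that ships with IIS 6 in Inetpub\AdminScripts; the account CORP\svc-netsend, the vdir name "notify" and the path D:\Intranet\notify are assumptions.

```powershell
# Added example (not from the thread): run one vdir under a service account on
# IIS 6 instead of loosening net.exe for IUSR_*. Run on the IIS host as an admin.
# CORP\svc-netsend, the "notify" vdir and D:\Intranet\notify are assumptions.
$adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'
$vdir    = 'W3SVC/1/ROOT/notify'      # site id 1 = Default Web Site
$svcAcct = 'CORP\svc-netsend'         # plain Domain User: no admin rights,
                                      # deny interactive logon via GPO
$svcPass = Read-Host 'Service account password' -AsSecureString

function Invoke-Adsutil {
    # Thin wrapper so every metabase write goes through the same call.
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$Arguments)
    & cscript //nologo $adsutil @Arguments
}

# 1. A vdir that holds only the notification page, with Read + Script (513)
#    access: no Execute and no Write, so the directory cannot host uploads.
Invoke-Adsutil CREATE $vdir IIsWebVirtualDir
Invoke-Adsutil SET "$vdir/Path" 'D:\Intranet\notify'
Invoke-Adsutil SET "$vdir/AccessFlags" 513

# 2. Anonymous requests to this vdir run as the service account, not IUSR_*.
#    AnonymousPasswordSync is turned off because IIS is no longer managing
#    the password of a local IUSR account.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($svcPass)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
try {
    Invoke-Adsutil SET "$vdir/AnonymousPasswordSync" FALSE
    Invoke-Adsutil SET "$vdir/AnonymousUserName" $svcAcct
    Invoke-Adsutil SET "$vdir/AnonymousUserPass" $plain
} finally {
    # Scrub the plaintext copy as soon as the metabase has it.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}

# 3. Verify: the identity the page will run under, and that the rest of the
#    site still uses the default IUSR_* account.
Invoke-Adsutil GET "$vdir/AnonymousUserName"
Invoke-Adsutil GET 'W3SVC/1/ROOT/AnonymousUserName'
```

A normal domain user already has read/execute on %SystemRoot%\System32\net.exe through BUILTIN\Users, so no ACL change on net.exe is needed; the blast radius of "they can run net anything" is now bounded by what that one account is allowed to do.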
Re: [ActiveDir] login scripts
The issue was one of time. The workstations were setting their clocks via one server and the servers another. They got out of sync enough that workstations were using cached creds. Running the scripts off of the netlogon share worked fine. Once we had everyone syncing from the same place all was good.

Jordan

On Tue, 2 Nov 2004 09:38:42 -0500, ASB [EMAIL PROTECTED] wrote:

What does your script look like? Have you considered running the logon scripts via GPO?

http://www.ultratech-llc.com/KB/?File=LogonScripts.TXT
http://www.ultratech-llc.com/KB/?File=GroupPol.TXT

- ASB
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/

On Mon, 1 Nov 2004 14:35:41 -0600, Jordan Arendt [EMAIL PROTECTED] wrote:

We've recently upgraded from NT 4 to 2K3. Our logon scripts have stopped running on clients. Logon scripts are specified in ADUC in the profile tab of each user. When I logon to my XP machine the scripts do not run. When I logon to a server through RDP, they do run. I was thinking GPO, but only the default domain policy is currently applied, and it is applied to both the servers OU and the OU my PC is in.

I've looked at the following:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329709 (this is not the case, my netlogon shares point to the correct place)
and
http://support.microsoft.com/default.aspx?scid=kb;en-us;302104
I made the suggested changes, to no avail.

Anyone have any suggestions? Thanks in Advance.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Write Cache Enabled
Thanks Al, thought I was doing it correctly and had spoken to the company that the Server was bought off and who set it up. They stated it should be like I have done, just as you have.

A long shot, but it would not have anything to do with having to be disabled before I made it a DC would it? The server is a data share server only but also a DC.

I believe that it has a graphics card problem. This will be resolved very soon. Log files to date have looked fine to me but will be further investigating.

Rodney

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, 4 November 2004 1:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Write Cache Enabled

Not sure why yours wouldn't take when set.

NOTE: You want to be careful mucking about at that level with a production machine as you want to ensure that you aren't going to cause any low-level issues when making changes. Check with your hardware vendor to find out what is needed to disable the on-disk caching.

The way you're doing this should have worked just fine, but you might have a BIOS fix or something that needs to be taken into consideration. You may also want to check the log files to see if something else is going on.

Here's a reference for how it's expected to be done:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q259716

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Tuesday, November 02, 2004 7:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Write Cache Enabled

Al,

Thank you very much for your comprehensive response. I am currently in the process of trying to disable Write Cache. I have managed to do it via the Adaptec software but for some reason Windows still states that it is enabled. I go into System Manager - Devices - Hard Disks - Properties. In the properties I select Disk Properties and there is a tick next to Write Cache Enabled. I remove the tick and save and then go back in and the tick is still there.

Any ideas? If you need more info I will supply whatever is needed.

Rodney

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, 3 November 2004 1:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Write Cache Enabled

http://www.webopedia.com/TERM/d/disk_cache.html is a reference for what it is.

Disk cache is a very dangerous thing when it comes to JET DB technology. The reason is that if the disk device loses power, or corrupts before it can commit to media, then you lose that bit of data, likely corrupting the db. If the db is not so far gone that it can't replicate, your problems get worse. You should see SAN implementations of DC's and the conversations it generates ;)

On-disk caching is a way for vendors to squeeze a little more speed out of the platters. Consider two 15K SCSI drives. One provides 10us write commit time (for example) while the other provides 2us write commit time. The difference? Cache. If you can commit to cache vs. the platter, it's much much faster as you buffer the writes until the platter is in an optimal position to write to media. Great for applications that are random r/w types with heavy or equal write signatures, i.e. file and print applications or presentation applications.

JET db technology can be very disk IO intensive. That's because it's a two-phase commit database technology; a good one too. But as you scale the database you tend to have more disk activity as more and more transactions take place. Microsoft has gotten quite good at figuring out what works and what doesn't and one thing they've learned is when to use JET DB technology; a typical JET db deployment is likely to be more read-intensive than it is write-intensive. A good application for JET technology is something that has at least a 2.5 or 3:1 read/write signature. The more read-intensive, the more likely that JET technology will be a good fit. Sound like an application you're familiar with?

LDAP is a read-intensive application by design and great read response is required to scale it successfully. Active Directory would be an example of an LDAP database that needs great read performance with some write performance. Some implementations of LDAP have adapted other db technology, such as DB2, Oracle, etc. to house their LDAP data stores. Microsoft chose their JET (JET Blue if I recall correctly, but don't quote me) engine.

Since JET DB applications tend to be very read-intensive, the risk/reward of disk cache is not in your favor. Your better bet is to give the application the amount of spindles required to gain the IOPS needed to satisfy the performance needs of your application. In the case of Active Directory, separate the IO types to gain better performance (sequential IO on one set of dedicated spindles being your biggest performance booster) etc. Don't be fooled by the use of
RE: [ActiveDir] Write Cache Enabled
I wouldn't think it has to be disabled prior. I honestly don't know the answer to that though.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Wednesday, November 03, 2004 5:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Write Cache Enabled

Thanks Al, thought I was doing it correctly and had spoken to the company that the Server was bought off and who set it up. They stated it should be like I have done, just as you have.

A long shot, but it would not have anything to do with having to be disabled before I made it a DC would it? The server is a data share server only but also a DC.

I believe that it has a graphics card problem. This will be resolved very soon. Log files to date have looked fine to me but will be further investigating.

Rodney
RE: [ActiveDir] Notification containing new password
Dragging out obligatory stick

Whap whap whap whap.

There is no good reason to do this. Honestly. If you really need it you can crack most passwords very quickly with rainbow tables but you really don't need it if you are the admin, you reset the password. That way, anyone you tag knows you had access to their stuff. If you just need access to company docs when the person is on vacation, put the info on servers in project areas where the person and their backup have access to the files.

If you openly have the passwords there is nothing to stop someone from blaming you for doing something as them unless you have the most incredible auditing imaginable and you are on Windows and don't have that logging. No, you don't have that logging. No.

One other thing I would point out, if you can memorize all of the users' passwords, those are sucky passwords or you have a photographic memory.

I know that security may seem more like a burden to your company than anything, but weak passwords and documented clear text passwords anywhere are extremely bad and dangerous and could be a cause of loss or tampering of data of your company.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

I don't think there is such a tool natively. I imagine that you could put a web interface on a vbscript where you direct your users to go to when they need to change their passwords. In the code, you will then put in a routine that grabs the value they type in and emails it to you.

Now, I will get away quickly before Joe shows up with another why-you-should-not-do-this clue stick (I mean, KB article) :p

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Matthew Crape
Sent: Wed 11/3/2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Notification containing new password

Hi Group,

I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible that I looked over it, and if I did I apologize in advance. Now, to my question:

We are a fairly small shop here (about 40 users) and the traditional way of doing a password change was to collect new passwords from everyone and then I change them in AD as well as in a couple of other places (i.e. like synchronizing them with our non-Exchange mail server). We did this so that in case somebody was away on vacation and we needed to log on to their computer (with their profile) we could do it. It saves the hassle of, say, logging in with a domain account and then manually opening up a PST file or something like that.

I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. We have had numerous issues in the past with people telling us their wrong passwords, so I would like to get it straight from AD if possible. Right now the only solution I can see is cracking all of the passwords, but that isn't the most feasible way.

Does anyone know of a solution? Maybe something like an email generated by some sort of script with the new password?

Sorry if this email dragged on for a bit. Any help is appreciated.

Thanks.
Re: [ActiveDir] Notification containing new password
They used to track passwords here at a time before my arrival. And most users had the same 4 character password! Needless to say there is now a password policy that encourages the use of passphrases (passwords are bad, evil things). With the minimum password length we have set, users have to use a passphrase. They can remember "My dog's name is Red Rover" easily and no amount of current computing power of rainbow tables.

For any user that attempts to tell me their password/passphrase, I tell them that if they do I will logon as them and send an eMail to the entire company (as them) inviting everyone to an adult toy party at their house this Friday night.

----- Original Message -----
From: ASB [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 10:34 AM
Subject: Re: [ActiveDir] Notification containing new password

~ I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. ~

ALARM! ALARM!!

I don't *ever* want to know someone else's password. I don't *ever* want someone else to have reason to believe that I have their password, as this violates all sorts of security principles. This violates the whole purpose of having a password in the first place.

If I ever need to get into an end-user system as their specific account, when they happen to be unavailable, I'll change their password at that time. (Ensuring that I have good key recovery in place for EFS usage)

Suffice it to say, your plan has Bad-Idea written all over it. I would highly recommend that you pursue a different course of action.

~ Does anyone know of a solution? Maybe something like an email generated by some sort of script with the new password? ~

This only sounds worse...

Not incidentally, the NET USER /RANDOM command supports the generation of random passwords.

- ASB
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/
RE: [ActiveDir] Scripting question - Net Send command
Those popups are simply mailslot messages. You might be able to find a bit of perl or (doubtfully) vbscript to do that directly.

The one thing I really wanted to say is that those messages aren't guaranteed, you might push in that direction to your management. If it is important for the people to get the messages you should use some method that you can

1. Verify when they got the message
2. Pretty much guarantee they got it

The NET SEND messages don't fit either category.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, November 03, 2004 10:42 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting question - Net Send command

We're porting our old intranet (NT4/IIS4) to a new server (W2K3/IIS6) and have run into an authentication issue that I need some help with. There's a legacy code chunk that does a net send command to create a popup on a user's PC to tell them a new request has come in that they need to deal with. I'd prefer that they used email for this, but apparently checking email regularly is too much trouble for them. They want a pop-up. :-)

The problem is that we can't get Net Send to launch properly. Here's the distilled code:

<%
dim oWSH
Set oWSH = CreateObject("WScript.Shell")
oWSH.Run "NET SEND test4 testing."
%>

That is embedded into an ASP file, which is run by a user connecting to a webpage stored on the new IIS server. The rest of the script includes some authentication procedures that identify the logged on user and allow or deny page access based on AD Group membership.

If I run it from my workstation, with my admin credentials, it runs fine. If I run it from a PC logged in as a standard user, we get

Microsoft VBScript runtime error '800a0046'
Permission denied
/CNK/ww2.asp, line 4.

Is there a way to:

1. Force the net send command to securely run as a different user without exposing elevated credentials?
2. Use a different method to create the popup window?

Thanks for any help...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
Re: [ActiveDir] Notification containing new password
mutter

Someday I'll learn to type in complete sentences.

They can remember "My dog's name is Red Rover" easily and no amount of current computing power can crack it even with rainbow tables.

----- Original Message -----
From: Doug Hampshire [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 3:39 PM
Subject: Re: [ActiveDir] Notification containing new password

They used to track passwords here at a time before my arrival. And most users had the same 4 character password! Needless to say there is now a password policy that encourages the use of passphrases (passwords are bad, evil things). With the minimum password length we have set, users have to use a passphrase. They can remember "My dog's name is Red Rover" easily and no amount of current computing power of rainbow tables.

For any user that attempts to tell me their password/passphrase, I tell them that if they do I will logon as them and send an eMail to the entire company (as them) inviting everyone to an adult toy party at their house this Friday night.
RE: [ActiveDir] ProxyAddress Verification Tools
Verify as in verify that garbage isn't in the proxyaddresses field. What does that mean to me? Things I have commonly seen:

1. Values that mean nothing (i.e. value but no label), like say the whole value is @domain.com or alice or something else silly.
2. A label but no value, like SMTP: or X400:
3. Duped labels like X400:X400
4. Duplicate addresses, x400 or smtp or ms or ccmail or ? Any dupes are bad. At the Widget factory we had 50+ conference room mailboxes sharing x400 addresses that were migrated from 5.5, it was a mess. Whether that was due to the special provisioning and such or something in the migration I never heard and not sure anyone figured it out, I identified them, they fixed them.
5. Invalid characters in smtp addresses like spaces, unicode, special characters.
6. Invalid smtp address format like [EMAIL PROTECTED]@joeware.net or joe@
7. Invalid x400... Though this one I have had to do manually in terms of what the proper values for the pieces are, would like to work that out programmatically as well to make it more generic. Also what characters aren't valid for x400?

Then there is bloat, like having SNADS or PROFS or CCMAIL or MSMAIL entries and you only have Exchange email.

Most of this could be attributed to provisioning systems gone bad or bad scripts or people just putting garbage in through interfaces that allow it (proxyAddresses is simply a MV attribute in AD). I wouldn't put it past the system in various versions making a mistake and putting something there. I haven't known of anything in particular doing it but have run into occasions where there was no other simple explanation and it could never be duplicated using any methods allegedly being used.

I don't think the Best Practices Analyzer does it though I should positively rule it out.

It seems as a rule AD tends to get messy as most people aren't looking at cleaning it up. The Exchange attributes seem to be even more ripe in some environments because people are positively afraid to touch anything in the Exchange attributes.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 7:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ProxyAddress Verification Tools

When you say verify, what do you mean exactly? That means multiple things to me, such as whether one was created, whether there are dups, whether it conforms to the naming standards, and so on. Can you provide some boundaries?

Personally, I haven't seen anything that does this as a tool. Although it's expected that this is built in to the creation process, there are ways this can get messed up and there are ways to circumvent even the safe-guards built into the Exchange product. There are ways to prevent it as well such as having a good system of unique id's for user LHS of the SMTP addresses etc. In practice, you never see users with unfriendly smtp addresses for very long though :)

Haven't looked at the new health checker to see if it identifies proxy-address issues. Probably should.

I would think a perl or vbscript with regular expressions would be helpful, but for dups it would require a little more effort to catch before monitoring does especially in a large environment. Some sort of database app would be most efficient I would think.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 03, 2004 6:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ProxyAddress Verification Tools

What is the best tool out there that checks and verifies proxyaddresses are good (format and info) and not duplicated in a forest? I have a perl script to do it, but would like something faster and don't really want to write it but will if I have to.

You are verifying your proxyaddresses right? If not, you might consider it. In my last position at a world class widget factory company that was a huge issue and caused Exchange great stress. We found thousands of issues in the proxyaddresses.

joe
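As an added example (not joe's perl script nor any tool from this thread), the garbage classes listed above expressed as a small Python validator run over a constructed proxyAddresses export: label missing, label without value, duped label, cross-object duplicates, invalid SMTP characters and format, and legacy-connector bloat. The label sets, the SMTP regex and the rule that each object carries exactly one upper-case SMTP: primary are assumptions made here, not rules stated in the thread.

```python
import re
from collections import defaultdict

# Address types commonly seen in proxyAddresses (assumed set, extend as needed).
KNOWN_LABELS = {"SMTP", "X400", "X500", "MS", "CCMAIL", "NOTES", "PROFS", "SNADS", "MSMAIL", "SIP"}
# Legacy connectors that are bloat in an Exchange-only shop (joe's list above).
LEGACY_LABELS = {"SNADS", "PROFS", "CCMAIL", "MSMAIL"}

# Conservative SMTP address shape: ASCII local part, dotted ASCII domain (constructed regex).
SMTP_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+"
    r"@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)


def check_value(value):
    """Return the list of problems found in one proxyAddresses value."""
    problems = []
    label, sep, addr = value.partition(":")
    if not sep or not label:
        return ["no label"]                     # '@domain.com', 'alice', ':foo'
    if not addr:
        return ["label but no value"]           # 'SMTP:', 'X400:'
    if addr.split(":", 1)[0].upper() == label.upper():
        problems.append("duplicated label")     # 'X400:X400:c=US;...'
    if label.upper() not in KNOWN_LABELS:
        problems.append(f"unknown label {label!r}")
    if label.upper() == "SMTP":
        if not addr.isascii() or any(c.isspace() for c in addr):
            problems.append("invalid characters in smtp address")  # spaces, unicode
        elif addr.count("@") != 1 or not SMTP_RE.match(addr):
            problems.append("invalid smtp address format")         # 'joe@', 'a@b@c'
    return problems


def check_directory(objects):
    """objects maps DN -> list of proxyAddresses values.

    Returns DN -> list of problem strings, covering per-value defects,
    cross-object duplicates, legacy bloat and the primary-SMTP count.
    """
    report = defaultdict(list)
    owners = defaultdict(list)   # (LABEL, address lower-cased) -> [DN, ...]
    for dn, values in objects.items():
        primaries = 0
        for value in values:
            for problem in check_value(value):
                report[dn].append(f"{value!r}: {problem}")
            label, _, addr = value.partition(":")
            if label.upper() in LEGACY_LABELS:
                report[dn].append(f"{value!r}: legacy address type (bloat)")
            if label and addr:
                if label == "SMTP":          # upper-case SMTP: marks the primary (assumed convention)
                    primaries += 1
                owners[(label.upper(), addr.lower())].append(dn)
        if primaries != 1:
            report[dn].append(f"{primaries} primary SMTP addresses (expected exactly 1)")
    # Duplicates are compared case-insensitively across every object in the export.
    for (label, addr), dns in owners.items():
        if len(dns) > 1:
            for dn in dns:
                report[dn].append(f"{label}:{addr} duplicated on {len(dns)} objects")
    return dict(report)


# Constructed sample export (not real directory data).
SAMPLE = {
    "CN=Alice,OU=Users,DC=example,DC=com": [
        "SMTP:alice@example.com", "smtp:alice.smith@example.com",
        "X400:c=US;a= ;p=Example;o=Exchange;s=Smith;g=Alice;",
    ],
    "CN=Bob,OU=Users,DC=example,DC=com": [
        "SMTP:bob@example.com", "smtp:alice@example.com",       # shares Alice's primary
    ],
    "CN=Room1,OU=Rooms,DC=example,DC=com": [
        "SMTP:room1@example.com",
        "X400:X400:c=US;a= ;p=Example;o=Exchange;s=Room1;",     # duped label
    ],
    "CN=Carol,OU=Users,DC=example,DC=com": [
        "smtp:carol@example.com", "SMTP:", "@example.com",
        "smtp:carol smith@example.com", "CCMAIL:Carol Smith at Example",
    ],
    "CN=Dave,OU=Users,DC=example,DC=com": [
        "SMTP:dave@example.com", "SMTP:dave@@example.com",       # two primaries, bad format
    ],
}

if __name__ == "__main__":
    for dn, problems in sorted(check_directory(SAMPLE).items()):
        print(dn)
        for problem in problems:
            print("   ", problem)
```

Feeding it a real export (for example the output of an LDAP query for proxyAddresses over the forest, one object per DN) gives a per-object cleanup list; the x400 component checks joe mentions in item 7 are not attempted here.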
RE: [ActiveDir] Notification containing new password
I would sort of agree on the rainbow table unless someone builds some tables where the tokens are words instead of characters. Some of the recent chatter on FD makes me wonder if someone is going to start doing that. Of course the intermixing of CAPS helps tremendously. I would still recommend mixing character cases, numbers, and special chars into the mix. If you, for instance, have your password policy set to 25+ characters an intelligent hacking system could automatically go into Word Token mode instead of character token mode. At least if I wrote a cracker that is what it would do.

My personal choice would be to set the domain policy to password length of 1 character min and then enforce something like 15-20-25 via password filter. The downside is obviously the horrible system of passing back information to the client when a password fails complexity rules... I.E. It doesn't pass back anything useful for custom filters.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Hampshire
Sent: Wednesday, November 03, 2004 4:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Notification containing new password

mutter

Someday I'll learn to type in complete sentences.

They can remember "My dog's name is Red Rover" easily and no amount of current computing power can crack it even with rainbow tables.
RE: [ActiveDir] Notification containing new password
BTW, I loved this piece: "... them that if they do I will logon as them and send an eMail to the entire company (as them) inviting everyone to an adult toy party at their house this Friday night."

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Hampshire
Sent: Wednesday, November 03, 2004 4:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Notification containing new password

*mutter* Someday I'll learn to type in complete sentences.

They can remember "My dog's name is Red Rover" easily and no amount of current computing power can crack it even with rainbow tables.

----- Original Message -----
From: Doug Hampshire [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 3:39 PM
Subject: Re: [ActiveDir] Notification containing new password

They used to track passwords here at a time before my arrival. And most users had the same 4 character password! Needless to say there is now a password policy that encourages the use of passphrases (passwords are bad, evil things). With the minimum password length we have set, users have to use a passphrase. They can remember "My dog's name is Red Rover" easily and no amount of current computing power of rainbow tables.

For any user that attempts to tell me their password/passphrase, I tell them that if they do I will logon as them and send an eMail to the entire company (as them) inviting everyone to an adult toy party at their house this Friday night.

----- Original Message -----
From: ASB [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 10:34 AM
Subject: Re: [ActiveDir] Notification containing new password

~ I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. ~

ALARM! ALARM!!

I don't *ever* want to know someone else's password. I don't *ever* want someone else to have reason to believe that I have their password, as this violates all sorts of security principles. This violates the whole purpose of having a password in the first place.

If I ever need to get into an end-user system as their specific account, when they happen to be unavailable, I'll change their password at that time. (Ensuring that I have good key recovery in place for EFS usage.)

Suffice it to say, your plan has Bad-Idea(TM) written all over it. I would highly recommend that you pursue a different course of action.

~ Does anyone know of a solution? Maybe something like an email generated by some sort of script with the new password? ~

This only sounds worse...

Not incidentally, the NET USER /RANDOM command supports the generation of random passwords.

- ASB
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/

On Wed, 3 Nov 2004 13:21:39 -0500, Matthew Crape [EMAIL PROTECTED] wrote:

Hi Group,

I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible that I looked over it, and if I did I apologize in advance. Now, to my question:

We are a fairly small shop here (about 40 users) and the traditional way of doing a password change was to collect new passwords from everyone and then I change them in AD as well as in a couple of other places (i.e. like synchronizing them with our non-Exchange mail server). We did this so that in case somebody was away on vacation and we needed to log on to their computer (with their profile) we could do it. It saves the hassle of, say, logging in with a domain account and then manually opening up a PST file or something like that.

I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. We have had numerous issues in the past with people telling us their wrong passwords, so I would like to get it straight from AD if possible. Right now the only solution I can see is cracking all of the passwords, but that isn't the most feasible way.

Does anyone know of a solution? Maybe something like an email generated by some sort of script with the new password?

Sorry if this email dragged on for a bit. Any help is appreciated. Thanks.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
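The model ASB argues for (the administrator never learns a standing password; when access to an account is genuinely needed, reset it, use it, and make the user change it at next logon) as an added PowerShell example. This is not code from the thread: it assumes the RSAT ActiveDirectory module, which post-dates the 2004 tooling discussed (NET USER /RANDOM was the era's equivalent), and 'jdoe' is a hypothetical account.

```powershell
# Added example, not from the original thread. The administrator resets the
# password to a random value and forces a change at next logon, so the value
# the administrator knows stops working the first time the user signs in.
# Assumes the RSAT ActiveDirectory module; 'jdoe' is a hypothetical account.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 20)
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_=+'.ToCharArray()
    # Largest multiple of the alphabet size that fits in a byte. Random bytes at
    # or above it are discarded (rejection sampling) so no character is favoured
    # by modulo bias.
    $limit = 256 - (256 % $alphabet.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars
}

function Reset-ForTemporaryAccess {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # -Reset sets a new password without knowing the old one. It needs the
    # "Reset password" right on the object and leaves an audit trail on the DC
    # (event 4724 on current Windows; 628 on Server 2003).
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # The user must pick a new password at next logon, so the value returned
    # below is only good until then.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    return $plain
}

# Usage (hypothetical account): log on with the returned value, do the work,
# and the user's next interactive logon retires it.
$temp = Reset-ForTemporaryAccess -SamAccountName 'jdoe'
```

ASB's EFS remark applies exactly to this path: an administrative reset, unlike a change made by the user, does not re-key the user's DPAPI master key. For a domain account the domain controller holds a backup key so EFS files and stored credentials survive the reset; on a standalone machine they do not, which is why a recovery agent needs to be in place before a reset is relied on.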
RE: [ActiveDir] Scripting question - Net Send command
Well runas doesn't script well but obviously you could use cpau or something else like that. However, MS did some funky things around that so if the context that would fire it is localsystem, it will fail due to how MS implemented the backend of the API.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, November 03, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command

That was my thought; I'd prefer not to have IUSR running that type of executable. Any pointers towards how we could run it in another account context? I thought about RunAs, but didn't want to pass pwds in an asp script...

Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 12:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command

It's an ugly hole. My option would be to have the tool run in the context of another account (like a service account).

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Wed 11/3/2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command

Yeah; that's kinda what I ran into. Two things...

One, if we provide access to net.exe to the IUSR account, how ugly is that hole? If they can run net send, they can run net anything, right? Not sure I like that, but I'm not sure how ugly it really is.

Two, how do we provide the perms on net.exe? I tried copying it to another directory and applying read and execute perms to that directory, but it didn't change anything. Is there a how-to anywhere for us non-IIS gurus?

Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, November 03, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command

As a security feature on w2k3, the IUSR_ user id has no permissions to any files (including net.exe). Either give the IUSR_ account permissions to net.exe, or configure the web site to run under a user id that has permission.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, November 03, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting question - Net Send command

We're porting our old intranet (NT4/IIS4) to a new server (W2K3/IIS6) and have run into an authentication issue that I need some help with. There's a legacy code chunk that does a net send command to create a popup on a user's PC to tell them a new request has come in that they need to deal with. I'd prefer that they used email for this, but apparently checking email regularly is too much trouble for them. They want a pop-up. :-)

The problem is that we can't get Net Send to launch properly. Here's the distilled code:

<%
Dim oWSH
Set oWSH = CreateObject("WScript.Shell")
oWSH.Run "NET SEND test4 testing."
%>

That is embedded into an ASP file, which is run by a user connecting to a webpage stored on the new IIS server. The rest of the script includes some authentication procedures that identify the logged on user and allow or deny page access based on AD Group membership. If I run it from my workstation, with my admin credentials, it runs fine. If I run it from a PC logged in as a standard user, we get:

Microsoft VBScript runtime error '800a0046'
Permission denied
/CNK/ww2.asp, line 4

Is there a way to:
1. Force the net send command to securely run as a different user without exposing elevated credentials?
2. Use a different method to create the popup window?

Thanks for any help...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
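Dèjì's suggestion (run the tool in another account's context) carried through as an added PowerShell example, not code from the thread. The web identity gets no rights to net.exe or any other console tool: the ASP page only writes a small request file into a queue folder, and this script, run as a scheduled task under a low-privilege service account, sends the popup. It also closes a problem the original snippet has regardless of permissions: a shell command line built from request data. The queue path, the request-file format and the use of msg.exe (the replacement for `net send` on Windows Vista/Server 2008 and later, where the Messenger service no longer exists) are assumptions of this example.

```powershell
# Added example, not from the original thread. Consumer side of a drop-box:
# the web tier writes requests, this script (service account, scheduled task)
# sends them with msg.exe. Path and file format are assumptions.
$QueueDir = 'C:\IntranetQueue'   # ACL assumption: web identity = Write only, service account = Modify

function Test-ValidTarget {
    param([string]$Name)
    # A plain logon-name shape only. Spaces, quotes, backslashes and a leading
    # '/' (which msg.exe would read as a switch) are all rejected.
    return $Name -match '^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$'
}

function Send-Popup {
    param([Parameter(Mandatory)][string]$User,
          [Parameter(Mandatory)][string]$Text)
    if (-not (Test-ValidTarget $User)) { throw "Rejected target name: $User" }
    # Bound the message and strip any leading slash so the text can never be
    # parsed as a switch.
    $Text = $Text.TrimStart('/')
    if ($Text.Length -gt 200) { $Text = $Text.Substring(0, 200) }
    if ($Text.Length -eq 0)   { throw 'Empty message' }
    # Each argument is passed separately; no shell re-parses a concatenated
    # string, so the text cannot terminate the command or append another one.
    & "$env:SystemRoot\System32\msg.exe" $User '/TIME:60' $Text
    return $LASTEXITCODE
}

# Request file format (constructed for this example): line 1 = target user,
# line 2 = message text.
foreach ($file in Get-ChildItem -Path $QueueDir -Filter '*.req' -File) {
    $lines = Get-Content -Path $file.FullName -TotalCount 2
    try {
        if ($lines.Count -lt 2) { throw 'Malformed request' }
        [void](Send-Popup -User $lines[0] -Text $lines[1])
    }
    catch {
        Write-Warning "$($file.Name): $($_.Exception.Message)"
    }
    finally {
        # Consumed either way, so a malformed file cannot be retried forever.
        Remove-Item -Path $file.FullName -Force
    }
}
```

The point of the split is that the account with rights to send popups never executes anything the browser user typed; the web identity can only append files, and the consumer treats their contents as untrusted input. msg.exe needs Remote Desktop Services on the target and is absent from Home editions, which is a deployment check to make before adopting it.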
RE: [ActiveDir] RESOLVED: A weird one (or Joeware vs. MS)
Cool thanks for the update.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, November 03, 2004 6:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RESOLVED: A weird one (or Joeware vs. MS)

If anyone here is interested, I have been able to nail the issue. After deeper investigation, I found that moving the W2K3 servers into the clients' OU (different GPOs that force the client to "Send NTLMv2 response only") resolved the issue.

The problem was caused by domain member servers of forestA.com not being able to negotiate NTLM dialect with forestA.com DCs. forestA.com DCs are configured to "Send NTLMv2 response only". Windows servers (if not explicitly configured) default to "Send LM & NTLM responses" (see http://www.microsoft.com/resources/documentation/windowsserv/2003/standard/proddocs/en-us/576.asp for details). forestB.com DCs are using a less strict Domain Controllers GPO, hence servers in forestA.com were able to negotiate NTLM dialect with forestB.com DCs, but not with forestA.com DCs.

The interesting part is that apparently Task Scheduler is not capable of doing Kerberos and tries only NTLM (and I was trying to chase Kerberos).

So for the sake of others: if you configure your DCs to "Send NTLMv2 only", the default settings of W2K3 member servers will prevent them from talking to DCs using NTLM. Forcing the clients to "Send NTLMv2" will make the problem disappear.

Guy

From: [EMAIL PROTECTED] on behalf of Guy Teverovsky
Sent: Thu 10/28/2004 5:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS)

Hi Eric,

All W2K3. And yes, as I wanted to eliminate any other issues, I was using forestA's domain accounts, which are members of the local Administrators group (and the member servers GPO regarding user rights is at defaults). I even tried forestA's Administrator account.

2 W2K3 forests. Both at W2K3 FFL with all domains at W2K3 Native mode.
forestB.com has 3 child domains ([EMAIL PROTECTED] can schedule the job on host.forestA.com)
forestA.com is a single domain (this is where the W2K3 hosts are)
forestA.com trusts forestB.com

The problem is observed only on W2K3 member servers. The following works against a W2K member server or XP (with the same RSoP), but fails against W2K3 (Standard and Enterprise):

C:\>schtasks /Create /RU ForestA\administrator /RP password /SC Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X

X.X.X.X is a host in ForestA.com.

Tell me if you need more info (DCs' RSoP, member servers' RSoP?).

Thanks a lot!
Guy

On Wed, 2004-10-27 at 19:22 -0700, Eric Fleischman wrote:

Silly question perhaps: does the acct in question have "log on as a batch job" (and any other rights required, perhaps "log on locally"?) that it needs for the job to run? I can set this up in my lab tomorrow to see if it works/fails and take a peek, just let me know what OSs are involved (all 2003, since it is a forest trust I think you said below?).

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, October 27, 2004 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS)

Already tried most of what you mentioned. Same error when using a forestA account on the console of the host.forestA.com box. Scheduling remotely - same error. Nothing in the event log and the sniffer does not even show Kerb traffic (I'll do more tests tomorrow, but meanwhile I was not successful at catching any authentication traffic between the host and DCs from either forest, but it could be the hour...). It looks like the API just fails and says: "Hey! I am not aware of the account domain you are trying to make me look at!" (tried ForestA\user, UPN and Kerb principal - same result). Tried both by IP and by hostname.

The error I get:

C:\>schtasks /Create /RU ForestA\administrator /RP password /SC Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X
WARNING: The task name "test1" already exists. Do you want to replace it (Y/N)? y
WARNING: The scheduled task "test1" has been created, but may not run because the account information could not be set.

Clocks are synced and alright across the forests. The event logs are perfectly clean. Actually this is the only issue I have with the server (and it's ALL W2K3 member servers in forestA that show this behavior). The strange thing that I have found right now is that the forestA DCs are immune to this weirdness (forestA accounts can be used to schedule jobs on forestA DCs).

Guy

On Wed, 2004-10-27 at 16:29 -0400, joe wrote:

I have to say that seems to be a weird one... But I am glad that cpau helps it work for you. :o)

Are you doing this remotely? What happens if you sit down on host.forestA.com with a forestA userid and try
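The mismatch Guy tracked down (member servers still sending NTLMv1 against DCs that refuse it) is easy to audit before it bites. Below is an added PowerShell example, not part of the thread, that reads the LmCompatibilityLevel registry value behind the GPO setting "Network security: LAN Manager authentication level" from a set of hosts and flags clients that cannot complete NTLM against the strictest DC. Host names are assumptions; Invoke-Command needs PowerShell remoting enabled and administrative rights on the targets.

```powershell
# Added example, not from the original thread. Audits LAN Manager
# authentication levels and flags client/DC combinations that break NTLM.
# Host names are assumptions.
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([Parameter(Mandatory)][string]$ComputerName)
    # When the value is absent the OS default applies (0 on XP, 2 on Server 2003,
    # 3 from Vista/Server 2008 onward). $null is returned so the caller decides.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                              -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
        if ($null -eq $v) { $null } else { [int]$v.LmCompatibilityLevel }
    }
}

function Test-NtlmCompatible {
    param([int]$ClientLevel, [int]$DcLevel)
    # Levels 0-2 never produce an NTLMv2 response. A DC at level 5 refuses LM and
    # NTLM(v1), so such a client cannot authenticate to it over NTLM at all.
    # Level 4 refuses only LM, which a level 0-2 client does not depend on.
    return -not ($DcLevel -ge 5 -and $ClientLevel -le 2)
}

function Get-NtlmAudit {
    param([string[]]$DomainControllers, [string[]]$Members, [int]$DefaultLevel = 3)
    # A client has to be able to reach any DC, so compare against the strictest one.
    $dcLevel = ($DomainControllers | ForEach-Object {
            $l = Get-LmCompatibilityLevel $_
            if ($null -eq $l) { $DefaultLevel } else { $l }
        } | Measure-Object -Maximum).Maximum
    foreach ($m in $Members) {
        $l = Get-LmCompatibilityLevel $m
        if ($null -eq $l) { $l = $DefaultLevel }
        [pscustomobject]@{
            Computer = $m
            Level    = $l
            Setting  = $Levels[$l]
            DcLevel  = [int]$dcLevel
            NtlmOk   = Test-NtlmCompatible -ClientLevel $l -DcLevel $dcLevel
        }
    }
}

# Hypothetical hosts named after the thread's forest.
Get-NtlmAudit -DomainControllers 'dc1.forestA.com', 'dc2.forestA.com' `
              -Members 'host.forestA.com', 'app2.forestA.com' | Format-Table -AutoSize
```

Any row with NtlmOk false is a machine that will behave like Guy's member servers for every code path that falls back to NTLM. Raising the clients to level 3 or higher through GPO, which is what moving them into the clients' OU did, is the fix; raising the DCs alone only widens the gap.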
[ActiveDir] OT: Computer Browser service questions
Two Wins servers, 10 subnets, all clients point to both Wins servers, mix of Windows clients.

Is there an issue with disabling the Computer Browser service on all clients (assuming they are all Wins clients)? Theoretically speaking, however, I'm a bit unsure. Also, would turning off the Computer Browser service on (1) the Wins servers and/or (2) Domain Controllers be problematic? Again, all would be Wins clients vs. Computer Browser "broadcast" clients.

Any advice or assistance here would be appreciated. I've done a fair amount of research, but can't really find anything pertaining to eliminating the Computer Browser service in lieu of using Wins only. Methods to "fully" populate our Network Neighborhood is really what I'm trying to achieve here...

~Brian
RE: [ActiveDir] OT: Computer Browser service questions
WINS is name resolution. The browser service doesn't do name resolution, it is a directory of NetBIOS resources and machine names. The services aren't the same; WINS is used to resolve names that the browser service maintains.

For your specific question, you can disable browser everywhere and Windows will be fine. However if your users browse to resources, they may have an issue...

What exactly is your goal?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian L.
Sent: Wednesday, November 03, 2004 5:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Computer Browser service questions

Two Wins servers, 10 subnets, all clients point to both Wins servers, mix of Windows clients.

Is there an issue with disabling the Computer Browser service on all clients (assuming they are all Wins clients)? Theoretically speaking, however, I'm a bit unsure. Also, would turning off the Computer Browser service on (1) the Wins servers and/or (2) Domain Controllers be problematic? Again, all would be Wins clients vs. Computer Browser "broadcast" clients.

Any advice or assistance here would be appreciated. I've done a fair amount of research, but can't really find anything pertaining to eliminating the Computer Browser service in lieu of using Wins only. Methods to "fully" populate our Network Neighborhood is really what I'm trying to achieve here...

~Brian
Re: [ActiveDir] Scripting help
csvde is a nifty utility for exporting a wide variety of data, munching with Access databases, pulling in external data sources and then updating via script. I had the lovely chore of writing a process to keep distribution lists and membership in sync between GroupWise and Exchange 2003. Now that was an interesting program; csvde was my friend on the AD side. Can't say too many bad things about the API gateway for GroupWise even though it was a bit odd.

Steve Schofield
[EMAIL PROTECTED]

----- Original Message -----
From: Dean Wells
To: Send - AD mailing list
Sent: Wednesday, November 03, 2004 9:46 AM
Subject: RE: [ActiveDir] Scripting help

No, had I read your question more thoroughly I'd have known that was useful to you ;) It currently differentiates the group types by querying on the bit used by AD to maintain the difference. Proxy address doesn't come into play. Maybe this will do as you ask -

dsquery * domainroot -filter "(&(objectcategory=group)(proxyAddresses=*))"

Does that solve your problem?

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, November 03, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting help

Thanks Dean. Would that return the Security groups that are also being used as DLs by virtue of having the proxy address field set? Sorry if it's an obvious question but I'm new to this side of AD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 03 November 2004 16:11
To: Send - AD mailing list
Subject: RE: [ActiveDir] Scripting help

Here's but two possible ways that sprung to mind.

Returns security groups only -
dsquery * domainroot -filter "(&(objectcategory=group)(!sAMAccountType:1.2.840.113556.1.4.803:=1))"

Return DLs only -
dsquery * domainroot -filter "(&(objectcategory=group)(sAMAccountType:1.2.840.113556.1.4.803:=1))"

Deano

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, November 03, 2004 3:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting help

Hi to all from Darkest Africa!!

Can anyone assist me with a scripting issue? I've generated a list of the groups in my AD by using dsquery. I have a text file as output. I've been able to read this into a file and extract some information. However my management wants a list of all the Distribution lists only with the Name of the Group and who its Manager is. My script generates all the requisite info but I can't get it to differentiate between Security groups and DLs. We have a bunch of Security Groups that have had Exchange e-mail addresses added to them and so are being used as DLs as well. It appears that all the DLs have a proxyAddresses attribute. Is there any way I can do a script based search through the whole of the domain and extract all groups that have this attribute and return the values that I need?

Any help would be really appreciated as I'm completely new to this.

Regards
Peter Johnson
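Dean's two filters rely on the LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803) against the bit AD uses to separate security from distribution groups; his third pulls everything that carries Exchange addresses. Peter's report needs both ideas at once: every mail-enabled group, labelled by type, with its manager. Below is an added PowerShell example, not code from the thread, doing that with the ActiveDirectory module. It tests the security bit on groupType rather than sAMAccountType, which is equivalent for this purpose; the classification is a pure function so the bit logic can be checked on its own. The output path is an assumption.

```powershell
# Added example, not from the original thread. Mail-enabled groups, classified
# by type, with manager and primary SMTP address, exported to CSV.
Import-Module ActiveDirectory

# groupType bit 0x80000000 marks a security-enabled group; the low bits give
# scope (2 = global, 4 = domain local, 8 = universal). AD stores the value as a
# signed 32-bit integer, so security groups appear as negative numbers.
$SecurityEnabledBit = [long]2147483648   # 0x80000000

function Get-GroupKind {
    param([long]$GroupType, [string[]]$ProxyAddresses)
    $isSecurity  = ($GroupType -band $SecurityEnabledBit) -ne 0
    $mailEnabled = ($null -ne $ProxyAddresses) -and ($ProxyAddresses.Count -gt 0)
    if ($isSecurity -and $mailEnabled) { return 'MailEnabledSecurity' }   # security group used as a DL
    if ($isSecurity)                   { return 'Security' }
    if ($mailEnabled)                  { return 'Distribution' }
    return 'DistributionNotMailEnabled'
}

function Get-DistributionListReport {
    # Dean's filter: every group that carries Exchange addresses, whatever its type.
    Get-ADGroup -LDAPFilter '(&(objectCategory=group)(proxyAddresses=*))' `
                -Properties groupType, proxyAddresses, managedBy |
        ForEach-Object {
            $g = $_
            $manager = if ($g.managedBy) {
                (Get-ADObject -Identity $g.managedBy -Properties displayName).displayName
            } else { '' }
            # The primary SMTP address has an upper-case "SMTP:" prefix;
            # -clike is the case-sensitive comparison.
            $primary = @($g.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:', ''
            [pscustomobject]@{
                Name    = $g.Name
                Kind    = Get-GroupKind -GroupType $g.groupType -ProxyAddresses @($g.proxyAddresses)
                Manager = $manager
                Mail    = ($primary -join ';')
            }
        }
}

Get-DistributionListReport | Export-Csv -Path .\distribution-lists.csv -NoTypeInformation
```

Worked values for Get-GroupKind: a global security group has groupType -2147483646 and returns Security or MailEnabledSecurity depending on whether addresses are present; a universal distribution group has groupType 8 and returns Distribution when mail-enabled.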
RE: [ActiveDir] OT: Computer Browser service questions
Yes, this I know about WINS and browser service being different.

My first question is, is it OK to shut down the browser service on domain controllers and WINS servers and not affect WINS and DC functionality? I realize it is an obscure question but it was posed to me and I am not sure how to best answer it.

The second question is, what is a best practice method to fully populate Network Neighborhood either in Windows or in an app such as Veritas or Symantec that look to browse a network to find clients? The issue is not all clients are showing up; why? How can I get them to all show up?

Sorry for the confusion and I hope this attempt makes more sense.

~Brian

From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 6:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Computer Browser service questions

WINS is name resolution. The browser service doesn't do name resolution, it is a directory of NetBIOS resources and machine names. The services aren't the same; WINS is used to resolve names that the browser service maintains.

For your specific question, you can disable browser everywhere and Windows will be fine. However if your users browse to resources, they may have an issue...

What exactly is your goal?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian L.
Sent: Wednesday, November 03, 2004 5:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Computer Browser service questions

Two Wins servers, 10 subnets, all clients point to both Wins servers, mix of Windows clients.

Is there an issue with disabling the Computer Browser service on all clients (assuming they are all Wins clients)? Theoretically speaking, however, I'm a bit unsure. Also, would turning off the Computer Browser service on (1) the Wins servers and/or (2) Domain Controllers be problematic? Again, all would be Wins clients vs. Computer Browser "broadcast" clients.

Any advice or assistance here would be appreciated. I've done a fair amount of research, but can't really find anything pertaining to eliminating the Computer Browser service in lieu of using Wins only. Methods to "fully" populate our Network Neighborhood is really what I'm trying to achieve here...

~Brian
[ActiveDir] Enumerating users and groups from ADS.
Hello Folks,

Greetings. I have a deployment of ADS using Windows 2000 SP4. There are around 300 Security groups in the ADS. Each group has around 20-25 users; some are unique to each group and some have membership in more than two groups.

I have been assigned the task to enumerate the group membership of each and every user in an Excel .xls or perhaps a .txt file. I am not good at scripting and would require the kind co-operation of script experts in this group. Is there anyone who could advise me on a script which could help me? Also, is there any tool which could be of help to me?

Thank you.

Kind regards,
Abhishek.
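The user-to-groups listing Abhishek asks for, as an added PowerShell example that is not part of the original message. It walks each security group once, expands nested membership, and inverts the result so each CSV row is one user with every group they end up in; Excel opens the CSV directly. The inversion is a pure function so it can be checked without a domain. This uses the ActiveDirectory module, which needs a domain controller running Active Directory Web Services (Server 2008 R2, or the management gateway add-on for 2003/2008), so it would not have run against the Windows 2000 environment described; the OU path is an assumption.

```powershell
# Added example, not from the original message. Group -> members is collected
# once per security group (nested members expanded), then inverted to
# user -> groups and exported. The OU path is an assumption.
Import-Module ActiveDirectory

function ConvertTo-UserGroupMap {
    # Input: hashtable of group name -> array of member sAMAccountNames.
    # Output: hashtable of sAMAccountName -> sorted list of group names.
    param([Parameter(Mandatory)][hashtable]$GroupMembers)
    $map = @{}
    foreach ($group in $GroupMembers.Keys) {
        foreach ($user in $GroupMembers[$group]) {
            if (-not $map.ContainsKey($user)) {
                $map[$user] = New-Object System.Collections.Generic.List[string]
            }
            if (-not $map[$user].Contains($group)) { $map[$user].Add($group) }
        }
    }
    foreach ($user in @($map.Keys)) { $map[$user].Sort() }
    return $map
}

function Get-SecurityGroupMembers {
    param([Parameter(Mandatory)][string]$SearchBase)
    $result = @{}
    # Bitwise-AND match on the security-enabled bit (0x80000000) selects security
    # groups only. -Recursive expands nested groups down to leaf members; note that
    # Get-ADGroupMember stops at the ADWS default of 5000 entries per group.
    Get-ADGroup -LDAPFilter '(groupType:1.2.840.113556.1.4.803:=2147483648)' -SearchBase $SearchBase |
        ForEach-Object {
            $members = Get-ADGroupMember -Identity $_.DistinguishedName -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                Select-Object -ExpandProperty SamAccountName
            $result[$_.Name] = @($members)
        }
    return $result
}

$map = ConvertTo-UserGroupMap -GroupMembers (Get-SecurityGroupMembers -SearchBase 'OU=Groups,DC=example,DC=com')
$map.GetEnumerator() | Sort-Object Key | ForEach-Object {
    [pscustomobject]@{
        User       = $_.Key
        GroupCount = $_.Value.Count
        Groups     = ($_.Value -join ';')
    }
} | Export-Csv -Path .\user-groups.csv -NoTypeInformation
```

Because nested membership is expanded, a user who is only in group B, where B is a member of A, is listed under both A and B; that is the effective membership an access review needs, not just the direct memberOf values.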