RE: [ActiveDir] Password policy change
Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your password is expired (forced or otherwise) you aren't getting into OWA. I also don't believe it has a password change function if you just want to go and change it, but that could be something that could be enabled. Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told the system to not allow people to change the password if the password age was less than one day and then were confused when it did exactly that. The reason for it is that there is one attribute for password age, pwdLastSet, and it doesn't distinguish between a helpdesk set operation or a normal password change; they are both password changes and you only want one day between every change. The proper way to handle that case is to force the users to change their password on next logon (which sets the pwdLastSet to 0), but as you know, that will kill OWA users. So you either need another process to follow for OWA only users, install some third party or custom inhouse tool, or drop the minimum password aging.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant! I am not an Outlook sort of person (we use Notes...), but the inferred statement surprises me. It suggests that if the must change password is set, you can't logon to Outlook Web Access. This would suggest that forcing users to change password after (say) 28 days is also a no-no. And, it would also suggest that Outlook Web Access won't let you change your password. If it did, it would surely allow you to logon, then require you to change the password before you do anything...

This all seems unlikely, given Microsoft's recommended use of forcing password changes on a regular basis and forcing users to change a password when a new user is created. If it is all true, maybe you have to provide some way that the users can go to a Citrix portal and change their password there, then go back and use Outlook Web Access.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change

Never mind, OWA = Outlook Web Access

On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED] wrote:

I mean, if I use the check box to user must change password at next logon our users whose only way into the domain is OWA will not prompt them to change their password... Unless I am missing something.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Friday, August 26, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

Johnny, we do exactly what you suggest: change the password and set the user must change password at next logon, and they are able to change it, even within the password cannot be changed period. What do you mean by that would effectively lock out the OWA only users?

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

- Original Message -
From: Figueroa, Johnny [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 2:56 AM
Subject: RE: [ActiveDir] Password policy change

Help desk sets the password to something something, tells the user to change their password to whatever they want it to be and the user can not. I thought about having the HD check the box that makes it so the user has to change the password the next time they log in, but I think that would effectively lock out the OWA only users. The point is that the HD gets the user going by setting the password to something generic, then the user is supposed to change it to whatever they want to keep.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 26, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Which part is not working and how is it not working?

Sincerely,
Dèjì
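The helpdesk-reset versus minimum-age interaction joe describes, evaluated from the two raw attributes involved. This is an added PowerShell example, not code from the thread; the commented live lookup assumes the ActiveDirectory module, and the account name jdoe is a placeholder.

```powershell
# Added example (not from the list thread). pwdLastSet is a FILETIME
# (100-ns ticks since 1601-01-01 UTC) and AD writes 0 to it when "user must
# change password at next logon" is ticked. minPwdAge on the domain object is
# a negative Int64 count of the same 100-ns ticks (one day = -864000000000).
function Get-PasswordChangeState {
    param(
        [Parameter(Mandatory)] [long] $PwdLastSet,
        [Parameter(Mandatory)] [long] $MinPwdAge,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    if ($PwdLastSet -eq 0) {
        # The helpdesk's check box: it bypasses the minimum-age check entirely,
        # but (per the thread) OWA will not let a user in to perform that change.
        return [pscustomobject]@{ State = 'MustChangeAtNextLogon'; LastSet = $null; EligibleAt = $null }
    }
    $lastSet    = [datetime]::FromFileTimeUtc($PwdLastSet)
    $minAge     = [timespan]::FromTicks(-$MinPwdAge)   # undo AD's negative encoding
    $eligibleAt = $lastSet + $minAge
    $state = if ($Now -lt $eligibleAt) { 'BlockedByMinimumAge' } else { 'CanChange' }
    [pscustomobject]@{ State = $state; LastSet = $lastSet; EligibleAt = $eligibleAt }
}

# Live lookup (ActiveDirectory module; 'jdoe' is a placeholder):
#   $u   = Get-ADUser jdoe -Properties pwdLastSet
#   $dom = Get-ADObject (Get-ADDomain).DistinguishedName -Properties minPwdAge
#   Get-PasswordChangeState -PwdLastSet $u.pwdLastSet -MinPwdAge $dom.minPwdAge

# Constructed scenario from the thread: the helpdesk reset the password two
# hours ago (a reset rewrites pwdLastSet exactly like a user-initiated change)
# and the domain minimum age is one day, so the user's own change is refused
# until a full day after the reset.
$oneDay = -1 * [timespan]::FromDays(1).Ticks
$reset  = (Get-Date).ToUniversalTime().AddHours(-2)
Get-PasswordChangeState -PwdLastSet $reset.ToFileTimeUtc() -MinPwdAge $oneDay

# Same account after the helpdesk ticks "must change at next logon" instead.
Get-PasswordChangeState -PwdLastSet 0 -MinPwdAge $oneDay
```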
RE: [ActiveDir] LDAP Referrals
Yeah, it is unfortunately.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Friday, August 26, 2005 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Referrals

Is that a big fat no?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 26, 2005 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Referrals

It's time for a code re-write.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Alex Fontana
Sent: Fri 8/26/2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Referrals

For whatever reason all of our users are still in the cn=users container. Of course after years of being like this everything LDAP refers to cn=users. Part of my master plan is to change this to an OU structure, but I'm looking for a less intrusive method of changing this than having to send an email to all saying, hey, if your IMAP client is using cn=users for the address book you need to change it. Is there a way to add a referral to ou=myusers from cn=users?

Thanks!
-Alex

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Exchange issues again(ot)
Love it? People love that thing? Good god, I would beat it with a stick if I could get a good solid view of it. I have to admit, it does deliver messages, when it works that is. That just isn't good enough for me. I seem to see Exchange more when it isn't working or is working half ass, though I have finally seen some good running installs, but it took a lot of work to get them that way, too much in my opinion.

Setting up Exchange to run in a large org (hundreds of thousands) is ridiculously complicated and needlessly over taxed with bad assumptions on what Exchange can and should do and how permissions should work. Anyone who says Exchange is great has not spent much time actually looking at the implementation of the whole ACLing implementation. I find I have no end of bad thoughts when I see more and more new features being dumped into the product when its core basic features are so flipping unstable and difficult to deal with. I think the product has the capability to be great, certainly better than most anything else out there; however it needs to start by bringing it into the light (and the developers) and show key critical people how it is really used and how painful it can be to troubleshoot what should be simple things to troubleshoot, like exactly what queries is DSACCESS choking on right now? What DLs are being expanded right now? Etc.

Overall, it would seem that most people think it runs well because they don't know what to look for to see if it is indeed broke. Exchange has this ability to run ok even when multiple things are broken or misconfigured right up until you hit the point where it won't run, and then it hits the floor hard and you are sitting there asking yourself, what's wrong, and MS is asking for a memory dump. Unfortunately when it gets in this state, most people don't understand how it was supposed to be working, they just knew it worked before, so they have little understanding of what to look at to see why it isn't working.

There are very few people, in my opinion, that can really sit down and look at Exchange and the AD interactions of Exchange and understand what it is doing right and what it is doing wrong at any given moment. I am not one of them. I am slowly trying to become one of them but mostly just from a how is AD being abused side of it. I have no desire to understand mail routing, etc.

Anyway, back to people not knowing what to look for to see if it is indeed broke. I just submitted a bug through multiple channels about the Directory Access tab (and the backend WMI Exchange_DSAccessDC class) being entirely untrustworthy unless you just restarted the Microsoft Exchange Management Service. I posted it in a couple of the Exchange NNTP groups as well with full repro steps as that is what the SP2 CTP said to do. This is something Exchange admins around the world have been using since Exchange 2000 SP2. And it doesn't work right. The funny thing with this bug is nearly everyone (MS and non-MS) I asked about it said one of the following:

1. Yeah, I never thought that thing was reporting properly.
2. This is a known issue.
3. This is really familiar to me, I think this is a known issue.
4. I saw this back in Exchange 2000. You mean it isn't fixed in Exchange 2003?

I stumbled on this completely by accident in my home lab when testing a theory on how to force an Exchange server to fail its config DC to an out of site DC via IPSEC IP blocking when the in-site DC was still responding, but in a piss poor way. I noticed that the failover was occurring because DSACCESS and the event log and a cache dialed down to 1 second turnover were all telling me it was happening, not to mention queries going to the out of site DC showing it. But neither WMI nor the Directory Access tab ever reflected a change; even after 26 hours it didn't report a change.

I then went off on that tangent to check it out because it quite frankly scared me, knowing full well some people monitor their Exchange servers through the WMI interfaces and watch for changes in the DSAccess lists to determine there are DC issues. After a while I finally tied it down to the Exchange Management service and that restarting it, not the SA, would cause the list to immediately update. This meant it wasn't a DSACCESS issue, it was a data reporting issue. DSACCESS could have been completely on fire but the reporting mechanism would say everything was five by five. The reporting mechanism could tell you that DC1 was being used, so you take down DC2 for work only to find you blew up Exchange because it was really using DC2... Not only does this bug suck, it is actually dangerous. I would rather have to guess what DCs are being used and know it was a guess than be told incorrectly but in an authoritative way what was being used.

On the positive side, the bug I fought to get recognized as a bug back in 2003/2004 has finally been tackled and hopefully killed in SP2.

Directory The DSAccess API has been changed to return a
RE: [ActiveDir] Exchange issues again(ot)
I would bet along those lines as well. I have seen multiple similar cases in Exchange where the Schema rights were needed; I think ADC comes to mind right off, as I seem to recall getting into a rather pissy mood one day when I had to give Exchange admins Schema Admin rights to install another ADC instance. If it were simply a case of I need to look, that is fine, you don't need schema admin for that. The fact that they say, I need to look, and you need to be a schema admin in the off chance that I need to update something, is crap and in my opinion poor design, though if I were the designer I would rather it be called a bug.

This whole thing gets back to assumptions made in that system. More times than not I am usually trying to figure out why in the world the assumptions are what they are. It sometimes makes me think that they polled the customers by going into three local mom and pop stores and asked them how they configured their Exchange systems.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, August 26, 2005 4:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange issues again(ot)

I've asked "Those Who Should Know". If they deign to respond, I'll let you know. :-)

If I were a betting man (and I usually am, but not on this), I would bet that Exchange setup connects specifically to the schema master role holder in order to verify that the schema has been updated with forestprep. It would choose the schema master in order to avoid the potential replication delays that could be associated with consulting the "local DC" (that is, that the changes may not have replicated from the schema master to the local DC). While it's arguable that it should check the local DC first, and if it doesn't find it there, then check the schema master -- I could see some developer saying "screw that". That's my best guess.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, August 26, 2005 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange issues again(ot)

I have no rights nor connectivity. I ran adsiedit.msc as localsystem on a child DC and changed the fSMORoleHolder attrib on the schema NC to point to the child DC I do have connectivity to, and it worked. Mind you- THIS IS A TEST FOREST. I WOULD NEVER DO THIS IN PRODUCTION. Still, I'd like to know why setup needs to write to the schema AFTER Exchange has already been installed and set up and you have an org and Exchange servers running. Does it do this every time you set up a new Exchange server? What is it writing? I'd love to know.

Thanks a lot!

-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Fri 8/26/2005 3:25 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] Exchange issues again(ot)
RE: [ActiveDir] Permissions for a user to add users to a group
It means the manager can add or remove DNs to the member attribute of the group. So they will be able to add or remove members of the group. They won't actually be able to add/remove users from AD with just those rights. ADUC can be used, as can a script or anything else that modifies the member attribute of the group in question.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Friday, August 26, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions for a user to add users to a group

If I set a group to managed by to a particular user and check the box Manager can update member list, that means the Manager can add or delete users, correct? Does he need ADUC or is there another way he can add those users?

Thanks
Jeff
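What that check box actually grants, seen as the ACE it writes on the group. This is an added PowerShell example, not code from the thread; the group DN and the EXAMPLE\manager trustee are placeholders, and it assumes the AD: drive provided by the ActiveDirectory module.

```powershell
# Added example (not from the list thread). "Manager can update membership
# list" is nothing more than an Allow WriteProperty ACE on the group object,
# scoped to the 'member' attribute. That is why the manager can edit group
# membership with any tool (ADUC, a script) yet cannot create or delete users.
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of attribute 'member'

function Get-MemberWriteAce {
    param([string]$GroupDn, [string]$Trustee)   # placeholders: group DN, 'DOMAIN\user'
    $acl = Get-Acl -Path "AD:\$GroupDn"
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $memberAttr -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Audit: an empty result means the box was never ticked (or the ACE was removed).
Get-MemberWriteAce -GroupDn 'CN=App Owners,OU=Groups,DC=example,DC=com' -Trustee 'EXAMPLE\manager'

# Grant exactly the same right without ADUC, e.g. from a provisioning script
# (WP = write property, restricted to the member attribute):
#   dsacls 'CN=App Owners,OU=Groups,DC=example,DC=com' /G 'EXAMPLE\manager:WP;member'
```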
FW: [Fwd: RE: [ActiveDir] Password policy change]
From a shy lurker MVP

It appears it is something you can enable. It isn't strictly part of OWA but the old IIS Password change tool. I recall there being issues with that tool and that is why they stopped enabling it by default, but can't recall what they were this late at night or this early in the morning, whatever it may be. ;o)

Thanks for the assist Mom. :)

-Original Message-
Sent: Saturday, August 27, 2005 2:24 AM
To: [EMAIL PROTECTED]
Subject: [Fwd: RE: [ActiveDir] Password policy change]

http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm

Original Message
Subject: RE: [ActiveDir] Password policy change
Date: Sat, 27 Aug 2005 02:16:14 -0400
From: joe [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your password is expired (forced or otherwise) you aren't getting into OWA. I also don't believe it has a password change function if you just want to go and change it, but that could be something that could be enabled. Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told the system to not allow people to change the password if the password age was less than one day and then were confused when it did exactly that. The reason for it is that there is one attribute for password age, pwdLastSet, and it doesn't distinguish between a helpdesk set operation or a normal password change; they are both password changes and you only want one day between every change. The proper way to handle that case is to force the users to change their password on next logon (which sets the pwdLastSet to 0), but as you know, that will kill OWA users. So you either need another process to follow for OWA only users, install some third party or custom inhouse tool, or drop the minimum password aging.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant! I am not an Outlook sort of person (we use Notes...), but the inferred statement surprises me. It suggests that if the must change password is set, you can't logon to Outlook Web Access. This would suggest that forcing users to change password after (say) 28 days is also a no-no. And, it would also suggest that Outlook Web Access won't let you change your password. If it did, it would surely allow you to logon, then require you to change the password before you do anything...

This all seems unlikely, given Microsoft's recommended use of forcing password changes on a regular basis and forcing users to change a password when a new user is created. If it is all true, maybe you have to provide some way that the users can go to a Citrix portal and change their password there, then go back and use Outlook Web Access.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change

Never mind, OWA = Outlook Web Access

On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED] wrote:

I mean, if I use the check box to user must change password at next logon our users whose only way into the domain is OWA will not prompt them to change their password... Unless I am missing something.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Friday, August 26, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

Johnny, we do exactly what you suggest: change the password and set the user must change password at next logon, and they are able to change it, even within the password cannot be changed period. What do you mean by that would effectively lock out the OWA only users?

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

- Original Message -
From: Figueroa, Johnny [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 2:56 AM
Subject: RE:
RE: [Fwd: RE: [ActiveDir] Password policy change]
The original Password Change functionality used HTRs, and there was a buffer overflow vulnerability in the ISAPI Extension that handled HTRs (ism.dll). There's a download on the MS Downloads page that substitutes ASP pages: http://support.microsoft.com/?id=331834 Change password functionality replaced with Active Server Pages

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of joe
: Sent: Saturday, 27 August 2005 5:08 PM
: To: ActiveDir@mail.activedir.org
: Subject: FW: [Fwd: RE: [ActiveDir] Password policy change]
:
: From a shy lurker MVP
:
: It appears it is something you can enable. It isn't strictly part of OWA but the old IIS Password change tool. I recall there being issues with that tool and that is why they stopped enabling it by default, but can't recall what they were this late at night or this early in the morning, whatever it may be. ;o)
:
: Thanks for the assist Mom. :)
:
: -Original Message-
: Sent: Saturday, August 27, 2005 2:24 AM
: To: [EMAIL PROTECTED]
: Subject: [Fwd: RE: [ActiveDir] Password policy change]
:
: http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm
:
: Original Message
: Subject: RE: [ActiveDir] Password policy change
: Date: Sat, 27 Aug 2005 02:16:14 -0400
: From: joe [EMAIL PROTECTED]
: Reply-To: ActiveDir@mail.activedir.org
: To: ActiveDir@mail.activedir.org
:
: Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your password is expired (forced or otherwise) you aren't getting into OWA. I also don't believe it has a password change function if you just want to go and change it, but that could be something that could be enabled. Alternatively you set up another web page to do it.
:
: As for the OP's original issue. It all comes down to implementation. You told the system to not allow people to change the password if the password age was less than one day and then were confused when it did exactly that. The reason for it is that there is one attribute for password age, pwdLastSet, and it doesn't distinguish between a helpdesk set operation or a normal password change; they are both password changes and you only want one day between every change. The proper way to handle that case is to force the users to change their password on next logon (which sets the pwdLastSet to 0), but as you know, that will kill OWA users. So you either need another process to follow for OWA only users, install some third party or custom inhouse tool, or drop the minimum password aging.
:
: joe
:
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
: Sent: Saturday, August 27, 2005 12:09 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Password policy change
:
: You're right Aaron, I didn't know what it meant!
:
: I am not an Outlook sort of person (we use Notes...), but the inferred statement surprises me. It suggests that if the must change password is set, you can't logon to Outlook Web Access.
:
: This would suggest that forcing users to change password after (say) 28 days is also a no-no.
:
: And, it would also suggest that Outlook Web Access won't let you change your password. If it did, it would surely allow you to logon, then require you to change the password before you do anything...
:
: This all seems unlikely, given Microsoft's recommended use of forcing password changes on a regular basis and forcing users to change a password when a new user is created.
:
: If it is all true, maybe you have to provide some way that the users can go to a Citrix portal and change their password there, then go back and use Outlook Web Access.
:
: Alan Cuthbertson
:
: Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
: ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
: Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml
:
: - Original Message -
: From: Aaron Visser [EMAIL PROTECTED]
: To: ActiveDir@mail.activedir.org
: Sent: Saturday, August 27, 2005 8:59 AM
: Subject: Re: [ActiveDir] Password policy change
:
: Never mind, OWA = Outlook Web Access
:
: On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED] wrote:
:
: I mean, if I use the check box to user must change password at next logon our users whose only way into the domain is OWA will not prompt them to change their password... Unless I am missing something.
:
: Thanks
:
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
: Sent: Friday, August 26, 2005
[ActiveDir] Binding OS X
Recently, I have been unable to bind my OS X 3.8 and later clients. I was having no problems before. I can bind the same Mac to our other domain. When attempting it, it gives Unknown error. The console says LDAP server mappings error. What diagnostics can I run on the DC to isolate the problem?

Thanks.
Re: FW: [Fwd: RE: [ActiveDir] Password policy change]
Yes, that enables the password change functionality through OWA, but I don't believe that will help this particular situation. When you set the User Must Change Password at Next Logon bit then logon to OWA, I don't think OWA will dump you to a password change screen. That Password Change screen is only something you can access once in OWA as far as I know.

To address the question about password expiry and OWA users, when you log in with OWA it will tell you that your password is getting close to expiring, so it gives you a heads up that you need to change your password soon, whether that is through the IIS Password change tool or some other password change facility.

Phil

On 8/27/05, joe [EMAIL PROTECTED] wrote:

From a shy lurker MVP

It appears it is something you can enable. It isn't strictly part of OWA but the old IIS Password change tool. I recall there being issues with that tool and that is why they stopped enabling it by default, but can't recall what they were this late at night or this early in the morning, whatever it may be. ;o)

Thanks for the assist Mom. :)

-Original Message-
Sent: Saturday, August 27, 2005 2:24 AM
To: [EMAIL PROTECTED]
Subject: [Fwd: RE: [ActiveDir] Password policy change]

http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm

Original Message
Subject: RE: [ActiveDir] Password policy change
Date: Sat, 27 Aug 2005 02:16:14 -0400
From: joe [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your password is expired (forced or otherwise) you aren't getting into OWA. I also don't believe it has a password change function if you just want to go and change it, but that could be something that could be enabled. Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told the system to not allow people to change the password if the password age was less than one day and then were confused when it did exactly that. The reason for it is that there is one attribute for password age, pwdLastSet, and it doesn't distinguish between a helpdesk set operation or a normal password change; they are both password changes and you only want one day between every change. The proper way to handle that case is to force the users to change their password on next logon (which sets the pwdLastSet to 0), but as you know, that will kill OWA users. So you either need another process to follow for OWA only users, install some third party or custom inhouse tool, or drop the minimum password aging.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant! I am not an Outlook sort of person (we use Notes...), but the inferred statement surprises me. It suggests that if the must change password is set, you can't logon to Outlook Web Access. This would suggest that forcing users to change password after (say) 28 days is also a no-no. And, it would also suggest that Outlook Web Access won't let you change your password. If it did, it would surely allow you to logon, then require you to change the password before you do anything...

This all seems unlikely, given Microsoft's recommended use of forcing password changes on a regular basis and forcing users to change a password when a new user is created. If it is all true, maybe you have to provide some way that the users can go to a Citrix portal and change their password there, then go back and use Outlook Web Access.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change

Never mind, OWA = Outlook Web Access

On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED] wrote:

I mean, if I use the check box to user must change password at next logon our users whose only way into the domain is OWA will not prompt them to change their password... Unless I am missing something.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Friday, August 26, 2005 3:19 PM
To:
RE: [ActiveDir] OU permissions for user object
Sounds to me as if you've not set the permission to _inherit_ down to existing objects. Check in the Advanced tab of the security editor (the tab that displays the permissions on your OU in ADUC) and see if your Full Control permissions are set for User Objects (which will then automatically inherit down to user objects within this OU). If you've set the permission to all objects, you'll explicitly have to set the scope of the permission to apply to "This object and all child objects" (or just to the child objects); this will then inherit the permission to objects within the OU.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, 25 August 2005 10:46
To: Active
Subject: [ActiveDir] OU permissions for user object

Hi,

I've created an OU and I have delegated a security group the Create/Delete User Object with Full Permissions. I have also delegated the 'Create, Delete Manage User Account' right with F/C.

I only want this security group to be able to manage user accounts in this OU and modify the users' details/group membership. The problem I have is that I can't enable/disable a user or modify the user's details on an account which already exists. If I create a new account, I can do all the delegated tasks set, but on existing accounts I get error messages such as "you have insufficient rights to perform this operation" or the details are greyed out.

Any ideas where I can check?

Iain
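The inheritance check Guido describes, read from the OU's ACL instead of the Advanced tab. This is an added PowerShell example, not part of the thread; the OU DN and group name are placeholders, and it assumes the AD: drive from the ActiveDirectory module.

```powershell
# Added example (not from the list thread). An Allow ACE on the OU whose
# InheritanceType is None applies to the OU object only. That produces exactly
# the symptom in the post: Create Child / Delete Child rights are evaluated on
# the OU, so creating users works, but editing an existing user needs rights on
# that user object, which only arrive through inheritance from the OU.
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'user'

function Get-OuDelegationScope {
    param([string]$OuDn, [string]$Trustee)   # placeholders: OU DN, 'DOMAIN\group'
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Trustee -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            $ace = $_
            # InheritedObjectType limits which classes inherit the ACE:
            # empty GUID = every class, user GUID = the "User objects" entry in the GUI.
            $appliesTo = switch ($ace.InheritedObjectType) {
                ([guid]::Empty) { 'all object classes' }
                $userClass      { 'user objects' }
                default         { "class $_" }
            }
            [pscustomobject]@{
                Rights               = $ace.ActiveDirectoryRights
                InheritanceType      = $ace.InheritanceType      # None = this OU only
                AppliesTo            = $appliesTo
                ReachesExistingUsers = ($ace.InheritanceType -ne 'None')
            }
        }
}

Get-OuDelegationScope -OuDn 'OU=Helpdesk Managed,DC=example,DC=com' -Trustee 'EXAMPLE\OU Admins'

# Fix: grant Full Control on user objects beneath the OU. /I:S = sub-objects only
# (use /I:T to include the OU itself); 'GA;;user' = generic all, inherited by
# user objects only, which is the scoped entry Guido recommends.
#   dsacls 'OU=Helpdesk Managed,DC=example,DC=com' /I:S /G 'EXAMPLE\OU Admins:GA;;user'
```

Any row with ReachesExistingUsers = False is a permission that stops at the OU and explains the "insufficient rights" error on accounts that already exist.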