RE: [ActiveDir] Password policy change

2005-08-29 Thread lists

That should work.  :-)

There are actually many web-, phone- and login-prompt- accessible
password change/synchronization/reset applications out there, some of
which support password updates to multiple types of systems, rather than 
just AD.



  One such is http://psynch.com/


Linking one of these to OWA should be trivial.  With this product, and 
probably others, you should have no trouble detecting password expiry and 
bouncing the user to the 'change now' page either.


Good luck,

-- Idan

On Mon, 29 Aug 2005, Cothern Jeff D. Team EITC wrote:


I have a possible solution for the OWA users.  I haven't used this particular 
software but we use one of their other products and it works well.  I'll let 
the website speak for itself.  But I believe this would provide a means via the 
web for your users to change their passwords.

http://www.anixis.com/products/ppeweb/default.htm

Jeff Cothern


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, August 29, 2005 4:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

OWA doesn't have a built in password change function but you can activate the 
standard IIS password changing module called iisadmpwd which is placed in the 
options section of the OWA interface. However if the password has expired you'll 
be out of luck.

One article that covers this is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in 
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your 
password is expired (forced or otherwise) you aren't getting into OWA. I also 
don't believe it has a password change function if you just want to go and 
change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told 
the system to not allow people to change the password if the password age was 
less than one day and then were confused when it did exactly that. The reason 
for it is that there is one attribute for password age, pwdLastSet, and it 
doesn't distinguish between a helpdesk set operation or a normal password 
change, they are both password changes and you only want one day between every 
change. The proper way to handle that case is to force the users to change 
their password on next logon (which sets the pwdLastSet to 0), but as you know, 
that will kill OWA users. So you either need another process to follow for OWA 
only users, install some third party or custom inhouse tool, or drop the 
minimum password aging.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant!

I am not an outlook sort of person (we use Notes...), but the inferred statement 
surprises me. It suggests that if the "must change password" is set, you can't 
logon to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days is 
also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your 
password. If it did, it would surely allow you to logon, then require you to 
change  the password before you do anything..

This all seems unlikely, given Microsoft's recommended use of forcing password 
changes on a regular basis and forcing users to change a password when a new 
user is created.

If it is all true, maybe you have to provide some way that the users can go to 
a Citrix portal and change their password there, then go back and use Outlook 
Web Access.

Alan Cuthbertson


 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml




- Original Message -
From: "Aaron Visser" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Nevermind OWA = Outlook Web Access


On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]>
wrote:



I mean, if I use the check box to "user must change password at next logon"
our users whose only way into the domain is OWA will not prompt them to change
their password... Unless I am missing something.

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro
Support
Sent: Friday, August 26, 2

RE: [ActiveDir] finding txt in a message

2005-08-29 Thread deji
If you are thinking of finding them as they arrive or as they are being sent,
eventsink is the way to go. I don't know how to write one that will go
through messages already in the store and look for the keyword. But, writing
one that looks for the keyword as the message is coming in or leaving should
do the trick.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Steve Shaff
Sent: Mon 8/29/2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding txt in a message



I have Antigen, but will do subject and domain filtering... :(

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 29, 2005 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding txt in a message

The anti-virus server application (Exchange aware) is a great way to do
that.

Do you have one?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, August 29, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding txt in a message

Group,

Sorry for sending an Exchange question to an AD group, but I really need
an answer to this quick.

Does anyone know how to find a specific string or text in email?  I know
that exmerge can do subjects and system manager can track a message by
sender or receiver.. But, I need to know how to find specific text in an
email.

Thanks
S
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] OT: Extend W2K3 Boot Partiton

2005-08-29 Thread Arlo Clizer
I've been pretty pleased with BootItNG. It has gotten me out of some 
jams in the past.


http://www.terabyteunlimited.com/bootitng.html

I've been lurking here about a week or so. Great content!

Regards,

Arlo



RE: [ActiveDir] finding txt in a message

2005-08-29 Thread Steve Shaff
I have Antigen, but will do subject and domain filtering... :(

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 29, 2005 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding txt in a message

The anti-virus server application (Exchange aware) is a great way to do
that. 

Do you have one?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, August 29, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding txt in a message

Group,

Sorry for sending an Exchange question to an AD group, but I really need
an answer to this quick.

Does anyone know how to find a specific string or text in email?  I know
that exmerge can do subjects and system manager can track a message by
sender or receiver.. But, I need to know how to find specific text in an
email.

Thanks
S


RE: [ActiveDir] finding txt in a message

2005-08-29 Thread Al Mulnick
The anti-virus server application (Exchange aware) is a great way to do
that. 

Do you have one?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, August 29, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding txt in a message

Group,

Sorry for sending an Exchange question to an AD group, but I really need
an answer to this quick.

Does anyone know how to find a specific string or text in email?  I know
that exmerge can do subjects and system manager can track a message by
sender or receiver.. But, I need to know how to find specific text in an
email.

Thanks
S


[ActiveDir] finding txt in a message

2005-08-29 Thread Steve Shaff
Group,

Sorry for sending an Exchange question to an AD group, but I really need
an answer to this quick.

Does anyone know how to find a specific string or text in email?  I know
that exmerge can do subjects and system manager can track a message by
sender or receiver.. But, I need to know how to find specific text in an
email.

Thanks
S


RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Grillenmeier, Guido
good point Brett - I'm not even sure where I picked that up.  Probably
nowhere - must have confused the acronym with that used for Install From
Media... ;-)  Yep, here it should be IM...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Montag, 29. August 2005 13:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

IFM is an odd abbreviation of the Infrastructure Master role.  I think IM
is more typical.

-B

On Mon, 29 Aug 2005, Grillenmeier, Guido wrote:

> Andreas actually teased me with this at the second DEC in US (must have
> been 2003 in Scottsdale, Arizona), as I also wondered why the IFM would
> be required for this role.  So after a good discussion about the IFM's
> functions it was clear there was absolutely no technical requirement
> that adprep /domainprep be performed on the IFM FSMO ;-) 
> 
> The only reason the IFM was "chosen" to perform this "special" task is:
> they had to ensure that the domainprep will only be performed on a
> single DC in a domain and all the other FSMOs already had many more
> special tasks than the IFM - this is why the domainprep was bound to be
> executed on the IFM FSMO.
> 
> /Guido
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
> E.
> Sent: Montag, 29. August 2005 12:36
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> 
> Yep, that was him.  Drat, dunno why I had Luther in my head as being his
> first name.  
> 
> 
> - L
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> > Sent: Monday, August 29, 2005 12:32 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> > 
> > Heavy German accent?  I suspect that it was Andreas 
> > Luther  (and looks nothing like Guido)
> > 
> > And - it might have been DEC as Andreas was there for the Identity
> > Management (read:MIIS) portion of the conference.
> > 
> > Rick 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Hunter, Laura E.
> > Sent: Sunday, August 28, 2005 7:02 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> > 
> > Oddly enough, this exact topic came up in a dinner 
> > conversation at Tech Ed this year.[1]  Luther...oh heck somebody remind me of his 
> > last name...had apparently quizzed people with this one at a previous 
> > conference (DEC?), only to ultimately reveal that the answer was "You know how 
> > people always ask you what the IM FSMO does? Well, now you can tell them that 
> > it's responsible for running /domainprep."
> > 
> > 
> > 
> > [1] Please hold the jokes about having dinner conversations 
> > about Active Directory internals until the end, please.  :-)
> > 
> > 
> > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> > > > Sent: Sunday, August 28, 2005 7:36 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
> > > > 
> > > > Hi all
> > > >  
> > > > Does anyone know why the documentation suggests that adprep 
> > > > /domainprep be run on the DC holding the IM FSMO role?  I heard a 
> > > > rumour to the effect that it was only because that DC is likely to be
> > > > less busy than the other DCs, but I'd like to know for sure.
> > > >  
> > > > Tony
> > > > 
> > > 
> > > 
> > > 
> > > 
> > > 


RE: [ActiveDir] OT: Extend W2K3 Boot Partiton

2005-08-29 Thread Medeiros, Jose



Hi Devon,

PowerQuest Volume Manager (Formerly server magic) and now Symantec Volume
Manager does indeed work on a 2003 server volume.

Jose :-)

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
  Sent: Monday, August 29, 2005 8:45 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: Extend W2K3 Boot Partiton

  Partition Manager

  (I'm a satisfied customer of the product.)

  http://www.partition-manager.com/

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
  Sent: Monday, August 29, 2005 11:28 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: Extend W2K3 Boot Partiton

  Is there a way to extend boot & system partitions on Windows 2003?
  Diskpart.exe only does data partitions and PowerQuest Volume Manager stops
  at Windows 2000.

  Devon Harding
  Windows Systems Engineer
  Southern Wine & Spirits - BSG
  954-602-2469

  This message and any attachments are solely for the intended recipient
  and may contain confidential or privileged information. If you are not
  the intended recipient, any disclosure, copying, use or distribution of
  the information included in the message and any attachments is
  prohibited. If you have received this communication in error, please
  notify us by reply e-mail and immediately and permanently delete this
  message and any attachments. Thank You.


RE: [ActiveDir] OT: Extend W2K3 Boot Partiton

2005-08-29 Thread Joe Pochedley



Note that with Version 7, Paragon now has a Partition Manager Server 
Edition that is required to work with Windows Server versions.   The 
software is well worth the money though

Joe Pochedley

A computer terminal is not some clunky old television with a typewriter in 
front of it. It is an interface where the mind and body can connect with the 
universe and move bits of it about. -Douglas Adams


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, August 29, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Extend W2K3 Boot Partiton

Partition Manager

(I'm a satisfied customer of the product.)

http://www.partition-manager.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, August 29, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Extend W2K3 Boot Partiton

Is there a way to extend boot & system partitions on Windows 2003?
Diskpart.exe only does data partitions and PowerQuest Volume Manager stops
at Windows 2000.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
 






RE: [ActiveDir] Exchange 2k hotfix issue(OT)

2005-08-29 Thread Hunter, Laura E.
You might want to fire up regmon to see what is causing the setup to fail. I 
had a similar situation a few weeks ago and we figured out (*waves at Dean*) 
that there was a "ServicePackBuild" registry entry under 
HKLM\Software\Exchange\Setup that didn't get correctly re-populated during the 
recovery install.

- Laura

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Monday, August 29, 2005 12:20 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Exchange 2k hotfix issue(OT)
> 
> I reinstalled exchange 2k with the /disasterrecovery switch.
> Did the same with sp3 for exchange.
>  
> however when i try to install the post sp3 rollup, it tells 
> me i'm not at sp 3.
>  
> Also there is no M: drive created and when i try to do a db 
> restore, the store won't mount with eventid 619.
>  
> Event id 619 suggests to me that exchange thinks its not at 
> sp3 but the restore is from a sp3 info store, thus creating 
> an inconsistency.
> However, sp3 installed with the dr switch without error and 
> in ESM, it says SP3 under the restored server.
>  
> Any ideas would be great.
>  
> thanks
> 


[ActiveDir] Exchange 2k hotfix issue(OT)

2005-08-29 Thread Kern, Tom
I reinstalled exchange 2k with the /disasterrecovery switch.
Did the same with sp3 for exchange.
 
however when i try to install the post sp3 rollup, it tells me i'm not at sp 3.
 
Also there is no M: drive created and when i try to do a db restore, the store 
won't mount with eventid 619.
 
Event id 619 suggests to me that exchange thinks its not at sp3 but the restore 
is from a sp3 info store, thus creating an inconsistency.
However, sp3 installed with the dr switch without error and in ESM, it says SP3 
under the restored server.
 
Any ideas would be great.
 
thanks


RE: [ActiveDir] Permissions for a user to add users to a group

2005-08-29 Thread Fugleberg, David A
A taskpad is one way to do it.  Another way is to tell the manager to
find the group using the Search function on the start menu - when they
double-click the group, the membership list is displayed and buttons are
provided to add and remove members.  The buttons are only active if they
have the permissions to do so, as mentioned below.  No additional
software install/config required.

Dave 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, August 29, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group


Ok that is what I figured.  So if I install just aduc from the adminpak
and create a custom task pad for the manager.  It would be the easier
and best method to alleviate confusion etc?

Jeff
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 27, 2005 2:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group

It means the manager can add or remove DNs to the member attribute of
the group. So they will be able to add or remove members of the group.
They won't actually be able to add/remove users from AD with just those
rights.

ADUC can be used, as can a script or anything else that modifies the
member attribute of the group in question.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Friday, August 26, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions for a user to add users to a group

If I set a group to managed by to a particular user and check the box
Manager can update member list.  

That means the Manager can add or delete users correct?

Does he need ADUC or is there another way he can add those users?  


Thanks

Jeff




RE: [ActiveDir] OT: Extend W2K3 Boot Partiton

2005-08-29 Thread Michael B. Smith



Partition Manager

(I'm a satisfied customer of the product.)

http://www.partition-manager.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, August 29, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Extend W2K3 Boot Partiton

Is there a way to extend boot & system partitions on Windows 2003?
Diskpart.exe only does data partitions and PowerQuest Volume Manager stops
at Windows 2000.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
 






[ActiveDir] OT: Extend W2K3 Boot Partiton

2005-08-29 Thread Harding, Devon





Is there a way to extend boot & system partitions on Windows 2003?
Diskpart.exe only does data partitions and PowerQuest Volume Manager stops
at Windows 2000.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
 









RE: [ActiveDir] determine number of users logged on last 60 days

2005-08-29 Thread Al Mulnick
It's possible, but not absolute.  Are you trying to automate user
management?
Can you give some more details about what you want and what you want to
do with the data?  That might help to spur some better information.

Basically, you can use lastlogontimestamp (dsquery makes it pretty easy
if you want to use that) to find out about when the last time a user
logged on assuming they triggered an update to this.  Some actions don't
trigger this update so a second data point is a useful thing to have to
narrow it down even more.  pwdLastSet is a useful data point IIRC. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, August 29, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] determine number of users logged on last 60 days

Is there a query I could run that would tell me the number of users -minus
service accounts (guess filter by OU) that have logged on in the last 60
days.

Jeff Cothern
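
The lastLogonTimestamp plus pwdLastSet approach from the reply above, as an added example that is not part of the original thread. It assumes the default 14-day msDS-LogonTimeSyncInterval; the function names, account names and sample records are constructed for illustration, and the OU scoping that excludes service accounts is left to the search base.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: default 14-day msDS-LogonTimeSyncInterval, so the replicated
# lastLogonTimestamp can trail the real last logon by up to 14 days.
SYNC_LAG = timedelta(days=14)


def to_filetime(dt):
    """Convert an aware datetime to FILETIME ticks using exact integer math."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ticks):
    """Convert FILETIME ticks back to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def active_user_filter(now, days=60):
    """LDAP filter for user objects whose lastLogonTimestamp is inside the window.

    Run it against the OU that holds people, not service accounts.
    """
    cutoff = to_filetime(now - timedelta(days=days))
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(lastLogonTimestamp>={cutoff}))")


def classify(record, now, days=60):
    """Classify one directory record (attribute values as returned strings).

    active    - lastLogonTimestamp is inside the window
    review    - no recent logon stamp, but pwdLastSet is inside the window;
                a helpdesk reset moves pwdLastSet too, so this is a hint only
    uncertain - stamp is older than the window by less than the sync lag,
                so a later logon may simply not have been written back
    inactive  - no evidence of activity inside the window
    """
    cutoff = to_filetime(now - timedelta(days=days))
    floor = to_filetime(now - timedelta(days=days) - SYNC_LAG)
    last_logon = int(record.get("lastLogonTimestamp") or 0)  # absent: never set
    pwd_set = int(record.get("pwdLastSet") or 0)             # 0: must change at next logon
    if last_logon >= cutoff:
        return "active"
    if pwd_set >= cutoff:
        return "review"
    if last_logon >= floor:
        return "uncertain"
    return "inactive"


def summarize(records, now, days=60):
    """Group account names by classification."""
    result = {"active": [], "review": [], "uncertain": [], "inactive": []}
    for rec in records:
        result[classify(rec, now, days)].append(rec["sAMAccountName"])
    return result


# Constructed sample data: a fixed "now" and five made-up accounts.
NOW = datetime(2005, 8, 29, tzinfo=timezone.utc)


def _ago(days):
    return str(to_filetime(NOW - timedelta(days=days)))


SAMPLE = [
    {"sAMAccountName": "alice", "lastLogonTimestamp": _ago(10), "pwdLastSet": _ago(40)},
    {"sAMAccountName": "bob", "lastLogonTimestamp": _ago(65), "pwdLastSet": _ago(200)},
    {"sAMAccountName": "carol", "lastLogonTimestamp": _ago(90), "pwdLastSet": _ago(5)},
    {"sAMAccountName": "dave", "lastLogonTimestamp": _ago(120), "pwdLastSet": _ago(300)},
    {"sAMAccountName": "erin", "pwdLastSet": "0"},  # never logged on
]

if __name__ == "__main__":
    print(active_user_filter(NOW))
    for status, names in summarize(SAMPLE, NOW).items():
        print(f"{status:10} {len(names)} {names}")
```

Only the "active" bucket is a firm count; "review" and "uncertain" are the accounts where a second data point or a per-DC check is needed before treating them as unused.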



[ActiveDir] determine number of users logged on last 60 days

2005-08-29 Thread Cothern Jeff D. Team EITC
Is there a query I could run that would tell me the number of users -minus
service accounts (guess filter by OU) that have logged on in the last 60
days.

Jeff Cothern



RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Rick Kingslan
Guido is doing that for me, I'm quite sure.  Any time anyone mentions IM to
me, I want to add them to my contact list.  I'm much like a teenage little
girl in that regard (and scream like one too, when frightened! :-)



Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, August 29, 2005 6:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

IFM is an odd abbreviation of the Infrastructure Master role.  I think IM is
more typical.

-B

On Mon, 29 Aug 2005, Grillenmeier, Guido wrote:

> Andreas actually teased me with this at the second DEC in US (must 
> have been 2003 in Scottsdale, Arizona), as I also wondered why the IFM 
> would be required for this role.  So after a good discussion about the 
> IFM's functions it was clear there was absolutely no technical 
> requirement that adprep /domainprep be performed on the IFM FSMO ;-)
> 
> The only reason the IFM was "chosen" to perform this "special" task is:
> they had to ensure that the domainprep will only be performed on a 
> single DC in a domain and all the other FSMOs already had many more 
> special tasks than the IFM - this is why the domainprep was bound to 
> be executed on the IFM FSMO.
> 
> /Guido
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura 
> E.
> Sent: Montag, 29. August 2005 12:36
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> 
> Yep, that was him.  Drat, dunno why I had Luther in my head as being 
> his first name.
> 
> 
> - L
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rick 
> > Kingslan
> > Sent: Monday, August 29, 2005 12:32 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> > 
> > Heavy German accent?  I suspect that it was Andreas Luther  (and 
> > looks nothing like Guido)
> > 
> > And - it might have been DEC as Andreas was there for the Identity 
> > Management (read:MIIS) portion of the conference.
> > 
> > Rick
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, 
> > Laura E.
> > Sent: Sunday, August 28, 2005 7:02 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> > 
> > Oddly enough, this exact topic came up in a dinner conversation at 
> > Tech Ed this year.[1]  Luther...oh heck somebody remind me of his
> > last name...had apparently quizzed people with this one at a 
> > previous conference (DEC?), only to ultimately reveal that the answer 
> > was "You know how
> > people always ask you what the IM FSMO does? Well, now you can tell them that
> > it's responsible for running /domainprep."
> > 
> > 
> > 
> > [1] Please hold the jokes about having dinner conversations about 
> > Active Directory internals until the end, please.  :-)
> > 
> > 
> > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> > > > Sent: Sunday, August 28, 2005 7:36 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
> > > > 
> > > > Hi all
> > > >  
> > > > Does anyone know why the documentation suggests that adprep 
> > > > /domainprep be run on the DC holding the IM FSMO role?  I heard 
> > > > a rumour to the effect that it was only because that DC is likely to be
> > > > less busy than the other DCs, but I'd like to know for sure.
> > > >  
> > > > Tony
> > > > 
> > > 
> > > 
> > > 
> > > 
> > > 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Rick Kingslan
I suppose it's much like my gaffe of a couple weeks ago with our good friend
Bernard Aric (sic) from HP.

(Cheers, Aric! )

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Monday, August 29, 2005 5:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

Yep, that was him.  Drat, dunno why I had Luther in my head as being his
first name.  


- L

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Monday, August 29, 2005 12:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> 
> Heavy German accent?  I suspect that it was Andreas Luther  (and 
> looks nothing like Guido)
> 
> And - it might have been DEC as Andreas was there for the Identity 
> Management (read:MIIS) portion of the conference.
> 
> Rick
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura 
> E.
> Sent: Sunday, August 28, 2005 7:02 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> 
> Oddly enough, this exact topic came up in a dinner conversation at
> Tech Ed this year.[1]  Luther...oh heck somebody remind me of his
> last name...had apparently quizzed people with this one at a previous
> conference (DEC?), only to ultimately reveal that the answer was "You
> know how people always ask you what the IM FSMO does? Well, now you
> can tell them that it's responsible for running /domainprep."
> 
> 
> 
> [1] Please hold the jokes about having dinner conversations about 
> Active Directory internals until the end, please.  :-)
> 
> 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> > > Sent: Sunday, August 28, 2005 7:36 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
> > > 
> > > Hi all
> > >  
> > > Does anyone know why the documentation suggests that adprep
> > > /domainprep be run on the DC holding the IM FSMO role?  I heard a
> > > rumour to the effect that it was only because that DC is likely to
> > > be less busy than the other DCs, but I'd like to know for sure.
> > >  
> > > Tony
> > > 
> > 
> > 
> > 
> > 
> > 


RE: [ActiveDir] GP setting for IE lockdown

2005-08-29 Thread Cothern Jeff D. Team EITC
If I read you right they will only be accessing the website thru this
Terminal Service.  If this is the case there are a few settings you
would need to set to lock down the system.  It is not just IE you have
to think about.  

User Configuration > Windows Components > Windows Explorer

Hide These Drives in My Computer: Enabled (Restrict a,b,c,d drives only)
Remove "Map Network drive and disconnect network": Enabled
Remove CD Burning Features: Enabled
Remove Hardware tab: Enabled

Start Menu and Taskbar

Remove Run menu from Start Menu: Enabled


Another area to look at is 

http://download.microsoft.com/download/d/8/b/d8b21533-a5bf-4d46-8878-ebbf834fc6f7/Win2003_Teminal_Server_Lockdown.doc

I found that document invaluable when I had to create a locked down TS
system.

One item to note.  You're gonna want to make the TS system part of the
domain definitely and use group policies to apply the settings as it
makes it hard to change settings once you lock it down if you do it on
the local policy.

Jeff Cothern


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Friday, August 26, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GP setting for IE lockdown

I've been tasked with the following project...

Provide access for partner company personnel to a LOB app and our
intranet via a terminal server session [1]. The IE session should allow
access to the intranet site and nothing else, no internet, no local
machine, no customization.

Plan is to create a VM with the appropriate restricted desktop access
and the LOB app. That part's ok; however, I'm having trouble finding
good info on securing IE so that it can only get to our intranet. 
I can set a non-existent proxy and add our intranet to the proxy bypass
sites; that's easy enough.

What I can't remember is how to lock down IE so no one can type "c:\" or
some other folder name and get to the local file system. I tried the
NoFileURL setting under
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, but
it's not restricting the test user.
Anyone remember a good way to prevent local file system access through
IE?

A good ADM file that chokes IE to the bone would be nice, too, but I
haven't found one of those lately either.

My Google Mojo isn't working today...

Thanks!

[1] I know; running IE on a server is bad juju. That's why it's going to
be in a snapshotted VM I can wipe daily. :-) You don't want to know how
ugly the other alternatives were...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
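
An added example, not part of the original messages: a drift check for the Explorer settings listed in the reply above, using the registry value names those policies write for the user. The function names and the observed values are constructed for illustration; on a real host the observed values would come from the user's Policies\Explorer key.

```powershell
# Added example. Setting names come from the reply above; the registry value names
# are the ones these Explorer policies write under
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
# The "observed" values are constructed sample data, not read from a live system.

function Get-NoDrivesMask {
    # NoDrives is a bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    param([Parameter(Mandatory)] [char[]] $DriveLetter)
    $mask = 0
    foreach ($letter in $DriveLetter) {
        $index = [int]([char]::ToUpperInvariant($letter)) - [int][char]'A'
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: $letter" }
        $mask = $mask -bor (1 -shl $index)
    }
    return $mask
}

function Test-ExplorerLockdown {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Observed
    )
    foreach ($name in $Expected.Keys) {
        $want = $Expected[$name]
        $have = $Observed[$name]
        if ($null -eq $have) {
            $status = 'MISSING'
        } elseif ($name -eq 'NoDrives') {
            # Every required drive bit must be set; extra hidden drives are fine.
            if (($have -band $want) -eq $want) { $status = 'OK' } else { $status = 'WEAK' }
        } else {
            if ($have -eq $want) { $status = 'OK' } else { $status = 'WEAK' }
        }
        [pscustomobject]@{ Value = $name; Expected = $want; Observed = $have; Status = $status }
    }
}

# Baseline derived from the settings in the reply.
$expected = [ordered]@{
    NoDrives               = Get-NoDrivesMask -DriveLetter 'A','B','C','D'   # A-D = 15
    NoNetConnectDisconnect = 1    # Remove "Map Network Drive" / "Disconnect Network Drive"
    NoCDBurning            = 1    # Remove CD Burning Features
    NoHardwareTab          = 1    # Remove Hardware tab
    NoRun                  = 1    # Remove Run menu from Start Menu
}

# Constructed sample: only C: and D: hidden, two settings never applied.
$observed = @{ NoDrives = 12; NoCDBurning = 1; NoRun = 1 }

Test-ExplorerLockdown -Expected $expected -Observed $observed | Format-Table -AutoSize
```

NoDrives only hides the drives; a path typed into an address bar still resolves. The companion Windows Explorer policy "Prevent access to drives from My Computer" writes the same bitmask to NoViewOnDrive.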


RE: [ActiveDir] Permissions for a user to add users to a group

2005-08-29 Thread Cothern Jeff D. Team EITC
Ok that is what I figured.  So if I install just aduc from the adminpak
and create a custom task pad for the manager.  It would be the easier
and best method to alleviate confusion etc?

Jeff
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 27, 2005 2:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group

It means the manager can add or remove DNs to the member attribute of
the group. So they will be able to add or remove members of the group.
They won't actually be able to add/remove users from AD with just those
rights.

ADUC can be used, as can a script or anything else that modifies the
member attribute of the group in question.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Friday, August 26, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions for a user to add users to a group

If I set a group to managed by to a particular user and check the box
Manager can update member list.  

That means the Manager can add or delete users correct?

Does he need ADUC or is there another way he can add those users?  


Thanks

Jeff




RE: [ActiveDir] Password policy change

2005-08-29 Thread Cothern Jeff D. Team EITC
I have a possible solution for the OWA users.  I haven't used this particular 
software but we use one of their other products and it works well.  I'll let 
the website speak for itself.  But I believe this would provide a means via the 
web for your users to change their passwords.

http://www.anixis.com/products/ppeweb/default.htm 

Jeff Cothern


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, August 29, 2005 4:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

OWA doesn't have a built in password change function but you can activate the 
standard IIS password changing module called iisadmpwd  which is placed in the 
options section of the OWA interface. However if the password has expired you'll 
be out of luck. 

One article that covers this is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in 
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your 
password is expired (forced or otherwise) you aren't getting into OWA. I also 
don't believe it has a password change function if you just want to go and 
change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told 
the system to not allow people to change the password if the password age was 
less than one day and then were confused when it did exactly that. The reason 
for it is that there is one attribute for password age, pwdLastSet, and it 
doesn't distinguish between a helpdesk set operation or a normal password 
change, they are both password changes and you only want one day between every 
change. The proper way to handle that case is to force the users to change 
their password on next logon (which sets the pwdLastSet to 0), but as you know, 
that will kill OWA users. So you either need another process to follow for OWA 
only users, install some third party or custom in-house tool, or drop the 
minimum password aging. 

   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant!

I am not an outlook sort of person (we use Notes...), but the inferred 
statement surprises me. It suggests that if the "must change password" is set, 
you can't logon to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days is 
also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your 
password. If it did, it would surely allow you to logon, then require you to 
change  the password before you do anything..

This all seems unlikely, given Microsoft's recommended use of forcing password 
changes on a regular basis and forcing users to change a password when a new 
user is created.

If it is all true, maybe you have to provide some way that the users can go to 
a Citrix portal and change their password there, then go back and use Outlook 
Web Access.

 Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml




- Original Message -
From: "Aaron Visser" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Nevermind OWA = Outlook Web Access


On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]>
wrote:

>
> I mean, if I use the check box to "user must change password at next
> logon" our users whose only way into the domain is OWA will not prompt
> them to change their password... Unless I am missing something.
>
> Thanks
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of SysPro 
> Support
> Sent: Friday, August 26, 2005 3:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Password policy change
>
> Johnny,
>
> We do exactly what you suggest, change the password and set the "user
> must change password at next logon" and they are able to change it,
> even within the "password cannot be changed period".
>
> What do you mean by "that would effectively lock out the OWA only users"?
>
>
>  Alan Cuthbertson
>
>
>  Policy Management Software:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
> ADM
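
An added example, not part of the original thread: the pwdLastSet and minimum-password-age interaction discussed above, worked through for a helpdesk reset with and without "user must change password at next logon". The function name, the OwaOnly flag and all sample values are constructed; it assumes pwdLastSet is a FILETIME and minPwdAge a negative count of 100 ns ticks, which is how the directory stores them.

```powershell
# Added example: the sample timestamps and policy value are constructed.
# pwdLastSet (user)  : FILETIME, 100 ns ticks since 1601-01-01 UTC; 0 = must change at next logon
# minPwdAge (domain) : negative number of 100 ns ticks; -864000000000 = 1 day

function Get-PasswordChangeState {
    param(
        [Parameter(Mandatory)] [long]     $PwdLastSet,
        [Parameter(Mandatory)] [long]     $MinPwdAge,
        [Parameter(Mandatory)] [datetime] $NowUtc,
        [bool] $OwaOnly = $false   # hypothetical flag: user has no logon path other than OWA
    )

    if ($PwdLastSet -eq 0) {
        # "User must change password at next logon" was ticked. The change is made as
        # part of logon, so minimum age does not block it, but the logon path has to
        # offer the prompt. Per the thread, OWA does not.
        if ($OwaOnly) { $outcome = 'Locked out: OWA rejects the logon and has no change prompt' }
        else          { $outcome = 'Prompted to change at next interactive logon' }
        return [pscustomobject]@{
            EarliestChangeUtc = $null
            CanChangeNow      = -not $OwaOnly
            Outcome           = $outcome
        }
    }

    # A helpdesk reset and a user change both stamp pwdLastSet, so the minimum age
    # counts from whichever happened last.
    $minAge    = [timespan]::FromTicks([math]::Abs($MinPwdAge))
    $earliest  = [datetime]::FromFileTimeUtc($PwdLastSet) + $minAge
    $canChange = $NowUtc -ge $earliest
    if ($canChange) { $outcome = 'Change accepted' }
    else            { $outcome = "Change refused by minimum password age until $($earliest.ToString('u'))" }

    [pscustomobject]@{
        EarliestChangeUtc = $earliest
        CanChangeNow      = $canChange
        Outcome           = $outcome
    }
}

$minPwdAge = -864000000000   # constructed: minimum password age of 1 day
$resetUtc  = [datetime]::new(2005, 8, 26, 15, 0, 0, [System.DateTimeKind]::Utc)   # helpdesk reset

$cases = @(
    @{ Case = 'Reset, box not ticked, 10 min later';  PwdLastSet = $resetUtc.ToFileTimeUtc(); Now = $resetUtc.AddMinutes(10); OwaOnly = $false }
    @{ Case = 'Reset, box not ticked, 25 h later';    PwdLastSet = $resetUtc.ToFileTimeUtc(); Now = $resetUtc.AddHours(25);   OwaOnly = $false }
    @{ Case = 'Reset, box ticked, desktop user';      PwdLastSet = 0;                          Now = $resetUtc.AddMinutes(10); OwaOnly = $false }
    @{ Case = 'Reset, box ticked, OWA-only user';     PwdLastSet = 0;                          Now = $resetUtc.AddMinutes(10); OwaOnly = $true  }
)

$cases | ForEach-Object {
    $state = Get-PasswordChangeState -PwdLastSet $_.PwdLastSet -MinPwdAge $minPwdAge `
                                     -NowUtc $_.Now -OwaOnly $_.OwaOnly
    [pscustomobject]@{ Case = $_.Case; CanChangeNow = $state.CanChangeNow; Outcome = $state.Outcome }
} | Format-Table -AutoSize -Wrap
```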

RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Brett Shirley
IFM is an odd abbreviation of the Infrastructure Master role.  I think IM
is more typical.

-B

On Mon, 29 Aug 2005, Grillenmeier, Guido wrote:

> Andreas actually teased me with this at the second DEC in US (must have
> been 2003 in Scottsdale, Arizona), as I also wondered why the IFM would
> be required for this role.  So after a good discussion about the IFM's
> functions it was clear there was absolutely no technical requirement
> that adprep /domainprep be performed on the IFM FSMO ;-) 
> 
> The only reason the IFM was "chosen" to perform this "special" task is:
> they had to ensure that the domainprep will only be performed on a
> single DC in a domain and all the other FSMOs already had many more
> special tasks than the IFM - this is why the domainprep was bound to be
> executed on the IFM FSMO.
> 
> /Guido
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
> E.
> Sent: Monday, 29 August 2005 12:36
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> 
> Yep, that was him.  Drat, dunno why I had Luther in my head as being his
> first name.  
> 
> 
> - L
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> > Sent: Monday, August 29, 2005 12:32 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> > 
> > Heavy German accent?  I suspect that it was Andreas 
> > Luther  (and looks nothing like Guido)
> > 
> > And - it might have been DEC as Andreas was there for the Identity
> > Management (read:MIIS) portion of the conference.
> > 
> > Rick 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Hunter, Laura E.
> > Sent: Sunday, August 28, 2005 7:02 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> > 
> > Oddly enough, this exact topic came up in a dinner
> > conversation at Tech Ed this year.[1]  Luther...oh heck somebody
> > remind me of his last name...had apparently quizzed people with this
> > one at a previous conference (DEC?), only to ultimately reveal that
> > the answer was "You know how people always ask you what the IM FSMO
> > does? Well, now you can tell them that it's responsible for running
> > /domainprep."
> > 
> > 
> > 
> > [1] Please hold the jokes about having dinner conversations 
> > about Active Directory internals until the end, please.  :-)
> > 
> > 
> > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> > > > Sent: Sunday, August 28, 2005 7:36 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
> > > > 
> > > > Hi all
> > > >  
> > > > Does anyone know why the documentation suggests that adprep
> > > > /domainprep be run on the DC holding the IM FSMO role?  I heard a
> > > > rumour to the effect that it was only because that DC is likely
> > > > to be less busy than the other DCs, but I'd like to know for sure.
> > > >  
> > > > Tony
> > > > 
> > > 
> > > 
> > > 
> > > 
> > > 


RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Grillenmeier, Guido
Andreas actually teased me with this at the second DEC in US (must have
been 2003 in Scottsdale, Arizona), as I also wondered why the IFM would
be required for this role.  So after a good discussion about the IFM's
functions it was clear there was absolutely no technical requirement
that adprep /domainprep be performed on the IFM FSMO ;-) 

The only reason the IFM was "chosen" to perform this "special" task is:
they had to ensure that the domainprep will only be performed on a
single DC in a domain and all the other FSMOs already had many more
special tasks than the IFM - this is why the domainprep was bound to be
executed on the IFM FSMO.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Monday, 29 August 2005 12:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

Yep, that was him.  Drat, dunno why I had Luther in my head as being his
first name.  


- L

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Monday, August 29, 2005 12:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> 
> Heavy German accent?  I suspect that it was Andreas 
> Luther  (and looks nothing like Guido)
> 
> And - it might have been DEC as Andreas was there for the Identity
> Management (read:MIIS) portion of the conference.
> 
> Rick 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Hunter, Laura E.
> Sent: Sunday, August 28, 2005 7:02 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> 
> Oddly enough, this exact topic came up in a dinner
> conversation at Tech Ed this year.[1]  Luther...oh heck somebody
> remind me of his last name...had apparently quizzed people with this
> one at a previous conference (DEC?), only to ultimately reveal that
> the answer was "You know how people always ask you what the IM FSMO
> does? Well, now you can tell them that it's responsible for running
> /domainprep."
> 
> 
> 
> [1] Please hold the jokes about having dinner conversations 
> about Active Directory internals until the end, please.  :-)
> 
> 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> > > Sent: Sunday, August 28, 2005 7:36 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
> > > 
> > > Hi all
> > >  
> > > Does anyone know why the documentation suggests that adprep
> > > /domainprep be run on the DC holding the IM FSMO role?  I heard a
> > > rumour to the effect that it was only because that DC is likely to
> > > be less busy than the other DCs, but I'd like to know for sure.
> > >  
> > > Tony
> > > 
> > 
> > 
> > 
> > 
> > 


RE: [ActiveDir] Urgent:Access Denied to Password Resets

2005-08-29 Thread Aramide Adebanjo
Hi All,

Apologies for my silence on this issue. I have checked these support
pages and it involves installing a hotfix on the PDC to modify the
effects of the AdminSDHolder on protected groups. However I don't
believe this solves my issue because the problem stated in the article
was the issue of users with delegated rights not being able to reset
some user accounts under protected groups. In addition, this hotfix is
still under testing. I need to know if there is anyone out there who is
experiencing my challenges as well.

BR

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, August 22, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent:Access Denied to Password Resets

Could be the AdminSDHolder:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q232199

..and some words on this from Ulf:

http://msmvps.com/ulfbsimonweidner/archive/2005/05/29/49659.aspx

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aramide
Adebanjo
Sent: Monday, 22 August 2005 8:37 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgent:Access Denied to Password Resets


Hi All,

We have a delegation model we just adopted and part of the
responsibilities handed over to our helpdesk support staff is password
reset of user accounts. However this delegated right goes off every 48
hrs and I had to redo the delegation again. We have a 2003 domain and I
have searched the technet site to no avail for problems similar to
this. In addition, helpdesk is not prompted to force password change at
next logon...
Any ideas guys..??


RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Hunter, Laura E.
Yep, that was him.  Drat, dunno why I had Luther in my head as being his
first name.  


- L

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Monday, August 29, 2005 12:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> 
> Heavy German accent?  I suspect that it was Andreas 
> Luther  (and looks nothing like Guido)
> 
> And - it might have been DEC as Andreas was there for the Identity
> Management (read:MIIS) portion of the conference.
> 
> Rick 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Hunter, Laura E.
> Sent: Sunday, August 28, 2005 7:02 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> 
> Oddly enough, this exact topic came up in a dinner
> conversation at Tech Ed this year.[1]  Luther...oh heck somebody
> remind me of his last name...had apparently quizzed people with this
> one at a previous conference (DEC?), only to ultimately reveal that
> the answer was "You know how people always ask you what the IM FSMO
> does? Well, now you can tell them that it's responsible for running
> /domainprep."
> 
> 
> 
> [1] Please hold the jokes about having dinner conversations 
> about Active Directory internals until the end, please.  :-)
> 
> 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> > > Sent: Sunday, August 28, 2005 7:36 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
> > > 
> > > Hi all
> > >  
> > > Does anyone know why the documentation suggests that adprep
> > > /domainprep be run on the DC holding the IM FSMO role?  I heard a
> > > rumour to the effect that it was only because that DC is likely to
> > > be less busy than the other DCs, but I'd like to know for sure.
> > >  
> > > Tony
> > > 
> > 
> > 
> > 
> > 
> > 


RE: [ActiveDir] Password policy change

2005-08-29 Thread Peter Johnson
OWA doesn't have a built in password change function but you can activate the 
standard IIS password changing module called iisadmpwd  which is placed in the 
options section of the OWA interface. However if the password has expired you'll 
be out of luck. 

One article that covers this is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your
password is expired (forced or otherwise) you aren't getting into OWA. I
also don't believe it has a password change function if you just want to go
and change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told
the system to not allow people to change the password if the password age
was less than one day and then were confused when it did exactly that. The
reason for it is that there is one attribute for password age, pwdLastSet,
and it doesn't distinguish between a helpdesk set operation or a normal
password change, they are both password changes and you only want one day
between every change. The proper way to handle that case is to force the
users to change their password on next logon (which sets the pwdLastSet to
0), but as you know, that will kill OWA users. So you either need another
process to follow for OWA only users, install some third party or custom
in-house tool, or drop the minimum password aging. 

   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant!

I am not an outlook sort of person (we use Notes...), but the inferred
statement surprises me. It suggests that if the "must change password" is
set, you can't logon to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days
is also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your
password. If it did, it would surely allow you to logon, then require you to
change  the password before you do anything..

This all seems unlikely, given Microsoft's recommended use of forcing
password changes on a regular basis and forcing users to change a password
when a new user is created.

If it is all true, maybe you have to provide some way that the users can go
to a Citrix portal and change their password there, then go back and use
Outlook Web Access.

 Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml




- Original Message -
From: "Aaron Visser" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Nevermind OWA = Outlook Web Access


On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]>
wrote:

>
> I mean, if I use the check box to "user must change password at next
> logon" our users whose only way into the domain is OWA will not prompt
> them to change their password... Unless I am missing something.
>
> Thanks
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
> Sent: Friday, August 26, 2005 3:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Password policy change
>
> Johnny,
>
> We do exactly what you suggest, change the password and set the "user must
> change password at next logon" and they are able to change it, even within
> the "password cannot be changed period".
>
> What do you mean by "that would effectively lock out the OWA only users"?
>
>
>  Alan Cuthbertson
>
>
>  Policy Management Software:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
> ADM Template Editor:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
> Policy Log Reporter(Free)
> http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
>
>
>
> - Original Message -
> From: "Figueroa, Johnny" <[EMAIL PROTECTED]>
> To: 
> Sent: Saturday, August 27, 2005 2:56 AM
> Subject: RE: [ActiveDir] Password policy change
>
>
>
> Help desk sets the password to something "something", tells the user to
> change their password to whatever they want it to be and the user can not.
> I thought about having the HD check the box that makes it so the user has