RE: [ActiveDir] Password policy change
That should work. :-) There are actually many web-, phone- and login-prompt-accessible password change/synchronization/reset applications out there, some of which support password updates to multiple types of systems, rather than just AD. One such is http://psynch.com/

Linking one of these to OWA should be trivial. With this product, and probably others, you should have no trouble detecting password expiry and bouncing the user to the 'change now' page either.

Good luck,
-- Idan

On Mon, 29 Aug 2005, Cothern Jeff D. Team EITC wrote:

I have a possible solution for the OWA users. I haven't used this particular software but we use one of their other products and it works well. I'll let the website speak for itself. But I believe this would provide a means via the web for your users to change their passwords. http://www.anixis.com/products/ppeweb/default.htm

Jeff Cothern

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, August 29, 2005 4:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

OWA doesn't have a built-in password change function but you can activate the standard IIS password changing module called iisadmpwd, which is placed in the options section of the OWA interface. However, if the password has expired you'll be out of luck. One article that covers this is: http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your password is expired (forced or otherwise) you aren't getting into OWA.
I also don't believe it has a password change function if you just want to go and change it, but that could be something that could be enabled. Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told the system to not allow people to change the password if the password age was less than one day and then were confused when it did exactly that. The reason for it is that there is one attribute for password age, pwdLastSet, and it doesn't distinguish between a helpdesk set operation or a normal password change, they are both password changes and you only want one day between every change. The proper way to handle that case is to force the users to change their password on next logon (which sets the pwdLastSet to 0), but as you know, that will kill OWA users. So you either need another process to follow for OWA only users, install some third party or custom inhouse tool, or drop the minimum password aging.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant! I am not an outlook sort of person (we use Notes...), but the inferred statement surprises me. It suggests that if the "must change password" is set, you can't logon to Outlook Web Access. This would suggest that forcing users to change password after (say) 28 days is also a no-no. And, it would also suggest that Outlook Web Access won't let you change your password. If it did, it would surely allow you to logon, then require you to change the password before you do anything.

This all seems unlikely, given Microsoft's recommended use of forcing password changes on a regular basis and forcing users to change a password when a new user is created.
If it is all true, maybe you have to provide some way that the users can go to a Citrix portal and change their password there, then go back and use Outlook Web Access.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

----- Original Message -----
From: "Aaron Visser" <[EMAIL PROTECTED]>
To:
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change

Nevermind OWA = Outlook Web Access

On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]> wrote:

I mean, if I use the check box to "user must change password at next logon" our users whose only way into the domain is OWA will not prompt them to change their password... Unless I am missing something.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Friday, August 26, 2
RE: [ActiveDir] finding txt in a message
If you are thinking of finding them as they arrive or as they are being sent, eventsink is the way to go. I don't know how to write one that will go through messages already in the store and look for the keyword. But, writing one that looks for the keyword as the message is coming in or leaving should do the trick.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Steve Shaff
Sent: Mon 8/29/2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding txt in a message

I have Antigen, but will do subject and domain filtering... :(

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 29, 2005 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding txt in a message

The anti-virus server application (Exchange aware) is a great way to do that. Do you have one?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, August 29, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding txt in a message

Group,

Sorry for sending an Exchange question to an AD group, but I really need an answer to this quick. Does anyone know how to find a specific string or text in email? I know that exmerge can do subjects and system manager can track a message by sender or receiver.. But, I need to know how to find specific text in an email.
Thanks
S

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] OT: Extend W2K3 Boot Partiton
I've been pretty pleased with BootItNG. It has gotten me out of some jams in the past. http://www.terabyteunlimited.com/bootitng.html

I've been lurking here about a week or so. Great content!

Regards,
Arlo
RE: [ActiveDir] finding txt in a message
I have Antigen, but will do subject and domain filtering... :(

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 29, 2005 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding txt in a message

The anti-virus server application (Exchange aware) is a great way to do that. Do you have one?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, August 29, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding txt in a message

Group,

Sorry for sending an Exchange question to an AD group, but I really need an answer to this quick. Does anyone know how to find a specific string or text in email? I know that exmerge can do subjects and system manager can track a message by sender or receiver.. But, I need to know how to find specific text in an email.

Thanks
S
RE: [ActiveDir] finding txt in a message
The anti-virus server application (Exchange aware) is a great way to do that. Do you have one?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, August 29, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding txt in a message

Group,

Sorry for sending an Exchange question to an AD group, but I really need an answer to this quick. Does anyone know how to find a specific string or text in email? I know that exmerge can do subjects and system manager can track a message by sender or receiver.. But, I need to know how to find specific text in an email.

Thanks
S
[ActiveDir] finding txt in a message
Group,

Sorry for sending an Exchange question to an AD group, but I really need an answer to this quick. Does anyone know how to find a specific string or text in email? I know that exmerge can do subjects and system manager can track a message by sender or receiver.. But, I need to know how to find specific text in an email.

Thanks
S
RE: [ActiveDir] Infrastucture Master and adprep /domainprep
good point Brett - I'm not even sure where I picked that up. Probably nowhere - must have confused the acronym with that used for Install From Media... ;-) Yep, here it should be IM...

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Montag, 29. August 2005 13:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

IFM is an odd abbreviation of the Infrastructure Master role. I think IM is more typical.

-B

On Mon, 29 Aug 2005, Grillenmeier, Guido wrote:

> Andreas actually teased me with this at the second DEC in US (must have been 2003 in Scottsdale, Arizona), as I also wondered why the IFM would be required for this role. So after a good discussion about the IFM's functions it was clear there was absolutely no technical requirement that adprep /domainprep be performed on the IFM FSMO ;-)
>
> The only reason the IFM was "chosen" to perform this "special" task is: they had to ensure that the domainprep will only be performed on a single DC in a domain and all the other FSMOs already had many more special tasks than the IFM - this is why the domainprep was bound to be executed on the IFM FSMO.
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
> Sent: Montag, 29. August 2005 12:36
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
>
> Yep, that was him. Drat, dunno why I had Luther in my head as being his first name.
>
> - L
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> > Sent: Monday, August 29, 2005 12:32 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> >
> > Heavy German accent?
> > I suspect that it was Andreas Luther (and looks nothing like Guido)
> >
> > And - it might have been DEC as Andreas was there for the Identity Management (read:MIIS) portion of the conference.
> >
> > Rick
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
> > Sent: Sunday, August 28, 2005 7:02 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> >
> > Oddly enough, this exact topic came up in a dinner conversation at Tech Ed this year.[1] Luther...oh heck somebody remind me of his last name...had apparently quizzed people with this one at a previous conference (DEC?), only to ultimately reveal that the answer was "You know how people always ask you what the IM FSMO does? Well, now you can tell them that it's responsible for running /domainprep."
> >
> > [1] Please hold the jokes about having dinner conversations about Active Directory internals until the end, please. :-)
> >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> > > > Sent: Sunday, August 28, 2005 7:36 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
> > > >
> > > > Hi all
> > > >
> > > > Does anyone know why the documentation suggests that adprep /domainprep be run on the DC holding the IM FSMO role? I heard a rumour to the effect that it was only because that DC is likely to be less busy than the other DCs, but I'd like to know for sure.
> > > >
> > > > Tony
RE: [ActiveDir] OT: Extend W2K3 Boot Partiton
Hi Devon,

PowerQuest Volume Manager (Formerly server magic) and now Symantec Volume Manager does indeed work on a 2003 server volume.

Jose :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, August 29, 2005 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Extend W2K3 Boot Partiton

Partition Manager (I'm a satisfied customer of the product.) http://www.partition-manager.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, August 29, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Extend W2K3 Boot Partiton

Is there a way to extend boot & system partitions on Windows 2003? Diskpart.exe only does data partitions and PowerQuest Volume Manager stops at Windows 2000.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] OT: Extend W2K3 Boot Partiton
Note that with Version 7, Paragon now has a Partition Manager Server Edition that is required to work with Windows Server versions. The software is well worth the money though.

Joe Pochedley
A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, August 29, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Extend W2K3 Boot Partiton

Partition Manager (I'm a satisfied customer of the product.) http://www.partition-manager.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, August 29, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Extend W2K3 Boot Partiton

Is there a way to extend boot & system partitions on Windows 2003? Diskpart.exe only does data partitions and PowerQuest Volume Manager stops at Windows 2000.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] Exchange 2k hotfix issue(OT)
You might want to fire up regmon to see what is causing the setup to fail. I had a similar situation a few weeks ago and we figured out (*waves at Dean*) that there was a "ServicePackBuild" registry entry under HKLM\Software\Exchange\Setup that didn't get correctly re-populated during the recovery install.

- Laura

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Monday, August 29, 2005 12:20 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Exchange 2k hotfix issue(OT)
>
> I reinstalled exchange 2k with the /disasterrecovery switch. Did the same with sp3 for exchange.
>
> however when i try to install the post sp3 rollup, it tells me i'm not at sp 3.
>
> Also there is no M: drive created and when i try to do a db restore, the store won't mount with eventid 619.
>
> Event id 619 suggests to me that exchange thinks its not at sp3 but the restore is from a sp3 info store, thus creating an inconsistency.
> However, sp3 installed with the dr switch without error and in ESM, it says SP3 under the restored server.
>
> Any ideas would be great.
>
> thanks
[ActiveDir] Exchange 2k hotfix issue(OT)
I reinstalled exchange 2k with the /disasterrecovery switch. Did the same with sp3 for exchange.

however when i try to install the post sp3 rollup, it tells me i'm not at sp 3.

Also there is no M: drive created and when i try to do a db restore, the store won't mount with eventid 619.

Event id 619 suggests to me that exchange thinks its not at sp3 but the restore is from a sp3 info store, thus creating an inconsistency. However, sp3 installed with the dr switch without error and in ESM, it says SP3 under the restored server.

Any ideas would be great.

thanks
RE: [ActiveDir] Permissions for a user to add users to a group
A taskpad is one way to do it. Another way is to tell the manager to find the group using the Search function on the start menu - when they double-click the group, the membership list is displayed and buttons are provided to add and remove members. The buttons are only active if they have the permissions to do so, as mentioned below. No additional software install/config required.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, August 29, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group

Ok that is what I figured. So if I install just aduc from the adminpak and create a custom task pad for the manager. It would be the easier and best method to alleviate confusion etc?

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 27, 2005 2:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group

It means the manager can add or remove DNs to the member attribute of the group. So they will be able to add or remove members of the group. They won't actually be able to add/remove users from AD with just those rights. ADUC can be used, as can a script or anything else that modifies the member attribute of the group in question.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Friday, August 26, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions for a user to add users to a group

If I set a group to managed by to a particular user and check the box Manager can update member list. That means the Manager can add or delete users correct? Does he need ADUC or is there another way he can add those users?
Thanks
Jeff
RE: [ActiveDir] OT: Extend W2K3 Boot Partiton
Partition Manager (I'm a satisfied customer of the product.) http://www.partition-manager.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, August 29, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Extend W2K3 Boot Partiton

Is there a way to extend boot & system partitions on Windows 2003? Diskpart.exe only does data partitions and PowerQuest Volume Manager stops at Windows 2000.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
[ActiveDir] OT: Extend W2K3 Boot Partiton
Is there a way to extend boot & system partitions on Windows 2003? Diskpart.exe only does data partitions and PowerQuest Volume Manager stops at Windows 2000.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] determine number of users logged on last 60 days
It's possible, but not absolute. Are you trying to automate user management? Can you give some more details about what you want and what you want to do with the data? That might help to spur some better information.

Basically, you can use lastlogontimestamp (dsquery makes it pretty easy if you want to use that) to find out about when the last time a user logged on assuming they triggered an update to this. Some actions don't trigger this update so a second data point is a useful thing to have to narrow it down even more. pwdLastSet is a useful data point IIRC.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, August 29, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] determine number of users logged on last 60 days

Is there a query I could run that would tell me the number of users - minus service accounts (guess filter by OU) - that have logged on in the last 60 days?

Jeff Cothern
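An added illustration of the approach described in the reply above (not code from the thread): this Python sketch builds the LDAP filter for a 60-day lastLogonTimestamp window and classifies accounts, using pwdLastSet as the second data point. The sample accounts, the example.com DNs and the 14-day lag allowance (the default update interval for lastLogonTimestamp) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogonTimestamp and pwdLastSet as FILETIME values:
# 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption: default update interval. AD rewrites lastLogonTimestamp only when
# the stored value is older than this, so it can trail the real last logon by
# up to about 14 days.
SYNC_LAG = timedelta(days=14)


def to_filetime(dt):
    """Convert an aware datetime to a FILETIME integer."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_filter(now, days=60):
    """LDAP filter matching users whose stored logon stamp is inside the window."""
    cutoff = to_filetime(now - timedelta(days=days))
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(lastLogonTimestamp>={cutoff}))")


def classify(account, now, days=60):
    """Return 'active', 'review' or 'inactive' for one account record."""
    window_start = now - timedelta(days=days)
    cutoff = to_filetime(window_start)
    lag_floor = to_filetime(window_start - SYNC_LAG)
    last_logon = account.get("lastLogonTimestamp") or 0  # missing/0 = never set
    pwd_set = account.get("pwdLastSet") or 0             # 0 = must change at next logon
    if last_logon >= cutoff:
        return "active"
    if last_logon >= lag_floor:
        return "review"    # the real logon may be newer than the stored value
    if pwd_set >= cutoff:
        return "review"    # password set in window; may also be a helpdesk reset
    return "inactive"


def summarize(accounts, now, days=60, exclude_ous=()):
    """Count accounts per class, skipping any DN under an excluded OU."""
    suffixes = tuple("," + ou.lower() for ou in exclude_ous)
    counts = {"active": 0, "review": 0, "inactive": 0}
    for account in accounts:
        if suffixes and account["dn"].lower().endswith(suffixes):
            continue
        counts[classify(account, now, days)] += 1
    return counts


def day(year, month, dom):
    """FILETIME for midnight UTC on the given date (sample-data helper)."""
    return to_filetime(datetime(year, month, dom, tzinfo=timezone.utc))


# Constructed sample data; names, OUs and dates are hypothetical.
NOW = datetime(2005, 8, 29, tzinfo=timezone.utc)
SERVICE_OU = "OU=Service Accounts,DC=example,DC=com"
SAMPLE_ACCOUNTS = [
    {"dn": "CN=alice,OU=Staff,DC=example,DC=com",
     "lastLogonTimestamp": day(2005, 8, 1), "pwdLastSet": day(2005, 7, 1)},
    {"dn": "CN=bob,OU=Staff,DC=example,DC=com",
     "lastLogonTimestamp": day(2005, 6, 25), "pwdLastSet": day(2005, 3, 1)},
    {"dn": "CN=carol,OU=Staff,DC=example,DC=com",
     "lastLogonTimestamp": day(2005, 3, 1), "pwdLastSet": day(2005, 8, 15)},
    {"dn": "CN=dave,OU=Staff,DC=example,DC=com",
     "lastLogonTimestamp": day(2005, 1, 10), "pwdLastSet": day(2005, 1, 10)},
    {"dn": "CN=erin,OU=Staff,DC=example,DC=com", "pwdLastSet": 0},
    {"dn": "CN=svc_backup,OU=Service Accounts,DC=example,DC=com",
     "lastLogonTimestamp": day(2005, 8, 28), "pwdLastSet": day(2004, 1, 1)},
]

if __name__ == "__main__":
    print(build_filter(NOW))
    print(summarize(SAMPLE_ACCOUNTS, NOW, exclude_ous=[SERVICE_OU]))
```

The "review" bucket is the reason the count is "not absolute": those accounts need a look at per-DC data or another attribute before being counted either way.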
[ActiveDir] determine number of users logged on last 60 days
Is there a query I could run that would tell me the number of users - minus service accounts (guess filter by OU) - that have logged on in the last 60 days?

Jeff Cothern
RE: [ActiveDir] Infrastucture Master and adprep /domainprep
Guido is doing that for me, I'm quite sure. Any time anyone mentions IM to me, I want to add them to my contact list. I'm much like a teenage little girl in that regard (and scream like one too, when frightened! :-)

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, August 29, 2005 6:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

IFM is an odd abbreviation of the Infrastructure Master role. I think IM is more typical.

-B

On Mon, 29 Aug 2005, Grillenmeier, Guido wrote:

> Andreas actually teased me with this at the second DEC in US (must have been 2003 in Scottsdale, Arizona), as I also wondered why the IFM would be required for this role. So after a good discussion about the IFM's functions it was clear there was absolutely no technical requirement that adprep /domainprep be performed on the IFM FSMO ;-)
>
> The only reason the IFM was "chosen" to perform this "special" task is: they had to ensure that the domainprep will only be performed on a single DC in a domain and all the other FSMOs already had many more special tasks than the IFM - this is why the domainprep was bound to be executed on the IFM FSMO.
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
> Sent: Montag, 29. August 2005 12:36
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
>
> Yep, that was him. Drat, dunno why I had Luther in my head as being his first name.
>
> - L
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> > Sent: Monday, August 29, 2005 12:32 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> >
> > Heavy German accent?
> > I suspect that it was Andreas Luther (and looks nothing like Guido)
> >
> > And - it might have been DEC as Andreas was there for the Identity Management (read:MIIS) portion of the conference.
> >
> > Rick
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
> > Sent: Sunday, August 28, 2005 7:02 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> >
> > Oddly enough, this exact topic came up in a dinner conversation at Tech Ed this year.[1] Luther...oh heck somebody remind me of his last name...had apparently quizzed people with this one at a previous conference (DEC?), only to ultimately reveal that the answer was "You know how people always ask you what the IM FSMO does? Well, now you can tell them that it's responsible for running /domainprep."
> >
> > [1] Please hold the jokes about having dinner conversations about Active Directory internals until the end, please. :-)
> >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> > > > Sent: Sunday, August 28, 2005 7:36 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
> > > >
> > > > Hi all
> > > >
> > > > Does anyone know why the documentation suggests that adprep /domainprep be run on the DC holding the IM FSMO role? I heard a rumour to the effect that it was only because that DC is likely to be less busy than the other DCs, but I'd like to know for sure.
> > > >
> > > > Tony
RE: [ActiveDir] Infrastucture Master and adprep /domainprep
I suppose it's much like my gaff of a couple weeks ago with our good friend Bernard Aric (sic) from HP. (Cheers, Aric!)

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Monday, August 29, 2005 5:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

Yep, that was him. Drat, dunno why I had Luther in my head as being his first name.

- L

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Monday, August 29, 2005 12:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
>
> Heavy German accent? I suspect that it was Andreas Luther (and looks nothing like Guido)
>
> And - it might have been DEC as Andreas was there for the Identity Management (read:MIIS) portion of the conference.
>
> Rick
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
> Sent: Sunday, August 28, 2005 7:02 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
>
> Oddly enough, this exact topic came up in a dinner conversation at Tech Ed this year.[1] Luther...oh heck somebody remind me of his last name...had apparently quizzed people with this one at a previous conference (DEC?), only to ultimately reveal that the answer was "You know how people always ask you what the IM FSMO does? Well, now you can tell them that it's responsible for running /domainprep."
>
> [1] Please hold the jokes about having dinner conversations about Active Directory internals until the end, please.
:-) > > > > > > > -Original Message- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of > Tony Murray > > > Sent: Sunday, August 28, 2005 7:36 PM > > > To: ActiveDir@mail.activedir.org > > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep > > > > > > Hi all > > > > > > Does anyone know why the documentation suggests that adprep > > > /domainprep be run on the DC holding the IM FSMO role? I heard a > > > rumour to the effect that it was only because that DC is > > likely to be > > > less busy than the other DCs, but I'd like to know for sure. > > > > > > Tony > > > > > > > > > > > > > > List info : http://www.activedir.org/List.aspx > List FAQ: http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > List FAQ: http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GP setting for IE lockdown
If I read you right they will only be accessing the website thru this Terminal Service. If this is the case there are a few settings you would need to set to lock down the system. It is not just IE you have to think about.

User Configuration > Windows Components > Windows Explorer
  Hide These Drives in My Computer: Enabled, Restrict a,b,c,d drives only
  Remove "Map Network drive and disconnect network": Enabled
  Remove CD Burning Features: Enabled
  Remove Hardware tab: Enabled

Start Menu and Taskbar
  Remove Run menu from Start Menu: Enabled

Another area to look at is http://download.microsoft.com/download/d/8/b/d8b21533-a5bf-4d46-8878-ebbf834fc6f7/Win2003_Teminal_Server_Lockdown.doc

I found that document invaluable when I had to create a locked down TS system.

One item to note. You're gonna want to make the TS system part of the domain definitely and use group policies to apply the settings as it makes it hard to change settings once you lock it down if you do it on the local policy.

Jeff Cothern

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Friday, August 26, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GP setting for IE lockdown

I've been tasked with the following project... Provide access for partner company personnel to a LOB app and our intranet via a terminal server session [1]. The IE session should allow access to the intranet site and nothing else, no internet, no local machine, no customization.

Plan is to create a VM with the appropriate restricted desktop access and the LOB app. That part's ok; however, I'm having trouble finding good info on securing IE so that it can only get to our intranet. I can set a non-existent proxy and add our intranet to the proxy bypass sites; that's easy enough. What I can't remember is how to lock down IE so no one can type "c:\" or some other folder name and get to the local file system.

I tried the NoFileURL setting under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, but it's not restricting the test user. Anyone remember a good way to prevent local file system access through IE? A good ADM file that chokes IE to the bone would be nice, too, but I haven't found one of those lately either. My Google Mojo isn't working today...

Thanks!

[1] I know; running IE on a server is bad juju. That's why it's going to be in a snapshotted VM I can wipe daily. :-) You don't want to know how ugly the other alternatives were...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
RE: [ActiveDir] Permissions for a user to add users to a group
Ok that is what I figured. So if I install just aduc from the adminpak and create a custom task pad for the manager. It would be the easier and best method to alleviate confusion etc?

Jeff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 27, 2005 2:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group

It means the manager can add or remove DNs to the member attribute of the group. So they will be able to add or remove members of the group. They won't actually be able to add/remove users from AD with just those rights.

ADUC can be used, as can a script or anything else that modifies the member attribute of the group in question.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Friday, August 26, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions for a user to add users to a group

If I set a group to managed by to a particular user and check the box Manager can update member list. That means the Manager can add or delete users correct? Does he need ADUC or is there another way he can add those users?

Thanks
Jeff
RE: [ActiveDir] Password policy change
I have a possible solution for the OWA users. I haven't used this particular software but we use one of their other products and it works well. I'll let the website speak for itself. But I believe this would provide a means via the web for your users to change their passwords.

http://www.anixis.com/products/ppeweb/default.htm

Jeff Cothern

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, August 29, 2005 4:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

OWA doesn't have a built in password change function but you can activate the standard IIS password changing module called iisadmpwd which is placed in the options section of the OWA interface. However if the password has expired you'll be out of luck.

One article that covers this is: http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your password is expired (forced or otherwise) you aren't getting into OWA. I also don't believe it has a password change function if you just want to go and change it, but that could be something that could be enabled. Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told the system to not allow people to change the password if the password age was less than one day and then were confused when it did exactly that. The reason for it is that there is one attribute for password age, pwdLastSet, and it doesn't distinguish between a helpdesk set operation or a normal password change, they are both password changes and you only want one day between every change. The proper way to handle that case is to force the users to change their password on next logon (which sets the pwdLastSet to 0), but as you know, that will kill OWA users. So you either need another process to follow for OWA only users, install some third party or custom inhouse tool, or drop the minimum password aging.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant! I am not an outlook sort of person (we use Notes...), but the inferred statement surprises me. It suggests that if the "must change password" is set, you can't logon to Outlook Web Access. This would suggest that forcing users to change password after (say) 28 days is also a no-no. And, it would also suggest that Outlook Web Access won't let you change your password. If it did, it would surely allow you to logon, then require you to change the password before you do anything.

This all seems unlikely, given Microsoft's recommended use of forcing password changes on a regular basis and forcing users to change a password when a new user is created. If it is all true, maybe you have to provide some way that the users can go to a Citrix portal and change their password there, then go back and use Outlook Web Access.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

- Original Message -
From: "Aaron Visser" <[EMAIL PROTECTED]>
To:
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change

Nevermind OWA = Outlook Web Access

On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]> wrote:

> I mean, if I use the check box to "user must change password at next logon" our users whose only way into the domain is OWA will not prompt them to change their password... Unless I am missing something.
>
> Thanks
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
> Sent: Friday, August 26, 2005 3:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Password policy change
>
> Johnny,
>
> We do exactly what you suggest, change the password and set the "user must change password at next logon" and they are able to change it, even within the "password cannot be changed period".
>
> What do you mean by "that would effectively lock out the OWA only users"?
>
> Alan Cuthbertson
>
> Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
> ADM
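
The pwdLastSet behaviour joe describes in this thread, modelled as an added example (not code from any of the posters): a helpdesk reset stamps pwdLastSet with the current time, so the one-day minimum age blocks the user's own change, while forcing a change at next logon writes 0. The function names, the one-day and 28-day policy values and the dates are constructed for illustration; the FILETIME tick count and the negative-interval encoding are how AD stores these attributes.

```python
"""Model of how pwdLastSet interacts with minimum/maximum password age.

Added illustration, not code from the thread. All sample values are constructed.
The userAccountControl "password never expires" flag is ignored for brevity.
"""
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000   # pwdLastSet counts 100-nanosecond ticks
NO_MAX_AGE = (0, -(2 ** 63))    # maxPwdAge values meaning "never expires"


def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to the integer form stored in pwdLastSet."""
    delta = dt - FILETIME_EPOCH
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def days_to_interval(days: int) -> int:
    """Domain minPwdAge/maxPwdAge are stored as negative tick counts."""
    return -days * 86400 * TICKS_PER_SECOND


def interval_to_timedelta(interval: int) -> timedelta:
    return timedelta(microseconds=abs(interval) // 10)


class PasswordState(NamedTuple):
    must_change: bool                      # logon requires a password change
    can_change_now: bool                   # minimum age allows a user change
    change_allowed_at: Optional[datetime]  # None when no minimum-age clock runs


def helpdesk_reset(now: datetime, force_change_at_next_logon: bool) -> int:
    """Return the pwdLastSet value left behind by a helpdesk reset.

    There is one attribute for every kind of password write, so a plain
    reset restarts the minimum-age clock exactly like a user change does.
    """
    return 0 if force_change_at_next_logon else to_filetime(now)


def password_state(pwd_last_set: int, min_pwd_age: int, max_pwd_age: int,
                   now: datetime) -> PasswordState:
    if pwd_last_set == 0:
        # "Must change at next logon": the thread reports the user can change
        # at once, even inside the minimum-age window. A client with no
        # change prompt (OWA in the thread) simply refuses the logon.
        return PasswordState(True, True, None)
    last_set = from_filetime(pwd_last_set)
    allowed_at = last_set + interval_to_timedelta(min_pwd_age)
    expired = (max_pwd_age not in NO_MAX_AGE
               and now >= last_set + interval_to_timedelta(max_pwd_age))
    return PasswordState(expired, now >= allowed_at, allowed_at)


if __name__ == "__main__":
    reset_time = datetime(2005, 8, 26, 15, 0, tzinfo=timezone.utc)  # constructed
    min_age, max_age = days_to_interval(1), days_to_interval(28)
    for forced in (False, True):
        stamp = helpdesk_reset(reset_time, forced)
        state = password_state(stamp, min_age, max_age,
                               reset_time + timedelta(hours=2))
        print(f"force_change={forced}: pwdLastSet={stamp} -> {state}")
```

Run against real accounts, the same check needs pwdLastSet from the user object and minPwdAge/maxPwdAge from the domain object; any account showing pwdLastSet of 0 whose only entry point cannot prompt for a change is locked out until another change path exists.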
RE: [ActiveDir] Infrastucture Master and adprep /domainprep
IFM is an odd abbreviation of the Infrastructure Master role. I think IM is more typical.

-B

On Mon, 29 Aug 2005, Grillenmeier, Guido wrote:

> Andreas actually teased me with this at the second DEC in US (must have been 2003 in Scottsdale, Arizona), as I also wondered why the IFM would be required for this role. So after a good discussion about the IFM's functions it was clear there was absolutely no technical requirement that adprep /domainprep be performed on the IFM FSMO ;-)
>
> The only reason the IFM was "chosen" to perform this "special" task is: they had to ensure that the domainprep will only be performed on a single DC in a domain and all the other FSMOs already had many more special tasks than the IFM - this is why the domainprep was bound to be executed on the IFM FSMO.
>
> /Guido
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
> Sent: Montag, 29. August 2005 12:36
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
>
> Yep, that was him. Drat, dunno why I had Luther in my head as being his first name.
>
> - L
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> > Sent: Monday, August 29, 2005 12:32 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> >
> > Heavy German accent? I suspect that it was Andreas Luther (and looks nothing like Guido)
> >
> > And - it might have been DEC as Andreas was there for the Identity Management (read:MIIS) portion of the conference.
> >
> > Rick
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
> > Sent: Sunday, August 28, 2005 7:02 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> >
> > Oddly enough, this exact topic came up in a dinner conversation at Tech Ed this year.[1] Luther...oh heck somebody remind me of his last name...had apparently quizzed people with this one at a previous conference (DEC?), only to ultimately reveal that the answer was "You know how people always ask you what the IM FSMO does? Well, now you can tell them that it's responsible for running /domainprep."
> >
> > [1] Please hold the jokes about having dinner conversations about Active Directory internals until the end, please. :-)
> >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> > > > Sent: Sunday, August 28, 2005 7:36 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
> > > >
> > > > Hi all
> > > >
> > > > Does anyone know why the documentation suggests that adprep /domainprep be run on the DC holding the IM FSMO role? I heard a rumour to the effect that it was only because that DC is likely to be less busy than the other DCs, but I'd like to know for sure.
> > > >
> > > > Tony
RE: [ActiveDir] Infrastucture Master and adprep /domainprep
Andreas actually teased me with this at the second DEC in US (must have been 2003 in Scottsdale, Arizona), as I also wondered why the IFM would be required for this role. So after a good discussion about the IFM's functions it was clear there was absolutely no technical requirement that adprep /domainprep be performed on the IFM FSMO ;-)

The only reason the IFM was "chosen" to perform this "special" task is: they had to ensure that the domainprep will only be performed on a single DC in a domain and all the other FSMOs already had many more special tasks than the IFM - this is why the domainprep was bound to be executed on the IFM FSMO.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Montag, 29. August 2005 12:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

Yep, that was him. Drat, dunno why I had Luther in my head as being his first name.

- L

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Monday, August 29, 2005 12:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
>
> Heavy German accent? I suspect that it was Andreas Luther (and looks nothing like Guido)
>
> And - it might have been DEC as Andreas was there for the Identity Management (read:MIIS) portion of the conference.
>
> Rick
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
> Sent: Sunday, August 28, 2005 7:02 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
>
> Oddly enough, this exact topic came up in a dinner conversation at Tech Ed this year.[1] Luther...oh heck somebody remind me of his last name...had apparently quizzed people with this one at a previous conference (DEC?), only to ultimately reveal that the answer was "You know how people always ask you what the IM FSMO does? Well, now you can tell them that it's responsible for running /domainprep."
>
> [1] Please hold the jokes about having dinner conversations about Active Directory internals until the end, please. :-)
>
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> > > Sent: Sunday, August 28, 2005 7:36 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
> > >
> > > Hi all
> > >
> > > Does anyone know why the documentation suggests that adprep /domainprep be run on the DC holding the IM FSMO role? I heard a rumour to the effect that it was only because that DC is likely to be less busy than the other DCs, but I'd like to know for sure.
> > >
> > > Tony
RE: [ActiveDir] Urgent:Access Denied to Password Resets
Hi All,

Apologies for my silence on this issue. I have checked these support pages and it involves installing a hotfix on the PDC to modify the effects of the AdminSDHolder on protected groups. However I don't believe this solves my issue because the problem stated in the article was the issue of users with delegated rights not being able to reset some user accounts under protected groups. In addition, this hotfix is still under testing.

I need to know if there is anyone out there who is experiencing my challenges as well

BR

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, August 22, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent:Access Denied to Password Resets

Could be the AdminSDHolder: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q232199

..and some words on this from Ulf: http://msmvps.com/ulfbsimonweidner/archive/2005/05/29/49659.aspx

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aramide Adebanjo
Sent: Monday, 22 August 2005 8:37 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgent:Access Denied to Password Resets

Hi All,

We have a delegation model we just adopted and part of the responsibilities handed over to our helpdesk support staff is password reset of users accounts. However this delegated right goes off every 48 hrs and I had to redo the delegation again. We have a 2003 domain and I have searched the technet site to no avail for problems similar to this. In addition, helpdesk is not prompted to force password change at next logon...

Any ideas guys..??
RE: [ActiveDir] Infrastucture Master and adprep /domainprep
Yep, that was him. Drat, dunno why I had Luther in my head as being his first name.

- L

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Monday, August 29, 2005 12:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
>
> Heavy German accent? I suspect that it was Andreas Luther (and looks nothing like Guido)
>
> And - it might have been DEC as Andreas was there for the Identity Management (read:MIIS) portion of the conference.
>
> Rick
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
> Sent: Sunday, August 28, 2005 7:02 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
>
> Oddly enough, this exact topic came up in a dinner conversation at Tech Ed this year.[1] Luther...oh heck somebody remind me of his last name...had apparently quizzed people with this one at a previous conference (DEC?), only to ultimately reveal that the answer was "You know how people always ask you what the IM FSMO does? Well, now you can tell them that it's responsible for running /domainprep."
>
> [1] Please hold the jokes about having dinner conversations about Active Directory internals until the end, please. :-)
>
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> > > Sent: Sunday, August 28, 2005 7:36 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
> > >
> > > Hi all
> > >
> > > Does anyone know why the documentation suggests that adprep /domainprep be run on the DC holding the IM FSMO role? I heard a rumour to the effect that it was only because that DC is likely to be less busy than the other DCs, but I'd like to know for sure.
> > >
> > > Tony
RE: [ActiveDir] Password policy change
OWA doesn't have a built in password change function but you can activate the standard IIS password changing module called iisadmpwd which is placed in the options section of the OWA interface. However if the password has expired you'll be out of luck.

One article that covers this is: http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your password is expired (forced or otherwise) you aren't getting into OWA. I also don't believe it has a password change function if you just want to go and change it, but that could be something that could be enabled. Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told the system to not allow people to change the password if the password age was less than one day and then were confused when it did exactly that. The reason for it is that there is one attribute for password age, pwdLastSet, and it doesn't distinguish between a helpdesk set operation or a normal password change, they are both password changes and you only want one day between every change. The proper way to handle that case is to force the users to change their password on next logon (which sets the pwdLastSet to 0), but as you know, that will kill OWA users. So you either need another process to follow for OWA only users, install some third party or custom inhouse tool, or drop the minimum password aging.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant! I am not an outlook sort of person (we use Notes...), but the inferred statement surprises me. It suggests that if the "must change password" is set, you can't logon to Outlook Web Access. This would suggest that forcing users to change password after (say) 28 days is also a no-no. And, it would also suggest that Outlook Web Access won't let you change your password. If it did, it would surely allow you to logon, then require you to change the password before you do anything.

This all seems unlikely, given Microsoft's recommended use of forcing password changes on a regular basis and forcing users to change a password when a new user is created. If it is all true, maybe you have to provide some way that the users can go to a Citrix portal and change their password there, then go back and use Outlook Web Access.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

- Original Message -
From: "Aaron Visser" <[EMAIL PROTECTED]>
To:
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change

Nevermind OWA = Outlook Web Access

On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]> wrote:

> I mean, if I use the check box to "user must change password at next logon" our users whose only way into the domain is OWA will not prompt them to change their password... Unless I am missing something.
>
> Thanks
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
> Sent: Friday, August 26, 2005 3:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Password policy change
>
> Johnny,
>
> We do exactly what you suggest, change the password and set the "user must change password at next logon" and they are able to change it, even within the "password cannot be changed period".
>
> What do you mean by "that would effectively lock out the OWA only users"?
>
> Alan Cuthbertson
>
> Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
> ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
> Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
>
> - Original Message -
> From: "Figueroa, Johnny" <[EMAIL PROTECTED]>
> To:
> Sent: Saturday, August 27, 2005 2:56 AM
> Subject: RE: [ActiveDir] Password policy change
>
> Help desk sets the password to something "something", tells the user to change their password to whatever they want it to be and the user can not. I thought about having the HD check the box that makes it so the user has