RE: [ActiveDir] Logon issue

2006-01-28 Thread Thommes, Michael M.

I’ve read this KB a few times and
wonder if it is enough to apply this registry change on the authentication
servers?  If that were done, wouldn’t a client (say XP) be forced to
communicate via TCP with a DC during the logon process?  Thoughts/comments?

 

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Friday, January 27, 2006 10:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon issue
 

Funny…  I just
(5 minutes ago) sent an FYI to our End User Support team regarding this issue.

 

Here’s the KB: http://support.microsoft.com/?id=244474

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 27, 2006 6:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon issue

I have seen that several
times and it always tied back to some network device dropping kerberos UDP
packets because they got too large and they started fragmenting. You see lots
of kerb traffic going on, it is just some key critical packets aren't making it
through. There is a KB that allows you to force all kerb traffic to be through
TCP instead of UDP. Next time you encounter that I would slap the reg hack into
place and see if it clears it up. The best way would be to do network traces
from the client and the DC being used but that can be a bit of a trick
especially if you have to call in others to do the tracing.



 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, January 27, 2006 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon issue

We have an
unusual situation I can’t find a solution for and I wanted to see if
others had experienced it. A few of our remote locations connect to corporate
via DSL and VPN. We normally have a logon script engine
(ScriptLogic) that runs for each logon. PCs run Windows XP, and get DHCP and
logon services from the corporate location.

In several cases, when a specific user (and there are
more than one) logs on to a PC with the problem, the logon takes up to 20
minutes to log on. When another user logs on to the same PC in the same
location, the logon is instantaneous. The same symptoms are
happening in several locations, involving different users, but in each
case, a different user can log on fine on the affected PC.

Our networks folks watched the traffic in Compuware
and determined that in the logons that are a problem, there is significant
Kerberos traffic, back and forth, back and forth.

My first thought was corrupt
or excessively large profile, but we don’t use roaming profiles, and the
PC has been re-imaged. We also recreated accounts for a couple
of users. The problem goes away for a couple of weeks, and then it’s
back.

I’m just now getting involved because the
network team initially thought it was their issue. Is there anything you can
suggest I can look at?

Thanks,

Mark Creamer

Systems Engineer

Cintas Corporation
| 6800 Cintas Boulevard | Mason, OH  45040

Email:
[EMAIL PROTECTED] | http://www.cintas.com


This e-mail transmission contains information that is intended to be
confidential and privileged. If you receive this e-mail and you are not a named
addressee you are hereby notified that you are not authorized to read, print,
retain, copy or disseminate this communication without the consent of the
sender and that doing so is prohibited and may be unlawful. Please reply to the
message immediately by informing the sender that the message was misdirected.
After replying, please delete and otherwise erase it and any attachments from
your computer system. Your assistance in correcting this error is appreciated.








RE: [ActiveDir] Suppressed Events in Event Log

2006-01-28 Thread Alan Gendron








Al,

 

I’ve tried that.  Stopping and starting
the services, and even restarting the server.  It’s occurring on both of our
DNS servers

 



-Alan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, January 27, 2006 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Suppressed Events in Event Log



 



Depending on the error, you may be able to see the errors at time of
service startup.  





 





Al

On 1/26/06, Alan Gendron <[EMAIL PROTECTED]> wrote:

I'm receiving the following event every 3 to 4 hours on my DNS servers:

Event Type:   Warning
Event Source:    DNS
Event Category: None
Event ID:   3000
Description:
The DNS server has encountered numerous run-time events. To determine the initial
cause of these run-time events, examine the DNS server event log entries that
precede this event. To prevent the DNS server from filling the event log too
quickly, subsequent events with Event IDs higher than 3000 will be suppressed
until events are no longer being generated at a high rate.

I don't have any record of the original event and can't find any way to get the
server to quit suppressing the event so I can see what's going on.  I've
searched the archives, googled, etc.  Does anyone know of a way to open
this back up so I can see my offending events?

 

Thanks,

 

Alan J. Gendron
Network Services
Lutheran Church Extension Fund

--
**
This electronic mail transmission contains confidential and/or privileged
information intended only for the person(s) named. Any use, distribution,
copying or disclosure by another person is strictly prohibited.
**




Re: [ActiveDir] Suppressed Events in Event Log

2006-01-28 Thread Al Mulnick
Just so I have it straight, you have restarted the dns service and immediately following the startup event, you have no errors?  Just a clean startup? 
 
If so, are you auditing for security events?  Have you checked the security log for the same time period?  It sounds like the issue would be related to the client interaction if it doesn't occur at startup, although I guess it could also be related to zone transfers etc. 

 
Another option would be to turn up the DNS logging for a few hours and plow through the resulting file. 
 
Al 
On 1/28/06, Alan Gendron <[EMAIL PROTECTED]> wrote:


Al,
 
I've tried that.  Stopping and starting the services, and even restarting the server.  It's occurring on both of our DNS servers

 

-Alan
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, January 27, 2006 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Suppressed Events in Event Log

 

Depending on the error, you may be able to see the errors at time of service startup.  

 

Al 

On 1/26/06, Alan Gendron <[EMAIL PROTECTED]> wrote:

I'm receiving the following event every 3 to 4 hours on my DNS servers:
 
Event Type:   Warning
Event Source:    DNS
Event Category: None
Event ID:   3000
Description:
The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with Event IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate. 

 
I don't have any record of the original event and can't find any way to get the server to quit suppressing the event so I can see what's going on.  I've searched the archives, googled, etc.  Does anyone know of a way to open this back up so I can see my offending events? 

 
Thanks,
 
Alan J. Gendron
Network Services
Lutheran Church Extension Fund


[ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

2006-01-28 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
There have been times in recent past that certain installs or 
applications only work under the "500" account aka the real admin 
account down here in SBSland.


In Big server land... do you also find this to be true with apps that 
need to be installed on the server?


For many of you you are obviously remote admin'ing.

Do you ..when using that 500 account... accept the risk of that Admin 
account/password over TS/3389?


Only over VPN?  Only use that 500 account in certain 
vlans/subnets/whatevers that obviously we in SBSland never carve up our 
domain structures in?


For SOX purposes only have a documented use of that 500 account?

For all other times do you use admin equivalent?


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

2006-01-28 Thread joe
I haven't used the builtin admin account in an enterprise setting in at
least 7 or 8 years after initial configuration of the server (you have to
log on with something!). You set a nasty exceedingly long password no one
could remember, test it, and then put it in an envelope and put it in a
locked drawer or safe of a very high level IT person in the company that
would be painful to get it from so it is only used in absolute disaster
situations. Then monitor the account for password changes and logins to
verify something bad hasn't happened. Alternatively if that is too much
work, set the password to some long random password and if you ever need in,
you crack it. This works better for non-DCs but is possible in that
situation too, just more involved.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SBSland folks ask Big server land people a question
about the use and risk of the "500" account.

There have been times in recent past that certain installs or applications
only work under the "500" account aka the real admin account down here in
SBSland.

In Big server land... do you also find this to be true with apps that need
to be installed on the server?

For many of you you are obviously remote admin'ing.

Do you ..when using that 500 account... accept the risk of that Admin
account/password over TS/3389?

Only over VPN?  Only use that 500 account in certain vlans/subnets/whatevers
that obviously we in SBSland never carve up our domain structures in?

For SOX purposes only have a documented use of that 500 account?

For all other times do you use admin equivalent?


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
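
The monitoring joe describes above (watching the built-in Administrator account for logons and password changes) can be sketched as follows. This is an added example, not code from the thread: it assumes the Security log event IDs and field names of Windows Vista/Server 2008 and later, and the sample events, SIDs, host names, account names and the documented-use window are constructed for illustration.

```python
"""Flag any use of a built-in Administrator (RID 500) account in Security events."""
import re
from datetime import datetime

# Account SIDs end in a relative ID (RID). The built-in Administrator is always
# RID 500, whatever the account has been renamed to, so match on the SID.
RID_500 = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")

# Event ID -> (what happened, field that carries the affected account's SID).
# Logon events and account-management events name that field differently.
WATCHED = {
    4624: ("logon", "TargetUserSid"),
    4723: ("password change attempt", "TargetSid"),
    4724: ("password reset attempt", "TargetSid"),
    4738: ("account modified", "TargetSid"),
}


def rid500_activity(events, documented_windows=()):
    """Return one finding per watched event that touches a RID 500 account.

    documented_windows is an iterable of (start, end) datetimes covering
    approved, recorded use of the account (hypothetical change records);
    anything outside every window is marked undocumented.
    """
    findings = []
    for ev in events:
        watched = WATCHED.get(ev.get("EventID"))
        if watched is None:
            continue
        what, sid_field = watched
        if not RID_500.match(ev.get(sid_field, "")):
            continue
        when = datetime.fromisoformat(ev["TimeCreated"])
        findings.append({
            "time": when,
            "host": ev.get("Computer"),
            "event_id": ev["EventID"],
            "what": what,
            "account": ev.get("TargetUserName"),
            "actor": ev.get("SubjectUserName"),   # who changed the password
            "source": ev.get("IpAddress"),        # where the logon came from
            "logon_type": ev.get("LogonType"),    # 10 = Terminal Services/RDP
            "documented": any(s <= when <= e for s, e in documented_windows),
        })
    return sorted(findings, key=lambda f: f["time"])


def undocumented(findings):
    """Findings that fall outside every documented-use window."""
    return [f for f in findings if not f["documented"]]


# --- Constructed sample data (not real events) ---------------------------
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    # Renamed built-in Administrator logging on over RDP in the middle of the night.
    {"EventID": 4624, "TimeCreated": "2024-03-02T02:14:09", "Computer": "SRV01",
     "TargetUserSid": DOMAIN + "-500", "TargetUserName": "opsroot",
     "LogonType": 10, "IpAddress": "198.51.100.23"},
    # Ordinary admin-equivalent account: not the 500 account, ignored.
    {"EventID": 4624, "TimeCreated": "2024-03-02T09:00:12", "Computer": "SRV01",
     "TargetUserSid": DOMAIN + "-1104", "TargetUserName": "jdoe-adm",
     "LogonType": 10, "IpAddress": "192.0.2.44"},
    # Someone resets the 500 account's password.
    {"EventID": 4724, "TimeCreated": "2024-03-02T09:05:40", "Computer": "DC01",
     "TargetSid": DOMAIN + "-500", "TargetUserName": "opsroot",
     "SubjectUserName": "jdoe-adm"},
    # Console logon inside the documented window below.
    {"EventID": 4624, "TimeCreated": "2024-03-02T15:20:00", "Computer": "SRV01",
     "TargetUserSid": DOMAIN + "-500", "TargetUserName": "opsroot",
     "LogonType": 2, "IpAddress": "-"},
]
DOCUMENTED = [(datetime(2024, 3, 2, 15, 0), datetime(2024, 3, 2, 16, 0))]

if __name__ == "__main__":
    for f in rid500_activity(SAMPLE_EVENTS, DOCUMENTED):
        tag = "documented" if f["documented"] else "UNDOCUMENTED"
        print(f'{f["time"]} {f["host"]} {f["event_id"]} {f["what"]} '
              f'account={f["account"]} actor={f["actor"]} src={f["source"]} [{tag}]')
```
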


RE: [ActiveDir] Logon issue

2006-01-28 Thread joe

I believe this is required to be done from the client side. 
I seem to recall a bunch of hoo ha about it. 
 
You generally don't want to force all of this traffic to 
TCP because it is considerably more traffic than UDP. You might use it say at a 
site level that has an older router or is behind some device that has issues 
with fragmented UDP - I seem to recall the Cisco CSM having an issue with this 
several years back too.
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, January 28, 2006 7:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon issue


I’ve read this KB a few 
times and wonder if it is enough to apply this registry change on the 
authentication servers?  If that were done, wouldn’t a client (say XP) be 
forced to communicate via TCP with a DC during the logon process?  
Thoughts/comments?
 
Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Friday, January 27, 2006 10:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon issue
 
Funny…  I just (5 minutes ago) sent an FYI to our End User Support team
regarding this issue.

Here’s the KB: http://support.microsoft.com/?id=244474
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 27, 2006 6:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon issue
 
I have 
seen that several times and it always tied back to some network device dropping 
kerberos UDP packets because they got too large and they started fragmenting. 
You see lots of kerb traffic going on, it is just some key critical packets 
aren't making it through. There is a KB that allows you to force all kerb 
traffic to be through TCP instead of UDP. Next time you encounter that I would 
slap the reg hack into place and see if it clears it up. The best way would be 
to do network traces from the client and the DC being used but that can be a bit 
of a trick especially if you have to call in others to do the 
tracing.

 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, January 27, 2006 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon issue

We have an unusual situation I can’t find a solution for and I wanted to see if
others had experienced it. A few of our remote locations connect to corporate
via DSL and VPN. We normally have a logon script engine (ScriptLogic) that runs
for each logon. PCs run Windows XP, and get DHCP and logon services from the
corporate location.

In several cases, when a specific user (and there are more than one) logs on to
a PC with the problem, the logon takes up to 20 minutes to log on. When another
user logs on to the same PC in the same location, the logon is instantaneous.
The same symptoms are happening in several locations, involving different
users, but in each case, a different user can log on fine on the affected PC.

Our networks folks watched the traffic in Compuware and determined that in the
logons that are a problem, there is significant Kerberos traffic, back and
forth, back and forth.

My first thought was corrupt or excessively large profile, but we don’t use
roaming profiles, and the PC has been re-imaged. We also recreated accounts for
a couple of users. The problem goes away for a couple of weeks, and then it’s
back.

I’m just now getting involved because the network team initially thought it was
their issue. Is there anything you can suggest I can look at?

Thanks,
Mark Creamer
Systems Engineer
Cintas Corporation | 6800 Cintas Boulevard | Mason, OH  45040
Email: [EMAIL PROTECTED] | http://www.cintas.com
This e-mail transmission contains 
information that is intended to be confidential and privileged. If you receive 
this e-mail and you are not a named addressee you are hereby notified that you 
are not authorized to read, print, retain, copy or disseminate this 
communication without the consent of the sender and that doing so is prohibited 
and may be unlawful. Please reply to the message immediately by informing the 
sender that the message was misdirected. After replying, please delete and 
otherwise erase it and any attachments from your computer system. Your 
assistance in correcting this error is 
appreciated.
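
joe's diagnosis in this thread is that a network device drops fragments of large Kerberos UDP datagrams, and that traces from the client and the DC are the best way to confirm it. The following added example (not from the thread) shows the check such a trace supports: group IPv4 fragments by source, destination and IP ID, then report Kerberos (port 88) datagrams that cannot be reassembled. The `Fragment` record layout, the addresses and the sample capture are constructed for illustration.

```python
"""Find fragmented Kerberos/UDP datagrams whose fragments did not all arrive."""
from collections import defaultdict
from typing import NamedTuple, Optional, Tuple

KERBEROS_PORT = 88


class Fragment(NamedTuple):
    src: str
    dst: str
    ip_id: int            # IPv4 Identification field, shared by all fragments
    offset: int           # fragment offset in bytes (a multiple of 8)
    length: int           # IP payload bytes carried by this fragment
    more_fragments: bool  # MF flag: True on every fragment except the last
    # The UDP header, and so the ports, exists only in the offset-0 fragment.
    udp_ports: Optional[Tuple[int, int]] = None


def incomplete_kerberos_datagrams(capture):
    """Return (src, dst, ip_id, reason) for each datagram that could not be
    reassembled from the fragments seen at this capture point."""
    groups = defaultdict(list)
    for frag in capture:
        groups[(frag.src, frag.dst, frag.ip_id)].append(frag)

    findings = []
    for (src, dst, ip_id), parts in groups.items():
        parts.sort(key=lambda f: f.offset)
        first = parts[0]
        if first.offset != 0:
            # The lost first fragment held the UDP header, so the port cannot
            # be read; report it so it can be matched against the other trace.
            findings.append((src, dst, ip_id, "first fragment missing (port unknown)"))
            continue
        if first.udp_ports is None or KERBEROS_PORT not in first.udp_ports:
            continue  # not Kerberos traffic

        covered = 0     # bytes of the datagram accounted for so far
        reason = None
        for frag in parts:
            if frag.offset > covered:
                reason = f"gap at byte {covered}"
                break
            covered = max(covered, frag.offset + frag.length)
        if reason is None and parts[-1].more_fragments:
            reason = f"final fragment missing after byte {covered}"
        if reason:
            findings.append((src, dst, ip_id, reason))
    return findings


# --- Constructed sample capture (documentation addresses, not real traffic) ---
CLIENT, DC = "198.51.100.23", "192.0.2.10"
SAMPLE_CAPTURE = [
    # Small request, not fragmented.
    Fragment(CLIENT, DC, 0x0101, 0, 310, False, (1025, 88)),
    # Large reply that arrived in two fragments: complete.
    Fragment(DC, CLIENT, 0x2001, 0, 1480, True, (88, 1025)),
    Fragment(DC, CLIENT, 0x2001, 1480, 420, False),
    # Large request whose second fragment never shows up.
    Fragment(CLIENT, DC, 0x0102, 0, 1480, True, (1026, 88)),
    # Three-fragment reply with the middle fragment lost.
    Fragment(DC, CLIENT, 0x2002, 0, 1480, True, (88, 1027)),
    Fragment(DC, CLIENT, 0x2002, 2960, 200, False),
    # Fragmented DNS reply, also incomplete, but not Kerberos: ignored.
    Fragment(DC, CLIENT, 0x2003, 0, 1480, True, (53, 1028)),
    # Trailing fragment only; the fragment with the UDP header was lost.
    Fragment(DC, CLIENT, 0x2004, 1480, 300, False),
]

if __name__ == "__main__":
    for src, dst, ip_id, reason in incomplete_kerberos_datagrams(SAMPLE_CAPTURE):
        print(f"{src} -> {dst} ip_id=0x{ip_id:04x}: {reason}")
```

Running the same check on a client-side and a DC-side trace of one slow logon shows which direction loses fragments: a datagram that is complete where it was sent and incomplete where it should arrive was dropped in between.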


Re: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

2006-01-28 Thread Al Mulnick
I can honestly think of no plausible reason that any vendor I want to do business with would require that I use that or any specific account.  There is never a time when that's acceptable.  Wait.  I want to be clear about this. There is never a time when it is acceptable to tell me that I MUST install and run under a specific named account.  

 
Any time I've been faced with that concept, I and my colleagues have always pushed back on the vendor to specify exactly what rights and any other pertinent details were needed.  If they couldn't or otherwise wouldn't provide the details, then we emphatically recommend no sale.  If that doesn't prevent the sale, we loop in the security folks to accept responsibility for the compliance and other security issues that this may introduce. If they were fine with it, then I no longer have a stake in the game for that.  Instead, I now have a scapegoat for anything that goes wrong ;)

 
There is never a time when it is acceptable to tell me that I MUST install and run under a specific named account. Never.    
On 1/28/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
There have been times in recent past that certain installs or
applications only work under the "500" account aka the real admin
account down here in SBSland.

In Big server land... do you also find this to be true with apps that
need to be installed on the server?

For many of you you are obviously remote admin'ing.

Do you ..when using that 500 account... accept the risk of that Admin
account/password over TS/3389?

Only over VPN?  Only use that 500 account in certain
vlans/subnets/whatevers that obviously we in SBSland never carve up our
domain structures in?

For SOX purposes only have a documented use of that 500 account?

For all other times do you use admin equivalent?

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

2006-01-28 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

:-)

Don't install the 5th part of the SBS sp1 service pack bundle then. 
'cause it kinda wants to be only run under that "500" account.


I've got a SBSer installing WSUS under an alternative Admin account and 
the installs that he's done under the "500" account the computers check 
in just fine...the ones under the alternative account are having 
issues.  He's applied the compression hotfix and done client side 
targeting and still no go.  He's redoing the group policy settings under 
the "500" account now.


Al Mulnick wrote:

I can honestly think of no plausible reason that any vendor I want to 
do business with would require that I use that or any specific 
account.  There is never a time when that's acceptable.  Wait.  I want 
to be clear about this. There is never a time when it is acceptable to 
tell me that I MUST install and run under a specific named account. 
 
Any time I've been faced with that concept, I and my colleagues have 
always pushed back on the vendor to specify exactly what rights and 
any other pertinent details were needed.  If they couldn't or 
otherwise wouldn't provide the details, then we emphatically recommend 
no sale.  If that doesn't prevent the sale, we loop in the security 
folks to accept responsibility for the compliance and other security 
issues that this may introduce. If they were fine with it, then I no 
longer have a stake in the game for that.  Instead, I no have a scape 
goat for anything to goes wrong ;)
 
There is never a time when it is acceptable to tell me that I MUST 
install and run under a specific named account. Never.  

 
On 1/28/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
<[EMAIL PROTECTED] > wrote:


There have been times in recent past that certain installs or
applications only work under the "500" account aka the real admin
account down here in SBSland.

In Big server land... do you also find this to be true with apps that
need to be installed on the server?

For many of you you are obviously remote admin'ing.

Do you ..when using that 500 account... accept the risk of that Admin
account/password over TS/3389?

Only over VPN?  Only use that 500 account in certain
vlans/subnets/whatevers that obviously we in SBSland never carve
up our
domain structures in?

For SOX purposes only have a documented use of that 500 account?

For all other times do you use admin equivalent?


--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

2006-01-28 Thread joe
Does it actually say it must be run from that account or is it a possible
lack of some sort of access that he isn't aware of? 

I have seen apps that have locked into a specific profile which is also bad.
Whatever was used for the initial install had to be used for any updates
because critical info was stored in the profile of the ID that did the
install. 

   joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question
about the use and risk of the "500" account.

:-)

Don't install the 5th part of the SBS sp1 service pack bundle then. 
'cause it kinda wants to be only run under that "500" account.

I've got a SBSer installing WSUS under an alternative Admin account and the
installs that he's done under the "500" account the computers check in just
fine...the ones under the alternative account are having issues.  He's
applied the compression hotfix and done client side targeting and still no
go.  He's redoing the group policy settings under the "500" account now.

Al Mulnick wrote:

> I can honestly think of no plausible reason that any vendor I want to 
> do business with would require that I use that or any specific 
> account.  There is never a time when that's acceptable.  Wait.  I want 
> to be clear about this. There is never a time when it is acceptable to 
> tell me that I MUST install and run under a specific named account.
>  
> Any time I've been faced with that concept, I and my colleagues have 
> always pushed back on the vendor to specify exactly what rights and 
> any other pertinent details were needed.  If they couldn't or 
> otherwise wouldn't provide the details, then we emphatically recommend 
> no sale.  If that doesn't prevent the sale, we loop in the security 
> folks to accept responsibility for the compliance and other security 
> issues that this may introduce. If they were fine with it, then I no 
> longer have a stake in the game for that.  Instead, I no have a scape 
> goat for anything to goes wrong ;)
>  
> There is never a time when it is acceptable to tell me that I MUST 
> install and run under a specific named account. Never.
>
>  
> On 1/28/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
> <[EMAIL PROTECTED] > wrote:
>
> There have been times in recent past that certain installs or
> applications only work under the "500" account aka the real admin
> account down here in SBSland.
>
> In Big server land... do you also find this to be true with apps that
> need to be installed on the server?
>
> For many of you you are obviously remote admin'ing.
>
> Do you ..when using that 500 account... accept the risk of that Admin
> account/password over TS/3389?
>
> Only over VPN?  Only use that 500 account in certain
> vlans/subnets/whatevers that obviously we in SBSland never carve
> up our
> domain structures in?
>
> For SOX purposes only have a documented use of that 500 account?
>
> For all other times do you use admin equivalent?
>
>
> --
> Letting your vendors set your risk analysis these days?
> http://www.threatcode.com
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

2006-01-28 Thread Creamer, Mark
What's the 5th part? I just did a full SBS sp1 install, and I *think* I ran
everything under my own account - maybe not, but I generally do.

As far as RDP, I usually disable everyone's ability to TS in, and enable only
my own account. But I always change the port to some weird random number, just
to thwart the majority of the script kiddies.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

:-)

Don't install the 5th part of the SBS sp1 service pack bundle then. 
'cause it kinda wants to be only run under that "500" account.

I've got a SBSer installing WSUS under an alternative Admin account and 
the installs that he's done under the "500" account the computers check 
in just fine...the ones under the alternative account are having 
issues.  He's applied the compression hotfix and done client side 
targeting and still no go.  He's redoing the group policy settings under 
the "500" account now.

Al Mulnick wrote:

> I can honestly think of no plausible reason that any vendor I want to 
> do business with would require that I use that or any specific 
> account.  There is never a time when that's acceptable.  Wait.  I want 
> to be clear about this. There is never a time when it is acceptable to 
> tell me that I MUST install and run under a specific named account. 
>  
> Any time I've been faced with that concept, I and my colleagues have 
> always pushed back on the vendor to specify exactly what rights and 
> any other pertinent details were needed.  If they couldn't or 
> otherwise wouldn't provide the details, then we emphatically recommend 
> no sale.  If that doesn't prevent the sale, we loop in the security 
> folks to accept responsibility for the compliance and other security 
> issues that this may introduce. If they were fine with it, then I no 
> longer have a stake in the game for that.  Instead, I no have a scape 
> goat for anything to goes wrong ;)
>  
> There is never a time when it is acceptable to tell me that I MUST 
> install and run under a specific named account. Never.  
>
>  
> On 1/28/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
> <[EMAIL PROTECTED] > wrote:
>
> There have been times in recent past that certain installs or
> applications only work under the "500" account aka the real admin
> account down here in SBSland.
>
> In Big server land... do you also find this to be true with apps that
> need to be installed on the server?
>
> For many of you you are obviously remote admin'ing.
>
> Do you ..when using that 500 account... accept the risk of that Admin
> account/password over TS/3389?
>
> Only over VPN?  Only use that 500 account in certain
> vlans/subnets/whatevers that obviously we in SBSland never carve
> up our
> domain structures in?
>
> For SOX purposes only have a documented use of that 500 account?
>
> For all other times do you use admin equivalent?
>
>
> --
> Letting your vendors set your risk analysis these days?
> http://www.threatcode.com
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail transmission contains information that is intended to be 
confidential and privileged.  If you receive this e-mail and you are not a 
named addressee you are hereby notified that you are not authorized to read, 
print, retain, copy or disseminate this communication without the consent of 
the sender and that doing so is prohibited and may be unlawful.  Please reply 
to the message immediately by informing the sender that the message was 
misdirected.  After replying, please delete and otherwise erase it and any 
attachments from your computer system.  Your assistance in correcting this 
error is appreciated.


Re: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

2006-01-28 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
SBS sp1 last patch 'has' to be run on the 500 account, no ifs or buts on 
that one.


We're still in investigation on the WSUS install... so far all WSUS 
installs done under the 500 account work fine, those done under an 
alternative account, the workstations are not checking in to the WSUS 
server and so far the only thing he can think of that he's done 
differently is the lack of the use of the 500 account while installing WSUS.


joe wrote:


Does it actually say it must be run from that account or is it a possible
lack of some sort of access that he isn't aware of? 


I have seen apps that have locked into a specific profile which is also bad.
Whatever was used for the initial install had to be used for any updates
because critical info was stored in the profile of the ID that did the
install. 


  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question
about the use and risk of the "500" account.

:-)

Don't install the 5th part of the SBS sp1 service pack bundle then. 
'cause it kinda wants to be only run under that "500" account.


I've got a SBSer installing WSUS under an alternative Admin account and the
installs that he's done under the "500" account the computers check in just
fine...the ones under the alternative account are having issues.  He's
applied the compression hotfix and done client side targeting and still no
go.  He's redoing the group policy settings under the "500" account now.

Al Mulnick wrote:

 

I can honestly think of no plausible reason that any vendor I want to 
do business with would require that I use that or any specific 
account.  There is never a time when that's acceptable.  Wait.  I want 
to be clear about this. There is never a time when it is acceptable to 
tell me that I MUST install and run under a specific named account.


Any time I've been faced with that concept, I and my colleagues have 
always pushed back on the vendor to specify exactly what rights and 
any other pertinent details were needed.  If they couldn't or 
otherwise wouldn't provide the details, then we emphatically recommend 
no sale.  If that doesn't prevent the sale, we loop in the security 
folks to accept responsibility for the compliance and other security 
issues that this may introduce. If they were fine with it, then I no 
longer have a stake in the game for that.  Instead, I now have a scapegoat 
for anything that goes wrong ;)


There is never a time when it is acceptable to tell me that I MUST 
install and run under a specific named account. Never.



On 1/28/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
<[EMAIL PROTECTED] > wrote:


   There have been times in recent past that certain installs or
   applications only work under the "500" account aka the real admin
   account down here in SBSland.

   In Big server land... do you also find this to be true with apps that
   need to be installed on the server?

   For many of you you are obviously remote admin'ing.

   Do you ..when using that 500 account... accept the risk of that Admin
   account/password over TS/3389?

   Only over VPN?  Only use that 500 account in certain
   vlans/subnets/whatevers that obviously we in SBSland never carve
   up our
   domain structures in?

   For SOX purposes only have a documented use of that 500 account?

   For all other times do you use admin equivalent?


   --
   Letting your vendors set your risk analysis these days?
   http://www.threatcode.com

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




Re: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

2006-01-28 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Windows 2003 sp1
Sharepoint sp1 [can use sp2 instead]
Exchange sp1 [can use sp2 instead]
XP sp2
SBS specific SP1  << this is the one we've found has needed the 500 account

---

If premium
SQL server 2000 sp4
ISA 2004 [must have media..CANNOT be done remotely]

Creamer, Mark wrote:


What's the 5th part? I just did a full SBS sp1 install, and I *think* I ran 
everything under my own
account - maybe not, but I generally do.

As far as RDP, I usually disable everyone's ability to TS in, and enable only 
my own account. But I
always change the port to some weird random number, just to thwart the majority 
of the script kiddies.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question 
about the use and risk of
the "500" account.

:-)

Don't install the 5th part of the SBS sp1 service pack bundle then. 
'cause it kinda wants to be only run under that "500" account.


I've got a SBSer installing WSUS under an alternative Admin account and 
the installs that he's done under the "500" account the computers check 
in just fine...the ones under the alternative account are having 
issues.  He's applied the compression hotfix and done client side 
targeting and still no go.  He's redoing the group policy settings under 
the "500" account now.


Al Mulnick wrote:

 

I can honestly think of no plausible reason that any vendor I want to 
do business with would require that I use that or any specific 
account.  There is never a time when that's acceptable.  Wait.  I want 
to be clear about this. There is never a time when it is acceptable to 
tell me that I MUST install and run under a specific named account. 

Any time I've been faced with that concept, I and my colleagues have 
always pushed back on the vendor to specify exactly what rights and 
any other pertinent details were needed.  If they couldn't or 
otherwise wouldn't provide the details, then we emphatically recommend 
no sale.  If that doesn't prevent the sale, we loop in the security 
folks to accept responsibility for the compliance and other security 
issues that this may introduce. If they were fine with it, then I no 
longer have a stake in the game for that.  Instead, I now have a scapegoat 
for anything that goes wrong ;)


There is never a time when it is acceptable to tell me that I MUST 
install and run under a specific named account. Never.  



On 1/28/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
<[EMAIL PROTECTED] > wrote:


   There have been times in recent past that certain installs or
   applications only work under the "500" account aka the real admin
   account down here in SBSland.

   In Big server land... do you also find this to be true with apps that
   need to be installed on the server?

   For many of you you are obviously remote admin'ing.

   Do you ..when using that 500 account... accept the risk of that Admin
   account/password over TS/3389?

   Only over VPN?  Only use that 500 account in certain
   vlans/subnets/whatevers that obviously we in SBSland never carve
   up our
   domain structures in?

   For SOX purposes only have a documented use of that 500 account?

   For all other times do you use admin equivalent?


   --
   Letting your vendors set your risk analysis these days?
   http://www.threatcode.com

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

2006-01-28 Thread Creamer, Mark
OK, I must have logged in that way then. I was local that day, not remote. 
Very, very good to know...I
have a couple more coming up next week.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question 
about the use and risk of
the "500" account.

Windows 2003 sp1
Sharepoint sp1 [can use sp2 instead]
Exchange sp1 [can use sp2 instead]
XP sp2
SBS specific SP1  << this is the one we've found has needed the 500 account

---

If premium
SQL server 2000 sp4
ISA 2004 [must have media..CANNOT be done remotely]

Creamer, Mark wrote:

>What's the 5th part? I just did a full SBS sp1 install, and I *think* I ran everything under my own
>account - maybe not, but I generally do.
>
>As far as RDP, I usually disable everyone's ability to TS in, and enable only my own account. But I
>always change the port to some weird random number, just to thwart the majority of the script kiddies.
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
>Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Saturday, January 28, 2006 3:20 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of
>the "500" account.
>
>:-)
>
>Don't install the 5th part of the SBS sp1 service pack bundle then. 
>'cause it kinda wants to be only run under that "500" account.
>
>I've got a SBSer installing WSUS under an alternative Admin account and 
>the installs that he's done under the "500" account the computers check 
>in just fine...the ones under the alternative account are having 
>issues.  He's applied the compression hotfix and done client side 
>targeting and still no go.  He's redoing the group policy settings under 
>the "500" account now.
>
>Al Mulnick wrote:
>
>  
>
>>I can honestly think of no plausible reason that any vendor I want to 
>>do business with would require that I use that or any specific 
>>account.  There is never a time when that's acceptable.  Wait.  I want 
>>to be clear about this. There is never a time when it is acceptable to 
>>tell me that I MUST install and run under a specific named account. 
>> 
>>Any time I've been faced with that concept, I and my colleagues have 
>>always pushed back on the vendor to specify exactly what rights and 
>>any other pertinent details were needed.  If they couldn't or 
>>otherwise wouldn't provide the details, then we emphatically recommend 
>>no sale.  If that doesn't prevent the sale, we loop in the security 
>>folks to accept responsibility for the compliance and other security 
>>issues that this may introduce. If they were fine with it, then I no 
>>longer have a stake in the game for that.  Instead, I now have a scapegoat 
>>for anything that goes wrong ;)
>> 
>>There is never a time when it is acceptable to tell me that I MUST 
>>install and run under a specific named account. Never.  
>>
>> 
>>On 1/28/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
>><[EMAIL PROTECTED] > wrote:
>>
>>There have been times in recent past that certain installs or
>>applications only work under the "500" account aka the real admin
>>account down here in SBSland.
>>
>>In Big server land... do you also find this to be true with apps that
>>need to be installed on the server?
>>
>>For many of you you are obviously remote admin'ing.
>>
>>Do you ..when using that 500 account... accept the risk of that Admin
>>account/password over TS/3389?
>>
>>Only over VPN?  Only use that 500 account in certain
>>vlans/subnets/whatevers that obviously we in SBSland never carve
>>up our
>>domain structures in?
>>
>>For SOX purposes only have a documented use of that 500 account?
>>
>>For all other times do you use admin equivalent?
>>
>>
>>--
>>Letting your vendors set your risk analysis these days?
>>http://www.threatcode.com
>>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


Re: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

2006-01-28 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
(for the benefit of folks who might go ... SBS puts XP sp2 on the 
server?  No it's a client deployment point so that all XP workstations 
get XP sp2 offered up to them when attached to the domain)


How to install Service Pack 1 for SBS 2003:
http://www.smallbizserver.net/Default.aspx?tabid=236

We've typically done everything but the ISA 2004 install remotely.

Creamer, Mark wrote:


OK, I must have logged in that way then. I was local that day, not remote. 
Very, very good to know...I
have a couple more coming up next week.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question 
about the use and risk of
the "500" account.

Windows 2003 sp1
Sharepoint sp1 [can use sp2 instead]
Exchange sp1 [can use sp2 instead]
XP sp2
SBS specific SP1  << this is the one we've found has needed the 500 account

---

If premium
SQL server 2000 sp4
ISA 2004 [must have media..CANNOT be done remotely]

Creamer, Mark wrote:

 


What's the 5th part? I just did a full SBS sp1 install, and I *think* I ran everything under my own
account - maybe not, but I generally do.

As far as RDP, I usually disable everyone's ability to TS in, and enable only my own account. But I
always change the port to some weird random number, just to thwart the majority of the script kiddies.
 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of
the "500" account.

:-)

Don't install the 5th part of the SBS sp1 service pack bundle then. 
'cause it kinda wants to be only run under that "500" account.


I've got a SBSer installing WSUS under an alternative Admin account and 
the installs that he's done under the "500" account the computers check 
in just fine...the ones under the alternative account are having 
issues.  He's applied the compression hotfix and done client side 
targeting and still no go.  He's redoing the group policy settings under 
the "500" account now.


Al Mulnick wrote:



   

I can honestly think of no plausible reason that any vendor I want to 
do business with would require that I use that or any specific 
account.  There is never a time when that's acceptable.  Wait.  I want 
to be clear about this. There is never a time when it is acceptable to 
tell me that I MUST install and run under a specific named account. 

Any time I've been faced with that concept, I and my colleagues have 
always pushed back on the vendor to specify exactly what rights and 
any other pertinent details were needed.  If they couldn't or 
otherwise wouldn't provide the details, then we emphatically recommend 
no sale.  If that doesn't prevent the sale, we loop in the security 
folks to accept responsibility for the compliance and other security 
issues that this may introduce. If they were fine with it, then I no 
longer have a stake in the game for that.  Instead, I now have a scapegoat 
for anything that goes wrong ;)


There is never a time when it is acceptable to tell me that I MUST 
install and run under a specific named account. Never.  



On 1/28/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
<[EMAIL PROTECTED] > wrote:


  There have been times in recent past that certain installs or
  applications only work under the "500" account aka the real admin
  account down here in SBSland.

  In Big server land... do you also find this to be true with apps that
  need to be installed on the server?

  For many of you you are obviously remote admin'ing.

  Do you ..when using that 500 account... accept the risk of that Admin
  account/password over TS/3389?

  Only over VPN?  Only use that 500 account in certain
  vlans/subnets/whatevers that obviously we in SBSland never carve
  up our
  domain structures in?

  For SOX purposes only have a documented use of that 500 account?

  For all other times do you use admin equivalent?


  --
  Letting your vendors set your risk analysis these days?
  http://www.threatcode.com

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

2006-01-28 Thread joe
Anyone know if sysdiff still works? I think there was a problem with the DTC
service so if you shut that down you are good to go. Anyway, I would run the
upgrade under 500 with sysdiff and also under a normal account, then windiff
the output from both sysdiffs to see what is different.

Alternately you could try to use file and reg mon tools from sysinternals.

  joe 

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question
about the use and risk of the "500" account.

SBS sp1 last patch 'has' to be run on the 500 account, no ifs or buts on
that one.

We're still in investigation on the WSUS install... so far all WSUS installs
done under the 500 account work fine, those done under an alternative
account, the workstations are not checking in to the WSUS server and so far
the only thing he can think of that he's done differently is the lack of the
use of the 500 account while installing WSUS.

joe wrote:

>Does it actually say it must be run from that account or is it a 
>possible lack of some sort of access that he isn't aware of?
>
>I have seen apps that have locked into a specific profile which is also bad.
>Whatever was used for the initial install had to be used for any 
>updates because critical info was stored in the profile of the ID that 
>did the install.
>
>   joe
>
>
>--
>O'Reilly Active Directory Third Edition - 
>http://www.joeware.net/win/ad3e.htm
> 
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Saturday, January 28, 2006 3:20 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBSland folks ask Big server land people a 
>question about the use and risk of the "500" account.
>
>:-)
>
>Don't install the 5th part of the SBS sp1 service pack bundle then. 
>'cause it kinda wants to be only run under that "500" account.
>
>I've got a SBSer installing WSUS under an alternative Admin account and 
>the installs that he's done under the "500" account the computers check 
>in just fine...the ones under the alternative account are having 
>issues.  He's applied the compression hotfix and done client side 
>targeting and still no go.  He's redoing the group policy settings under
>the "500" account now.
>
>Al Mulnick wrote:
>
>  
>
>>I can honestly think of no plausible reason that any vendor I want to 
>>do business with would require that I use that or any specific 
>>account.  There is never a time when that's acceptable.  Wait.  I want 
>>to be clear about this. There is never a time when it is acceptable to 
>>tell me that I MUST install and run under a specific named account.
>> 
>>Any time I've been faced with that concept, I and my colleagues have 
>>always pushed back on the vendor to specify exactly what rights and 
>>any other pertinent details were needed.  If they couldn't or 
>>otherwise wouldn't provide the details, then we emphatically recommend 
>>no sale.  If that doesn't prevent the sale, we loop in the security 
>>folks to accept responsibility for the compliance and other security 
>>issues that this may introduce. If they were fine with it, then I no 
>>longer have a stake in the game for that.  Instead, I now have a scapegoat 
>>for anything that goes wrong ;)
>> 
>>There is never a time when it is acceptable to tell me that I MUST 
>>install and run under a specific named account. Never.
>>
>> 
>>On 1/28/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
>><[EMAIL PROTECTED] > wrote:
>>
>>There have been times in recent past that certain installs or
>>applications only work under the "500" account aka the real admin
>>account down here in SBSland.
>>
>>In Big server land... do you also find this to be true with apps that
>>need to be installed on the server?
>>
>>For many of you you are obviously remote admin'ing.
>>
>>Do you ..when using that 500 account... accept the risk of that Admin
>>account/password over TS/3389?
>>
>>Only over VPN?  Only use that 500 account in certain
>>vlans/subnets/whatevers that obviously we in SBSland never carve
>>up our
>>domain structures in?
>>
>>For SOX purposes only have a documented use of that 500 account?
>>
>>For all other times do you use admin equivalent?
>>
>>
>>--
>>Letting your vendors set your risk analysis these days?
>>http://www.threatcode.com
>>
>--
>Letting your vendors set your risk analysis these 
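
The comparison joe suggests in the message above (snapshot the install once under the 500 account and once under a normal account, then diff the two), combined with his earlier point about installers that keep critical state in the installing ID's profile, can be sketched as follows. This is an added example, not part of the thread and not sysdiff or windiff; the snapshot format, the ExampleApp paths and the SIDs are constructed for illustration.

```python
import re

# Per-user locations are rewritten to a neutral token so that the same item
# written by two different installing accounts compares as equal.
_PER_USER = (
    (re.compile(r"^[A-Za-z]:\\Documents and Settings\\[^\\]+", re.I), "%USERPROFILE%"),
    (re.compile(r"^HKEY_USERS\\S-1-5-21-[\d-]+", re.I), "HKCU"),
)

# Constructed snapshots: {path: value} captured after each install run.
# "ExampleApp", the SIDs and the values are hypothetical sample data.
SNAP_500 = {
    r"C:\Program Files\ExampleApp\app.exe": "1.0",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp\InstallDir": r"C:\Program Files\ExampleApp",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp\Registered": "1",
    r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-500\Software\ExampleApp\UpdateKey": "present",
    r"C:\Documents and Settings\Administrator\Application Data\ExampleApp\license.dat": "present",
    r"C:\Inetpub\ExampleApp\web.config": "owner=Administrator",
}
SNAP_ALT = {
    r"C:\Program Files\ExampleApp\app.exe": "1.0",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp\InstallDir": r"C:\Program Files\ExampleApp",
    r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1105\Software\ExampleApp\UpdateKey": "present",
    r"C:\Documents and Settings\altadmin\Application Data\ExampleApp\license.dat": "present",
    r"C:\Inetpub\ExampleApp\web.config": "owner=altadmin",
}


def normalise(path):
    """Return (neutral_path, is_per_user) for a file or registry path."""
    for pattern, token in _PER_USER:
        neutral, hits = pattern.subn(token, path, count=1)
        if hits:
            return neutral.lower(), True
    # Windows paths are case-insensitive, so compare in lower case.
    return path.lower(), False


def _index(snapshot):
    """Map each normalised path to (value, is_per_user)."""
    out = {}
    for path, value in snapshot.items():
        key, per_user = normalise(path)
        out[key] = (value, per_user)
    return out


def compare(snap_500, snap_alt):
    """Diff the two snapshots and flag state stored in the installer's profile."""
    a, b = _index(snap_500), _index(snap_alt)
    report = {"only_500": [], "only_alt": [], "changed": [], "per_user": []}
    for key in sorted(set(a) | set(b)):
        if key not in b:
            report["only_500"].append(key)      # written only by the 500 run
        elif key not in a:
            report["only_alt"].append(key)      # written only by the other run
        elif a[key][0] != b[key][0]:
            report["changed"].append(key)       # same item, different content
        if (a.get(key) or b.get(key))[1]:
            # Lives in the installing account's profile or user hive: later
            # updates run under another ID will not find it.
            report["per_user"].append(key)
    return report


if __name__ == "__main__":
    for section, keys in compare(SNAP_500, SNAP_ALT).items():
        print(section)
        for key in keys:
            print("   ", key)
```

Entries under `only_500` and `changed` are the candidates for a missing right or ACL under the alternative account; entries under `per_user` point to the profile lock-in case rather than a privilege difference.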

[ActiveDir] Single Sign-on

2006-01-28 Thread Rimmerman, Russ
Is anyone using any single sign-on products that they can recommend?  Our new 
CIO is interested in bringing this project back to life.  We looked into it 
awhile back and it was cost prohibitive.  We've looked at Protocom and 
Passlogix in the past, and they both seemed to be OK but expensive.  Mgmt 
basically wants to sign into AD and not have to sign into anything else when 
prompted.  
Any recommendations?  

[ActiveDir] IE and group policy

2006-01-28 Thread shereen naser
I have a group policy that adds specific links to the favorites for all the users, users who log in to specific computers do not see the favorites that they should see, if I upgrade those machines from IE5 to IE6 the group policy is applied and the users can see the favorites, why does that happen? and do I have to upgrade all the IE5 machines in this case or there is a work around?

thank you