RE: [ActiveDir] Service time-out

2006-06-27 Thread james . masters
That is exactly what I was after. Thank you, Steve.

-James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, June 27, 2006 2:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Service time-out

You can try

http://support.microsoft.com/?id=824344 "How to debug Windows services"


Specifically the section:

"When a service starts, the service communicates to the Service Control 
Manager how long the service must have to start (the time-out period for
the 
service). If the Service Control Manager does not receive a "service 
started" notice from the service within this time-out period, the Service 
Control Manager terminates the process that hosts the service. This
time-out 
period is typically less than 30 seconds. If you do not adjust this
time-out 
period, the Service Control Manager ends the process and the attached 
debugger while you are trying to debug. To adjust this time-out period, 
follow these steps: "

ServicesPipeTimeout

However - if you have a svc which isn't starting, it's better to figure out
why IMO


steve


- Original Message - 
From: <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, June 27, 2006 10:54 AM
Subject: RE: [ActiveDir] Service time-out


> Thanks for the reply, Joe. I am referring to the timeout of a service
> on startup (i.e. "The service did not respond in a timely manner").
>
> Thanks,
> James
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, June 27, 2006 11:27 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Service time-out
>
> Do you mean the timeout for how long a service is allowed to live during a
> shutdown before it is just killed? If so, that is under the key
> hklm\system\currentcontrolset\control in the value
> WaitToKillServiceTimeout.
>
>  joe
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, June 26, 2006 10:27 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Service time-out
>
> Does anybody know where the service timeout period is set for NT
> services?
>
> Also, is there a global setting for time outs for all services?
>
> Any help would be appreciated - thanks.
>
> James Masters
> Midrange Support
> The Kroger Co.
> (859) 363-2346 - Desk
> (859) 653-8644 - Cell
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
>

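As an added illustration, not code from Steve's message, from KB 824344, or from anyone on the list: a PowerShell script that reads the two values the thread names (ServicesPipeTimeout, which the KB article has you add, and WaitToKillServiceTimeout, which joe gave for the shutdown case), sets ServicesPipeTimeout with an explicit reboot warning, and lists the Service Control Manager events that record why a service failed or timed out, which is Steve's "figure out why" advice. The REG_DWORD-in-milliseconds format of ServicesPipeTimeout follows the KB article's steps, which the page only points to; the event IDs 7000, 7009 and 7011 are assumed from the SCM's own System-log messages and are not on the page.

```powershell
# Added example (not from Steve's message or KB 824344). Windows PowerShell, run elevated.
$ControlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control'

function Get-ServiceTimeouts {
    # Both values are machine-wide: they apply to every service the SCM starts or stops.
    $props = Get-ItemProperty -Path $ControlKey
    $pipe = $props.ServicesPipeTimeout          # REG_DWORD, milliseconds (per the KB's steps; assumed here)
    if ($null -ne $pipe) { $pipe = [int]$pipe }  # $null means the SCM default, which the KB text puts at about 30 s
    [pscustomobject]@{
        ServicesPipeTimeoutMs      = $pipe
        # REG_SZ holding milliseconds: how long a running service gets at shutdown before it is killed
        WaitToKillServiceTimeoutMs = $props.WaitToKillServiceTimeout
    }
}

function Set-ServicesPipeTimeout {
    # Raises (or lowers) the start time-out for all services; bounded so a typo cannot set hours.
    param([Parameter(Mandatory)][ValidateRange(1, 600)][int]$Seconds)
    New-ItemProperty -Path $ControlKey -Name 'ServicesPipeTimeout' -PropertyType DWord `
        -Value ($Seconds * 1000) -Force | Out-Null     # -Force overwrites an existing value
    Write-Warning 'The Service Control Manager reads ServicesPipeTimeout at boot; reboot to apply.'
    Get-ServiceTimeouts
}

function Get-ServiceStartFailures {
    # Steve's "figure out why": the SCM records a start time-out as event 7009 (no connect within
    # the time-out), a failed start as 7000 and a hung control request as 7011. Assumed IDs, not from the page.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7009, 7011
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage:
#   Get-ServiceTimeouts
#   Get-ServiceStartFailures -Days 30
#   Set-ServicesPipeTimeout -Seconds 60    # only while debugging the slow starter, as the KB intends
```

Because the value is global, a raised ServicesPipeTimeout hides every slow starter on the host, not just the one being debugged; reading the 7009/7000 events first usually points at the real cause.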


RE: [ActiveDir] Where's that account being used?

2006-06-27 Thread Alex Fontana
Check out Service Explorer.  The trial version will do exactly what you
want...for services anyway.

http://www.scriptlogic.com/products/serviceexplorer/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, June 27, 2006 7:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Where's that account being used?

Use something like MOM or some manual solution (e.g. eventcombmt) to
collect all audits for the account logging in - they include the source.
My bet is that it's a handful of apps and you can then deal with them on
a per app basis. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, June 27, 2006 8:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Where's that account being used?
> 
> I swear Dean previously posted a script to this list to go looking for
> machines using a specific account for one of their services.
> 
> Other than that, I recommend you spin up at least one other ID, then
> start moving services/applications to it. That way when you think you
> got them all you can disable the account and see what breaks.
> 
> Overall I am not a terrible fan of a single ID being shared by people
> or applications. All accountability goes straight out the window.  As
> for the ID being a domain admin ID... Well that is just ridiculous and
> highlights some of the conversations on the list recently. Good luck
> cleaning it all up.
> 
>   joe
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
> Sent: Tuesday, June 27, 2006 12:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Where's that account being used?
> 
> Dear fountain of knowledge,
> 
> We've inherited a particularly messy AD structure, and we're now
> trying to find out where a particular account is in use.  There's around 80
> servers in the domain and 3000 workstations, and this account appears
> to be used for pretty much anything that wants to log on as a service,
> or anyone who wants domain admin privs.
> 
> Is there any kind of audit utility to scan servers and see which
> services are using the account, and ideally - any kind of monitoring
> package to flag up an alert each time the account is used to, say, map
> a drive or connect to a SQL db?
> 
> --
> AdamT
> "A casual stroll through the lunatic asylum shows that faith does not
> prove anything." - Nietzsche
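An added example of the service scan AdamT asked for, written here in PowerShell; it is not Dean's script, Deji's script, or Service Explorer, and nothing in it comes from the thread. It normalises the account-name forms Windows stores (DOMAIN\user, user@domain, .\user), checks the StartName of each Win32_Service and the "Run As User" column of schtasks output on each host, and returns the matches. The CONTOSO\svc-legacy account, the host names and the sample records are constructed. Get-CimInstance needs WinRM on the target; for hosts of the thread's vintage, Get-WmiObject over DCOM is the drop-in replacement.

```powershell
# Added example, not Deji's script, Service Explorer, or anything posted to the list.
# Inventories which services and scheduled tasks on a set of hosts run as a given account.

function Get-AccountKey {
    # Normalise 'DOMAIN\user', 'user@domain.tld', '.\user' and bare 'user' to the bare name.
    param([string]$Name)
    if ([string]::IsNullOrWhiteSpace($Name)) { return '' }
    if ($Name.Contains('\')) { return $Name.Split('\')[-1].ToLowerInvariant() }
    if ($Name.Contains('@')) { return $Name.Split('@')[0].ToLowerInvariant() }
    return $Name.ToLowerInvariant()
}

function Select-RunAsMatches {
    # Pure filter over records shaped {Computer, Kind, Name, RunAs}; works on collected or constructed data.
    param([Parameter(Mandatory)][object[]]$Records, [Parameter(Mandatory)][string]$Account)
    $key = Get-AccountKey $Account
    $Records | Where-Object { (Get-AccountKey $_.RunAs) -eq $key }
}

function Get-RunAsRecords {
    # Collects the service and task principals from each host.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            # StartName holds the logon account: LocalSystem, NT AUTHORITY\..., DOMAIN\user or user@domain
            Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{ Computer = $computer; Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName }
                }
        } catch { Write-Warning "$computer : service query failed: $($_.Exception.Message)" }

        # schtasks verbose CSV carries a 'Run As User' column; newer Windows repeats the header row
        # per task folder, so rows whose TaskName is literally 'TaskName' are dropped.
        $rows = schtasks.exe /Query /S $computer /V /FO CSV 2>$null | ConvertFrom-Csv
        foreach ($row in $rows) {
            if ($row.TaskName -eq 'TaskName') { continue }
            [pscustomobject]@{ Computer = $computer; Kind = 'Task'; Name = $row.TaskName; RunAs = $row.'Run As User' }
        }
    }
}

function Find-ServiceAccountUsage {
    param([Parameter(Mandatory)][string[]]$ComputerName, [Parameter(Mandatory)][string]$Account)
    Select-RunAsMatches -Records (Get-RunAsRecords -ComputerName $ComputerName) -Account $Account
}

# Constructed sample records (no network needed) showing the name normalisation at work:
$sample = @(
    [pscustomobject]@{ Computer = 'APP07'; Kind = 'Service'; Name = 'LegacyAgent'; RunAs = 'CONTOSO\svc-legacy' },
    [pscustomobject]@{ Computer = 'APP07'; Kind = 'Service'; Name = 'Spooler';     RunAs = 'LocalSystem' },
    [pscustomobject]@{ Computer = 'SQL02'; Kind = 'Task';    Name = '\Nightly';    RunAs = 'svc-legacy@contoso.example' }
)
Select-RunAsMatches -Records $sample -Account 'CONTOSO\svc-legacy' | Format-Table -AutoSize

# Live run over a server list (WinRM for services, RPC for schtasks):
#   Find-ServiceAccountUsage -ComputerName (Get-Content .\servers.txt) -Account 'CONTOSO\svc-legacy' |
#       Export-Csv .\svc-legacy-usage.csv -NoTypeInformation
```

The inventory only covers services and scheduled tasks, which is what Service Explorer covers too; interactive use, mapped drives and SQL connections under the account show up only in the logon audits Brian describes.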


RE: [ActiveDir] Where's that account being used?

2006-06-27 Thread Brian Desmond
Use something like MOM or some manual solution (e.g. eventcombmt) to
collect all audits for the account logging in - they include the source.
My bet is that it's a handful of apps and you can then deal with them on
a per app basis. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, June 27, 2006 8:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Where's that account being used?
> 
> I swear Dean previously posted a script to this list to go looking for
> machines using a specific account for one of their services.
> 
> Other than that, I recommend you spin up at least one other ID, then
> start moving services/applications to it. That way when you think you
> got them all you can disable the account and see what breaks.
> 
> Overall I am not a terrible fan of a single ID being shared by people
> or applications. All accountability goes straight out the window.  As
> for the ID being a domain admin ID... Well that is just ridiculous and
> highlights some of the conversations on the list recently. Good luck
> cleaning it all up.
> 
>   joe
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
> Sent: Tuesday, June 27, 2006 12:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Where's that account being used?
> 
> Dear fountain of knowledge,
> 
> We've inherited a particularly messy AD structure, and we're now
> trying to find out where a particular account is in use.  There's around 80
> servers in the domain and 3000 workstations, and this account appears
> to be used for pretty much anything that wants to log on as a service,
> or anyone who wants domain admin privs.
> 
> Is there any kind of audit utility to scan servers and see which
> services are using the account, and ideally - any kind of monitoring
> package to flag up an alert each time the account is used to, say, map
> a drive or connect to a SQL db?
> 
> --
> AdamT
> "A casual stroll through the lunatic asylum shows that faith does not
> prove anything." - Nietzsche
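Brian's approach, pulling the logon audits and grouping them by source, as an added PowerShell example (not Brian's MOM or eventcombmt setup, and not code from the thread): it parses successful-logon events (ID 4624 on Vista and later; the Windows 2003 IDs 528 and 540 that the thread's servers would have written are not handled) into account, logon type, workstation and address, and summarises where one account is logging on from. The parser runs offline on constructed event XML; the live collector assumes WinRM access to each DC's Security log. All account, host and address values are constructed.

```powershell
# Added example, not from the thread. Windows PowerShell 5.1 or later.

function ConvertFrom-LogonEventXml {
    # Flattens the EventData of a 4624 event (as returned by EventRecord.ToXml()) into one object.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = [int]$data['LogonType']     # 2 interactive, 3 network, 4 batch, 5 service, 10 remote interactive
        Workstation = $data['WorkstationName']
        IpAddress   = $data['IpAddress']
    }
}

function Group-LogonSources {
    # Summarises where one account logs on from, ignoring events for every other account.
    param([Parameter(Mandatory)][object[]]$Logons, [Parameter(Mandatory)][string]$Account)
    $Logons | Where-Object { $_.Account -eq $Account } |
        Group-Object LogonType, Workstation, IpAddress |
        ForEach-Object {
            [pscustomobject]@{
                Account     = $Account
                LogonType   = $_.Group[0].LogonType
                Workstation = $_.Group[0].Workstation
                IpAddress   = $_.Group[0].IpAddress
                Count       = $_.Count
            }
        } | Sort-Object Count -Descending
}

function Get-AccountLogonSources {
    # Live collector: reads 4624 events from the given hosts (normally every DC) and summarises them.
    # Pulling every 4624 and filtering afterwards is simple but heavy on a busy DC; narrow $Days accordingly.
    param([Parameter(Mandatory)][string[]]$ComputerName, [Parameter(Mandatory)][string]$Account, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    $logons = foreach ($dc in $ComputerName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LogonEventXml -Xml $_.ToXml() }
    }
    Group-LogonSources -Logons $logons -Account $Account
}

function New-SampleLogonXml {
    # Constructed, minimal 4624 body carrying only the fields the parser reads.
    param($User, $Domain, $LogonType, $Workstation, $Ip)
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID></System>" +
    "<EventData><Data Name='TargetUserName'>$User</Data><Data Name='TargetDomainName'>$Domain</Data>" +
    "<Data Name='LogonType'>$LogonType</Data><Data Name='WorkstationName'>$Workstation</Data>" +
    "<Data Name='IpAddress'>$Ip</Data></EventData></Event>"
}

# Offline demonstration on constructed events: three network logons of the shared account from
# two hosts, plus an unrelated interactive logon that must not appear in the summary.
$sample = @(
    (New-SampleLogonXml 'svc-legacy' 'CONTOSO' 3 'APP07'  '10.1.2.7'),
    (New-SampleLogonXml 'svc-legacy' 'CONTOSO' 3 'APP07'  '10.1.2.7'),
    (New-SampleLogonXml 'svc-legacy' 'CONTOSO' 3 'SQL02'  '10.1.2.20'),
    (New-SampleLogonXml 'jdoe'       'CONTOSO' 2 'WS1234' '10.1.9.4')
) | ForEach-Object { ConvertFrom-LogonEventXml -Xml $_ }
Group-LogonSources -Logons $sample -Account 'CONTOSO\svc-legacy' | Format-Table -AutoSize

# Live run against the domain controllers:
#   Get-AccountLogonSources -ComputerName 'DC01', 'DC02' -Account 'CONTOSO\svc-legacy' -Days 30
```

Grouping by logon type is what separates the service starts (type 5) and batch jobs (type 4) from the mapped drives and SQL connections (type 3) AdamT wanted to alert on; the same parser can feed an alert by filtering for the account and a logon type that should never occur.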


RE: [ActiveDir] Where's that account being used?

2006-06-27 Thread joe
I swear Dean previously posted a script to this list to go looking for
machines using a specific account for one of their services. 

Other than that, I recommend you spin up at least one other ID, then start
moving services/applications to it. That way when you think you got them all
you can disable the account and see what breaks. 

Overall I am not a terrible fan of a single ID being shared by people or
applications. All accountability goes straight out the window.  As for the
ID being a domain admin ID... Well that is just ridiculous and highlights
some of the conversations on the list recently. Good luck cleaning it all
up.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Tuesday, June 27, 2006 12:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Where's that account being used?

Dear fountain of knowledge,

We've inherited a particularly messy AD structure, and we're now
trying to find out where a particular account is in use.  There's
around 80 servers in the domain and 3000 workstations, and this
account appears to be used for pretty much anything that wants to log
on as a service, or anyone who wants domain admin privs.

Is there any kind of audit utility to scan servers and see which
services are using the account, and ideally - any kind of monitoring
package to flag up an alert each time the account is used to, say, map
a drive or connect to a SQL db?

-- 
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche


RE: RE : Re: [ActiveDir] Question regarding compacting AD DB.

2006-06-27 Thread joe
I wondered if that would catch your eye. It caught mine but I figured he was
probably baiting you. :) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, June 27, 2006 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: RE : Re: [ActiveDir] Question regarding compacting AD DB.

Just curious, Al, where did you hear this from:
> doing this. Online defrag can be a wonderful thing, and off-line is
> typically recommended if online is not going to be able to finish
> during its run time.

Because I've never recommended that.  Online defrag actually saves off
where it stopped, so it picks up on its next run where it stopped last
run, and thus can finish over multiple runs.  Or were you calling a
complete pass a run, and saying if it never finishes a complete pass?

Cheers,
BrettSh

On Tue, 27 Jun 2006, Yann wrote:

> Hello Al,
>
> Good links you pointed me to, especially the link to automate the process.
> Thanks again for clarification on this subject.
>
> Yann
>
> Al Mulnick <[EMAIL PROTECTED]> wrote:
>
> http://technet2.microsoft.com/WindowsServer/en/Library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true
>
> http://technet2.microsoft.com/WindowsServer/en/Library/975c456e-8b79-4ace-8363-82543236dbb31033.mspx?mfr=true
>
> http://technet2.microsoft.com/WindowsServer/f/?en/Library/5b1d983d-ffab-4514-a95e-6aa0420dacb51033.mspx
>
> Compacting is a local dit thing.  You'll need to deal with it local
> to each machine.  IIRC, you can automate/semi-automate this and can
> off-set it to not take out your entire forest at the same time. The
> above links should help.
>
> I've just never seen a big reason to do this on an automated basis.
> Even with similar amounts of DCs I didn't have enough of a reason to
> do this.  You may want to verify that there is much free space before
> doing this. Online defrag can be a wonderful thing, and off-line is
> typically recommended if online is not going to be able to finish
> during its run time.
>
> Al
>
> On 6/27/06, Yann <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> It may be a silly question, but when you perform a migration from
> winNT/w2k to a w2k3 domain, do I then have to compact+defrag the ntds.dit
> on *EACH* DC2k3 that has been migrated? Or may I do the operation on only
> one DC and this DC will replicate the state (compact&defrag) to all other
> DCs?
> I have at least 60 DCs :(
> I think the answer will be "compact & defrag each DC that has been
> upgraded", but just to be 100 % sure.
>
> Thanks for the answer.
>
> Yann
>



RE: [ActiveDir] Self vs. the object name / effective permissions

2006-06-27 Thread joe
It doesn't even require that, the various builtin well known "groups" send it for a loop. How can it possibly know when someone may be interactive or network or what not?

  joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Tuesday, June 27, 2006 8:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Self vs. the object name / effective permissions

I just call it "best effort". It's totally ineffective over cross forest trusts.

Guy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 27, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Self vs. the object name / effective permissions

Without knowing the details I would start off by saying effective permissions isn't the greatest[1] and is very likely to be incorrect because without an actual security token to work from on the machine that you need to know the effective rights it is very easy to miss something and not get it right. I don't even bother looking at effective rights ever, I look at the ACLs myself and work it through.

If you want, email me the DSACLS dump to my home address and what isn't working and I will give you a free opinion. :)

  joe

[1] I was going to say sucks but I tried to write my own version of it once and it is really really really hard.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Tuesday, June 27, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Self vs. the object name / effective permissions

Someone came by my cube and said they were having permission issues. They assigned Self some rights for computer objects and in ADUC the effective permissions are correct. However, they also did effective permissions on the name of the computer object and it has different results… Why is this?? I know Self represents the object… so where is it getting different permissions from? DSAcls is retrieving correct information for me, but this seems like a bug to me.

-Brandon
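An added model of what joe and Guy are describing, not code from the thread: an ACE granted to SELF (S-1-5-10) applies only when the caller's SID is the object's own SID, and whether the caller's token also carries NETWORK or INTERACTIVE depends on how the logon happened, which no name-based evaluation of the directory can see. The script builds a small constructed DACL from SDDL with System.DirectoryServices and evaluates it against three synthesised tokens: the computer resolved by name without SELF, the computer as itself, and the computer as itself over a network logon. The SDDL, the computer SID and the bitwise merge of allow and deny bits are my simplifications, not Windows' ordered ACE evaluation, and the function names are mine.

```powershell
# Added example, not from the thread. Windows PowerShell; uses System.DirectoryServices.
Add-Type -AssemblyName System.DirectoryServices

$SelfSid     = 'S-1-5-10'                      # NT AUTHORITY\SELF, SDDL alias PS
$NetworkSid  = 'S-1-5-2'                       # NT AUTHORITY\NETWORK, SDDL alias NU
$AuthUsers   = 'S-1-5-11'                      # Authenticated Users, SDDL alias AU
$ComputerSid = 'S-1-5-21-1000-2000-3000-1105'  # constructed SID for the computer object

function ConvertFrom-Sddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $acl.SetSecurityDescriptorSddlForm($Sddl)
    return $acl
}

function Get-EffectiveRights {
    # Bitwise approximation: any Deny bit for a SID in the token removes that bit. The real
    # evaluator walks ACEs in order and also honours object-type (per-attribute) ACEs.
    param([Parameter(Mandatory)]$Acl, [Parameter(Mandatory)][string[]]$TokenSids)
    $allow = 0; $deny = 0
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($TokenSids -notcontains $rule.IdentityReference.Value) { continue }
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            $deny = $deny -bor [int]$rule.ActiveDirectoryRights
        } else {
            $allow = $allow -bor [int]$rule.ActiveDirectoryRights
        }
    }
    return [System.DirectoryServices.ActiveDirectoryRights]($allow -band (-bnot $deny))
}

function New-TokenSids {
    # What an evaluator can put in a synthesised token: the principal's SID and its groups, plus
    # SELF only if it knows the principal *is* the object, plus a logon SID only if it knows the logon.
    param([string]$PrincipalSid, [switch]$IsObjectItself, [switch]$NetworkLogon)
    $sids = @($PrincipalSid, $AuthUsers)
    if ($IsObjectItself) { $sids += $SelfSid }
    if ($NetworkLogon)   { $sids += $NetworkSid }
    return $sids
}

# Constructed DACL (canonical order, deny first): network callers may not write properties,
# Authenticated Users may read properties, and SELF may write its own properties.
$acl = ConvertFrom-Sddl 'D:(D;;WP;;;NU)(A;;RP;;;AU)(A;;WP;;;PS)'

function Show-Scenarios {
    [ordered]@{
        # Name-based check: the computer's SID and groups, but nothing marks it as the object itself
        'By name, SELF not added' = Get-EffectiveRights $acl (New-TokenSids $ComputerSid)
        # Evaluator knows the principal is the object: the SELF ACE now applies
        'As Self'                 = Get-EffectiveRights $acl (New-TokenSids $ComputerSid -IsObjectItself)
        # Same caller over a network logon: the NETWORK deny strips the write right again
        'As Self, network logon'  = Get-EffectiveRights $acl (New-TokenSids $ComputerSid -IsObjectItself -NetworkLogon)
    }
}
Show-Scenarios
```

The three rows differ only in which well-known SIDs were added to the token, which is the information an effective-permissions dialog has to guess at; reading the ACEs directly, as joe does with DSACLS, shows each grant and deny with the SID it applies to and leaves the token question to the reader.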



RE: [ActiveDir] Self vs. the object name / effective permissions

2006-06-27 Thread Guy Teverovsky
I just call it "best effort". It's totally ineffective over cross forest trusts.

Guy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 27, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Self vs. the object name / effective permissions

Without knowing the details I would start off by saying effective permissions isn't the greatest[1] and is very likely to be incorrect because without an actual security token to work from on the machine that you need to know the effective rights it is very easy to miss something and not get it right. I don't even bother looking at effective rights ever, I look at the ACLs myself and work it through.

If you want, email me the DSACLS dump to my home address and what isn't working and I will give you a free opinion. :)

  joe

[1] I was going to say sucks but I tried to write my own version of it once and it is really really really hard.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Tuesday, June 27, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Self vs. the object name / effective permissions

Someone came by my cube and said they were having permission issues. They assigned Self some rights for computer objects and in ADUC the effective permissions are correct. However, they also did effective permissions on the name of the computer object and it has different results… Why is this?? I know Self represents the object… so where is it getting different permissions from? DSAcls is retrieving correct information for me, but this seems like a bug to me.

-Brandon


Re: RE : Re: [ActiveDir] Question regarding compacting AD DB.

2006-06-27 Thread Brett Shirley
Just curious, Al, where did you hear this from:
> doing this. Online defrag can be a wonderful thing, and off-line is
> typically recommended if online is not going to be able to finish
> during its run time.

Because I've never recommended that.  Online defrag actually saves off
where it stopped, so it picks up on its next run where it stopped last
run, and thus can finish over multiple runs.  Or were you calling a
complete pass a run, and saying if it never finishes a complete pass?

Cheers,
BrettSh

On Tue, 27 Jun 2006, Yann wrote:

> Hello Al,
>
> Good links you pointed me to, especially the link to automate the process.
> Thanks again for clarification on this subject.
>
> Yann
>
> Al Mulnick <[EMAIL PROTECTED]> wrote:
>
> http://technet2.microsoft.com/WindowsServer/en/Library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true
>
> http://technet2.microsoft.com/WindowsServer/en/Library/975c456e-8b79-4ace-8363-82543236dbb31033.mspx?mfr=true
>
> http://technet2.microsoft.com/WindowsServer/f/?en/Library/5b1d983d-ffab-4514-a95e-6aa0420dacb51033.mspx
>
> Compacting is a local dit thing.  You'll need to deal with it local
> to each machine.  IIRC, you can automate/semi-automate this and can
> off-set it to not take out your entire forest at the same time. The
> above links should help.
>
> I've just never seen a big reason to do this on an automated basis.
> Even with similar amounts of DCs I didn't have enough of a reason to
> do this.  You may want to verify that there is much free space before
> doing this. Online defrag can be a wonderful thing, and off-line is
> typically recommended if online is not going to be able to finish
> during its run time.
>
> Al
>
> On 6/27/06, Yann <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> It may be a silly question, but when you perform a migration from
> winNT/w2k to a w2k3 domain, do I then have to compact+defrag the ntds.dit
> on *EACH* DC2k3 that has been migrated? Or may I do the operation on only
> one DC and this DC will replicate the state (compact&defrag) to all other
> DCs?
> I have at least 60 DCs :(
> I think the answer will be "compact & defrag each DC that has been
> upgraded", but just to be 100 % sure.
>
> Thanks for the answer.
>
> Yann
>


RE: [ActiveDir] pw reset domain account

2006-06-27 Thread joe



Yes, password issues literally cost the company millions per year. Interestingly enough, the total cost of password issues actually slowly went up when I left and was trending up at a horrible rate at the point, 6 months later, when I came back. Three weeks after I came back, the trend was completely reversed and total costs were dropping like a rock. I actually have a very cool graph that was put together by the password kiosk project group people to show their value, and I noticed the trends and the dates and kind of chuckled. My manager noticed the dates as well. I asked the question, "how come the password reset trend went down and the costs went down PRIOR to the launch of the kiosk software?"  They didn't have a good answer, just a shrug of the shoulders. That is what you get when your AD is running smoothly. :)  Later, changing the lockout policy from 5 bad to 15 bad and reducing the lockout period to I think it was 15 minutes (from 60) also significantly helped with helpdesk tickets.

I think the averages were something like 10 minutes per password reset call and cost per call was something like $65 or so. Been too long now since I saw the numbers. It was always understood though that there are some people who just won't use automated systems, they will only deal with real people when trying to get help. Me, I'm the opposite, much rather use an automated system than real people. Better chance of everything going right.

Delegated Admin IDs could only be reset by going through the kiosk and using your SecurID. This pissed a lot of "admins" off because they didn't like being required to use their SecurIDs (meant they better not forget their password or forget their SecurID token at home). The kiosk only had rights over normal userids' passwords and lockouts. So obviously the 4 DAs had to be trusted not to forget their own passwords. When you only have four people with that level of rights, it is pretty easy to make sure they are trustworthy. The bad eggs stick out quick and you drown them right away versus crutching them along.
 
  joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, June 27, 2006 2:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account

It is a bear.  Another option is to use peer resets, but I'm not fond 
of that because it opens the world to too many untrusted entities. 
 
Still another option is to use the telephone and a self-service method via 
ACD.  This satisfies the OOB communications, prevents the customization of 
desktop code, and it's tried and true technology (the phone systems have been 
around a while).  It's also the most prevalent item on the desk. The two 
biggest downsides are that it's the phone system, so you'll have to hook it into 
your phone system and you have to know the phone number in order to call - you'd 
be surprised by how many people have the numbers in their contacts ;) 
 
To solve these issues, there is a combination of technology and 
ingenuity.  You can easily buy phone-system-to-AD solutions that can 
be used for this purpose.  You can also include such phone numbers in the 
screen saver and in the logon banner or the background so that they can be seen 
even if you cannot log on.  
 
I don't believe that changing the GINA is going to be a one-stop 
solution.  In fact, I think a combination of approaches will be needed but 
as I said in a different message, I highly advise verifying the true cost of the 
problem before going out to solve it.  At your old widget company, I'm sure 
it was much more costly than at a more common company of say 50K users. :) 

 
Al 
On 6/27/06, joe 
<[EMAIL PROTECTED]> 
wrote: 

  
  
  Yeah but 
  puts you right back where you were at, a call to someone else, might as well 
  be the help desk instead of your manager. Visualize working on saturdays or 
  late at night or what not. The idea behind a password kiosk is so people can 
  help themselves. We struggled with this at the widget company and the solution 
  was determined to be a GINA extension, not sure if they implemented it as I 
  left before the dev work was done. 
  
   
   
  
  --
  O'Reilly 
  Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
  Sent: Tuesday, June 27, 2006 1:04 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] pw reset domain account
   
  
  
  I think a webpage where your admin or your manager can go in under their 
  ID on their PC and submit a request to the system to reset your password, or 
  to automatically reset your account might be a great solution. Although this 
  would require some diligence in keeping certain attributes in AD populated for 
  every user, so using this in conjunction wi

RE: [ActiveDir] Where's that account being used?

2006-06-27 Thread Deji Akomolafe



This may help you:
 
http://www.akomolafe.com/Portals/1/Find%20SPECIFIC%20Service%20Account%20on%20Computers.txt
 
The caveats about using my scripts apply :)
 


Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Free, Bob
Sent: Tue 6/27/2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Where's that account being used?

It's been a while but I used to use Small Wonder's Service Explorer (it's
since been taken over by ScriptLogic) and it was excellent for this; it
also gets scheduled tasks and it is definitely worth a peek. You can
change the password on all those services (and tasks) at once with it,
delete services, set parameters etc.

http://www.scriptlogic.com/products/serviceexplorer/

HTH

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Tuesday, June 27, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Where's that account being used?

Dear fountain of knowledge,

We've inherited a particularly messy AD structure, and we're now
trying to find out where a particular account is in use.  There's
around 80 servers in the domain and 3000 workstations, and this
account appears to be used for pretty much anything that wants to log
on as a service, or anyone who wants domain admin privs.

Is there any kind of audit utility to scan servers and see which
services are using the account, and ideally - any kind of monitoring
package to flag up an alert each time the account is used to, say, map
a drive or connect to a SQL db?

-- 
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche



RE: [ActiveDir] Service time-out

2006-06-27 Thread joe
Cool that one goes into permanent memory, I wasn't aware of it. Thanks
Steve. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, June 27, 2006 2:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Service time-out

You can try

http://support.microsoft.com/?id=824344 "How to debug Windows services"


Specifically the section:

"When a service starts, the service communicates to the Service Control 
Manager how long the service must have to start (the time-out period for the

service). If the Service Control Manager does not receive a "service 
started" notice from the service within this time-out period, the Service 
Control Manager terminates the process that hosts the service. This time-out

period is typically less than 30 seconds. If you do not adjust this time-out

period, the Service Control Manager ends the process and the attached 
debugger while you are trying to debug. To adjust this time-out period, 
follow these steps: "

ServicesPipeTimeout

However - if you have a svc which isn't starting, it's better to figure out
why IMO


steve


- Original Message - 
From: <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, June 27, 2006 10:54 AM
Subject: RE: [ActiveDir] Service time-out


> Thanks for the reply, Joe. I am referring to the timeout of a service
> on startup (i.e. "The service did not respond in a timely manner").
>
> Thanks,
> James
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, June 27, 2006 11:27 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Service time-out
>
> Do you mean the timeout for how long a service is allowed to live during a
> shutdown before it is just killed? If so, that is under the key
> hklm\system\currentcontrolset\control in the value
> WaitToKillServiceTimeout.
>
>  joe
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, June 26, 2006 10:27 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Service time-out
>
> Does anybody know where the service timeout period is set for NT services?
>
> Also, is there a global setting for time outs for all services?
>
> Any help would be appreciated - thanks.
>
> James Masters
> Midrange Support
> The Kroger Co.
> (859) 363-2346 - Desk
> (859) 653-8644 - Cell
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] pw reset domain account

2006-06-27 Thread Phil Renouf
Yeah that is true, but the helpdesk can also have the ability to do password resets, but giving a way for the admin asst or manager to also do password resets would reduce helpdesk calls which is part of the reason for implementing something like this. If there are occasions when the manager is not around (off hours, vacation etc.) then the helpdesk can still provide the facility.

 
If true self-help is the goal then definitely GINA was the best choice, with the changes to Vista though I am not sure what the best solution will be.
 
Phil 
On 6/27/06, joe <[EMAIL PROTECTED]> wrote:



Yeah, but that puts you right back where you were at: a call to someone else, might as well be the help desk instead of your manager. Visualize working on Saturdays or late at night or whatnot. The idea behind a password kiosk is so people can help themselves. We struggled with this at the widget company and the solution was determined to be a GINA extension, not sure if they implemented it as I left before the dev work was done. 


 
 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Tuesday, June 27, 2006 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account
 


I think a webpage where your admin or your manager can go in under their ID on their PC and submit a request to the system to reset your password, or to automatically reset your account might be a great solution. Although this would require some diligence in keeping certain attributes in AD populated for every user, so using this in conjunction with a provisioning solution (or built into the provisioning solution) might be the best idea. 

 
That would eliminate the need for a generic account, wouldn't require GINA modifications and won't be overly complex like trying to setup/maintain local accounts etc.
 
Phil 
On 6/27/06, joe <[EMAIL PROTECTED]> wrote:
 



Yeah the proper way to do this is to modify the GINA so that you can bypass normal logon and go to the website. That being said, not a lot of folks are going to modify GINAs and anyone who is will find a bit o trouble with those GINA mods when they start deploying Vista (i.e. they won't work).
 
This is a tough nut to crack and the only thing I can really think of that comes close to secure is the machine that is deployed to a user also gets a local ID for them as well or possibly a very well locked down generic local ID that gets added to all workstations. That generic ID should have IE as the shell so it comes right up in a kiosk type mode right to that web site or better yet, a custom written gui app that is used as the shell that exposes that web page and doesn't allow you to do anything but go to that web page (i.e. not a generic browser). I would also set up the policy for that ID on every machine such that it can't connect to any machine but the webservers hosting the kiosk website across the network... i.e. access this machine from the network DENY for the local generic userid. That would prevent someone from using runas or something like that to go surfing across other machines in an anonymous way since the passwords are all synced. It is a lot of work and a lot of chance of missing something. 


 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
Sent: Monday, June 26, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account 

Yes, the latter. This is an account a user would use to login with, then the pw reset website would automatically run. The website has challenge/response Q's for them to get their individual acct reset.

On 6/25/06, joe <[EMAIL PROTECTED]> wrote: 




Err, maybe you can fill in more detail. I am not quite sure what you are saying. Are you saying there is a generic ID to log into the website and it can reset anyone's password or are you saying there is a generic ID with rights to reset anyone's password or  

 
Either of those solutions wouldn't be optimal and I would love to work in that company for a day with that implemented and have people point out who the dumbass managers were... Or at least their IDs.   

 
Oh I just read that again, is this an idea to give a userid/password to everyone so they can get past the GINA and get to the self service website? 

 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
Sent: Sunday, June 25, 2006 6:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] pw reset domain account 


There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any us

RE: [ActiveDir] Service time-out

2006-06-27 Thread joe
I don't believe that is configurable outside of the service code for each
individual service as it isn't a normal timeout. 

Basically, as I understand it, what happens is when a service starts, it is
supposed to set its status to SERVICE_START_PENDING and set a wait hint in
milliseconds of how long it should take. If the startup is taking too long,
it is up to the service to submit an updated value for the wait hint. If the
wait hint expires, the SCM is supposed to assume that the service process
has errored out in its initialization.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, June 27, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Service time-out

Thanks for the reply, Joe. I am referring to the timeout of a service
on startup (i.e. "The service did not respond in a timely manner").

Thanks,
James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 27, 2006 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Service time-out

Do you mean the timeout for how long a service is allowed to live during a
shutdown before it is just killed? If so that is under the key
hklm\system\currentcontrolset\control in the value
WaitToKillServiceTimeout.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Service time-out

Does anybody know where the service timeout period is set for NT services?

Also, is there a global setting for time outs for all services?

Any help would be appreciated - thanks.

James Masters
Midrange Support
The Kroger Co.
(859) 363-2346 - Desk
(859) 653-8644 - Cell
 


Re: [ActiveDir] Service time-out

2006-06-27 Thread steve patrick

You can try

http://support.microsoft.com/?id=824344 "How to debug Windows services"


Specifically the section:

"When a service starts, the service communicates to the Service Control 
Manager how long the service must have to start (the time-out period for the 
service). If the Service Control Manager does not receive a "service 
started" notice from the service within this time-out period, the Service 
Control Manager terminates the process that hosts the service. This time-out 
period is typically less than 30 seconds. If you do not adjust this time-out 
period, the Service Control Manager ends the process and the attached 
debugger while you are trying to debug. To adjust this time-out period, 
follow these steps: "


ServicesPipeTimeout

However, if you have a service which isn't starting, it's better to figure out
why IMO



steve


- Original Message - 
From: <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, June 27, 2006 10:54 AM
Subject: RE: [ActiveDir] Service time-out



Thanks for the reply, Joe. I am referring to the timeout of a service
on startup (i.e. "The service did not respond in a timely manner").

Thanks,
James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 27, 2006 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Service time-out

Do you mean the timeout for how long a service is allowed to live during a
shutdown before it is just killed? If so that is under the key
hklm\system\currentcontrolset\control in the value
WaitToKillServiceTimeout.

 joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Service time-out

Does anybody know where the service timeout period is set for NT services?

Also, is there a global setting for time outs for all services?

Any help would be appreciated - thanks.

James Masters
Midrange Support
The Kroger Co.
(859) 363-2346 - Desk
(859) 653-8644 - Cell

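The three mechanisms this thread touches, joe's WaitToKillServiceTimeout for shutdown, the ServicesPipeTimeout start-up limit from KB 824344 that Steve points to, and the SERVICE_START_PENDING checkpoint/wait hint joe describes, can all be inspected from PowerShell. The script below is an added example, not code from the thread or from Microsoft. It assumes an elevated prompt on the host in question; the registry paths and value names are the documented ones, and 'Spooler' is only a sample service name.

```powershell
# Added example: SCM start-up / shutdown time-outs and the wait hint a
# starting service reports. Assumes an elevated prompt on the target host.

$control = 'HKLM:\SYSTEM\CurrentControlSet\Control'

function Get-ScmTimeouts {
    # ServicesPipeTimeout is absent by default; the SCM then uses its
    # built-in 30000 ms start-up limit. WaitToKillServiceTimeout (REG_SZ, ms)
    # is the shutdown grace period joe refers to.
    $props = Get-ItemProperty -Path $control
    [pscustomobject]@{
        ServicesPipeTimeoutMs    = if ($null -ne $props.ServicesPipeTimeout) { [int]$props.ServicesPipeTimeout } else { 30000 }
        ServicesPipeTimeoutIsSet = ($null -ne $props.ServicesPipeTimeout)
        WaitToKillServiceMs      = [int]$props.WaitToKillServiceTimeout
    }
}

function Set-ServicesPipeTimeout {
    param([Parameter(Mandatory)][ValidateRange(30000, 2147483647)][int]$Milliseconds)
    # REG_DWORD in milliseconds. The SCM reads it at boot, so the new limit
    # only applies after a restart (as KB 824344 says).
    New-ItemProperty -Path $control -Name ServicesPipeTimeout -PropertyType DWord `
        -Value $Milliseconds -Force | Out-Null
    Write-Warning "ServicesPipeTimeout set to $Milliseconds ms; reboot for it to take effect."
}

function Get-ScField {
    param([string[]]$Text, [string]$Pattern)
    # First capture group of the first 'sc query' line matching $Pattern.
    $m = $Text | Select-String -Pattern $Pattern | Select-Object -First 1
    if (-not $m) { throw "sc.exe output did not contain '$Pattern': $($Text -join ' ')" }
    $m.Matches[0].Groups[1].Value
}

function Watch-ServiceStart {
    param([Parameter(Mandatory)][string]$Name, [int]$PollMs = 250)
    # While a service is START_PENDING, 'sc query' shows the CHECKPOINT and
    # WAIT_HINT the service last passed to SetServiceStatus. A checkpoint
    # that stops advancing before the wait hint runs out is the service the
    # SCM will eventually report as "did not respond in a timely manner".
    sc.exe start $Name | Out-Null        # returns immediately, unlike Start-Service
    do {
        $out   = sc.exe query $Name
        $state = Get-ScField $out 'STATE\s*:\s*\d+\s+(\w+)'
        $cp    = Get-ScField $out 'CHECKPOINT\s*:\s*(0x[0-9a-f]+)'
        $hint  = Get-ScField $out 'WAIT_HINT\s*:\s*(0x[0-9a-f]+)'
        '{0,-14} checkpoint={1,-4} wait_hint={2} ms' -f $state, [int]$cp, [int]$hint
        Start-Sleep -Milliseconds $PollMs
    } while ($state -eq 'START_PENDING')
}

Get-ScmTimeouts
Watch-ServiceStart -Name Spooler
```

Raising ServicesPipeTimeout is a global change that affects every service on the box, which is why Steve's caveat matters: a service that needs it is usually one whose initialisation blocks on something (a network resource, a database, a slow dependency) and the wait-hint trace above shows whether it at least keeps reporting progress or has simply hung.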


Re: [ActiveDir] pw reset domain account

2006-06-27 Thread Al Mulnick
It is a bear.  Another option is to use peer resets, but I'm not fond of that because it opens the world to too many untrusted entities. 
 
Still another option is to use the telephone and a self-service method via ACD.  This satisfies the OOB communications, prevents the customization of desktop code, and it's tried and true technology (the phone systems have been around a while).  It's also the most prevalent item on the desk. The two biggest downsides are that it's the phone system, so you'll have to hook it into your phone system and you have to know the phone number in order to call - you'd be surprised by how many people have the numbers in their contacts ;)

 
To solve these issues, there is a combination of technology and ingenuity.  You can easily buy phone system to AD solutions that can be used for this purpose.  You can also include such phone numbers in the screen saver and in the logon banner or the background so that it can be seen even if you cannot log on.  

 
I don't believe that changing the GINA is going to be a one-stop solution.  In fact, I think a combination of approaches will be needed but as I said in a different message, I highly advise verifying the true cost of the problem before going out to solve it.  At your old widget company, I'm sure it was much more costly than at a more common company of say 50K users. :)

 
Al 
On 6/27/06, joe <[EMAIL PROTECTED]> wrote:



Yeah, but that puts you right back where you were at: a call to someone else, might as well be the help desk instead of your manager. Visualize working on Saturdays or late at night or whatnot. The idea behind a password kiosk is so people can help themselves. We struggled with this at the widget company and the solution was determined to be a GINA extension, not sure if they implemented it as I left before the dev work was done. 


 
 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Tuesday, June 27, 2006 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account
 


I think a webpage where your admin or your manager can go in under their ID on their PC and submit a request to the system to reset your password, or to automatically reset your account might be a great solution. Although this would require some diligence in keeping certain attributes in AD populated for every user, so using this in conjunction with a provisioning solution (or built into the provisioning solution) might be the best idea. 

 
That would eliminate the need for a generic account, wouldn't require GINA modifications and won't be overly complex like trying to setup/maintain local accounts etc.
 
Phil 
On 6/27/06, joe <[EMAIL PROTECTED]> wrote:
 



Yeah the proper way to do this is to modify the GINA so that you can bypass normal logon and go to the website. That being said, not a lot of folks are going to modify GINAs and anyone who is will find a bit o trouble with those GINA mods when they start deploying Vista (i.e. they won't work).
 
This is a tough nut to crack and the only thing I can really think of that comes close to secure is the machine that is deployed to a user also gets a local ID for them as well or possibly a very well locked down generic local ID that gets added to all workstations. That generic ID should have IE as the shell so it comes right up in a kiosk type mode right to that web site or better yet, a custom written gui app that is used as the shell that exposes that web page and doesn't allow you to do anything but go to that web page (i.e. not a generic browser). I would also set up the policy for that ID on every machine such that it can't connect to any machine but the webservers hosting the kiosk website across the network... i.e. access this machine from the network DENY for the local generic userid. That would prevent someone from using runas or something like that to go surfing across other machines in an anonymous way since the passwords are all synced. It is a lot of work and a lot of chance of missing something. 


 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
Sent: Monday, June 26, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account 

Yes, the latter. This is an account a user would use to login with, then the pw reset website would automatically run. The website has challenge/response Q's for them to get their individual acct reset.

On 6/25/06, joe <[EMAIL PROTECTED]> wrote: 




Err, maybe you can fill in more detail. I am not quite sure what you are saying. Are you saying there is a generic ID to log into the website and it can reset anyone's password or are you saying there is a generic ID with rights to reset anyone's password or  

 
Either of those solutions wouldn't be op

RE : Re: [ActiveDir] Question regarding compacting AD DB.

2006-06-27 Thread Yann
Hello Al,

Good links you pointed me to, especially the link to automate the process. Thanks again for clarification on this subject.

Yann

Al Mulnick <[EMAIL PROTECTED]> wrote:

http://technet2.microsoft.com/WindowsServer/en/Library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/Library/975c456e-8b79-4ace-8363-82543236dbb31033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/f/?en/Library/5b1d983d-ffab-4514-a95e-6aa0420dacb51033.mspx

Compacting is a local dit thing. You'll need to deal with it local to each machine. IIRC, you can automate/semi-automate this and can off-set it to not take out your entire forest at the same time. The above links should help.

I've just never seen a big reason to do this on an automated basis. Even with similar amounts of DCs I didn't have enough of a reason to do this. You may want to verify that there is much free space before doing this. Online defrag can be a wonderful thing, and off-line is typically recommended if online is not going to be able to finish during its run time.

Al

On 6/27/06, Yann <[EMAIL PROTECTED]> wrote:

Hello,

It may be a silly question, but when you perform a migration from winNT/w2k to a w2k3 domain, do I then have to compact+defrag the ntds.dit on *EACH* DC2k3 that has been migrated? Or may I do the operation on only one DC and this DC will replicate the state (compact&defrag) to all other DCs?

I have at least 60 DCs :(
I think the answer will be "compact & defrag each DC that has been upgraded", but just to be 100% sure.

Thanks for answer.
Yann

Yahoo! Mail reinvents mail! Discover the new Yahoo! Mail and its revolutionary interface.


RE : RE: [ActiveDir] Question regarding compacting AD DB.

2006-06-27 Thread Yann
Hi,

Thanks for replying. We already did in-place upgrades for half of our DCs.

"Coleman, Hunter" <[EMAIL PROTECTED]> wrote:

If each 2k3 DC is newly promoted, as opposed to an in-place upgrade, then the .dit on those DCs will essentially be compacted with minimal whitespace. Were you planning on rebuilding your DCs as part of the migration, or doing in-place upgrades?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, June 27, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question regarding compacting AD DB.

Hello,

It may be a silly question, but when you perform a migration from winNT/w2k to a w2k3 domain, do I then have to compact+defrag the ntds.dit on *EACH* DC2k3 that has been migrated? Or may I do the operation on only one DC and this DC will replicate the state (compact&defrag) to all other DCs?

I have at least 60 DCs :(
I think the answer will be "compact & defrag each DC that has been upgraded", but just to be 100% sure.

Thanks for answer.
Yann


RE: [ActiveDir] Where's that account being used?

2006-06-27 Thread Free, Bob
It's been a while but I used to use Small Wonder's Service Explorer (it's
since been taken over by ScriptLogic) and it was excellent for
this, also gets scheduled tasks and it is definitely worth a peek. You
can change the password on all those services (and tasks) at once with
it, delete services, set parameters etc.

http://www.scriptlogic.com/products/serviceexplorer/

HTH

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Tuesday, June 27, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Where's that account being used?

Dear fountain of knowledge,

We've inherited a particularly messy AD structure, and we're now
trying to find out where a particular account is in use.  There's
around 80 servers in the domain and 3000 workstations, and this
account appears to be used for pretty much anything that wants to log
on as a service, or anyone who wants domain admin privs.

Is there any kind of audit utility to scan servers and see which
services are using the account, and ideally - any kind of monitoring
package to flag up an alert each time the account is used to, say, map
a drive or connect to a SQL db?

-- 
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche


RE: [ActiveDir] pw reset domain account

2006-06-27 Thread joe



Yeah, but that puts you right back where you were at: a call to 
someone else, might as well be the help desk instead of your manager. Visualize 
working on Saturdays or late at night or whatnot. The idea behind a password 
kiosk is so people can help themselves. We struggled with this at the widget 
company and the solution was determined to be a GINA extension, not sure if they 
implemented it as I left before the dev work was done. 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, June 27, 2006 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account

I think a webpage where your admin or your manager can go in under their ID 
on their PC and submit a request to the system to reset your password, or to 
automatically reset your account might be a great solution. Although this would 
require some diligence in keeping certain attributes in AD populated for every 
user, so using this in conjunction with a provisioning solution (or built into 
the provisioning solution) might be the best idea. 
 
That would eliminate the need for a generic account, wouldn't require GINA 
modifications and won't be overly complex like trying to setup/maintain local 
accounts etc.
 
Phil 
On 6/27/06, joe 
<[EMAIL PROTECTED]> 
wrote: 

  
  
  Yeah the proper way to do this is to modify the GINA so that you can bypass normal 
  logon and go to the website. That being said, not a lot of folks are going to 
  modify GINAs and anyone who is will find a bit o trouble with those GINA 
  mods when they start deploying Vista (i.e. they won't work).
   
  This is a 
  tough nut to crack and the only thing I can really think of that comes close 
  to secure is the machine that is deployed to a user also gets a local ID for 
  them as well or possibly a very well locked down generic local ID that gets 
  added to all workstations. That generic ID should have IE as the shell so it 
  comes right up in a kiosk type mode right to that web site or better yet, a 
  custom written gui app that is used as the shell that exposes that web page 
  and doesn't allow you to do anything but go to that web page ( i.e. not a 
  generic browser). I would also set up the policy for that ID on every machine 
  such that it can't connect to any machine but the webservers hosting the kiosk 
  website across the network... i.e. access this machine from the network DENY 
  for the local generic userid. That would prevent someone from using runas or 
  something like that to go surfing across other machines in an anonymous way 
  since the passwords are all synced. It is a lot of work and a lot of chance of 
  missing something. 
  
   
  
  --
  O'Reilly 
  Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
  Sent: Monday, June 26, 2006 10:34 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] pw reset domain account 
  
  Yes, the latter. This is an account a user would use to login with, 
  then the pw reset website would automatically run. The website has 
  challenge/response Q's for them to get their individual acct reset.
  On 6/25/06, joe 
  <[EMAIL PROTECTED]> 
  wrote: 
  


Err, 
maybe you can fill in more detail. I am not quite sure what you are saying. 
Are you saying there is a generic ID to log into the website and it can 
reset anyone's password or are you saying there is a generic ID with rights 
to reset anyone's password or  
 
Either 
of those solutions wouldn't be optimal and I would love to work in that 
company for a day with that implemented and have people point out who the 
dumbass managers were... Or at least their IDs.   

 
Oh I 
just read that again, is this an idea to give a userid/password to everyone 
so they can get past the GINA and get to the self service website? 

 

--
O'Reilly 
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
Sent: Sunday, June 25, 2006 6:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] pw reset domain account 


There's a proposal at my company for a self service password reset 
website which uses a shared domain account. It's similar to a kiosk 
configuration, but the intent is to publicize the account and password 
so that it can be used from any users' pc when needed. 
 
They have an account-specific OU/GPO configuration which locks down the 
typical stuff you would expect, but my position is that there are too 
many unknown vectors for such an account to be abused. 
 
Since I don't dabble in the various black hat utils d
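joe's mitigation for a published shared account, quoted above, is a local-only kiosk ID whose policy denies "access this computer from the network" so the known password cannot be replayed against other hosts. The script below is an added example of that hardening for one workstation, not code from anyone in the thread. It assumes an elevated prompt; the account name 'pwkiosk' is made up, the password is a placeholder that real deployment tooling would supply, and the four deny rights it sets are the standard user-right constants. It goes slightly beyond joe's wording by also denying remote-interactive, batch and service logon, so the account cannot be used via RDP, scheduled tasks or as a service identity either.

```powershell
# Added example: create a local kiosk account and deny it every logon type
# except interactive, using secedit so it works on XP/2003-era hosts too.
# 'pwkiosk' and the password are placeholders, not values from the thread.

$user = 'pwkiosk'
$pw   = 'placeholder-set-by-deployment'

# 1. Plain local account in Users only; the user cannot change the password.
net user $user $pw /add /passwordchg:no /expires:never /comment:"Password reset kiosk" | Out-Null
net localgroup Users $user /add | Out-Null
$sid = (New-Object System.Security.Principal.NTAccount($user)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 2. Logon types to deny. Network covers SMB/WMI/runas-to-other-hosts (joe's
#    point), remote interactive covers RDP, batch/service cover tasks/services.
$denyRights = 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight',
              'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'

function New-DenyRightsTemplate {
    param([string]$Sid, [string[]]$Rights)
    # secedit /configure REPLACES the holders of each right listed in the
    # template, so export the current assignments and append our SID rather
    # than silently dropping existing deny entries.
    $export = Join-Path $env:TEMP 'rights-before.inf'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $current = @{}
    foreach ($line in Get-Content $export) {          # export is UTF-16 with BOM
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $current[$matches[1]] = $matches[2] }
    }
    $body = foreach ($r in $Rights) {
        $holders = @()
        if ($current[$r]) { $holders = @($current[$r] -split ',' | ForEach-Object { $_.Trim() }) }
        if ($holders -notcontains "*$Sid") { $holders += "*$Sid" }
        "$r = $($holders -join ',')"
    }
    @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]') + $body
}

# 3. Apply the merged template to the local policy.
$inf = Join-Path $env:TEMP 'kiosk-rights.inf'
$db  = Join-Path $env:TEMP 'kiosk-rights.sdb'
New-DenyRightsTemplate -Sid $sid -Rights $denyRights | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

# 4. Verify: each deny right should now list the kiosk SID.
$after = Join-Path $env:TEMP 'rights-after.inf'
secedit /export /cfg $after /areas USER_RIGHTS | Out-Null
Get-Content $after | Where-Object { $_ -match '^SeDeny' }
```

For a fleet the same four rights belong in a GPO under User Rights Assignment rather than per-machine secedit runs, which is what joe means by "the policy for that ID on every machine". None of this addresses the point AWS raises, that an account whose password is public still has an interactive session on the box; the deny rights only bound what that session can reach.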

RE: [ActiveDir] Service time-out

2006-06-27 Thread james . masters
Thanks for the reply, Joe. I am referring to the timeout of a service
on startup (i.e. "The service did not respond in a timely manner").

Thanks,
James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 27, 2006 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Service time-out

Do you mean the timeout for how long a service is allowed to live during a
shutdown before it is just killed? If so that is under the key
hklm\system\currentcontrolset\control in the value
WaitToKillServiceTimeout.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Service time-out

Does anybody know where the service timeout period is set for NT services?

Also, is there a global setting for time outs for all services?

Any help would be appreciated - thanks.

James Masters
Midrange Support
The Kroger Co.
(859) 363-2346 - Desk
(859) 653-8644 - Cell
 


Re: [ActiveDir] Where's that account being used?

2006-06-27 Thread AFidel

For services I use:
net view to enumerate all machines,
process with a little batch processing to clean out the description field,
services.exe from http://wettberg.home.texas.net/services.htm,
grep32; use unique to get a list of computers using the account, or don't,
to get every service using the account.

You could also use ADSI to enumerate
the servers and WMI to query the services fairly easily if you are familiar
with ADSI and WMI.

A more comprehensive approach could
be had using GFI's Languard products, do an audit using network security
scanner to find the services and use security and event log monitor to
track account login usage.







AdamT <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/27/2006 12:22 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Where's that account being used?
Dear fountain of knowledge,

We've inherited a particularly messy AD structure, and we're now
trying to find out where a particular account is in use.  There's
around 80 servers in the domain and 3000 workstations, and this
account appears to be used for pretty much anything that wants to log
on as a service, or anyone who wants domain admin privs.

Is there any kind of audit utility to scan servers and see which
services are using the account, and ideally - any kind of monitoring
package to flag up an alert each time the account is used to, say, map
a drive or connect to a SQL db?

-- 
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche
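AFidel's second suggestion, enumerate the servers with ADSI and ask each one over WMI which services run as the account, is the one that scales to 80 servers without third-party tools, and schtasks.exe covers the scheduled tasks Bob Free mentions. The script below is an added example of that approach and not code from the thread; it assumes a domain account with admin rights on the targets, RPC/WMI reachable from where it runs, and uses 'CORP\svc-legacy' as a made-up account name.

```powershell
# Added example: find which services and scheduled tasks run as a given
# account, using ADSI for the computer list and WMI Win32_Service for the
# "Log On As" identity. 'CORP\svc-legacy' is a constructed example name.

function Get-DomainComputers {
    param([string]$Filter = '(objectCategory=computer)')
    # DirectorySearcher against the logon domain; yields DNS host names.
    $root = [ADSI]''
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.Add('dNSHostName') | Out-Null
    foreach ($r in $searcher.FindAll()) {
        if ($r.Properties['dNSHostName'].Count -gt 0) { $r.Properties['dNSHostName'][0] }
    }
}

function Get-BareUser([string]$Name) {
    # 'CORP\svc-legacy', '.\svc-legacy' and 'svc-legacy@corp.example' -> 'svc-legacy'
    if ($Name -match '\\') { return $Name.Split('\')[-1] }
    return $Name.Split('@')[0]
}

function Find-ServiceAccountUsage {
    param([Parameter(Mandatory)][string]$Account,
          [Parameter(Mandatory)][string[]]$Computer)
    # Win32_Service.StartName is the service's logon identity. Compare the
    # bare user name so all three spellings above match (-eq ignores case).
    $wanted = Get-BareUser $Account
    foreach ($c in $Computer) {
        try {
            Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction Stop |
                Where-Object { $_.StartName -and ((Get-BareUser $_.StartName) -eq $wanted) } |
                ForEach-Object {
                    [pscustomobject]@{ Computer = $c; Service = $_.Name; StartName = $_.StartName
                                       State = $_.State; Path = $_.PathName }
                }
        } catch {
            Write-Warning "$c unreachable: $($_.Exception.Message)"
        }
    }
}

function Find-TaskAccountUsage {
    param([Parameter(Mandatory)][string]$Account,
          [Parameter(Mandatory)][string[]]$Computer)
    # schtasks /query /v /fo csv exposes the "Run As User" column remotely.
    $wanted = Get-BareUser $Account
    foreach ($c in $Computer) {
        schtasks.exe /query /s $c /v /fo csv 2>$null | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -and ((Get-BareUser $_.'Run As User') -eq $wanted) } |
            ForEach-Object { [pscustomobject]@{ Computer = $c; Task = $_.TaskName; RunAs = $_.'Run As User' } }
    }
}

$servers = Get-DomainComputers -Filter '(&(objectCategory=computer)(operatingSystem=*Server*))'
Find-ServiceAccountUsage -Account 'CORP\svc-legacy' -Computer $servers | Format-Table -AutoSize
Find-TaskAccountUsage    -Account 'CORP\svc-legacy' -Computer $servers | Format-Table -AutoSize
```

This answers Adam's first question only. Catching the account being used for drive mappings or SQL logins, his second, needs the logon events on the security logs (or the event-log monitor AFidel mentions), because WMI only shows where the credential is stored, not where it is presented.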



Re: [ActiveDir] Question regarding compacting AD DB.

2006-06-27 Thread Al Mulnick
http://technet2.microsoft.com/WindowsServer/en/Library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true

 
http://technet2.microsoft.com/WindowsServer/en/Library/975c456e-8b79-4ace-8363-82543236dbb31033.mspx?mfr=true

 
http://technet2.microsoft.com/WindowsServer/f/?en/Library/5b1d983d-ffab-4514-a95e-6aa0420dacb51033.mspx

 
Compacting is a local dit thing.  You'll need to deal with it local to each machine. IIRC, you can automate/semi-automate this and can off-set it to not take out your entire forest at the same time. The above links should help. 
 
I've just never seen a big reason to do this on an automated basis.  Even with similar amounts of DCs I didn't have enough of a reason to do this.  You may want to verify that there is much free space before doing this. Online defrag can be a wonderful thing, and off-line is typically recommended if online is not going to be able to finish during its run time. 

 
 
 
Al 
On 6/27/06, Yann <[EMAIL PROTECTED]> wrote:


Hello,
 
It may be a silly question, but when you perform a migration from winNT/w2k to a w2k3 domain, do I then have to compact+defrag the ntds.dit on *EACH* DC2k3 that has been migrated? Or may I do the operation on only one DC and this DC will replicate the state (compact&defrag) to all other DCs?

I have at least 60 DCs :(
I think the answer will be "compact & defrag each DC that has been upgraded", but just to be 100% sure.
 
Thanks for answer.

Yann

 
 


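Al's answer is that compaction is per-DC: the ntds.dit is a local file and offline defragmentation never replicates, so Yann's 60 in-place-upgraded DCs each need it done locally, staggered so the domain keeps serving. The script below is an added example of that per-DC procedure as Microsoft's ntdsutil documentation describes it, not code from the thread. It assumes an elevated prompt on the DC itself and Windows Server 2008 or later, where the NTDS service can be stopped in place; on 2003 and earlier, boot into Directory Services Restore Mode, drop the "activate instance ntds" argument, and skip the Stop-Service/Start-Service lines. C:\NTDS-compact is an assumed scratch path on a volume with room for a full copy of the database.

```powershell
# Added example: offline compaction of ntds.dit on ONE domain controller.
# Run on each DC in turn; nothing here replicates. Assumes Server 2008+.

$p       = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = $p.'DSA Database file'              # e.g. C:\Windows\NTDS\ntds.dit
$logDir  = $p.'Database log files path'        # e.g. C:\Windows\NTDS
$scratch = 'C:\NTDS-compact'                   # assumed scratch location

function Get-DitSizeMB { [math]::Round((Get-Item $ditPath).Length / 1MB, 1) }

# Services that depend on NTDS (KDC, DNS, Netlogon, ...) stop with it and do
# not come back on their own, so record which ones were running.
$deps = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
function Resume-Directory { Start-Service NTDS; $deps | ForEach-Object { Start-Service $_.Name } }

$before = Get-DitSizeMB
New-Item -ItemType Directory -Path $scratch -Force | Out-Null

# 1. Take this DC's directory offline; the other DCs keep serving.
Stop-Service NTDS -Force
try {
    # 2. Write a compacted copy to scratch; the live file is untouched so far.
    ntdsutil "activate instance ntds" files "compact to $scratch" quit quit
    if (-not (Test-Path (Join-Path $scratch 'ntds.dit'))) {
        throw 'Compaction produced no file; original database left in place.'
    }

    # 3. Keep the old file, swap in the compacted one, and delete the old
    #    transaction logs, which no longer match the new database.
    Copy-Item $ditPath (Join-Path $scratch 'ntds.dit.bak') -Force
    Copy-Item (Join-Path $scratch 'ntds.dit') $ditPath -Force
    Remove-Item (Join-Path $logDir '*.log') -Force

    # 4. Verify before going back online. Matching on the success message
    #    ntdsutil prints is an assumption, not a documented exit code.
    $out = ntdsutil "activate instance ntds" files integrity quit quit 2>&1
    if (-not ($out -match 'Integrity check successful')) {
        Copy-Item (Join-Path $scratch 'ntds.dit.bak') $ditPath -Force
        throw "Integrity check failed; old database restored. Output: $($out -join ' ')"
    }
} finally {
    Resume-Directory
}

'{0}: ntds.dit {1} MB -> {2} MB' -f $env:COMPUTERNAME, $before, (Get-DitSizeMB)
```

The before/after size line is the cheap check Al suggests making first: if the online defrag has already been reclaiming space nightly and the numbers barely move on the first DC, there is no reason to take the other 59 offline.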



RE: [ActiveDir] Question regarding compacting AD DB.

2006-06-27 Thread Coleman, Hunter



If each 2k3DC is newly promoted, as opposed to an in-place 
upgrade, then the .dit on those DCs will essentially be compacted with minimal 
whitespace. Were you planning on rebuilding your DCs as part of the migration, 
or doing in-place upgrades?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, June 27, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question regarding compacting AD DB.

Hello,
 
It may be a silly question, but when you perform a migration from winNT/w2k 
to a w2k3 domain, do I then have to compact+defrag the ntds.dit on 
*EACH* DC2k3 that has been migrated? Or may I do the operation on only 
one DC and this DC will replicate the state (compact&defrag) to all other 
DCs?
I have at least 60 DCs :(
I think the answer will be "compact & defrag each DC that has been 
upgraded", but just to be 100% sure.
 
Thanks for answer.
Yann
 
 




Re: [ActiveDir] pw reset domain account

2006-06-27 Thread Phil Renouf
I think a webpage where your admin or your manager can go in under their ID on their PC and submit a request to the system to reset your password, or to automatically reset your account might be a great solution. Although this would require some diligence in keeping certain attributes in AD populated for every user, so using this in conjunction with a provisioning solution (or built into the provisioning solution) might be the best idea.

 
That would eliminate the need for a generic account, wouldn't require GINA modifications and won't be overly complex like trying to set up/maintain local accounts etc.
 
Phil 
On 6/27/06, joe <[EMAIL PROTECTED]> wrote:



Yeah the proper way to do this is to modify the GINA so that you can bypass normal logon and go to the website. That being said, not a lot of folks are going to modify GINAs and anyone who is will find a bit o trouble with those GINA mods when they start deploying Vista (i.e. they won't work).
 
This is a tough nut to crack and the only thing I can really think of that comes close to secure is the machine that is deployed to a user also gets a local ID for them as well or possibly a very well locked down generic local ID that gets added to all workstations. That generic ID should have IE as the shell so it comes right up in a kiosk type mode right to that web site or better yet, a custom written gui app that is used as the shell that exposes that web page and doesn't allow you to do anything but go to that web page (i.e. not a generic browser). I would also set up the policy for that ID on every machine such that it can't connect to any machine but the webservers hosting the kiosk website across the network... i.e. access this machine from the network DENY for the local generic userid. That would prevent someone from using runas or something like that to go surfing across other machines in an anonymous way since the passwords are all synced. It is a lot of work and a lot of chance of missing something.


 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 




From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of AWS
Sent: Monday, June 26, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account 

Yes, the latter. This is an account a user would use to login with, then the pw reset website would automatically run. The website has challenge/response Q's for them to get their individual acct reset.

On 6/25/06, joe <[EMAIL PROTECTED]> wrote:
 



Err, maybe you can fill in more detail. I am not quite sure what you are saying. Are you saying there is a generic ID to log into the website and it can reset anyone's password or are you saying there is a generic ID with rights to reset anyone's password or  

 
Either of those solutions wouldn't be optimal and I would love to work in that company for a day with that implemented and have people point out who the dumbass managers were... Or at least their IDs.   

 
Oh I just read that again, is this an idea to give a userid/password to everyone so they can get past the GINA and get to the self service website? 

 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
Sent: Sunday, June 25, 2006 6:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] pw reset domain account 


There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any users' pc when needed. 

 
They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused. 
 
Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down? 

 
Thanks,
AW




[ActiveDir] Question regarding compacting AD DB.

2006-06-27 Thread Yann
Hello,

It may be a silly question, but when you perform a migration from winNT/w2k to a w2k3 domain, do I then have to compact+defrag the ntds.dit on *EACH* DC2k3 that has been migrated? Or may I do the operation on only one DC and this DC will replicate the state (compact&defrag) to all other DCs?

I have at least 60 DCs :(
I think the answer will be "compact & defrag each DC that has been upgraded", but just to be 100% sure.

Thanks for answer.

Yann


[ActiveDir] Where's that account being used?

2006-06-27 Thread AdamT

Dear fountain of knowledge,

We've inherited a particularly messy AD structure, and we're now
trying to find out where a particular account is in use.  There's
around 80 servers in the domain and 3000 workstations, and this
account appears to be used for pretty much anything that wants to log
on as a service, or anyone who wants domain admin privs.

Is there any kind of audit utility to scan servers and see which
services are using the account, and ideally - any kind of monitoring
package to flag up an alert each time the account is used to, say, map
a drive or connect to a SQL db?

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Self vs. the object name / effective permissions

2006-06-27 Thread joe
Without knowing the details I would start off by saying 
effective permissions isn't the greatest[1] and is very likely to be 
incorrect because without an actual security token to work from on the 
machine that you need to know the effective rights it is very easy to miss 
something and not get it right. I don't even bother looking at effective 
rights ever, I look at the ACLs myself and work it through. 
 
If you want, email me the DSACLS dump to my home address 
and what isn't working and I will give you a free opinion. :)  

 
  joe
 
 
[1] I 
was going to say sucks but I tried to write my own version of it once and it is 
really really really hard.
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Tuesday, June 27, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Self vs. the object name / effective permissions 

Someone came by my cube and said they were having 
permission issues. They assigned Self some rights for computer objects and in 
ADUC the effective permissions are correct. However, they also did effective 
permissions on the name of the computer object and it has different results….Why 
is this?? I know Self represents the object…so where is it getting different 
permissions from? DSAcls is retrieving correct information for me, but this 
seems like a bug to me.
-Brandon 


RE: [ActiveDir] Recieved X out of Y objects

2006-06-27 Thread joe
Those values aren't necessarily absolutely correct, they 
are best effort "guesses" sort of like when you do a google search for something 
and it shows you that you are looking at match 1 of 45,673 but in actuality 
there are only 39,423 actual page matches. Dmitri, Brett, or ~Eric could 
probably give more details if they feel up to it.
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Monday, June 26, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recieved X out of Y objects


Could be that I never took a better look at it and this is a well-known issue, but when dcpromo-ing W2K SP4 to a DC I get "Replicating DC=domain,dc=tld: received X out of Y objects.", where X is larger than Y.

Could it be that X counts 
tombstones and Y does not ? 

Cheers,
Guy



RE: [ActiveDir] Deny permissions in AD

2006-06-27 Thread joe



Note also that there is a hierarchy in the inheritance as 
well... 
 
If you have 
 
L1
  L2
    L3
      U3-1
 
If you set an inheritable deny access for everyone to 
description at L1 that deny would apply all the way down to L3 and U3-1 
(assuming no blocked inheritance). If you consequently grant an inheritable allow 
everyone for description at L2, L2, L3, and U3-1 would have an 
effective grant to description.  You could also set it at L3 or 
explicitly on U3-1. 
 
However, if the inheritable grant and deny of description 
were applied at L1, the deny would win out. 
 
 
  joe

 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 26, 2006 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Deny permissions in AD


Probably order of inheritance…
 
1. Noninherited Deny entries.
2. Noninherited Allow entries.
3. Inherited Deny entries.
4. Inherited Allow entries.
 
:m:dsm:cci:mvp | marcusoh.blogspot.com
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Coffman
Sent: Monday, June 26, 2006 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Deny permissions in AD
 
I have an Active 
Directory 2003 domain that is used only as an LDAP User store for a 3rd party 
Identity Management Application. There are no workstations or 
servers in the domain, other than the DCs themselves. We are trying 
to lock down the domain, so that an ordinary user cannot read other users' 
attributes. For some special attributes, we have implemented the 2K3 SP1 
"Confidential Attribute" function, and it is working well. However, 
over the weekend, another administrator decided to try something that has me a 
little perplexed. Here is what the Admin did: Put a 
DENY ACE for the "Domain Users" group for "Read All Properties" 
(in advanced security settings) on an OU containing a lot of 
users. Now, your average user account cannot read attributes, which 
is good. Domain Admins and Administrators can read the attributes of users 
in the OU, which is also good. However, I am wondering, 
why does this work this way? Shouldn't the DENY ACE override all 
other permissions, including those inherited for domain Admins, which I believe 
is a member of the domain users group by default. Also, an additional group was 
created which allows read/write access to a single user attribute in the 
same OU. A non-administrative account, when added to this group, can read 
and write to the attribute, even though there is a deny on read all 
properties. Can anyone tell me why this is working this way? It is 
contrary to what I thought I knew about Deny 
ACEs. Thanks, Josh  
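
The ordering that joe and Marcus describe above (explicit entries before inherited ones, denies before allows, nearer inheritance ahead of farther inheritance) is exactly what the Windows access check walks, and it is also why joe, in the effective-permissions thread above, prefers to work through the DSACLS output by hand rather than trust the Effective Permissions tab. The following Python script is an added example, not code from this thread or from Microsoft: it models a DACL in canonical order and runs a kernel-style access check over it to reproduce the L1/L2/L3/U3-1 cases. One refinement over the four-step list: Windows groups inherited ACEs by the container they came from, nearest parent first, with denies before allows inside each group, which is what makes the allow inherited from L2 beat the deny inherited from L1. `Node`, `Ace`, the right string "read description" and the token group names are constructed for the example; rights are plain strings rather than access-mask bits.

```python
"""Added example: canonical DACL ordering and the access check it feeds.
Not code from the thread; Node/Ace and all names are constructed."""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Ace:
    kind: str                 # "allow" or "deny"
    trustee: str              # group or principal the ACE names
    rights: FrozenSet[str]    # rights the ACE covers
    inherited: bool = False   # True once the ACE has flowed down from a parent
    depth: int = 0            # 0 = explicit, 1 = from parent, 2 = grandparent, ...


@dataclass
class Node:
    name: str
    aces: List[Ace] = field(default_factory=list)   # ACEs set directly on this object
    block_inheritance: bool = False                 # stop ACEs coming from above


def _denies_first(aces: Iterable[Ace]) -> List[Ace]:
    # sorted() is stable, so the order within denies and within allows is kept
    return sorted(aces, key=lambda a: a.kind != "deny")


def canonical_dacl(path: List[Node]) -> List[Ace]:
    """DACL of path[-1] (path runs root first) in evaluation order: explicit
    ACEs (denies, then allows), then one group per ancestor starting with the
    nearest parent, each group again denies before allows."""
    target = path[-1]
    dacl = _denies_first(target.aces)
    if not target.block_inheritance:
        for depth, node in enumerate(reversed(path[:-1]), start=1):
            group = [Ace(a.kind, a.trustee, a.rights, True, depth) for a in node.aces]
            dacl += _denies_first(group)
            if node.block_inheritance:   # this node's own ACEs still flow down,
                break                    # nothing from above it does
    return dacl


def access_check(dacl: List[Ace], token: Set[str], requested: Iterable[str]) -> bool:
    """Walk the DACL once, in order: the first deny touching a right that is
    still wanted ends the check; allows accumulate until nothing is left."""
    remaining = set(requested)
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.rights & remaining:
                return False
        else:
            remaining -= ace.rights
            if not remaining:
                return True
    return False   # never granted: an empty or non-matching DACL denies


def order_of(path: List[Node]) -> List[Tuple[str, str, int]]:
    return [(a.kind, a.trustee, a.depth) for a in canonical_dacl(path)]


READ_DESC = frozenset({"read description"})
USER_TOKEN = {"Everyone", "Domain Users"}
ADMIN_TOKEN = {"Everyone", "Domain Users", "Domain Admins"}


def tree(l1=(), l2=(), l3=(), user=(), block_at_l2=False) -> List[Node]:
    """joe's L1 > L2 > L3 > U3-1 chain with ACEs set at the chosen levels."""
    return [Node("L1", list(l1)), Node("L2", list(l2), block_at_l2),
            Node("L3", list(l3)), Node("U3-1", list(user))]


def scenario_allow_below_deny() -> bool:
    """Inheritable deny at L1, inheritable allow at L2: U3-1 gets the allow."""
    path = tree(l1=[Ace("deny", "Everyone", READ_DESC)],
                l2=[Ace("allow", "Everyone", READ_DESC)])
    return access_check(canonical_dacl(path), USER_TOKEN, READ_DESC)


def scenario_same_level() -> bool:
    """Inheritable allow and deny both at L1: the deny sorts first and wins."""
    path = tree(l1=[Ace("allow", "Everyone", READ_DESC),
                    Ace("deny", "Everyone", READ_DESC)])
    return access_check(canonical_dacl(path), USER_TOKEN, READ_DESC)


def scenario_blocked_inheritance() -> bool:
    """Allow at L1 but inheritance blocked at L2: nothing reaches U3-1."""
    path = tree(l1=[Ace("allow", "Everyone", READ_DESC)], block_at_l2=True)
    return access_check(canonical_dacl(path), USER_TOKEN, READ_DESC)


def scenario_explicit_allow_on_object(token: Set[str]) -> bool:
    """Inherited deny for Domain Users, explicit allow for Domain Admins set on
    the user object itself: the explicit ACE is evaluated first."""
    path = tree(l1=[Ace("deny", "Domain Users", READ_DESC)],
                user=[Ace("allow", "Domain Admins", READ_DESC)])
    return access_check(canonical_dacl(path), token, READ_DESC)


if __name__ == "__main__":
    print("allow at L2 under deny at L1:", scenario_allow_below_deny())
    print("allow and deny both at L1:   ", scenario_same_level())
    print("inheritance blocked at L2:   ", scenario_blocked_inheritance())
    print("admin, explicit allow on obj:", scenario_explicit_allow_on_object(ADMIN_TOKEN))
    print("plain user, same object:     ", scenario_explicit_allow_on_object(USER_TOKEN))
```

The last scenario is the pattern to check when, as in Josh's case, an inherited deny appears not to apply to administrators: an ACE set directly on the user objects (the class defaultSecurityDescriptor, for example, stamps explicit allows for administrative groups onto each new object) is evaluated ahead of anything inherited, so run `dsacls` against one of the affected user objects rather than the OU and look at the non-inherited entries first.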


RE: [ActiveDir] pw reset domain account

2006-06-27 Thread joe



Yeah the proper way to do this is to modify the GINA so 
that you can bypass normal logon and go to the website. That being said, not a 
lot of folks are going to modify GINAs and anyone who is will find a bit o 
trouble with those GINA mods when they start deploying Vista (i.e. they won't 
work).
 
This is a tough nut to crack and the only thing I can 
really think of that comes close to secure is the machine that is deployed to a 
user also gets a local ID for them as well or possibly a very well locked down 
generic local ID that gets added to all workstations. That generic ID should 
have IE as the shell so it comes right up in a kiosk type mode right to that web 
site or better yet, a custom written gui app that is used as the shell that 
exposes that web page and doesn't allow you to do anything but go to that web 
page (i.e. not a generic browser). I would also set up the policy for that ID on 
every machine such that it can't connect to any machine but the webservers 
hosting the kiosk website across the network... i.e. access this machine from 
the network DENY for the local generic userid. That would prevent someone from 
using runas or something like that to go surfing across other machines in an 
anonymous way since the passwords are all synced. It is a lot of work and a lot 
of chance of missing something.
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AWS
Sent: Monday, June 26, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account
Yes, the latter. This is an account a user would use to login with, 
then the pw reset website would automatically run. The website has 
challenge/response Q's for them to get their individual acct reset.
On 6/25/06, joe 
<[EMAIL PROTECTED]> 
wrote: 

  
  
  Err, maybe 
  you can fill in more detail. I am not quite sure what you are saying. Are you 
  saying there is a generic ID to log into the website and it can reset anyone's 
  password or are you saying there is a generic ID with rights to reset anyone's 
  password or  
   
  Either of 
  those solutions wouldn't be optimal and I would love to work in that company 
  for a day with that implemented and have people point out who the dumbass 
  managers were... Or at least their IDs.   
   
  Oh I just 
  read that again, is this an idea to give a userid/password to everyone so they 
  can get past the GINA and get to the self service website? 

   
  
  --
  O'Reilly 
  Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
  Sent: Sunday, June 25, 2006 6:35 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] pw reset domain account 
  
  
  There's a proposal at my company for a self service password reset 
  website which uses a shared domain account. It's similar to a kiosk 
  configuration, but the intent is to publicize the account and password so 
  that it can be used from any users' pc when needed. 
   
  They have an account-specific OU/GPO configuration which locks down the 
  typical stuff you would expect, but my position is that there are too 
  many unknown vectors for such an account to be abused. 
   
  Since I don't dabble in the various black hat utils du jour, does anyone 
  have any thoughts on how a globally known domain account could be hacked 
  upon? Conversely, is there any way such an account could be effectively locked 
  down? 
   
  Thanks,
  AW
  


RE: [ActiveDir] Service time-out

2006-06-27 Thread joe
Do you mean timeout for how long a service is allowed to live during a shutdown
before it is just killed? If so that is under the key
hklm\system\currentcontrolset\control in the value WaitToKillServiceTimeout.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Service time-out

Does anybody know where the service timeout period is set for NT services?

Also, is there a global setting for time outs for all services?

Any help would be appreciated - thanks.

James Masters
Midrange Support
The Kroger Co.
(859) 363-2346 - Desk
(859) 653-8644 - Cell
 


RE: [ActiveDir] Password Expiration

2006-06-27 Thread joe
Basically when a user logs on, the DC processing the authentication
retrieves the local time in Int8 format and the value of maxPwdAge on the NC
Head. It then subtracts the maxPwdAge[1] from the local time Int8 value and
checks the pwdLastSet value of the user attempting to log on. If the
pwdLastSet value is less than the previously calculated value then the
account is considered expired and the account cannot be logged into.

That is the long technical way of saying, the latter... ;o)

Something similar occurs with lockouts only the NC head attribute is
lockoutDuration and the user attribute is lockoutTime and the account is
locked out still if the lockoutTime value is greater than the calculated
value. If the account is determined to be outside of the lockout duration
the DC at that point clears the lockoutTime value[2].  


   joe


[1] Actually it adds it, the maxPwdAge value is negative but I didn't want
to throw people for a loop by saying adds it if they didn't look at the
value or understand you can add a positive value and a negative value.

[2] I state this for those who look at a user with a lockoutTime value but
know the account isn't locked and wonder what is going on. This was a bug in
ADUC for some time where if there was any value in lockoutTime, the account
was considered locked. I think they fixed it but I am not sure, I hope so as
I bugged it like 10 times since December 1999.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Monday, June 26, 2006 5:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Expiration

We have a 120 day password expiration GPO.  What happens if a user changes
their password in the 120 day time period?  Do they still get prompted with
the whole domain does or do they get prompted 120 days after their reset
their password?  Thanks.
 
-Christine
 
 
Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place 
Boston, MA 02216
 
617-748-6034
617-293-4407
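
joe's description of the expiry check, as an added Python example (not code from the thread): the Int8/FILETIME conversions are done in integers, maxPwdAge and lockoutDuration are handled as the negative intervals he notes in footnote [1], and the lockout check follows his second paragraph, including the stale non-zero lockoutTime of footnote [2]. The 0x8000000000000000 value of maxPwdAge ("never expires") and lockoutDuration ("until an administrator unlocks"), pwdLastSet of 0 meaning the password must be changed at next logon, and the userAccountControl flag 0x10000 (password never expires on the user) are standard AD semantics the thread does not mention; all dates are constructed to match Christine's 120-day example.

```python
"""Added example of the pwdLastSet/maxPwdAge and lockoutTime/lockoutDuration
checks joe describes. Not code from the thread; dates are constructed."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000       # Int8/FILETIME values count 100-nanosecond intervals
INT8_MIN = -0x8000000000000000      # 0x8000000000000000 read as a signed Int8: maxPwdAge
                                    # "never expires", lockoutDuration "until unlocked"
UF_DONT_EXPIRE_PASSWD = 0x10000     # userAccountControl bit: password never expires


def utc(*ymd_hms: int) -> datetime:
    return datetime(*ymd_hms, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Aware datetime -> 100 ns ticks since 1601-01-01, in integers (no float loss)."""
    td = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * TICKS_PER_SECOND + td.microseconds * 10


def from_filetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def duration_to_int8(days: int = 0, minutes: int = 0) -> int:
    """Policy durations (maxPwdAge, lockoutDuration) are stored as negative tick counts."""
    return -((days * 86400 + minutes * 60) * TICKS_PER_SECOND)


def password_expired(pwd_last_set: int, max_pwd_age: int, now: datetime,
                     user_account_control: int = 0) -> bool:
    """joe's check: expired when pwdLastSet < now + maxPwdAge (maxPwdAge is negative,
    so the addition is really a subtraction, as his footnote [1] says)."""
    if pwd_last_set == 0:
        return True                        # must change password at next logon
    if user_account_control & UF_DONT_EXPIRE_PASSWD or max_pwd_age == INT8_MIN:
        return False
    threshold = to_filetime(now) + max_pwd_age
    return pwd_last_set < threshold


def password_expires_at(pwd_last_set: int, max_pwd_age: int) -> datetime:
    """Answer to Christine's question: the clock runs from the user's own pwdLastSet."""
    return from_filetime(pwd_last_set - max_pwd_age)


def still_locked_out(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """Locked while lockoutTime > now + lockoutDuration; a non-zero lockoutTime
    outside that window is stale, not a lock (joe's footnote [2])."""
    if lockout_time == 0:
        return False
    if lockout_duration == INT8_MIN:
        return True                        # locked until an administrator unlocks
    return lockout_time > to_filetime(now) + lockout_duration


def christine_case():
    """120-day policy, password changed 2006-05-01, checked 2006-06-27 (constructed)."""
    max_age = duration_to_int8(days=120)
    changed = to_filetime(utc(2006, 5, 1))
    return password_expired(changed, max_age, utc(2006, 6, 27)), \
        password_expires_at(changed, max_age)


if __name__ == "__main__":
    expired, when = christine_case()
    print("expired now:", expired, "| expires at:", when.isoformat())
    dur = duration_to_int8(minutes=30)
    locked = to_filetime(utc(2006, 6, 27, 10, 0))
    print("locked at 10:20:", still_locked_out(locked, dur, utc(2006, 6, 27, 10, 20)),
          "| locked at 10:40:", still_locked_out(locked, dur, utc(2006, 6, 27, 10, 40)))
```

The comparison is strict (`<`), so a pwdLastSet exactly at the threshold is still valid; a replicated pwdLastSet can lag by seconds between DCs, which is why two DCs can briefly disagree on the same account.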


Re: [ActiveDir] Monitoring AD Database

2006-06-27 Thread Brett Shirley
If you give me specifics on which performance counters specifically don't
show up for 2003 that are there in 2000, I can look into it (could've been
removed on purpose, unintentionally removed, superseded by another
counter, or simply made squeaky).

Cheers,
BrettSh [msft]


On Tue, 27 Jun 2006, Teo De Las Heras wrote:

> So I found the following article which pertains to Windows 2000 on adding
> the AD database counters.  It works on Windows 2003, but not all the
> counters listed for 2000 show up on 2003.  Is there something I'm missing?
> 
> http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/addeploy/addch09.mspx?mfr=true
> 
> Teo
> 



[ActiveDir] Self vs. the object name / effective permissions

2006-06-27 Thread Bernier, Brandon \(.\)
Someone came by my cube and said they were having permission issues. They assigned Self some rights for computer objects and in ADUC the effective permissions are correct. However, they also did effective permissions on the name of the computer object and it has different results….Why is this?? I know Self represents the object…so where is it getting different permissions from? DSAcls is retrieving correct information for me, but this seems like a bug to me.

-Brandon





[ActiveDir] [Fwd: Active Directory Security Checklist, Version 1 Release 1.1 (NEW) dated 07 June 2006 (UNCLASSIFIED)]

2006-06-27 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]



 Original Message 
Subject: 	Active Directory Security Checklist, Version 1 Release 1.1 
(NEW) dated 07 June 2006 (UNCLASSIFIED)

Date:   Tue, 27 Jun 2006 09:53:22 -0400
From:   IASE <[EMAIL PROTECTED]>



Classification: _* UNCLASSIFIED*_
Caveats: NONE

DISA Field Security Operations has developed an Active Directory 
Security Checklist.  This Active Directory Security Checklist provides 
the procedures for conducting a Security Readiness Review (SRR) to 
determine compliance with the requirements in the Active Directory 
Security Technical Implementation Guide (STIG). This Checklist document 
must be used together with the corresponding version of the STIG document.


__

As in the related STIG, this Checklist addresses three review subjects:
- Active Directory Implementation - This subject covers checks for AD 
Domain Controllers, AD Domains, and the AD Forest that make up an 
implementation of Active Directory.


- Synchronization\Maintenance Application - This subject covers checks 
for an individual installation of an application used to perform 
synchronization or maintenance on one or more Active Directory implementations.


- ADAM - This subject covers checks for an individual installation of 
ADAM as a directory service.



Classification: _* UNCLASSIFIED*_
Caveats: NONE



[ActiveDir] Monitoring AD Database

2006-06-27 Thread Teo De Las Heras
So I found the following article which pertains to Windows 2000 on adding the AD database counters.  It works on Windows 2003, but not all the counters listed for 2000 show up on 2003.  Is there something I'm missing?

 
http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/addeploy/addch09.mspx?mfr=true

 
Teo


RE: [ActiveDir] Group Policy question

2006-06-27 Thread neil.ruston
Various 3rd party offerings are available in this space.

NetIQ, Quest, ScriptLogic and NetPro, for example, offer tools in this
area.

They can be used to grant users permissions to make 'offline' GPO
changes, which are then approved by an admin and deployed into prod by a
service account.

Naturally, they are not free, as is GPMC, but they offer an offline
model, with granular delegation and workflow too.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: 26 June 2006 19:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Policy question

Colleagues,

Our Microcomputer Support group wants the ability to create Group Policy
objects and apply them to various workstations. I've taken a few classes
in AD, but I'm a tad shaky on how to give these folks just barely enough
privs to create GPOs and only link them to the OUs I choose.

It would seem that I should add the whole Micro group to the "Group
Policy Creator Owners" group in the "Users" OU, but the description
"Members in this group can modify group policy for the domain" scares me
a bit.

Unless, of course, it is *also* necessary to use the Delegate Control
wizard on whatever OU's they need, thus limiting their power to link
GPOs to only those OUs.

All suggestions from you knowledgeable AD Admins gratefully accepted!

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


