Re: [ActiveDir] UPPER case for username

[Paul Williams]

I've not tested this (just hashed it up as I read your post, so there's 
probably going to be some syntax errors, etc. --please test first).


But here's a quick and dirty vbscript that should change all uppercase 
accounts to lowercase.



set oConn=createObject(ADODB.Connection)
set oComm=createObject(ADODB.Command)

' configure provider and define command
oConn.provider=ADsDSOObject
oConn.openActive Directory Provider
oComm.activeConnection=oConn

' build query
sADsPath= LDAP://oRootDse.get(defaultNamingContext);
sFilter = ((objectCategory=person)(objectClass=user));
sAttrs = ADsPath,sAMAccountName;
sScope = SubTree
sQuery = sADsPathsFiltersAttrssScope

' configure command properties
oComm.commandText=sQuery
oComm.properties(Page Size)=128
oComm.properties(Size Limit)=10
oComm.properties(Cache Results)=false

' execute query
set oRs=oComm.execute

if(not oRs.eOF)then ' check to see if any results
oRs.moveFirst ' were returned

' iterate result set
while not oRs.eOF
sAMAccountName = oRs.fields(1).value
if(uCase(sAMAccountName) = sAMAccountName)then
 sAMAccountName = lCase(sAMAccountName)
 set oUser = getObject(oRs.Fields(0))
 oUser.putsAMAccountName,sAMAccountName
 oUser.setInfo
end if
oRs.moveNext
wend
else
' empty record set (no results returned)
end if


--Paul

- Original Message - 
From: Irwan Hadi [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 09, 2006 2:14 AM
Subject: [ActiveDir] UPPER case for username



We are in the process of bringin in a couple hundred users from a
Novell Groupwise system to our AD 2003 + Exchange 2003 system. Our AD
is in Windows 2003 Native mode for forest and domain.

Because of the need to integrate Groupwise and Exchange, we need to
use Microsoft Exchange Connector for Groupwise (and Quest Migration
Wizard). The problem is, the administrator of the Novell Groupwise has
set their standard username to be in UPPER CASE, eg: JDOE, instead of
lower case eg: jdoe, and Exchange Connector for Groupwise will create
the username with the same case it is now in Groupwise.

This means in our AD domain, we will have a couple hundred users who
use UPPER CASE for their username.

Now the questions are:
- Will this cause any problem with any of Microsoft product in the
future (eg: Sharepoint).
- Is there a way to change the username  in CAPS to be in lower
letter, once Exchange connector for Groupwise creates the user?

Thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] FMSO roles split, patch question.

[John Strongosky]

06-040?? What is this?

john


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]Sent: Tuesday, August 08, 2006 5:17 
PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] 
FMSO roles split, patch question.
The main thing it to test and approve 06-040 and get that one on the 
fast track IMHO.Deji Akomolafe wrote: 

  
  It doesn't 
  matter.
  
  
  
  Sincerely,  
  _ 
   (, / | 
  /) 
  /) /)  /---| 
  (/_ __ ___// _ // _ ) 
  / |_/(__(_) // 
  (_(_)(/_(_(_/(__(/_(_/ 
  /) 
   
  (/ Microsoft MVP - Directory 
  Serviceswww.akomolafe.com- we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you 
  were worried about Yesterday? 
  -anon
  
  
  From: John StrongoskySent: Tue 
  8/8/2006 4:49 PMTo: ActiveDir@mail.activedir.orgSubject: 
  [ActiveDir] FMSO roles split, patch question.
  
  We 
  have our FMSO roles split between 2 dc's. They are Schema Master/Domain Tree 
  Operator on 1 and on 2, the roles PDC Emulator/Rid Pool/Intrastate on 
  the other.After I apply the patches from Microsoft what is the beat 
  practices for the boot order...or does it matter?
  
  1. 
  Remote DC/GC's first
  2. 
  no. 1
  3. 
  then no 2.
  
  
  thanks
  
  
  -- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbsList 
info : http://www.activedir.org/List.aspx List FAQ : 
http://www.activedir.org/ListFAQ.aspx List archive: 
http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Weak AD passwords

[McCann, Danny]

Title: Message



Hi

Haven't used it, but one of my colleagues swears it's too good. 
:)Try Rainbow Tables.

Cheers

Danny


  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Rimmerman, RussSent: 20 March 2006 
  21:38To: ActiveDir@mail.activedir.orgSubject: 
  [ActiveDir] Weak AD passwords
  Can anyone 
  recommend any tools to find which of our users have weak AD passwords? 
  We used to use L0phtcrack back in the day, but it doesn't appear to be 
  supported any longer? Other than enforcing complex passwords (which we 
  do) and 8 character minimum, we'd like to figure out who uses things like 
  "Password1" or something silly like that.
  
  Thanks in 
  advance
  Email has been scanned for viruses 
  by Altman Technologies' email management service
  


  ~~This 
e-mail is confidential, may contain proprietary informationof the 
Cooper Cameron Corporation and its operating Divisionsand may be 
confidential or privileged.This e-mail should be read, copied, 
disseminated and/or used onlyby the addressee. If you have received 
this message in error pleasedelete it, together with any 
attachments, from your 
system.~~

Re: [ActiveDir] FMSO roles split, patch question.

[Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]]

Security bulletin 06-040.. out yesterday.

Put it on a test priority folks.

http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

John Strongosky wrote:


06-040?? What is this?
 
john



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]

*Sent:* Tuesday, August 08, 2006 5:17 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] FMSO roles split, patch question.

The main thing it to test and approve 06-040 and get that one on the 
fast track IMHO.


Deji Akomolafe wrote:


It doesn't matter.
 


Sincerely,
   _   
  (, /  |  /)   /) /)  
/---| (/_  __   ___// _   //  _

 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /) 
   (/  
Microsoft MVP - Directory Services
www.akomolafe.com x-excid://3277/uri:http://www.akomolafe.com - 
we know IT

*-5.75, -3.23*
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday? -anon



*From:* John Strongosky
*Sent:* Tue 8/8/2006 4:49 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] FMSO roles split, patch question.

We have our FMSO roles split between 2 dc's. They are Schema 
Master/Domain Tree Operator on 1 and on 2,  the roles PDC 
Emulator/Rid Pool/Intrastate on the other. After I apply the patches 
from Microsoft what is the beat practices for the boot order...or 
does it matter?
 
1. Remote DC/GC's first

2. no. 1
3. then no 2.
 
 
thanks
 
 
 



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx List FAQ : 
http://www.activedir.org/ListFAQ.aspx List archive: 
http://www.activedir.org/ml/threads.aspx


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] Weak AD passwords

[Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]]

John the Ripper

McCann, Danny wrote:


Hi
 
Haven't used it, but one of my colleagues swears it's too good. :) Try 
Rainbow Tables.
 
Cheers
 
Danny
 


-Original Message-
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of
*Rimmerman, Russ
*Sent:* 20 March 2006 21:38
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Weak AD passwords

Can anyone recommend any tools to find which of our users have
weak AD passwords?  We used to use L0phtcrack back in the day, but
it doesn't appear to be supported any longer?  Other than
enforcing complex passwords (which we do) and 8 character minimum,
we'd like to figure out who uses things like Password1 or
something silly like that.
 
Thanks in advance


Email has been scanned for viruses by Altman Technologies' email
management service http://www.altman.co.uk/emailsystems

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] Weak AD passwords

[Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]]

http://www.elcomsoft.com/ppa.html

Password auditor

McCann, Danny wrote:


Hi
 
Haven't used it, but one of my colleagues swears it's too good. :) Try 
Rainbow Tables.
 
Cheers
 
Danny
 


-Original Message-
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of
*Rimmerman, Russ
*Sent:* 20 March 2006 21:38
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Weak AD passwords

Can anyone recommend any tools to find which of our users have
weak AD passwords?  We used to use L0phtcrack back in the day, but
it doesn't appear to be supported any longer?  Other than
enforcing complex passwords (which we do) and 8 character minimum,
we'd like to figure out who uses things like Password1 or
something silly like that.
 
Thanks in advance


Email has been scanned for viruses by Altman Technologies' email
management service http://www.altman.co.uk/emailsystems

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Weak AD passwords

[Michael B. Smith]

Title: Message



I took the time to generate the 64 GB tables with the full 
US-ASCII character set (I spread it out over a couple of dozen servers and it 
only took about a week) last year.

I ran it last week against one of my environments. It 
cracked 1,628 passwords out of 1,629 total accounts in18 hours. Not bad at 
all.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, 
DannySent: Wednesday, August 09, 2006 11:00 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Weak AD 
passwords

Hi

Haven't used it, but one of my colleagues swears it's too good. 
:)Try Rainbow Tables.

Cheers

Danny


  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Rimmerman, RussSent: 20 March 2006 
  21:38To: ActiveDir@mail.activedir.orgSubject: 
  [ActiveDir] Weak AD passwords
  Can anyone 
  recommend any tools to find which of our users have weak AD passwords? 
  We used to use L0phtcrack back in the day, but it doesn't appear to be 
  supported any longer? Other than enforcing complex passwords (which we 
  do) and 8 character minimum, we'd like to figure out who uses things like 
  "Password1" or something silly like that.
  
  Thanks in 
  advance
  Email has been scanned for viruses 
  by Altman Technologies' email management service
  


  ~~This 
e-mail is confidential, may contain proprietary informationof the 
Cooper Cameron Corporation and its operating Divisionsand may be 
confidential or privileged.This e-mail should be read, copied, 
disseminated and/or used onlyby the addressee. If you have received 
this message in error pleasedelete it, together with any 
attachments, from your 
system.~~

RE: [ActiveDir] Weak AD passwords

[AFidel]

And as lm configuration #6 from http://www.antsight.com/zsl/rainbowcrack/
shows it's trivial to crack ANY reasonable windows password with length
14 characters unless lmhashes are turned off!(lm hashes are not stored
for passwords longer than 14 characters). Unfortunately if you have to
support downlevel clients you can't turn off lmhash system wide, but it
can be disabled on a per-account basis so any admin type accounts should
probably have it turned off.

Andrew Fidel





McCann, Danny
[EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
08/09/2006 10:59 AM



Please respond to
ActiveDir@mail.activedir.org





To
ActiveDir@mail.activedir.org


cc



Subject
RE: [ActiveDir] Weak AD passwords








Hi

Haven't used it, but one of my
colleagues swears it's too good. :) Try Rainbow Tables.

Cheers

Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Rimmerman, Russ
Sent: 20 March 2006 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weak AD passwords

Can anyone recommend any tools to find which
of our users have weak AD passwords? We used to use L0phtcrack back
in the day, but it doesn't appear to be supported any longer? Other
than enforcing complex passwords (which we do) and 8 character minimum,
we'd like to figure out who uses things like Password1 or something
silly like that.

Thanks in advance
Email
has been scanned for viruses by Altman Technologies' email management service



~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~

RE: [ActiveDir] Weak AD passwords

[neil.ruston]

"...but it can be disabled on a 
per-account basis so any admin type accounts should probably have it turned 
off. "

how is this done please? I know how it can be done at 
the domain level, but not per user.

neil


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: 09 August 2006 16:33To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Weak AD 
passwords
And as lm 
configuration #6 from http://www.antsight.com/zsl/rainbowcrack/ shows it's 
trivial to crack ANY reasonable windows password with length 14 characters 
unless lmhashes are turned off!(lm hashes are not stored for passwords longer 
than 14 characters). Unfortunately if you have to support downlevel clients you 
can't turn off lmhash system wide, but it can be disabled on a per-account basis 
so any admin type accounts should probably have it turned off. 
Andrew Fidel 

  
  
"McCann, Danny" 
  [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 
  08/09/2006 10:59 AM 
  


  
Please respond 
toActiveDir@mail.activedir.org

  


  
To
  ActiveDir@mail.activedir.org 

  
cc
  

  
Subject
  RE: [ActiveDir] Weak AD 
passwords
  


  
  Hi  Haven't used it, but one of my colleagues swears it's too 
good. :) Try Rainbow Tables.  Cheers  
Danny  -Original 
Message-From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
RussSent: 20 March 2006 21:38To: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Weak AD 
passwordsCan anyone recommend any tools 
to find which of our users have weak AD passwords? We used to use 
L0phtcrack back in the day, but it doesn't appear to be supported any longer? 
Other than enforcing complex passwords (which we do) and 8 character 
minimum, we'd like to figure out who uses things like "Password1" or something 
silly like that.  Thanks in advance 
Email has been scanned for viruses by Altman Technologies' email 
management service 


  
  
~~This e-mail 
  is confidential, may contain proprietary informationof the Cooper 
  Cameron Corporation and its operating Divisionsand may be confidential 
  or privileged.This e-mail should be read, copied, disseminated 
  and/or used onlyby the addressee. If you have received this message in 
  error pleasedelete it, together with any attachments, from your 
  system.~~PLEASE READ: The information contained in this email is confidential and

intended for the named recipient(s) only. If you are not an intended

recipient of this email please notify the sender immediately and delete your

copy from your system. You must not copy, distribute or take any further

action in reliance on it. Email is not a secure method of communication and

Nomura International plc ('NIplc') will not, to the extent permitted by law,

accept responsibility or liability for (a) the accuracy or completeness of,

or (b) the presence of any virus, worm or similar malicious or disabling

code in, this message or any attachment(s) to it. If verification of this

email is sought then please request a hard copy. Unless otherwise stated

this email: (1) is not, and should not be treated or relied upon as,

investment research; (2) contains views or opinions that are solely those of

the author and do not necessarily represent those of NIplc; (3) is intended

for informational purposes only and is not a recommendation, solicitation or

offer to buy or sell securities or related financial instruments.  NIplc

does not provide investment services to private customers.  Authorised and

regulated by the Financial Services Authority.  Registered in England

no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,

London, EC1A 4NP.  A member of the Nomura group of companies.

RE: [ActiveDir] Weak AD passwords

[neil.ruston]

Title: Message



With the assistance, support and ratification from your IT 
Security department, of course :)

Do you use complex passwords in the below 
scenario?

neil


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. 
SmithSent: 09 August 2006 16:25To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Weak AD 
passwords

I took the time to generate the 64 GB tables with the full 
US-ASCII character set (I spread it out over a couple of dozen servers and it 
only took about a week) last year.

I ran it last week against one of my environments. It 
cracked 1,628 passwords out of 1,629 total accounts in18 hours. Not bad at 
all.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, 
DannySent: Wednesday, August 09, 2006 11:00 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Weak AD 
passwords

Hi

Haven't used it, but one of my colleagues swears it's too good. 
:)Try Rainbow Tables.

Cheers

Danny


  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Rimmerman, RussSent: 20 March 2006 
  21:38To: ActiveDir@mail.activedir.orgSubject: 
  [ActiveDir] Weak AD passwords
  Can anyone 
  recommend any tools to find which of our users have weak AD passwords? 
  We used to use L0phtcrack back in the day, but it doesn't appear to be 
  supported any longer? Other than enforcing complex passwords (which we 
  do) and 8 character minimum, we'd like to figure out who uses things like 
  "Password1" or something silly like that.
  
  Thanks in 
  advance
  Email has been scanned for viruses 
  by Altman Technologies' email management service
  


  ~~This 
e-mail is confidential, may contain proprietary informationof the 
Cooper Cameron Corporation and its operating Divisionsand may be 
confidential or privileged.This e-mail should be read, copied, 
disseminated and/or used onlyby the addressee. If you have received 
this message in error pleasedelete it, together with any 
attachments, from your 
system.~~PLEASE READ: The information contained in this email is confidential and

intended for the named recipient(s) only. If you are not an intended

recipient of this email please notify the sender immediately and delete your

copy from your system. You must not copy, distribute or take any further

action in reliance on it. Email is not a secure method of communication and

Nomura International plc ('NIplc') will not, to the extent permitted by law,

accept responsibility or liability for (a) the accuracy or completeness of,

or (b) the presence of any virus, worm or similar malicious or disabling

code in, this message or any attachment(s) to it. If verification of this

email is sought then please request a hard copy. Unless otherwise stated

this email: (1) is not, and should not be treated or relied upon as,

investment research; (2) contains views or opinions that are solely those of

the author and do not necessarily represent those of NIplc; (3) is intended

for informational purposes only and is not a recommendation, solicitation or

offer to buy or sell securities or related financial instruments.  NIplc

does not provide investment services to private customers.  Authorised and

regulated by the Financial Services Authority.  Registered in England

no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,

London, EC1A 4NP.  A member of the Nomura group of companies.

Re: [ActiveDir] Weak AD passwords

[Paul Williams]

Title: Message



Lophcrack was purchased by Symantec and is 
now sold as an enterprise security product. It's called LC5, I believe, 
but has recently been discontinued (after symantec stopped selling it to people 
outside of North America) and support runs out at the end of the year. 
Which is a real pain as I've recently recommended it and now need to revise my 
recommendations!


--Paul

  - Original Message - 
  From: 
  McCann, 
  Danny 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Wednesday, August 09, 2006 3:59 
  PM
  Subject: RE: [ActiveDir] Weak AD 
  passwords
  
  Hi
  
  Haven't used it, but one of my colleagues swears it's too good. 
  :)Try Rainbow Tables.
  
  Cheers
  
  Danny
  
  

-Original Message-From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
RussSent: 20 March 2006 21:38To: ActiveDir@mail.activedir.orgSubject: 
[ActiveDir] Weak AD passwords
Can anyone 
recommend any tools to find which of our users have weak AD passwords? 
We used to use L0phtcrack back in the day, but it doesn't appear to be 
supported any longer? Other than enforcing complex passwords (which we 
do) and 8 character minimum, we'd like to figure out who uses things like 
"Password1" or something silly like that.

Thanks in 
advance
Email has been scanned for 
viruses by Altman Technologies' email management service

  
  
~~This 
  e-mail is confidential, may contain proprietary informationof the 
  Cooper Cameron Corporation and its operating Divisionsand may be 
  confidential or privileged.This e-mail should be read, copied, 
  disseminated and/or used onlyby the addressee. If you have 
  received this message in error pleasedelete it, together with any 
  attachments, from your 
  system.~~

RE: [ActiveDir] Weak AD passwords

[Michael B. Smith]

Title: Message



Uh, I am the IT security department for a number of my 
clients.

Yes, complex passwords were used. Here are a few it 
cracked, just as samples:



  
  
  
  
F0ur.Sc0r3
  
grVnBEqRo*2Yb
  
@[EMAIL PROTECTED]@cK


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Wednesday, August 09, 2006 11:54 
AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 
Weak AD passwords

With the assistance, support and ratification from your IT 
Security department, of course :)

Do you use complex passwords in the below 
scenario?

neil


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. 
SmithSent: 09 August 2006 16:25To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Weak AD 
passwords

I took the time to generate the 64 GB tables with the full 
US-ASCII character set (I spread it out over a couple of dozen servers and it 
only took about a week) last year.

I ran it last week against one of my environments. It 
cracked 1,628 passwords out of 1,629 total accounts in18 hours. Not bad at 
all.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, 
DannySent: Wednesday, August 09, 2006 11:00 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Weak AD 
passwords

Hi

Haven't used it, but one of my colleagues swears it's too good. 
:)Try Rainbow Tables.

Cheers

Danny


  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Rimmerman, RussSent: 20 March 2006 
  21:38To: ActiveDir@mail.activedir.orgSubject: 
  [ActiveDir] Weak AD passwords
  Can anyone 
  recommend any tools to find which of our users have weak AD passwords? 
  We used to use L0phtcrack back in the day, but it doesn't appear to be 
  supported any longer? Other than enforcing complex passwords (which we 
  do) and 8 character minimum, we'd like to figure out who uses things like 
  "Password1" or something silly like that.
  
  Thanks in 
  advance
  Email has been scanned for viruses 
  by Altman Technologies' email management service
  


  ~~This 
e-mail is confidential, may contain proprietary informationof the 
Cooper Cameron Corporation and its operating Divisionsand may be 
confidential or privileged.This e-mail should be read, copied, 
disseminated and/or used onlyby the addressee. If you have received 
this message in error pleasedelete it, together with any 
attachments, from your 
system.~~
PLEASE READ: The 
information contained in this email is confidential and 
intended for the 
named recipient(s) only. If you are not an intended 
recipient of this 
email please notify the sender immediately and delete your 
copy from your 
system. You must not copy, distribute or take any further 
action in reliance 
on it. Email is not a secure method of communication and 
Nomura International 
plc ('NIplc') will not, to the extent permitted by law, 
accept 
responsibility or liability for (a) the accuracy or completeness of, 

or (b) the presence 
of any virus, worm or similar malicious or disabling 
code in, this 
message or any attachment(s) to it. If verification of this 
email is sought then 
please request a hard copy. Unless otherwise stated 
this email: (1) is 
not, and should not be treated or relied upon as, 
investment research; 
(2) contains views or opinions that are solely those of 
the author and do 
not necessarily represent those of NIplc; (3) is intended 
for informational 
purposes only and is not a recommendation, solicitation or 
offer to buy or sell 
securities or related financial instruments. NIplc 
does not provide 
investment services to private customers. Authorised and 
regulated by the 
Financial Services Authority. Registered in England 
no. 1550505 VAT No. 
447 2492 35. Registered Office: 1 St Martin's-le-Grand, 
London, EC1A 4NP. A 
member of the Nomura group of companies. 

RE: [ActiveDir] Weak AD passwords

[WATSON, BEN]

Title: Message








It seems that Cain  Able development
has picked up greatly since LC5 was discontinued and seems to offer all the
features of LC5 and more.


Check out the list of network security tools that the creator of NMAP has
developed. Cain  Able is #9.



http://sectools.org/



And heres the direct link to Cain
 Able.



http://www.oxid.it/index.html



~Ben













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, August 09, 2006
9:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Weak AD
passwords







Lophcrack was
purchased by Symantec and is now sold as an enterprise security product.
It's called LC5, I believe, but has recently been discontinued (after symantec
stopped selling it to people outside of North America)
and support runs out at the end of the year. Which is a real pain as I've
recently recommended it and now need to revise my recommendations!

















--Paul







- Original Message - 





From: McCann, Danny






To: ActiveDir@mail.activedir.org






Sent: Wednesday, August
09, 2006 3:59 PM





Subject: RE: [ActiveDir]
Weak AD passwords











Hi











Haven't used it, but one of my colleagues
swears it's too good. :)Try Rainbow Tables.











Cheers











Danny











-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Rimmerman, Russ
Sent: 20 March 2006 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weak AD
passwords



Can anyone recommend any tools to find which of our users
have weak AD passwords? We used to use L0phtcrack back in the day, but it
doesn't appear to be supported any longer? Other than enforcing complex
passwords (which we do) and 8 character minimum, we'd like to figure out who
uses things like Password1 or something silly like that.











Thanks in advance



Email has been scanned for viruses
by Altman Technologies' email management service


 
  
  ~~
  This e-mail is confidential, may contain proprietary information
  of the Cooper Cameron Corporation and its operating Divisions
  and may be confidential or privileged.
  
  This e-mail should be read, copied, disseminated and/or used only
  by the addressee. If you have received this message in error please
  delete it, together with any attachments, from your system.
  ~~
  
 

RE: [ActiveDir] Weak AD passwords

[WATSON, BEN]

Title: Message








I think you might mean the storing of LM
hashes for compatibility with extremely old operating systems. When using LM
Hash your password at most will consist of 14 characters, while thats a
good length, the worst part is it is broken up into two 7 character strings. (At
least if I remember this all correctly, I learned about this quite awhile ago)
So really, when brute forcing a password that is LM hash compatible, all the
password cracking utility needs to do is crack the password twice. Once for
the first 7 characters, and again for the second 7 characters. If youve
watched the speed which with a good password cracking utility can chew through
7 character strings then it shouldnt be surprising that it can crack
even complex passwords this way.



http://support.microsoft.com/kb/299656/



If you remove the storage of the LM Hash
of your passwords, then the cracking utility will have to crack all 14+
characters in your password at once, making it infinitely more difficult to
brute force.



~Ben











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, August 09, 2006
9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD
passwords





Uh, I am the IT security department for a
number of my clients.



Yes, complex passwords were used. Here are
a few it cracked, just as samples:




 
 
  
  F0ur.Sc0r3
  
 
 
  
  grVnBEqRo*2Yb
  
 
 
  
  @[EMAIL PROTECTED]@cK
  
 










From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 09, 2006
11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD
passwords

With the assistance, support and
ratification from your IT Security department, of course :)



Do you use complex passwords in the below
scenario?



neil







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: 09 August 2006 16:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD
passwords

I took the time to generate the 64 GB
tables with the full US-ASCII character set (I spread it out over a couple of
dozen servers and it only took about a week) last year.



I ran it last week against one of my
environments. It cracked 1,628 passwords out of 1,629 total accounts in18
hours. Not bad at all.









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, August 09, 2006
11:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD
passwords



Hi











Haven't used it, but one of my colleagues
swears it's too good. :)Try Rainbow Tables.











Cheers











Danny











-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 20 March 2006 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weak AD
passwords



Can anyone recommend any tools to find which of our users
have weak AD passwords? We used to use L0phtcrack back in the day, but it
doesn't appear to be supported any longer? Other than enforcing complex
passwords (which we do) and 8 character minimum, we'd like to figure out who
uses things like Password1 or something silly like that.











Thanks in advance



Email has been scanned for viruses
by Altman Technologies' email management service


 
  
  ~~
  This e-mail is confidential, may contain proprietary information
  of the Cooper Cameron Corporation and its operating Divisions
  and may be confidential or privileged.
  
  This e-mail should be read, copied, disseminated and/or used only
  by the addressee. If you have received this message in error please
  delete it, together with any attachments, from your system.
  ~~
  
 






PLEASE READ: The information contained in this email is
confidential and 





intended for the named recipient(s) only. If you are not an
intended 





recipient of this email please notify the sender immediately
and delete your 





copy from your system. You must not copy, distribute or take
any further 





action in reliance on it. Email is not a secure method of
communication and 





Nomura International plc ('NIplc') will not, to the extent
permitted by law, 





accept responsibility or liability for (a) the accuracy or
completeness of, 





or (b) the presence of any virus, worm or similar malicious
or disabling 





code in, this message or any attachment(s) to it. If
verification of this 





email is sought then please request a hard copy. Unless
otherwise stated 





this email: (1) is not, and should not be treated or relied
upon as, 





investment research; (2) contains views or opinions that are
solely those of 





the author and do not necessarily represent those of NIplc;
(3) is intended 





for informational purposes only and is not a recommendation,
solicitation or 





offer to buy 

RE: [ActiveDir] Weak AD passwords

[AFidel]

By using a high ASCII character from
table 1 in http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/03osinstl.mspx

Andrew Fidel





[EMAIL PROTECTED]

Sent by: [EMAIL PROTECTED]
08/09/2006 11:52 AM



Please respond to
ActiveDir@mail.activedir.org





To
ActiveDir@mail.activedir.org


cc



Subject
RE: [ActiveDir] Weak AD passwords








...but
it can be disabled on a per-account basis so any admin type accounts should
probably have it turned off.


how is this done please? I know
how it can be done at the domain level, but not per user.

neil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 09 August 2006 16:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD passwords


And as lm configuration #6 from http://www.antsight.com/zsl/rainbowcrack/
shows it's trivial to crack ANY reasonable windows password with length
14 characters unless lmhashes are turned off!(lm hashes are not stored
for passwords longer than 14 characters). Unfortunately if you have to
support downlevel clients you can't turn off lmhash system wide, but it
can be disabled on a per-account basis so any admin type accounts should
probably have it turned off. 

Andrew Fidel 




McCann, Danny
[EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED] 
08/09/2006 10:59 AM





Please respond to
ActiveDir@mail.activedir.org






To
ActiveDir@mail.activedir.org



cc



Subject
RE: [ActiveDir] Weak AD passwords










Hi 
 
Haven't used it, but one of my colleagues swears it's too good. :) Try
Rainbow Tables. 
 
Cheers 
 
Danny 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Rimmerman, Russ
Sent: 20 March 2006 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weak AD passwords

Can anyone recommend any tools to find which of our users have weak AD
passwords? We used to use L0phtcrack back in the day, but it doesn't
appear to be supported any longer? Other than enforcing complex passwords
(which we do) and 8 character minimum, we'd like to figure out who uses
things like Password1 or something silly like that.

 
Thanks in advance 
Email
has been scanned for viruses by Altman Technologies' email management service




~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


PLEASE READ: The information contained in
this email is confidential and 
intended for the named recipient(s) only.
If you are not an intended 
recipient of this email please notify the
sender immediately and delete your 
copy from your system. You must not copy,
distribute or take any further 
action in reliance on it. Email is not a
secure method of communication and 
Nomura International plc ('NIplc') will not,
to the extent permitted by law, 
accept responsibility or liability for (a)
the accuracy or completeness of, 
or (b) the presence of any virus, worm or
similar malicious or disabling 
code in, this message or any attachment(s)
to it. If verification of this 
email is sought then please request a hard
copy. Unless otherwise stated 
this email: (1) is not, and should not be
treated or relied upon as, 
investment research; (2) contains views or
opinions that are solely those of 
the author and do not necessarily represent
those of NIplc; (3) is intended 
for informational purposes only and is not
a recommendation, solicitation or 
offer to buy or sell securities or related
financial instruments. NIplc 
does not provide investment services to private
customers. Authorised and 
regulated by the Financial Services Authority.
Registered in England 
no. 1550505 VAT No. 447 2492 35. Registered
Office: 1 St Martin's-le-Grand, 
London, EC1A 4NP. A member of the Nomura
group of companies. 

Re: [ActiveDir] Weak AD passwords

[Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]]

In a all borg network (XP,2k3 even 2k) disabling LMhash breaks nothing. 
For those with mixed networks.. test... you may have devices, OS that 
need lmhash (NT,98). Kill them off as soon as you can as it's weakening 
the security posture of your network.. and even the guy who has THE blog 
on defending security infrastructures or whatevers would agree with me 
on that one.


..and remember this takes affect on the 'next' change of the passwords.

Running a password cracking sniffing the inside of your network...you'll 
be seeing how fast you can get this shut off.


WATSON, BEN wrote:


I think you might mean the storing of LM hashes for compatibility with 
extremely old operating systems. When using LM Hash your password at 
most will consist of 14 characters, while that’s a good length, the 
worst part is it is broken up into two 7 character strings. (At least 
if I remember this all correctly, I learned about this quite awhile 
ago) So really, when brute forcing a password that is LM hash 
compatible, all the password cracking utility needs to do is crack the 
password twice. Once for the first 7 characters, and again for the 
second 7 characters. If you’ve watched the speed which with a good 
password cracking utility can chew through 7 character strings then it 
shouldn’t be surprising that it can crack even complex passwords this way.


http://support.microsoft.com/kb/299656/

If you remove the storage of the LM Hash of your passwords, then the 
cracking utility will have to crack all 14+ characters in your 
password at once, making it infinitely more difficult to brute force.


~Ben



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Michael B. 
Smith

*Sent:* Wednesday, August 09, 2006 9:22 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Weak AD passwords

Uh, I am the IT security department for a number of my clients.

Yes, complex passwords were used. Here are a few it cracked, just as 
samples:


F0ur.Sc0r3

grVnBEqRo*2Yb

@[EMAIL PROTECTED]@cK



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of 
[EMAIL PROTECTED]

*Sent:* Wednesday, August 09, 2006 11:54 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Weak AD passwords

With the assistance, support and ratification from your IT Security 
department, of course :)


Do you use complex passwords in the below scenario?

neil



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Michael B. 
Smith

*Sent:* 09 August 2006 16:25
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Weak AD passwords

I took the time to generate the 64 GB tables with the full US-ASCII 
character set (I spread it out over a couple of dozen servers and it 
only took about a week) last year.


I ran it last week against one of my environments. It cracked 1,628 
passwords out of 1,629 total accounts in 18 hours. Not bad at all.




*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *McCann, Danny

*Sent:* Wednesday, August 09, 2006 11:00 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Weak AD passwords

Hi

Haven't used it, but one of my colleagues swears it's too good. :) Try 
Rainbow Tables.


Cheers

Danny

-Original Message-
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of
*Rimmerman, Russ
*Sent:* 20 March 2006 21:38
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Weak AD passwords

Can anyone recommend any tools to find which of our users have
weak AD passwords? We used to use L0phtcrack back in the day, but
it doesn't appear to be supported any longer? Other than enforcing
complex passwords (which we do) and 8 character minimum, we'd like
to figure out who uses things like Password1 or something silly
like that.

Thanks in advance

Email has been scanned for viruses by Altman Technologies' email
management service http://www.altman.co.uk/emailsystems

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~

PLEASE READ: The information contained in this email is confidential and

intended for the named recipient(s) only. If you are not an intended

recipient of this email please notify the sender immediately and 
delete 

[ActiveDir] Computer bootup speeds

[Rimmerman, Russ]

Is there any easy way to determine why it's taking so long for PCs in
our AD to boot up?  It sits at applying settings for quite awhile, so
I'm thinking it may have something to do with GPOs, but most computers
only have 2 or 3 GPOs applied to them.  I wouldn't think the GPOs would
take that long to apply though.  Sometimes it literally sits at applying
settings for 4 or 5 minutes!  
I guess I could move a computer to an OU with no GPOs and see, but is
there any other ways?  

Thanks

~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] Computer bootup speeds

[AFidel]

Do you have roaming profiles?

Andrew Fidel





Rimmerman, Russ
[EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
08/09/2006 02:29 PM



Please respond to
ActiveDir@mail.activedir.org





To
ActiveDir@mail.activedir.org


cc



Subject
[ActiveDir] Computer bootup
speeds









Is there any easy way to determine why it's taking so long for PCs in
our AD to boot up? It sits at applying settings for quite awhile,
so
I'm thinking it may have something to do with GPOs, but most computers
only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs
would
take that long to apply though. Sometimes it literally sits at applying
settings for 4 or 5 minutes! 
I guess I could move a computer to an OU with no GPOs and see, but is
there any other ways? 

Thanks

~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info  : http://www.activedir.org/List.aspx
List FAQ  : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Computer bootup speeds

[Rimmerman, Russ]

No, just local.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Wednesday, August 09, 2006 1:37 
PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] 
Computer bootup speeds
Do you have roaming profiles? 
Andrew Fidel 

  
  
"Rimmerman, Russ" 
  [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 
  08/09/2006 02:29 PM 
  


  
Please respond 
toActiveDir@mail.activedir.org

  


  
To
  ActiveDir@mail.activedir.org 

  
cc
  

  
Subject
  [ActiveDir] Computer 
bootup speeds
  


  
  Is there any easy way to determine why it's taking so long for 
PCs inour AD to boot up? It sits at applying settings for quite 
awhile, soI'm thinking it may have something to do with GPOs, but most 
computersonly have 2 or 3 GPOs applied to them. I wouldn't think the 
GPOs wouldtake that long to apply though. Sometimes it literally sits 
at applyingsettings for 4 or 5 minutes! I guess I could move a 
computer to an OU with no GPOs and see, but isthere any other ways? 
Thanks~~This 
e-mail is confidential, may contain proprietary informationof Cameron and 
its operating Divisions and may be confidentialor privileged.This 
e-mail should be read, copied, disseminated and/or used onlyby the 
addressee. If you have received this message in error pleasedelete it, 
together with any attachments, from your 
system.~~List info 
 : http://www.activedir.org/List.aspxList FAQ  : 
http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.activedir.org/ml/threads.aspx

~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~

[ActiveDir] LDAP Logon Name

[Alex Alborzfard]

We have a HP printer/scanner that we want
to setup for emailing scanned documents.

Management wants to ensure only domain
users with email addresses can do this. 

There is an option for setting up LDAP
gateway, where you can set user name  password up.

Its asking for LDAP logonname. I
have tried my user name and account anme, but it didnt work. 

I looked it up in ADSIedit, but I couldnt
find it.



Can this be perhaps be done on the
Exchange side (there is also a setting for SMTP gateway)?



TIA





Alex

RE: [ActiveDir] Computer bootup speeds

[Matt Plahtinsky]

Most times consulting when I see slow login times its dew to DNS miss
configuration issues. Are your computers pointing to your internal DNS
servers or an external DNS?  If they point to an external it will take
about 5 min before it times out and looks inside. 


Matt




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer bootup speeds


Is there any easy way to determine why it's taking so long for PCs in
our AD to boot up?  It sits at applying settings for quite awhile, so
I'm thinking it may have something to do with GPOs, but most computers
only have 2 or 3 GPOs applied to them.  I wouldn't think the GPOs would
take that long to apply though.  Sometimes it literally sits at applying
settings for 4 or 5 minutes!  
I guess I could move a computer to an OU with no GPOs and see, but is
there any other ways?  

Thanks

~~
This e-mail is confidential, may contain proprietary information of
Cameron and its operating Divisions and may be confidential or
privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Computer bootup speeds

[Kevin Brunson]

First thing I would check is the DNS
settings on the client. Are they pointing at a valid DNS server, and is it
responding?











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006
1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer
bootup speeds





No, just local.









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 09, 2006
1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer
bootup speeds


Do you have roaming profiles? 

Andrew
Fidel 




 
  
  Rimmerman, Russ
  [EMAIL PROTECTED] 
  Sent
  by: [EMAIL PROTECTED] 
  08/09/2006 02:29 PM 
  
   

Please
respond to
ActiveDir@mail.activedir.org

   
  
  
  
  
  
   

To


ActiveDir@mail.activedir.org


   
   

cc




   
   

Subject


[ActiveDir] Computer bootup speeds

   
  
  
  
   






   
  
  
  
 






Is there any easy way to determine why it's taking
so long for PCs in
our AD to boot up? It sits at applying
settings for quite awhile, so
I'm thinking it may have something to do with
GPOs, but most computers
only have 2 or 3 GPOs applied to them. I
wouldn't think the GPOs would
take that long to apply though. Sometimes it
literally sits at applying
settings for 4 or 5 minutes! 
I guess I could move a computer to an OU with no
GPOs and see, but is
there any other ways? 

Thanks

~~
This e-mail is confidential, may contain
proprietary information
of Cameron and its operating Divisions and may be
confidential
or privileged.

This e-mail should be read, copied, disseminated
and/or used only
by the addressee. If you have received this
message in error please
delete it, together with any attachments, from
your system.
~~
List info  :
http://www.activedir.org/List.aspx
List FAQ  :
http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.activedir.org/ml/threads.aspx






~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~

Re: [ActiveDir] LDAP Logon Name

[Tomasz Onyszko]

Alex Alborzfard wrote:
We have a HP printer/scanner that we want to setup for emailing scanned 
documents.


Management wants to ensure only domain users with email addresses can do 
this.


There is an option for setting up LDAP gateway, where you can set user 
name  password up.


It’s asking for LDAP logonname. I have tried my user name and account 
anme, but it didn’t work.


I looked it up in ADSIedit, but I couldn’t find it.


I think that simplest way would be to refer to product documentation but 
I would try to use DN, or CN (in CN=... format) of this user.


--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Computer bootup speeds

[Krenceski, William]

I had this happen once and for the life of me could not 
figure it out. It was happening to computers pointed to one router in particular 
as they're default gateway. It was one of 3 of our Gateway routers so I swapped 
DHCP settings to a different one and they all started working like they should. 



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin 
BrunsonSent: Wednesday, August 09, 2006 2:57 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds


First thing I would 
check is the DNS settings on the client. Are they pointing at a valid DNS 
server, and is it responding?





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Rimmerman, 
RussSent: Wednesday, August 
09, 2006 1:44 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds

No, just 
local.




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of 
[EMAIL PROTECTED]Sent: Wednesday, August 09, 2006 1:37 
PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Computer bootup 
speeds
Do you have 
roaming profiles? Andrew Fidel 


  
  

  "Rimmerman, 
  Russ" [EMAIL PROTECTED] Sent by: 
  [EMAIL PROTECTED] 
  08/09/2006 02:29 
  PM 
  


  
Please respond 
toActiveDir@mail.activedir.org
  

  


  
To
  
ActiveDir@mail.activedir.org 


  
cc
  


  
Subject
  
[ActiveDir] 
Computer bootup speeds
  
  


  

  

  
Is there any easy way to determine why it's taking so long 
for PCs inour AD to boot up? 
It sits at applying settings for quite awhile, soI'm thinking it may have something to do with GPOs, but most 
computersonly have 2 or 3 GPOs 
applied to them. I wouldn't think the GPOs wouldtake that long to apply though. Sometimes it literally 
sits at applyingsettings for 4 or 5 
minutes! I guess I could move 
a computer to an OU with no GPOs and see, but isthere any other ways? Thanks~~This e-mail is confidential, may contain proprietary 
informationof Cameron and its 
operating Divisions and may be confidentialor privileged.This e-mail should be read, copied, disseminated and/or used 
onlyby the addressee. If you have 
received this message in error pleasedelete it, together with any attachments, from your 
system.~~List info  : 
http://www.activedir.org/List.aspxList FAQ  : 
http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.activedir.org/ml/threads.aspx

  
  
~~This 
  e-mail is confidential, may contain proprietary informationof Cameron 
  and its operating Divisions and may be confidentialor 
  privileged.This e-mail should be read, copied, disseminated and/or 
  used onlyby the addressee. If you have received this message in error 
  pleasedelete it, together with any attachments, from your 
  system.~~Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.

[ActiveDir]

[HBooGz]

Hey All -How do you disable an AD account and deny mail delivery. There are some users that are disabled but when i send an email to their smtp address i don't get a sys admin error, it appears to send it to the respective store.
how do you all disable an AD account,not remove, and prevent it from receiving mail ?-- HBooGz:\

RE: [ActiveDir] Computer bootup speeds

[Condra, Jerry W Mr HP]

Id also
verify what server my machines are authenticating to using Set L
from a command prompt and making sure they are hitting the correct ones. Sounds
like the IP range may not be defined in Sites and Services.











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William
Sent: Wednesday, August 09, 2006
2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer
bootup speeds





I had this happen once and for the life of
me could not figure it out. It was happening to computers pointed to one router
in particular as they're default gateway. It was one of 3 of our Gateway
routers so I swapped DHCP settings to a different one and they all started
working like they should. 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Wednesday, August 09, 2006
2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer
bootup speeds

First thing I would check is the DNS
settings on the client. Are they pointing at a valid DNS server, and is
it responding?











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006
1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer
bootup speeds





No, just local.









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 09, 2006
1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer
bootup speeds


Do you have roaming profiles? 

Andrew
Fidel 


 
  
  Rimmerman, Russ [EMAIL PROTECTED] 
  Sent
  by: [EMAIL PROTECTED] 
  08/09/2006
  02:29 PM 
  
   

Please respond
to
 ActiveDir@mail.activedir.org

   
  
  
  
  
  
   

To


ActiveDir@mail.activedir.org 

   
   

cc




   
   

Subject


[ActiveDir] Computer bootup speeds

   
  
  
  
   






   
  
  
  
 






Is there any easy way to determine why it's taking
so long for PCs in
our AD to boot up? It sits at applying
settings for quite awhile, so
I'm thinking it may have something to do with
GPOs, but most computers
only have 2 or 3 GPOs applied to them. I
wouldn't think the GPOs would
take that long to apply though. Sometimes it
literally sits at applying
settings for 4 or 5 minutes! 
I guess I could move a computer to an OU with no
GPOs and see, but is
there any other ways? 

Thanks

~~
This e-mail is confidential, may contain
proprietary information
of Cameron and its operating Divisions and may be
confidential
or privileged.

This e-mail should be read, copied, disseminated
and/or used only
by the addressee. If you have received this
message in error please
delete it, together with any attachments, from
your system.
~~
List info  :
http://www.activedir.org/List.aspx
List FAQ  : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.activedir.org/ml/threads.aspx


 
  
  ~~
  This e-mail is confidential, may contain proprietary information
  of Cameron and its operating Divisions and may be confidential
  or privileged.
  
  This e-mail should be read, copied, disseminated and/or used only
  by the addressee. If you have received this message in error please
  delete it, together with any attachments, from your system.
  ~~
  
 








Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.

RE: [ActiveDir]

[Kennedy, Jim]

Remove their external smtp address and then set the send to
permissions in the account to just me. Then disable the account.









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of HBooGz
Sent: Wednesday, August 09, 2006 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 







Hey All -

How do you disable an AD account and deny mail delivery. There are some users
that are disabled but when i send an email to their smtp address i don't get a
sys admin error, it appears to send it to the respective store. 

how do you all disable an AD account,not remove, and prevent it from receiving
mail ?

-- 
HBooGz:\ 

RE: [ActiveDir]

[Kennedy, Jim]

To be more accurate….change their smtp address to a bunch of
gibberish.









From: Kennedy, Jim 
Sent: Wednesday, August 09, 2006 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 







Remove their external smtp address and then set the send to
permissions in the account to just me. Then disable the account.









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of HBooGz
Sent: Wednesday, August 09, 2006 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 







Hey All -

How do you disable an AD account and deny mail delivery. There are some users
that are disabled but when i send an email to their smtp address i don't get a
sys admin error, it appears to send it to the respective store. 

how do you all disable an AD account,not remove, and prevent it from receiving
mail ?

-- 
HBooGz:\ 

RE: [ActiveDir]

[Derek Harris]

There are several ways you could do it, but the easiest is 
probably on the Exchange General tab in ADUC  Delivery Restrictions  
Message Restrictions -- click "Only from:" and don't add any 
addresses.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
HBooGzSent: Wednesday, August 09, 2006 1:35 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] 

Hey All -How do you disable an AD account and deny mail 
delivery. There are some users that are disabled but when i send an email to 
their smtp address i don't get a sys admin error, it appears to send it to the 
respective store. how do you all disable an AD account,not remove, and 
prevent it from receiving mail ?-- HBooGz:\ 

Re: [ActiveDir]

[HBooGz]

i came across this:http://msexchangeteam.com/archive/2006/03/22/422799.aspxwhich points me to a hotfix.otherwise, when i enable 'associate external account' instead of a user getting an NDR about delivery refused the message is sent and delivered to the local store without an NDR.
How can i still generate an NDR and prevent mail from even being delievered, would this make sense ?
In order to disable the accounts, prevent mailflow, and stop the error
messages I would recommend doing the following.

1) Create a mailbox store of hold deleted mailboxes
2) Set the deleted mailbox retention time to the appropriate amount of time
you want to keep a disabled users mailbox
3) Disable the account
4) Move the mailbox to the Deleted mailbox store
5) Remove the mailbox from the user

At this point 
email  sent to the end user will receive an NDR saying the user

does not exist.  But the Mailbox will exist, and can be reconnected to the
user until the end of the deleted mailbox retention time.On 8/9/06, Derek Harris 
[EMAIL PROTECTED] wrote:




There are several ways you could do it, but the easiest is 
probably on the Exchange General tab in ADUC  Delivery Restrictions  
Message Restrictions -- click Only from: and don't add any 
addresses.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of 
HBooGzSent: Wednesday, August 09, 2006 1:35 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] 

Hey All -How do you disable an AD account and deny mail 
delivery. There are some users that are disabled but when i send an email to 
their smtp address i don't get a sys admin error, it appears to send it to the 
respective store. how do you all disable an AD account,not remove, and 
prevent it from receiving mail ?-- HBooGz:\ 


-- HBooGz:\

[ActiveDir] re: Computer bootup speeds

[Scott Klassen]

I've seen something 
similar in the past due to network issues. Specifically Spanning Tree 
Protocol and/or link speed autosense on both the computer NIC and the switch 
port it is connected to.

Scott 
Klassen

RE: [ActiveDir]

[Deji Akomolafe]

Actually, you want to select them all and choose "Remove Exchange Attributes" from the "Exchange Tasks" menu



Sincerely,  _  (, / | /) /) /)  /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /)  (/ Microsoft MVP - Directory Serviceswww.akomolafe.com- we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Kennedy, JimSent: Wed 8/9/2006 12:46 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 


To be more accurate.change their smtp address to a bunch of gibberish.




From: Kennedy, Jim Sent: Wednesday, August 09, 2006 3:45 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 

Remove their external smtp address and then set the send to permissions in the account to just me. Then disable the account.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGzSent: Wednesday, August 09, 2006 3:35 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] 

Hey All -How do you disable an AD account and deny mail delivery. There are some users that are disabled but when i send an email to their smtp address i don't get a sys admin error, it appears to send it to the respective store. how do you all disable an AD account,not remove, and prevent it from receiving mail ?-- HBooGz:\ 

[ActiveDir] machine GP load

[Antonio Aranda]

I have a few machines that will not load
the machine GP. Im pretty sure that its an issue with the
workstations but just to cover butt, is there any thing that on the GP or AD
that would prevent the GP from loading?



Antonio





Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.

RE: [ActiveDir] machine GP load

[Laura A. Robinson]

If by 
"loading", you mean applying the settings, yes, there are things in AD/GP that 
would affect workstation application of policies, including ACLs on the 
policies, OU structures, use of blocking and application of loopback 
processing.

Laura

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Antonio 
  ArandaSent: Wednesday, August 09, 2006 4:53 PMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] machine GP 
  load
  
  
  I have a few machines 
  that will not load the machine GP. Im pretty sure that its an issue 
  with the workstations but just to cover butt, is there any thing that on the 
  GP or AD that would prevent the GP from loading?
  
  Antonio
  Confidentiality 
  Notice: The information contained in this message may be legally privileged 
  and confidential information intended only for the use of the individual or 
  entity named above. If the reader of this message is not the intended 
  recipient, or the employee or agent responsible to deliver it to the intended 
  recipient, you are hereby notified that any release, dissemination, 
  distribution, or copying of this communication is strictly prohibited. If you 
  have received this communication in error please notify the author immediately 
  by replying to this message and deleting the original message. Thank 
  you.

RE: [ActiveDir] machine GP load

[Darren Mar-Elia]

Several things might prevent that, including security 
filters that are denying access to the GPO from the machines, network timing 
issues (esp. if its only machine GPOs that are causing the problem). I would use 
GPMC to run a GP Results Wizard against the machine and just verify that the 
GPOs are not denied for some reason that you can control. If the component 
status shows that GP Infrastructure processing Failed, then its probably 
something other than the obvious and we can go from there.

Darren


Darren Mar-Elia
For comprehensive 
Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO FAQs, 
video training, tools and whitepapers. Also check out the Windows 
Group Policy Guide,the definitiveresource for Group Policy 
information.



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio 
ArandaSent: Wednesday, August 09, 2006 1:53 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] machine GP 
load


I have a few machines 
that will not load the machine GP. Im pretty sure that its an issue with 
the workstations but just to cover butt, is there any thing that on the GP or AD 
that would prevent the GP from loading?

Antonio
Confidentiality 
Notice: The information contained in this message may be legally privileged and 
confidential information intended only for the use of the individual or entity 
named above. If the reader of this message is not the intended recipient, or the 
employee or agent responsible to deliver it to the intended recipient, you are 
hereby notified that any release, dissemination, distribution, or copying of 
this communication is strictly prohibited. If you have received this 
communication in error please notify the author immediately by replying to this 
message and deleting the original message. Thank 
you.

RE: [ActiveDir] Computer bootup speeds

[Andrew Cace]

Be careful using set L.
That command echoes an environmental variable that is set at boot and doesnt
change after that. It should suffice in this situation. A much better way to
determine which DC a computer is currently authenticating against is
nltest.exe. nltest /sc_query:domain_name You can even run this
command against remote machines using nltest /sc_query:domain_name
/server:computer_name. Unfortunately, even the /sc_query option has its
drawbacks; it only echoes the last DC that the target computer authenticated
against.



-Andrew











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Condra, Jerry W Mr HP
Sent: Wednesday, August 09, 2006
2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer
bootup speeds





Id also
verify what server my machines are authenticating to using Set L
from a command prompt and making sure they are hitting the correct ones. Sounds
like the IP range may not be defined in Sites and Services.











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Krenceski, William
Sent: Wednesday, August 09, 2006
2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer
bootup speeds





I had this happen once and for the life of
me could not figure it out. It was happening to computers pointed to one router
in particular as they're default gateway. It was one of 3 of our Gateway
routers so I swapped DHCP settings to a different one and they all started working
like they should. 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Wednesday, August 09, 2006
2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer
bootup speeds

First thing I would check is the DNS
settings on the client. Are they pointing at a valid DNS server, and is
it responding?











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006
1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer
bootup speeds





No, just local.









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 09, 2006
1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer
bootup speeds


Do you have roaming profiles? 

Andrew
Fidel 


 
  
  Rimmerman, Russ
  [EMAIL PROTECTED] 
  Sent
  by: [EMAIL PROTECTED] 
  08/09/2006
  02:29 PM 
  
   

Please respond
to
ActiveDir@mail.activedir.org

   
  
  
  
  
  
   

To


ActiveDir@mail.activedir.org 

   
   

cc




   
   

Subject


[ActiveDir] Computer bootup speeds

   
  
  
  
   






   
  
  
  
 






Is there any easy way to determine why it's taking
so long for PCs in
our AD to boot up? It sits at applying
settings for quite awhile, so
I'm thinking it may have something to do with
GPOs, but most computers
only have 2 or 3 GPOs applied to them. I
wouldn't think the GPOs would
take that long to apply though. Sometimes it
literally sits at applying
settings for 4 or 5 minutes! 
I guess I could move a computer to an OU with no
GPOs and see, but is
there any other ways? 

Thanks

~~
This e-mail is confidential, may contain
proprietary information
of Cameron and its operating Divisions and may be
confidential
or privileged.

This e-mail should be read, copied, disseminated
and/or used only
by the addressee. If you have received this
message in error please
delete it, together with any attachments, from
your system.
~~
List info  :
http://www.activedir.org/List.aspx
List FAQ  :
http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


 
  
  ~~
  This e-mail is confidential, may contain proprietary information
  of Cameron and its operating Divisions and may be confidential
  or privileged.
  
  This e-mail should be read, copied, disseminated and/or used only
  by the addressee. If you have received this message in error please
  delete it, together with any attachments, from your system.
  ~~
  
 








Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.

RE: [ActiveDir] re: Computer bootup speeds

[Darren Mar-Elia]

There's lot of reasons for slow boot up, as folks have 
indicated. Enabling userenv logging and observing the time stamps will give you 
a clue as to whether its related to user profiles or group policy. Also, as per 
the network issues, check out http://support.microsoft.com/default.aspx?scid=kb;en-us;840669




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Scott 
KlassenSent: Wednesday, August 09, 2006 1:23 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] re: Computer bootup 
speeds

I've seen something 
similar in the past due to network issues. Specifically Spanning Tree 
Protocol and/or link speed autosense on both the computer NIC and the switch 
port it is connected to.

Scott 
Klassen

RE: [ActiveDir] machine GP load

[Robert Rutherford]

Have you performed the usual gpresult, modelling,
etc?

Anything in the event logs?

Is this a new policy or new machines (to
the domain), or both in fact?



Cheers



Rob








 
  
  
  
  
  
  
  
  Robert
   Rutherford
  QuoStar
  Solutions Limited
  
  
 
 
  
  The Enterprise
  Pavilion
  Fern Barrow
  Wallisdown
Poole
Dorset
  BH12 5HH
  
  
  
  
  
  
  
   

T:


+44 (0) 8456 440
331

   
   

F:


+44 (0) 8456 440
332

   
   

M:


+44 (0) 7974 249
494

   
   

E:



[EMAIL PROTECTED]

   
   

W:



www.quostar.com

   
  
  
  
  
  
  
 
















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: 09 August 2006 21:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] machine GP
load





I have a few machines
that will not load the machine GP. Im pretty sure that its
an issue with the workstations but just to cover butt, is there any thing that
on the GP or AD that would prevent the GP from loading?



Antonio





Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.

RE: [ActiveDir] Computer bootup speeds

[Rimmerman, Russ]

Well I think we figured it out. If we disable the 
"Network Location Awareness (NLA)" service, it cuts the time down by about 
90%. I guess we'll disable this service via a GPO, cuz it looks like we 
don't need it anyway.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W 
Mr HPSent: Wednesday, August 09, 2006 2:42 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds


Id also 
verify what server my machines are authenticating to using Set L from a 
command prompt and making sure they are hitting the correct ones. Sounds like 
the IP range may not be defined in Sites and Services.





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Krenceski, 
WilliamSent: Wednesday, August 
09, 2006 2:22 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds

I had this happen once 
and for the life of me could not figure it out. It was happening to computers 
pointed to one router in particular as they're default gateway. It was one of 3 
of our Gateway routers so I swapped DHCP settings to a different one and they 
all started working like they should. 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Kevin 
BrunsonSent: Wednesday, August 
09, 2006 2:57 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds
First thing I would 
check is the DNS settings on the client. Are they pointing at a valid DNS 
server, and is it responding?





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Rimmerman, 
RussSent: Wednesday, August 
09, 2006 1:44 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds

No, just 
local.




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of 
[EMAIL PROTECTED]Sent: Wednesday, August 09, 2006 1:37 
PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Computer bootup 
speeds
Do you have roaming 
profiles? Andrew Fidel 

  
  

  "Rimmerman, 
  Russ" [EMAIL PROTECTED] 
  Sent by: 
  [EMAIL PROTECTED] 
  08/09/2006 02:29 
  PM 
  


  
Please respond 
toActiveDir@mail.activedir.org
  

  


  
To
  
ActiveDir@mail.activedir.org 


  
cc
  


  
Subject
  
[ActiveDir] Computer 
bootup speeds
  
  


  

  

  
Is there any easy way to determine why it's taking so long 
for PCs inour AD to boot up? 
It sits at applying settings for quite awhile, soI'm thinking it may have something to do with GPOs, but most 
computersonly have 2 or 3 GPOs 
applied to them. I wouldn't think the GPOs wouldtake that long to apply though. Sometimes it literally 
sits at applyingsettings for 4 or 5 
minutes! I guess I could move 
a computer to an OU with no GPOs and see, but isthere any other ways? Thanks~~This e-mail is confidential, may contain proprietary 
informationof Cameron and its 
operating Divisions and may be confidentialor privileged.This e-mail should be read, copied, disseminated and/or used 
onlyby the addressee. If you have 
received this message in error pleasedelete it, together with any attachments, from your 
system.~~List info  : 
http://www.activedir.org/List.aspxList FAQ  : 
http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.activedir.org/ml/threads.aspx

  
  

  ~~This 
  e-mail is confidential, may contain proprietary informationof Cameron 
  and its operating Divisions and may be confidentialor 
  privileged.This e-mail should be read, copied, disseminated and/or 
  used onlyby the addressee. If you have received this message in error 
  pleasedelete it, together with any attachments, from your 
  system.~~

Confidentiality 
Notice: The information contained in this message may be legally privileged and 
confidential information intended only for the use of the individual or entity 
named above. If the reader of this message is not the intended recipient, or the 
employee or agent responsible to deliver it to the intended recipient, you are 
hereby notified that any release, dissemination, distribution, or copying of 
this communication is strictly prohibited. If you have received this 
communication in error please notify the author immediately by replying to this 
message and deleting the original message. Thank 
you.

~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

RE: [ActiveDir] Computer bootup speeds

[Rimmerman, Russ]

This is all good... Using the right logonserver, DNS 
is responding well.

It's the darn Network Awareness service causing it. 
We aren't using ICS or Windows Firewall so I suppose we can disable it 
safely.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Andrew 
CaceSent: Wednesday, August 09, 2006 4:11 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds


Be careful using set 
L. That command echoes an environmental variable that is set at boot and 
doesnt change after that. It should suffice in this situation. A 
much better way to determine which DC a computer is currently authenticating 
against is nltest.exe. nltest /sc_query:domain_name You can even 
run this command against remote machines using nltest /sc_query:domain_name 
/server:computer_name. Unfortunately, even the /sc_query option has its 
drawbacks; it only echoes the last DC that the target computer authenticated 
against.

-Andrew





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Condra, Jerry W Mr 
HPSent: Wednesday, August 09, 
2006 2:42 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds

Id also 
verify what server my machines are authenticating to using Set L from a 
command prompt and making sure they are hitting the correct ones. Sounds like 
the IP range may not be defined in Sites and 
Services.





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Krenceski, 
WilliamSent: Wednesday, August 
09, 2006 2:22 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds

I had this happen once 
and for the life of me could not figure it out. It was happening to computers 
pointed to one router in particular as they're default gateway. It was one of 3 
of our Gateway routers so I swapped DHCP settings to a different one and they 
all started working like they should. 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Kevin 
BrunsonSent: Wednesday, August 
09, 2006 2:57 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds
First thing I would 
check is the DNS settings on the client. Are they pointing at a valid DNS 
server, and is it responding?





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Rimmerman, 
RussSent: Wednesday, August 
09, 2006 1:44 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds

No, just 
local.




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of 
[EMAIL PROTECTED]Sent: Wednesday, August 09, 2006 1:37 
PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Computer bootup 
speeds
Do you have roaming 
profiles? Andrew Fidel 


  
  

  "Rimmerman, 
  Russ" [EMAIL PROTECTED] 
  Sent by: 
  [EMAIL PROTECTED] 
  08/09/2006 02:29 
  PM 
  


  
Please respond 
toActiveDir@mail.activedir.org
  

  


  
To
  
ActiveDir@mail.activedir.org 


  
cc
  


  
Subject
  
[ActiveDir] Computer 
bootup speeds
  
  


  

  

  
Is there any easy way to determine why it's taking so long 
for PCs inour AD to boot up? 
It sits at applying settings for quite awhile, soI'm thinking it may have something to do with GPOs, but most 
computersonly have 2 or 3 GPOs 
applied to them. I wouldn't think the GPOs wouldtake that long to apply though. Sometimes it literally 
sits at applyingsettings for 4 or 5 
minutes! I guess I could move 
a computer to an OU with no GPOs and see, but isthere any other ways? Thanks~~This e-mail is confidential, may contain proprietary 
informationof Cameron and its 
operating Divisions and may be confidentialor privileged.This e-mail should be read, copied, disseminated and/or used 
onlyby the addressee. If you have 
received this message in error pleasedelete it, together with any attachments, from your 
system.~~List info  : 
http://www.activedir.org/List.aspxList FAQ  : 
http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.activedir.org/ml/threads.aspx

  
  

  ~~This 
  e-mail is confidential, may contain proprietary informationof Cameron 
  and its operating Divisions and may be confidentialor 
  privileged.This e-mail should be read, copied, disseminated and/or 
  used onlyby the addressee. If you have received this message in error 
  pleasedelete it, together with any attachments, from your 
  system.~~

Confidentiality 
Notice: The information contained in this message may be 

Re: [ActiveDir] Computer bootup speeds

[Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]]

I wouldn't disable that but put it on manual. We've found that on rare 
occasion we've had to enable NLA to get the XP sp2 firewall to 
consistently know that the machine was domain joined and thus use the 
domain profile.


Test first.

Rimmerman, Russ wrote:
Well I think we figured it out. If we disable the Network Location 
Awareness (NLA) service, it cuts the time down by about 90%. I guess 
we'll disable this service via a GPO, cuz it looks like we don't need 
it anyway.



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Condra, 
Jerry W Mr HP

*Sent:* Wednesday, August 09, 2006 2:42 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Computer bootup speeds

I’d also verify what server my machines are authenticating to using 
“Set L” from a command prompt and making sure they are hitting the 
correct ones. Sounds like the IP range may not be defined in Sites and 
Services.




*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Krenceski, 
William

*Sent:* Wednesday, August 09, 2006 2:22 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Computer bootup speeds

I had this happen once and for the life of me could not figure it out. 
It was happening to computers pointed to one router in particular as 
they're default gateway. It was one of 3 of our Gateway routers so I 
swapped DHCP settings to a different one and they all started working 
like they should.




*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Kevin Brunson

*Sent:* Wednesday, August 09, 2006 2:57 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Computer bootup speeds

First thing I would check is the DNS settings on the client. Are they 
pointing at a valid DNS server, and is it responding?




*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Rimmerman, Russ

*Sent:* Wednesday, August 09, 2006 1:44 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Computer bootup speeds

No, just local.



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of [EMAIL PROTECTED]

*Sent:* Wednesday, August 09, 2006 1:37 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Computer bootup speeds


Do you have roaming profiles?

Andrew Fidel

*Rimmerman, Russ [EMAIL PROTECTED]*
Sent by: [EMAIL PROTECTED]

08/09/2006 02:29 PM

Please respond to
ActiveDir@mail.activedir.org



To



ActiveDir@mail.activedir.org

cc



Subject



[ActiveDir] Computer bootup speeds







Is there any easy way to determine why it's taking so long for PCs in
our AD to boot up? It sits at applying settings for quite awhile, so
I'm thinking it may have something to do with GPOs, but most computers
only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would
take that long to apply though. Sometimes it literally sits at applying
settings for 4 or 5 minutes!
I guess I could move a computer to an OU with no GPOs and see, but is
there any other ways?

Thanks

~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~

Confidentiality Notice: The information contained in this message may 
be legally privileged and confidential information intended only for 
the use of the individual or entity named above. If the reader of this 
message is not the intended recipient, or the employee or agent 
responsible to deliver it to the intended recipient, you are hereby 
notified that any release, dissemination, distribution, or copying of 
this communication is strictly prohibited. If you have received this 
communication in error please notify the author immediately by 
replying to 

RE: [ActiveDir] Computer bootup speeds

[Darren Mar-Elia]

That's a new one on me. Its kind of ironic because in 
Vista, the NLA service replaces ICMP slow link detection for GP 
processing...

Darren


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
RussSent: Wednesday, August 09, 2006 2:14 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds

Well I think we figured it out. If we disable the 
"Network Location Awareness (NLA)" service, it cuts the time down by about 
90%. I guess we'll disable this service via a GPO, cuz it looks like we 
don't need it anyway.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W 
Mr HPSent: Wednesday, August 09, 2006 2:42 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds


Id also 
verify what server my machines are authenticating to using Set L from a 
command prompt and making sure they are hitting the correct ones. Sounds like 
the IP range may not be defined in Sites and Services.





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Krenceski, 
WilliamSent: Wednesday, August 
09, 2006 2:22 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds

I had this happen once 
and for the life of me could not figure it out. It was happening to computers 
pointed to one router in particular as they're default gateway. It was one of 3 
of our Gateway routers so I swapped DHCP settings to a different one and they 
all started working like they should. 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Kevin 
BrunsonSent: Wednesday, August 
09, 2006 2:57 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds
First thing I would 
check is the DNS settings on the client. Are they pointing at a valid DNS 
server, and is it responding?





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Rimmerman, 
RussSent: Wednesday, August 
09, 2006 1:44 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Computer bootup 
speeds

No, just 
local.




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of 
[EMAIL PROTECTED]Sent: Wednesday, August 09, 2006 1:37 
PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Computer bootup 
speeds
Do you have roaming 
profiles? Andrew Fidel 

  
  

  "Rimmerman, 
  Russ" [EMAIL PROTECTED] 
  Sent by: 
  [EMAIL PROTECTED] 
  08/09/2006 02:29 
  PM 
  


  
Please respond 
toActiveDir@mail.activedir.org
  

  


  
To
  
ActiveDir@mail.activedir.org 


  
cc
  


  
Subject
  
[ActiveDir] Computer 
bootup speeds
  
  


  

  

  
Is there any easy way to determine why it's taking so long 
for PCs inour AD to boot up? 
It sits at applying settings for quite awhile, soI'm thinking it may have something to do with GPOs, but most 
computersonly have 2 or 3 GPOs 
applied to them. I wouldn't think the GPOs wouldtake that long to apply though. Sometimes it literally 
sits at applyingsettings for 4 or 5 
minutes! I guess I could move 
a computer to an OU with no GPOs and see, but isthere any other ways? Thanks~~This e-mail is confidential, may contain proprietary 
informationof Cameron and its 
operating Divisions and may be confidentialor privileged.This e-mail should be read, copied, disseminated and/or used 
onlyby the addressee. If you have 
received this message in error pleasedelete it, together with any attachments, from your 
system.~~List info  : 
http://www.activedir.org/List.aspxList FAQ  : 
http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.activedir.org/ml/threads.aspx

  
  

  ~~This 
  e-mail is confidential, may contain proprietary informationof Cameron 
  and its operating Divisions and may be confidentialor 
  privileged.This e-mail should be read, copied, disseminated and/or 
  used onlyby the addressee. If you have received this message in error 
  pleasedelete it, together with any attachments, from your 
  system.~~

Confidentiality 
Notice: The information contained in this message may be legally privileged and 
confidential information intended only for the use of the individual or entity 
named above. If the reader of this message is not the intended recipient, or the 
employee or agent responsible to deliver it to the intended recipient, you are 
hereby notified that any release, dissemination, distribution, or copying of 
this communication is strictly prohibited. If you have 

RE: [ActiveDir] Computer bootup speeds

[Darren Mar-Elia]

Yes, good point Susan. NLA is used to let Windows know that a network
connection state has changed. So if you're using Windows Firewall and have
both domain and standard profiles, by disabling NLA, you prevent that state
change from notifying the firewall that it may need to switch from one
profile to another.  

See this article for reference:

http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx#EUC

Darren



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, August 09, 2006 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer bootup speeds

I wouldn't disable that but put it on manual. We've found that on rare
occasion we've had to enable NLA to get the XP sp2 firewall to consistently
know that the machine was domain joined and thus use the domain profile.

Test first.

Rimmerman, Russ wrote:
 Well I think we figured it out. If we disable the Network Location 
 Awareness (NLA) service, it cuts the time down by about 90%. I guess 
 we'll disable this service via a GPO, cuz it looks like we don't need 
 it anyway.

 --
 --
 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Condra, 
 Jerry W Mr HP
 *Sent:* Wednesday, August 09, 2006 2:42 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Computer bootup speeds

 I'd also verify what server my machines are authenticating to using 
 Set L from a command prompt and making sure they are hitting the 
 correct ones. Sounds like the IP range may not be defined in Sites and 
 Services.

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Krenceski, 
 William
 *Sent:* Wednesday, August 09, 2006 2:22 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Computer bootup speeds

 I had this happen once and for the life of me could not figure it out. 
 It was happening to computers pointed to one router in particular as 
 they're default gateway. It was one of 3 of our Gateway routers so I 
 swapped DHCP settings to a different one and they all started working 
 like they should.

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Kevin 
 Brunson
 *Sent:* Wednesday, August 09, 2006 2:57 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Computer bootup speeds

 First thing I would check is the DNS settings on the client. Are they 
 pointing at a valid DNS server, and is it responding?

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Rimmerman, 
 Russ
 *Sent:* Wednesday, August 09, 2006 1:44 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Computer bootup speeds

 No, just local.

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of 
 [EMAIL PROTECTED]
 *Sent:* Wednesday, August 09, 2006 1:37 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* Re: [ActiveDir] Computer bootup speeds


 Do you have roaming profiles?

 Andrew Fidel

 *Rimmerman, Russ [EMAIL PROTECTED]* Sent by: 
 [EMAIL PROTECTED]

 08/09/2006 02:29 PM

 Please respond to
 ActiveDir@mail.activedir.org

   

 To

   

 ActiveDir@mail.activedir.org

 cc

   

 Subject

   

 [ActiveDir] Computer bootup speeds

   





 Is there any easy way to determine why it's taking so long for PCs in 
 our AD to boot up? It sits at applying settings for quite awhile, so 
 I'm thinking it may have something to do with GPOs, but most computers 
 only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would 
 take that long to apply though. Sometimes it literally sits at 
 applying settings for 4 or 5 minutes!
 I guess I could move a computer to an OU with no GPOs and see, but is 
 there any other ways?

 Thanks

 ~~
 This e-mail is confidential, may contain proprietary information of 
 Cameron and its operating Divisions and may be confidential or 
 privileged.

 This e-mail should be read, copied, disseminated and/or used only by 
 the addressee. If you have received this message in error please 
 delete it, together with any attachments, from your system.
 ~~
 List info : http://www.activedir.org/List.aspx
 List FAQ : http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx

 ~~
 This e-mail is confidential, may contain proprietary information of 
 Cameron and its operating Divisions and may be confidential or 
 privileged.

 This e-mail should be read, 

RE: [ActiveDir] machine GP load

[Jerry Welch]

Does anyone have, or know of, a utility program that 
will provide a breakout of object counts in ADin each container, with a 
rollup so that each container shows all of the containers below it 
?
Joe ?
Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-5 
GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )

RE: [ActiveDir] machine GP load

[Brian Desmond]

No but a recursive program to do this would be an easy thing to
write. 





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Jerry Welch
Sent: Wednesday, August 09, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] machine GP load







Does anyone have, or know of, a utility program that will provide a
breakout of object counts in ADin each container, with a rollup so that
each container shows all of the containers below it ?

Joe ?

Thanks,

Jerry







Jerry
Welch



CPS
Systems





US/Canada:
888-666-0277





International:
+1 703 827 0919 (-5 GMT)





IP
Phone (Skype): Jerry_Welch ( www.skype.net )

RE: [ActiveDir] Computer bootup speeds

[Rimmerman, Russ]

We aren't using Windows Firewall, we're using the firewall that comes
with our desktop antivirus solution.  So I guess we're OK turning off
NLA (via GPO)?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 09, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

Yes, good point Susan. NLA is used to let Windows know that a network
connection state has changed. So if you're using Windows Firewall and
have
both domain and standard profiles, by disabling NLA, you prevent that
state
change from notifying the firewall that it may need to switch from one
profile to another.  

See this article for reference:

http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx#
EUC

Darren



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, August 09, 2006 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer bootup speeds

I wouldn't disable that but put it on manual. We've found that on rare
occasion we've had to enable NLA to get the XP sp2 firewall to
consistently
know that the machine was domain joined and thus use the domain profile.

Test first.

Rimmerman, Russ wrote:
 Well I think we figured it out. If we disable the Network Location 
 Awareness (NLA) service, it cuts the time down by about 90%. I guess 
 we'll disable this service via a GPO, cuz it looks like we don't need 
 it anyway.

 --
 --
 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Condra, 
 Jerry W Mr HP
 *Sent:* Wednesday, August 09, 2006 2:42 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Computer bootup speeds

 I'd also verify what server my machines are authenticating to using 
 Set L from a command prompt and making sure they are hitting the 
 correct ones. Sounds like the IP range may not be defined in Sites and

 Services.

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Krenceski, 
 William
 *Sent:* Wednesday, August 09, 2006 2:22 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Computer bootup speeds

 I had this happen once and for the life of me could not figure it out.

 It was happening to computers pointed to one router in particular as 
 they're default gateway. It was one of 3 of our Gateway routers so I 
 swapped DHCP settings to a different one and they all started working 
 like they should.

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Kevin 
 Brunson
 *Sent:* Wednesday, August 09, 2006 2:57 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Computer bootup speeds

 First thing I would check is the DNS settings on the client. Are they 
 pointing at a valid DNS server, and is it responding?

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Rimmerman, 
 Russ
 *Sent:* Wednesday, August 09, 2006 1:44 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Computer bootup speeds

 No, just local.

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of 
 [EMAIL PROTECTED]
 *Sent:* Wednesday, August 09, 2006 1:37 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* Re: [ActiveDir] Computer bootup speeds


 Do you have roaming profiles?

 Andrew Fidel

 *Rimmerman, Russ [EMAIL PROTECTED]* Sent by: 
 [EMAIL PROTECTED]

 08/09/2006 02:29 PM

 Please respond to
 ActiveDir@mail.activedir.org

   

 To

   

 ActiveDir@mail.activedir.org

 cc

   

 Subject

   

 [ActiveDir] Computer bootup speeds

   





 Is there any easy way to determine why it's taking so long for PCs in 
 our AD to boot up? It sits at applying settings for quite awhile, so 
 I'm thinking it may have something to do with GPOs, but most computers

 only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would

 take that long to apply though. Sometimes it literally sits at 
 applying settings for 4 or 5 minutes!
 I guess I could move a computer to an OU with no GPOs and see, but is 
 there any other ways?

 Thanks

 ~~
 This e-mail is confidential, may contain proprietary information of 
 Cameron and its operating Divisions and may be confidential or 
 privileged.

 This e-mail should be read, copied, disseminated and/or used only by 
 the addressee. If you have received this message in error please 
 delete it, together with any attachments, from your system.
 

RE: [ActiveDir] Computer bootup speeds

[Rimmerman, Russ]

Here's a thought - 

Our DHCP is assigning the DNS domain name (015) of our old NT4 domain
still, not the name of our new AD domain.  Would that cause this?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 09, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

Yes, good point Susan. NLA is used to let Windows know that a network
connection state has changed. So if you're using Windows Firewall and
have
both domain and standard profiles, by disabling NLA, you prevent that
state
change from notifying the firewall that it may need to switch from one
profile to another.  

See this article for reference:

http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx#
EUC

Darren



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, August 09, 2006 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer bootup speeds

I wouldn't disable that but put it on manual. We've found that on rare
occasion we've had to enable NLA to get the XP sp2 firewall to
consistently
know that the machine was domain joined and thus use the domain profile.

Test first.

Rimmerman, Russ wrote:
 Well I think we figured it out. If we disable the Network Location 
 Awareness (NLA) service, it cuts the time down by about 90%. I guess 
 we'll disable this service via a GPO, cuz it looks like we don't need 
 it anyway.

 --
 --
 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Condra, 
 Jerry W Mr HP
 *Sent:* Wednesday, August 09, 2006 2:42 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Computer bootup speeds

 I'd also verify what server my machines are authenticating to using 
 Set L from a command prompt and making sure they are hitting the 
 correct ones. Sounds like the IP range may not be defined in Sites and

 Services.

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Krenceski, 
 William
 *Sent:* Wednesday, August 09, 2006 2:22 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Computer bootup speeds

 I had this happen once and for the life of me could not figure it out.

 It was happening to computers pointed to one router in particular as 
 they're default gateway. It was one of 3 of our Gateway routers so I 
 swapped DHCP settings to a different one and they all started working 
 like they should.

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Kevin 
 Brunson
 *Sent:* Wednesday, August 09, 2006 2:57 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Computer bootup speeds

 First thing I would check is the DNS settings on the client. Are they 
 pointing at a valid DNS server, and is it responding?

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Rimmerman, 
 Russ
 *Sent:* Wednesday, August 09, 2006 1:44 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Computer bootup speeds

 No, just local.

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of 
 [EMAIL PROTECTED]
 *Sent:* Wednesday, August 09, 2006 1:37 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* Re: [ActiveDir] Computer bootup speeds


 Do you have roaming profiles?

 Andrew Fidel

 *Rimmerman, Russ [EMAIL PROTECTED]* Sent by: 
 [EMAIL PROTECTED]

 08/09/2006 02:29 PM

 Please respond to
 ActiveDir@mail.activedir.org

   

 To

   

 ActiveDir@mail.activedir.org

 cc

   

 Subject

   

 [ActiveDir] Computer bootup speeds

   





 Is there any easy way to determine why it's taking so long for PCs in 
 our AD to boot up? It sits at applying settings for quite awhile, so 
 I'm thinking it may have something to do with GPOs, but most computers

 only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would

 take that long to apply though. Sometimes it literally sits at 
 applying settings for 4 or 5 minutes!
 I guess I could move a computer to an OU with no GPOs and see, but is 
 there any other ways?

 Thanks

 ~~
 This e-mail is confidential, may contain proprietary information of 
 Cameron and its operating Divisions and may be confidential or 
 privileged.

 This e-mail should be read, copied, disseminated and/or used only by 
 the addressee. If you have received this message in error please 
 delete it, together with any attachments, from your system.
 

RE: [ActiveDir] Computer bootup speeds

[Laura A. Robinson]

Misconfigured scopes.

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Rimmerman, Russ
 Sent: Wednesday, August 09, 2006 10:24 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Computer bootup speeds
 
 
 Here's a thought - 
 
 Our DHCP is assigning the DNS domain name (015) of our old 
 NT4 domain still, not the name of our new AD domain.  Would 
 that cause this?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Darren Mar-Elia
 Sent: Wednesday, August 09, 2006 5:29 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Computer bootup speeds
 
 Yes, good point Susan. NLA is used to let Windows know that a 
 network connection state has changed. So if you're using 
 Windows Firewall and have both domain and standard profiles, 
 by disabling NLA, you prevent that state change from 
 notifying the firewall that it may need to switch from one 
 profile to another.  
 
 See this article for reference:
 
 http://www.microsoft.com/technet/community/columns/cableguy/cg
 0504.mspx#
 EUC
 
 Darren
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Wednesday, August 09, 2006 2:58 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Computer bootup speeds
 
 I wouldn't disable that but put it on manual. We've found 
 that on rare occasion we've had to enable NLA to get the XP 
 sp2 firewall to consistently know that the machine was domain 
 joined and thus use the domain profile.
 
 Test first.
 
 Rimmerman, Russ wrote:
  Well I think we figured it out. If we disable the Network Location 
  Awareness (NLA) service, it cuts the time down by about 
 90%. I guess 
  we'll disable this service via a GPO, cuz it looks like we 
 don't need 
  it anyway.
 
  
 --
  --
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Condra, 
  Jerry W Mr HP
  *Sent:* Wednesday, August 09, 2006 2:42 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] Computer bootup speeds
 
  I'd also verify what server my machines are authenticating to using 
  Set L from a command prompt and making sure they are hitting the 
  correct ones. Sounds like the IP range may not be defined 
 in Sites and
 
  Services.
 
  
 --
  --
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of 
 *Krenceski, 
  William
  *Sent:* Wednesday, August 09, 2006 2:22 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] Computer bootup speeds
 
  I had this happen once and for the life of me could not 
 figure it out.
 
  It was happening to computers pointed to one router in 
 particular as 
  they're default gateway. It was one of 3 of our Gateway 
 routers so I 
  swapped DHCP settings to a different one and they all 
 started working 
  like they should.
 
  
 --
  --
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Kevin 
  Brunson
  *Sent:* Wednesday, August 09, 2006 2:57 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] Computer bootup speeds
 
  First thing I would check is the DNS settings on the 
 client. Are they 
  pointing at a valid DNS server, and is it responding?
 
  
 --
  --
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of 
 *Rimmerman, 
  Russ
  *Sent:* Wednesday, August 09, 2006 1:44 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] Computer bootup speeds
 
  No, just local.
 
  
 --
  --
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of 
  [EMAIL PROTECTED]
  *Sent:* Wednesday, August 09, 2006 1:37 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* Re: [ActiveDir] Computer bootup speeds
 
 
  Do you have roaming profiles?
 
  Andrew Fidel
 
  *Rimmerman, Russ [EMAIL PROTECTED]* Sent by: 
  [EMAIL PROTECTED]
 
  08/09/2006 02:29 PM
 
  Please respond to
  ActiveDir@mail.activedir.org
 
  
 
  To
 
  
 
  ActiveDir@mail.activedir.org
 
  cc
 
  
 
  Subject
 
  
 
  [ActiveDir] Computer bootup speeds
 
  
 
 
 
 
 
  Is there any easy way to determine why it's taking so long 
 for PCs in 
  our AD to boot up? It sits at applying settings for quite 
 awhile, so 
  I'm thinking it may have something to do with GPOs, but 
 most computers
 
  only have 2 or 3 GPOs applied to them. I wouldn't think the 
 GPOs would
 
  take that long to apply though. Sometimes it literally sits at 
  applying settings for 4 or 5 minutes!
  I guess I could move a computer to an OU with no GPOs and 
 see, but is 
  

Re: RE: [ActiveDir] Computer bootup speeds

[Darren Mar-Elia]

The DNS suffix of the active connection definitely plays a role in determining 
which Firewall profile is in use, if that's what you're referring to. 

Darren

-Original message-
From: Rimmerman, Russ [EMAIL PROTECTED]
Date: Wed,  9 Aug 2006 22:23:43 -0400
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

 
 Here's a thought - 
 
 Our DHCP is assigning the DNS domain name (015) of our old NT4 domain
 still, not the name of our new AD domain.  Would that cause this?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
 Sent: Wednesday, August 09, 2006 5:29 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Computer bootup speeds
 
 Yes, good point Susan. NLA is used to let Windows know that a network
 connection state has changed. So if you're using Windows Firewall and
 have
 both domain and standard profiles, by disabling NLA, you prevent that
 state
 change from notifying the firewall that it may need to switch from one
 profile to another.  
 
 See this article for reference:
 
 http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx#
 EUC
 
 Darren
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
 CPA
 aka Ebitz - SBS Rocks [MVP]
 Sent: Wednesday, August 09, 2006 2:58 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Computer bootup speeds
 
 I wouldn't disable that but put it on manual. We've found that on rare
 occasion we've had to enable NLA to get the XP sp2 firewall to
 consistently
 know that the machine was domain joined and thus use the domain profile.
 
 Test first.
 
 Rimmerman, Russ wrote:
  Well I think we figured it out. If we disable the Network Location 
  Awareness (NLA) service, it cuts the time down by about 90%. I guess 
  we'll disable this service via a GPO, cuz it looks like we don't need 
  it anyway.
 
  --
  --
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Condra, 
  Jerry W Mr HP
  *Sent:* Wednesday, August 09, 2006 2:42 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] Computer bootup speeds
 
  I'd also verify what server my machines are authenticating to using 
  Set L from a command prompt and making sure they are hitting the 
  correct ones. Sounds like the IP range may not be defined in Sites and
 
  Services.
 
  --
  --
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Krenceski, 
  William
  *Sent:* Wednesday, August 09, 2006 2:22 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] Computer bootup speeds
 
  I had this happen once and for the life of me could not figure it out.
 
  It was happening to computers pointed to one router in particular as 
  they're default gateway. It was one of 3 of our Gateway routers so I 
  swapped DHCP settings to a different one and they all started working 
  like they should.
 
  --
  --
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Kevin 
  Brunson
  *Sent:* Wednesday, August 09, 2006 2:57 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] Computer bootup speeds
 
  First thing I would check is the DNS settings on the client. Are they 
  pointing at a valid DNS server, and is it responding?
 
  --
  --
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Rimmerman, 
  Russ
  *Sent:* Wednesday, August 09, 2006 1:44 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] Computer bootup speeds
 
  No, just local.
 
  --
  --
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of 
  [EMAIL PROTECTED]
  *Sent:* Wednesday, August 09, 2006 1:37 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* Re: [ActiveDir] Computer bootup speeds
 
 
  Do you have roaming profiles?
 
  Andrew Fidel
 
  *Rimmerman, Russ [EMAIL PROTECTED]* Sent by: 
  [EMAIL PROTECTED]
 
  08/09/2006 02:29 PM
 
  Please respond to
  ActiveDir@mail.activedir.org
 
  
 
  To
 
  
 
  ActiveDir@mail.activedir.org
 
  cc
 
  
 
  Subject
 
  
 
  [ActiveDir] Computer bootup speeds
 
  
 
 
 
 
 
  Is there any easy way to determine why it's taking so long for PCs in 
  our AD to boot up? It sits at applying settings for quite awhile, so 
  I'm thinking it may have something to do with GPOs, but most computers
 
  only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would
 
  take that long to apply though. Sometimes it literally sits at 
  applying settings for 4 or 5 minutes!
  I guess I could move a computer to an OU with no 

Re: RE: [ActiveDir] Computer bootup speeds

[Darren Mar-Elia]

Probably for now-- just remember to turn it back on when you upgrade to Vista 
:-)

-Original message-
From: Rimmerman, Russ [EMAIL PROTECTED]
Date: Wed,  9 Aug 2006 22:18:23 -0400
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

 
 We aren't using Windows Firewall, we're using the firewall that comes
 with our desktop antivirus solution.  So I guess we're OK turning off
 NLA (via GPO)?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
 Sent: Wednesday, August 09, 2006 5:29 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Computer bootup speeds
 
 Yes, good point Susan. NLA is used to let Windows know that a network
 connection state has changed. So if you're using Windows Firewall and
 have
 both domain and standard profiles, by disabling NLA, you prevent that
 state
 change from notifying the firewall that it may need to switch from one
 profile to another.  
 
 See this article for reference:
 
 http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx#
 EUC
 
 Darren
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
 CPA
 aka Ebitz - SBS Rocks [MVP]
 Sent: Wednesday, August 09, 2006 2:58 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Computer bootup speeds
 
 I wouldn't disable that but put it on manual. We've found that on rare
 occasion we've had to enable NLA to get the XP sp2 firewall to
 consistently
 know that the machine was domain joined and thus use the domain profile.
 
 Test first.
 
 Rimmerman, Russ wrote:
  Well I think we figured it out. If we disable the Network Location 
  Awareness (NLA) service, it cuts the time down by about 90%. I guess 
  we'll disable this service via a GPO, cuz it looks like we don't need 
  it anyway.
 
  --
  --
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Condra, 
  Jerry W Mr HP
  *Sent:* Wednesday, August 09, 2006 2:42 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] Computer bootup speeds
 
  I'd also verify what server my machines are authenticating to using 
  Set L from a command prompt and making sure they are hitting the 
  correct ones. Sounds like the IP range may not be defined in Sites and
 
  Services.
 
  --
  --
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Krenceski, 
  William
  *Sent:* Wednesday, August 09, 2006 2:22 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] Computer bootup speeds
 
  I had this happen once and for the life of me could not figure it out.
 
  It was happening to computers pointed to one router in particular as 
  they're default gateway. It was one of 3 of our Gateway routers so I 
  swapped DHCP settings to a different one and they all started working 
  like they should.
 
  --
  --
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Kevin 
  Brunson
  *Sent:* Wednesday, August 09, 2006 2:57 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] Computer bootup speeds
 
  First thing I would check is the DNS settings on the client. Are they 
  pointing at a valid DNS server, and is it responding?
 
  --
  --
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Rimmerman, 
  Russ
  *Sent:* Wednesday, August 09, 2006 1:44 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] Computer bootup speeds
 
  No, just local.
 
  --
  --
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of 
  [EMAIL PROTECTED]
  *Sent:* Wednesday, August 09, 2006 1:37 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* Re: [ActiveDir] Computer bootup speeds
 
 
  Do you have roaming profiles?
 
  Andrew Fidel
 
  *Rimmerman, Russ [EMAIL PROTECTED]* Sent by: 
  [EMAIL PROTECTED]
 
  08/09/2006 02:29 PM
 
  Please respond to
  ActiveDir@mail.activedir.org
 
  
 
  To
 
  
 
  ActiveDir@mail.activedir.org
 
  cc
 
  
 
  Subject
 
  
 
  [ActiveDir] Computer bootup speeds
 
  
 
 
 
 
 
  Is there any easy way to determine why it's taking so long for PCs in 
  our AD to boot up? It sits at applying settings for quite awhile, so 
  I'm thinking it may have something to do with GPOs, but most computers
 
  only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would
 
  take that long to apply though. Sometimes it literally sits at 
  applying settings for 4 or 5 minutes!
  I guess I could move a computer to an OU with no GPOs and see, but is 
  there any other ways?
 
  Thanks