Re: [ActiveDir] UPPER case for username
I've not tested this (just hashed it up as I read your post, so there's probably going to be some syntax errors, etc. -- please test first). But here's a quick and dirty VBScript that should change all uppercase accounts to lowercase.

set oConn = createObject("ADODB.Connection")
set oComm = createObject("ADODB.Command")

' configure provider and define command
oConn.provider = "ADsDSOObject"
oConn.open "Active Directory Provider"
oComm.activeConnection = oConn

' build query (bind to RootDSE to find the domain's default naming context)
set oRootDse = getObject("LDAP://RootDSE")
sADsPath = "<LDAP://" & oRootDse.get("defaultNamingContext") & ">;"
sFilter = "(&(objectCategory=person)(objectClass=user));"
sAttrs = "ADsPath,sAMAccountName;"
sScope = "SubTree"
sQuery = sADsPath & sFilter & sAttrs & sScope

' configure command properties
oComm.commandText = sQuery
oComm.properties("Page Size") = 128
oComm.properties("Size Limit") = 10      ' caps the number of objects returned
oComm.properties("Cache Results") = false

' execute query
set oRs = oComm.execute

if (not oRs.eOF) then                    ' check to see if any results were returned
  oRs.moveFirst
  ' iterate result set
  while not oRs.eOF
    sAMAccountName = oRs.fields(1).value
    ' only touch accounts whose name is entirely upper case
    if (uCase(sAMAccountName) = sAMAccountName) then
      sAMAccountName = lCase(sAMAccountName)
      set oUser = getObject(oRs.fields(0).value)
      oUser.put "sAMAccountName", sAMAccountName
      oUser.setInfo
    end if
    oRs.moveNext
  wend
else
  ' empty record set (no results returned)
end if

--Paul

----- Original Message -----
From: Irwan Hadi [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 09, 2006 2:14 AM
Subject: [ActiveDir] UPPER case for username

We are in the process of bringing in a couple hundred users from a Novell Groupwise system to our AD 2003 + Exchange 2003 system. Our AD is in Windows 2003 Native mode for forest and domain. Because of the need to integrate Groupwise and Exchange, we need to use Microsoft Exchange Connector for Groupwise (and Quest Migration Wizard).

The problem is, the administrator of the Novell Groupwise has set their standard username to be in UPPER CASE, eg: JDOE, instead of lower case eg: jdoe, and Exchange Connector for Groupwise will create the username with the same case it is now in Groupwise. This means in our AD domain, we will have a couple hundred users who use UPPER CASE for their username.

Now the questions are:
- Will this cause any problem with any Microsoft product in the future (eg: Sharepoint).
- Is there a way to change the username in CAPS to be in lower letter, once Exchange connector for Groupwise creates the user?

Thanks

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] FMSO roles split, patch question.
06-040?? What is this?

john

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 08, 2006 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FMSO roles split, patch question.

The main thing is to test and approve 06-040 and get that one on the fast track IMHO.

Deji Akomolafe wrote:

It doesn't matter.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: John Strongosky
Sent: Tue 8/8/2006 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FMSO roles split, patch question.

We have our FMSO roles split between 2 dc's. They are Schema Master/Domain Tree Operator on 1 and on 2, the roles PDC Emulator/Rid Pool/Intrastate on the other.
After I apply the patches from Microsoft what is the best practices for the boot order...or does it matter?

1. Remote DC/GC's first
2. no. 1
3. then no 2.

thanks

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] Weak AD passwords
Hi

Haven't used it, but one of my colleagues swears it's too good. :)
Try Rainbow Tables.

Cheers
Danny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 20 March 2006 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weak AD passwords

Can anyone recommend any tools to find which of our users have weak AD passwords? We used to use L0phtcrack back in the day, but it doesn't appear to be supported any longer? Other than enforcing complex passwords (which we do) and 8 character minimum, we'd like to figure out who uses things like "Password1" or something silly like that.

Thanks in advance

Email has been scanned for viruses by Altman Technologies' email management service

~~
This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~
Re: [ActiveDir] FMSO roles split, patch question.
Security bulletin 06-040.. out yesterday. Put it on a test priority folks.

http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

John Strongosky wrote:

06-040?? What is this?

john

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] Weak AD passwords
John the Ripper

McCann, Danny wrote:

Hi

Haven't used it, but one of my colleagues swears it's too good. :)
Try Rainbow Tables.

Cheers
Danny
Re: [ActiveDir] Weak AD passwords
http://www.elcomsoft.com/ppa.html

Password auditor

McCann, Danny wrote:

Hi

Haven't used it, but one of my colleagues swears it's too good. :)
Try Rainbow Tables.

Cheers
Danny
RE: [ActiveDir] Weak AD passwords
I took the time to generate the 64 GB tables with the full US-ASCII character set (I spread it out over a couple of dozen servers and it only took about a week) last year.

I ran it last week against one of my environments. It cracked 1,628 passwords out of 1,629 total accounts in 18 hours.

Not bad at all.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, August 09, 2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD passwords

Hi

Haven't used it, but one of my colleagues swears it's too good. :)
Try Rainbow Tables.

Cheers
Danny
RE: [ActiveDir] Weak AD passwords
And as lm configuration #6 from http://www.antsight.com/zsl/rainbowcrack/ shows it's trivial to crack ANY reasonable windows password with length 14 characters unless lmhashes are turned off! (lm hashes are not stored for passwords longer than 14 characters). Unfortunately if you have to support downlevel clients you can't turn off lmhash system wide, but it can be disabled on a per-account basis so any admin type accounts should probably have it turned off.

Andrew Fidel

McCann, Danny [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/09/2006 10:59 AM
Please respond to ActiveDir@mail.activedir.org
To ActiveDir@mail.activedir.org
cc
Subject RE: [ActiveDir] Weak AD passwords

Hi

Haven't used it, but one of my colleagues swears it's too good. :)
Try Rainbow Tables.

Cheers
Danny
RE: [ActiveDir] Weak AD passwords
"...but it can be disabled on a per-account basis so any admin type accounts should probably have it turned off."

how is this done please? I know how it can be done at the domain level, but not per user.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 09 August 2006 16:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD passwords

And as lm configuration #6 from http://www.antsight.com/zsl/rainbowcrack/ shows it's trivial to crack ANY reasonable windows password with length 14 characters unless lmhashes are turned off! (lm hashes are not stored for passwords longer than 14 characters). Unfortunately if you have to support downlevel clients you can't turn off lmhash system wide, but it can be disabled on a per-account basis so any admin type accounts should probably have it turned off.

Andrew Fidel

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] Weak AD passwords
With the assistance, support and ratification from your IT Security department, of course :)

Do you use complex passwords in the below scenario?

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: 09 August 2006 16:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD passwords

I took the time to generate the 64 GB tables with the full US-ASCII character set (I spread it out over a couple of dozen servers and it only took about a week) last year.

I ran it last week against one of my environments. It cracked 1,628 passwords out of 1,629 total accounts in 18 hours.

Not bad at all.
Re: [ActiveDir] Weak AD passwords
L0phtcrack was purchased by Symantec and is now sold as an enterprise security product. It's called LC5, I believe, but has recently been discontinued (after Symantec stopped selling it to people outside of North America) and support runs out at the end of the year.

Which is a real pain as I've recently recommended it and now need to revise my recommendations!

--Paul

----- Original Message -----
From: McCann, Danny
To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 09, 2006 3:59 PM
Subject: RE: [ActiveDir] Weak AD passwords

Hi

Haven't used it, but one of my colleagues swears it's too good. :)
Try Rainbow Tables.

Cheers
Danny
RE: [ActiveDir] Weak AD passwords
Uh, I am the IT security department for a number of my clients.

Yes, complex passwords were used. Here are a few it cracked, just as samples:

F0ur.Sc0r3
grVnBEqRo*2Yb
@[EMAIL PROTECTED]@cK

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 09, 2006 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD passwords

With the assistance, support and ratification from your IT Security department, of course :)

Do you use complex passwords in the below scenario?

neil
RE: [ActiveDir] Weak AD passwords
It seems that Cain & Abel development has picked up greatly since LC5 was discontinued and seems to offer all the features of LC5 and more.

Check out the list of network security tools that the creator of NMAP has developed. Cain & Abel is #9.

http://sectools.org/

And here's the direct link to Cain & Abel.

http://www.oxid.it/index.html

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, August 09, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Weak AD passwords

L0phtcrack was purchased by Symantec and is now sold as an enterprise security product. It's called LC5, I believe, but has recently been discontinued (after Symantec stopped selling it to people outside of North America) and support runs out at the end of the year.

Which is a real pain as I've recently recommended it and now need to revise my recommendations!

--Paul
RE: [ActiveDir] Weak AD passwords
I think you might mean the storing of LM hashes for compatibility with extremely old operating systems. When using LM Hash your password at most will consist of 14 characters, while that's a good length, the worst part is it is broken up into two 7 character strings. (At least if I remember this all correctly, I learned about this quite awhile ago) So really, when brute forcing a password that is LM hash compatible, all the password cracking utility needs to do is crack the password twice. Once for the first 7 characters, and again for the second 7 characters. If you've watched the speed which with a good password cracking utility can chew through 7 character strings then it shouldn't be surprising that it can crack even complex passwords this way.

http://support.microsoft.com/kb/299656/

If you remove the storage of the LM Hash of your passwords, then the cracking utility will have to crack all 14+ characters in your password at once, making it infinitely more difficult to brute force.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, August 09, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD passwords

Uh, I am the IT security department for a number of my clients.

Yes, complex passwords were used. Here are a few it cracked, just as samples:

F0ur.Sc0r3
grVnBEqRo*2Yb
@[EMAIL PROTECTED]@cK
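The halving described in the message above, worked through as an added example (not part of the original thread): it shows the two 7-byte blocks LM derives from a password and compares the worst-case search space with and without a stored LM hash. It assumes ASCII passwords and a 95-character printable alphabet; all function names are illustrative.

```python
import math

# Assumption for this sketch: passwords are plain ASCII. Real LM uses the
# system OEM code page; the upper-casing and halving shown here are the same.
LM_MAX_LEN = 14      # LM covers at most 14 characters
LM_HALF_LEN = 7      # ...hashed as two independent 7-byte blocks

PRINTABLE = [chr(c) for c in range(0x20, 0x7F)]          # 95 characters
LM_ALPHABET = sorted({c.upper() for c in PRINTABLE})     # 69 after upper-casing


def lm_is_stored(password, no_lm_hash=False):
    """True if an LM hash would be kept for this password.

    no_lm_hash models the "do not store LM hash" setting from KB 299656;
    passwords longer than 14 characters never get one, as the thread notes.
    """
    return not no_lm_hash and len(password) <= LM_MAX_LEN


def lm_halves(password):
    """Return the two 7-byte blocks that LM hashes separately."""
    if len(password) > LM_MAX_LEN:
        raise ValueError("no LM hash exists for passwords over 14 characters")
    padded = password.upper().encode("ascii").ljust(LM_MAX_LEN, b"\x00")
    return padded[:LM_HALF_LEN], padded[LM_HALF_LEN:]


def lm_search_bits():
    """log2 of the worst-case guesses against an LM hash: two separate
    searches over 1..7 characters drawn from the 69-character alphabet."""
    per_half = sum(len(LM_ALPHABET) ** n for n in range(1, LM_HALF_LEN + 1))
    return math.log2(2 * per_half)


def full_search_bits(length):
    """log2 of the guesses when all `length` characters (95 printable,
    case-sensitive) must be found at once, i.e. with no LM hash stored."""
    return length * math.log2(len(PRINTABLE))


def audit(passwords, no_lm_hash=False):
    """Report, per password, whether LM halving applies and the resulting
    worst-case search space in bits."""
    report = []
    for pw in passwords:
        stored = lm_is_stored(pw, no_lm_hash)
        report.append({
            "length": len(pw),
            "lm_stored": stored,
            "halves": lm_halves(pw) if stored else None,
            "bits": round(lm_search_bits() if stored
                          else full_search_bits(len(pw)), 1),
        })
    return report


if __name__ == "__main__":
    # Constructed sample: "Password1" is the weak example named in the thread;
    # the second value is a made-up 15-character password.
    for row in audit(["Password1", "Correct-Horse15"]):
        print(row)
```

Any password of 14 characters or fewer lands on the same LM figure regardless of its complexity, which is why complexity rules alone did not help in the results reported earlier in the thread.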
RE: [ActiveDir] Weak AD passwords
By using a high ASCII character from table 1 in http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/03osinstl.mspx Andrew Fidel [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 08/09/2006 11:52 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Weak AD passwords ...but it can be disabled on a per-account basis so any admin type accounts should probably have it turned off. how is this done please? I know how it can be done at the domain level, but not per user. neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 09 August 2006 16:33 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Weak AD passwords And as lm configuration #6 from http://www.antsight.com/zsl/rainbowcrack/ shows it's trivial to crack ANY reasonable windows password with length 14 characters unless lmhashes are turned off! (lm hashes are not stored for passwords longer than 14 characters). Unfortunately if you have to support downlevel clients you can't turn off lmhash system wide, but it can be disabled on a per-account basis so any admin type accounts should probably have it turned off. Andrew Fidel McCann, Danny [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 08/09/2006 10:59 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Weak AD passwords Hi Haven't used it, but one of my colleagues swears it's too good. :) Try Rainbow Tables. Cheers Danny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 20 March 2006 21:38 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Weak AD passwords Can anyone recommend any tools to find which of our users have weak AD passwords? We used to use L0phtcrack back in the day, but it doesn't appear to be supported any longer? Other than enforcing complex passwords (which we do) and 8 character minimum, we'd like to figure out who uses things like Password1 or something silly like that. Thanks in advance
Re: [ActiveDir] Weak AD passwords
In an all borg network (XP,2k3 even 2k) disabling LMhash breaks nothing. For those with mixed networks.. test... you may have devices, OS that need lmhash (NT,98). Kill them off as soon as you can as it's weakening the security posture of your network.. and even the guy who has THE blog on defending security infrastructures or whatevers would agree with me on that one. ..and remember this takes effect on the 'next' change of the passwords. Running a password cracking sniffing the inside of your network...you'll be seeing how fast you can get this shut off. WATSON, BEN wrote: I think you might mean the storing of LM hashes for compatibility with extremely old operating systems. When using LM Hash your password at most will consist of 14 characters, while that’s a good length, the worst part is it is broken up into two 7 character strings. (At least if I remember this all correctly, I learned about this quite awhile ago) So really, when brute forcing a password that is LM hash compatible, all the password cracking utility needs to do is crack the password twice. Once for the first 7 characters, and again for the second 7 characters. If you’ve watched the speed which with a good password cracking utility can chew through 7 character strings then it shouldn’t be surprising that it can crack even complex passwords this way. http://support.microsoft.com/kb/299656/ If you remove the storage of the LM Hash of your passwords, then the cracking utility will have to crack all 14+ characters in your password at once, making it infinitely more difficult to brute force. ~Ben *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Michael B. Smith *Sent:* Wednesday, August 09, 2006 9:22 AM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] Weak AD passwords Uh, I am the IT security department for a number of my clients. Yes, complex passwords were used. Here are a few it cracked, just as samples: F0ur.Sc0r3 grVnBEqRo*2Yb @[EMAIL PROTECTED]@cK *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of [EMAIL PROTECTED] *Sent:* Wednesday, August 09, 2006 11:54 AM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] Weak AD passwords With the assistance, support and ratification from your IT Security department, of course :) Do you use complex passwords in the below scenario? neil *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Michael B. Smith *Sent:* 09 August 2006 16:25 *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] Weak AD passwords I took the time to generate the 64 GB tables with the full US-ASCII character set (I spread it out over a couple of dozen servers and it only took about a week) last year. I ran it last week against one of my environments. It cracked 1,628 passwords out of 1,629 total accounts in 18 hours. Not bad at all. *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *McCann, Danny *Sent:* Wednesday, August 09, 2006 11:00 AM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] Weak AD passwords Hi Haven't used it, but one of my colleagues swears it's too good. :) Try Rainbow Tables. Cheers Danny -Original Message- *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Rimmerman, Russ *Sent:* 20 March 2006 21:38 *To:* ActiveDir@mail.activedir.org *Subject:* [ActiveDir] Weak AD passwords Can anyone recommend any tools to find which of our users have weak AD passwords? We used to use L0phtcrack back in the day, but it doesn't appear to be supported any longer? Other than enforcing complex passwords (which we do) and 8 character minimum, we'd like to figure out who uses things like Password1 or something silly like that. Thanks in advance
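The LM properties stated in the thread above (no LM hash stored for passwords longer than 14 characters, two independently hashed 7-character halves) are enough to audit a hash export for exposure without cracking anything. This is an added example, not part of the original messages; the pwdump-style layout, the constructed hash values and the function names are assumptions.

```python
"""Classify accounts in a pwdump-style export by LM hash exposure."""
from collections import defaultdict

# LM hash of an empty 7-character half. A stored LM hash whose second half is
# this value belongs to a password of 7 characters or fewer.
EMPTY_LM_HALF = "aad3b435b51404ee"
PRINTABLE = 95                # printable US-ASCII characters
LM_CHARSET = PRINTABLE - 26   # LM uppercases the password, so a-z never occur

# Constructed sample, layout user:RID:LM:NT::: (every hash value is made up).
# dave's LM field is a non-hex placeholder of the kind an export tool may
# write when no LM hash is stored (assumption about the export format).
SAMPLE = """\
alice:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1106:1122334455667788aad3b435b51404ee:123456789abcdef0123456789abcdef0:::
carol:1107:11223344556677889900aabbccddeeff:23456789abcdef0123456789abcdef01:::
dave:1108:NO PASSWORD*********************:3456789abcdef0123456789abcdef012:::
"""


def classify(lm_field):
    """Return 'none', 'short' (<= 7 chars) or 'full' (8-14 chars)."""
    lm = lm_field.strip().lower()
    if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
        return "none"                      # placeholder text, no LM hash
    first, second = lm[:16], lm[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        return "none"                      # LM hash of the empty string
    if second == EMPTY_LM_HALF:
        return "short"
    return "full"


def audit(dump_text):
    """Return ({user: state}, groups of users sharing a non-empty LM half).

    LM is unsalted, so two accounts with an identical half have the same
    seven characters in that position.
    """
    findings = {}
    half_owners = defaultdict(set)
    for line in dump_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue                       # not a user:RID:LM:NT record
        user, lm_field = parts[0], parts[2]
        state = classify(lm_field)
        findings[user] = state
        if state == "none":
            continue
        lm = lm_field.strip().lower()
        for half in (lm[:16], lm[16:]):
            if half != EMPTY_LM_HALF:
                half_owners[half].add(user)
    shared = sorted(sorted(u) for u in half_owners.values() if len(u) > 1)
    return findings, shared


def guess_counts(length):
    """Worst-case guesses for a `length`-character password (1..14):
    via the two LM halves versus against the whole case-sensitive string."""
    if not 1 <= length <= 14:
        raise ValueError("LM only covers passwords of 1 to 14 characters")
    first, second = min(length, 7), max(length - 7, 0)
    via_lm = LM_CHARSET ** first + (LM_CHARSET ** second if second else 0)
    whole = PRINTABLE ** length
    return via_lm, whole


if __name__ == "__main__":
    states, shared_groups = audit(SAMPLE)
    for user, state in states.items():
        print(f"{user:8} LM exposure: {state}")
    print("accounts sharing an LM half:", shared_groups)
    via_lm, whole = guess_counts(14)
    print(f"14 chars: {via_lm:.3e} guesses via LM vs {whole:.3e} without")
```

Accounts reported as `short` or `full` still have an LM hash on record and need a password change after LM storage is disabled, since the setting only applies at the next change.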
[ActiveDir] Computer bootup speeds
Is there any easy way to determine why it's taking so long for PCs in our AD to boot up? It sits at applying settings for quite awhile, so I'm thinking it may have something to do with GPOs, but most computers only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would take that long to apply though. Sometimes it literally sits at applying settings for 4 or 5 minutes! I guess I could move a computer to an OU with no GPOs and see, but is there any other ways? Thanks
Re: [ActiveDir] Computer bootup speeds
Do you have roaming profiles? Andrew Fidel Rimmerman, Russ [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 08/09/2006 02:29 PM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject [ActiveDir] Computer bootup speeds Is there any easy way to determine why it's taking so long for PCs in our AD to boot up? It sits at applying settings for quite awhile, so I'm thinking it may have something to do with GPOs, but most computers only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would take that long to apply though. Sometimes it literally sits at applying settings for 4 or 5 minutes! I guess I could move a computer to an OU with no GPOs and see, but is there any other ways? Thanks
RE: [ActiveDir] Computer bootup speeds
No, just local. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, August 09, 2006 1:37 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer bootup speeds Do you have roaming profiles? Andrew Fidel "Rimmerman, Russ" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 08/09/2006 02:29 PM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject [ActiveDir] Computer bootup speeds Is there any easy way to determine why it's taking so long for PCs in our AD to boot up? It sits at applying settings for quite awhile, so I'm thinking it may have something to do with GPOs, but most computers only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would take that long to apply though. Sometimes it literally sits at applying settings for 4 or 5 minutes! I guess I could move a computer to an OU with no GPOs and see, but is there any other ways? Thanks
[ActiveDir] LDAP Logon Name
We have a HP printer/scanner that we want to set up for emailing scanned documents. Management wants to ensure only domain users with email addresses can do this. There is an option for setting up LDAP gateway, where you can set user name password up. It's asking for LDAP logonname. I have tried my user name and account name, but it didn't work. I looked it up in ADSIedit, but I couldn't find it. Can this perhaps be done on the Exchange side (there is also a setting for SMTP gateway)? TIA Alex
RE: [ActiveDir] Computer bootup speeds
Most times consulting when I see slow login times it's due to DNS misconfiguration issues. Are your computers pointing to your internal DNS servers or an external DNS? If they point to an external it will take about 5 min before it times out and looks inside. Matt -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, August 09, 2006 2:29 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Computer bootup speeds Is there any easy way to determine why it's taking so long for PCs in our AD to boot up? It sits at applying settings for quite awhile, so I'm thinking it may have something to do with GPOs, but most computers only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would take that long to apply though. Sometimes it literally sits at applying settings for 4 or 5 minutes! I guess I could move a computer to an OU with no GPOs and see, but is there any other ways? Thanks
RE: [ActiveDir] Computer bootup speeds
First thing I would check is the DNS settings on the client. Are they pointing at a valid DNS server, and is it responding? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, August 09, 2006 1:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer bootup speeds No, just local. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, August 09, 2006 1:37 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer bootup speeds Do you have roaming profiles? Andrew Fidel Rimmerman, Russ [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 08/09/2006 02:29 PM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject [ActiveDir] Computer bootup speeds Is there any easy way to determine why it's taking so long for PCs in our AD to boot up? It sits at applying settings for quite awhile, so I'm thinking it may have something to do with GPOs, but most computers only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would take that long to apply though. Sometimes it literally sits at applying settings for 4 or 5 minutes! I guess I could move a computer to an OU with no GPOs and see, but is there any other ways? Thanks
Re: [ActiveDir] LDAP Logon Name
Alex Alborzfard wrote: We have a HP printer/scanner that we want to set up for emailing scanned documents. Management wants to ensure only domain users with email addresses can do this. There is an option for setting up LDAP gateway, where you can set user name password up. It’s asking for LDAP logonname. I have tried my user name and account name, but it didn’t work. I looked it up in ADSIedit, but I couldn’t find it. I think that simplest way would be to refer to product documentation but I would try to use DN, or CN (in CN=... format) of this user. -- Tomasz Onyszko http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] Computer bootup speeds
I had this happen once and for the life of me could not figure it out. It was happening to computers pointed to one router in particular as their default gateway. It was one of 3 of our Gateway routers so I swapped DHCP settings to a different one and they all started working like they should. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson Sent: Wednesday, August 09, 2006 2:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer bootup speeds First thing I would check is the DNS settings on the client. Are they pointing at a valid DNS server, and is it responding? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, August 09, 2006 1:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer bootup speeds No, just local. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, August 09, 2006 1:37 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer bootup speeds Do you have roaming profiles? Andrew Fidel "Rimmerman, Russ" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 08/09/2006 02:29 PM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject [ActiveDir] Computer bootup speeds Is there any easy way to determine why it's taking so long for PCs in our AD to boot up? It sits at applying settings for quite awhile, so I'm thinking it may have something to do with GPOs, but most computers only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would take that long to apply though. Sometimes it literally sits at applying settings for 4 or 5 minutes! I guess I could move a computer to an OU with no GPOs and see, but is there any other ways? Thanks
[ActiveDir]
Hey All - How do you disable an AD account and deny mail delivery. There are some users that are disabled but when i send an email to their smtp address i don't get a sys admin error, it appears to send it to the respective store. how do you all disable an AD account, not remove, and prevent it from receiving mail ? -- HBooGz:\
RE: [ActiveDir] Computer bootup speeds
I'd also verify what server my machines are authenticating to using Set L from a command prompt and making sure they are hitting the correct ones. Sounds like the IP range may not be defined in Sites and Services. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William Sent: Wednesday, August 09, 2006 2:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer bootup speeds I had this happen once and for the life of me could not figure it out. It was happening to computers pointed to one router in particular as their default gateway. It was one of 3 of our Gateway routers so I swapped DHCP settings to a different one and they all started working like they should. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson Sent: Wednesday, August 09, 2006 2:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer bootup speeds First thing I would check is the DNS settings on the client. Are they pointing at a valid DNS server, and is it responding? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, August 09, 2006 1:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer bootup speeds No, just local. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, August 09, 2006 1:37 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer bootup speeds Do you have roaming profiles? Andrew Fidel Rimmerman, Russ [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 08/09/2006 02:29 PM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject [ActiveDir] Computer bootup speeds Is there any easy way to determine why it's taking so long for PCs in our AD to boot up? It sits at applying settings for quite awhile, so I'm thinking it may have something to do with GPOs, but most computers only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would take that long to apply though. Sometimes it literally sits at applying settings for 4 or 5 minutes! I guess I could move a computer to an OU with no GPOs and see, but is there any other ways? Thanks
RE: [ActiveDir]
Remove their external smtp address and then set the send to permissions in the account to just me. Then disable the account. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz Sent: Wednesday, August 09, 2006 3:35 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Hey All - How do you disable an AD account and deny mail delivery. There are some users that are disabled but when i send an email to their smtp address i don't get a sys admin error, it appears to send it to the respective store. how do you all disable an AD account,not remove, and prevent it from receiving mail ? -- HBooGz:\
RE: [ActiveDir]
To be more accurate….change their smtp address to a bunch of gibberish. From: Kennedy, Jim Sent: Wednesday, August 09, 2006 3:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove their external smtp address and then set the send to permissions in the account to just me. Then disable the account. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz Sent: Wednesday, August 09, 2006 3:35 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Hey All - How do you disable an AD account and deny mail delivery. There are some users that are disabled but when i send an email to their smtp address i don't get a sys admin error, it appears to send it to the respective store. how do you all disable an AD account,not remove, and prevent it from receiving mail ? -- HBooGz:\
RE: [ActiveDir]
There are several ways you could do it, but the easiest is probably on the Exchange General tab in ADUC Delivery Restrictions Message Restrictions -- click "Only from:" and don't add any addresses. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz Sent: Wednesday, August 09, 2006 1:35 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Hey All - How do you disable an AD account and deny mail delivery. There are some users that are disabled but when i send an email to their smtp address i don't get a sys admin error, it appears to send it to the respective store. how do you all disable an AD account, not remove, and prevent it from receiving mail ? -- HBooGz:\
Re: [ActiveDir]
i came across this: http://msexchangeteam.com/archive/2006/03/22/422799.aspx which points me to a hotfix. otherwise, when i enable 'associate external account' instead of a user getting an NDR about delivery refused the message is sent and delivered to the local store without an NDR. How can i still generate an NDR and prevent mail from even being delivered, would this make sense ?

In order to disable the accounts, prevent mailflow, and stop the error messages I would recommend doing the following.

1) Create a mailbox store to hold deleted mailboxes
2) Set the deleted mailbox retention time to the appropriate amount of time you want to keep a disabled user's mailbox
3) Disable the account
4) Move the mailbox to the Deleted mailbox store
5) Remove the mailbox from the user

At this point email sent to the end user will receive an NDR saying the user does not exist. But the Mailbox will exist, and can be reconnected to the user until the end of the deleted mailbox retention time.

On 8/9/06, Derek Harris [EMAIL PROTECTED] wrote: There are several ways you could do it, but the easiest is probably on the Exchange General tab in ADUC Delivery Restrictions Message Restrictions -- click Only from: and don't add any addresses. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz Sent: Wednesday, August 09, 2006 1:35 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Hey All - How do you disable an AD account and deny mail delivery. There are some users that are disabled but when i send an email to their smtp address i don't get a sys admin error, it appears to send it to the respective store. how do you all disable an AD account, not remove, and prevent it from receiving mail ? -- HBooGz:\ -- HBooGz:\
[ActiveDir] re: Computer bootup speeds
I've seen something similar in the past due to network issues. Specifically Spanning Tree Protocol and/or link speed autosense on both the computer NIC and the switch port it is connected to. Scott Klassen
RE: [ActiveDir]
Actually, you want to select them all and choose "Remove Exchange Attributes" from the "Exchange Tasks" menu Sincerely, Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Kennedy, Jim Sent: Wed 8/9/2006 12:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] To be more accurate….change their smtp address to a bunch of gibberish. From: Kennedy, Jim Sent: Wednesday, August 09, 2006 3:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove their external smtp address and then set the send to permissions in the account to just me. Then disable the account. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz Sent: Wednesday, August 09, 2006 3:35 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Hey All - How do you disable an AD account and deny mail delivery. There are some users that are disabled but when i send an email to their smtp address i don't get a sys admin error, it appears to send it to the respective store. how do you all disable an AD account, not remove, and prevent it from receiving mail ? -- HBooGz:\
[ActiveDir] machine GP load
I have a few machines that will not load the machine GP. I'm pretty sure that it's an issue with the workstations but just to cover butt, is there anything on the GP or AD that would prevent the GP from loading? Antonio
RE: [ActiveDir] machine GP load
If by "loading", you mean applying the settings, yes, there are things in AD/GP that would affect workstation application of policies, including ACLs on the policies, OU structures, use of blocking and application of loopback processing. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda Sent: Wednesday, August 09, 2006 4:53 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] machine GP load I have a few machines that will not load the machine GP. I'm pretty sure that it's an issue with the workstations but just to cover butt, is there anything on the GP or AD that would prevent the GP from loading? Antonio
RE: [ActiveDir] machine GP load
Several things might prevent that, including security filters that are denying access to the GPO from the machines, network timing issues (esp. if it's only machine GPOs that are causing the problem). I would use GPMC to run a GP Results Wizard against the machine and just verify that the GPOs are not denied for some reason that you can control. If the component status shows that GP Infrastructure processing Failed, then it's probably something other than the obvious and we can go from there.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.
RE: [ActiveDir] Computer bootup speeds
Be careful using set L. That command echoes an environmental variable that is set at boot and doesn't change after that. It should suffice in this situation. A much better way to determine which DC a computer is currently authenticating against is nltest.exe.

nltest /sc_query:domain_name

You can even run this command against remote machines using nltest /sc_query:domain_name /server:computer_name. Unfortunately, even the /sc_query option has its drawbacks; it only echoes the last DC that the target computer authenticated against.

-Andrew

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Wednesday, August 09, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

I'd also verify what server my machines are authenticating to using Set L from a command prompt and making sure they are hitting the correct ones. Sounds like the IP range may not be defined in Sites and Services.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William
Sent: Wednesday, August 09, 2006 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

I had this happen once and for the life of me could not figure it out. It was happening to computers pointed to one router in particular as their default gateway. It was one of 3 of our Gateway routers so I swapped DHCP settings to a different one and they all started working like they should.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Wednesday, August 09, 2006 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

First thing I would check is the DNS settings on the client. Are they pointing at a valid DNS server, and is it responding?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

No, just local.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 09, 2006 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer bootup speeds

Do you have roaming profiles?

Andrew Fidel

Rimmerman, Russ [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/09/2006 02:29 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Computer bootup speeds

Is there any easy way to determine why it's taking so long for PCs in our AD to boot up? It sits at applying settings for quite awhile, so I'm thinking it may have something to do with GPOs, but most computers only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would take that long to apply though. Sometimes it literally sits at applying settings for 4 or 5 minutes! I guess I could move a computer to an OU with no GPOs and see, but are there any other ways?

Thanks

~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] re: Computer bootup speeds
There's a lot of reasons for slow boot up, as folks have indicated. Enabling userenv logging and observing the time stamps will give you a clue as to whether it's related to user profiles or group policy. Also, as per the network issues, check out http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen
Sent: Wednesday, August 09, 2006 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] re: Computer bootup speeds

I've seen something similar in the past due to network issues. Specifically Spanning Tree Protocol and/or link speed autosense on both the computer NIC and the switch port it is connected to.

Scott Klassen
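An added example, not part of the original message: one way to read the userenv log time stamps mentioned above is to list the longest pauses per thread and label the step that was running. It assumes the line layout `USERENV(pid.tid) HH:MM:SS:mmm Function: message`; the sample lines, the function names `parse_log`, `classify` and `find_stalls`, and the keyword labels are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import timedelta

# Assumed userenv.log layout: USERENV(pid.tid) HH:MM:SS:mmm Function: message
LINE_RE = re.compile(
    r"^USERENV\((?P<thread>[0-9a-fA-F]+\.[0-9a-fA-F]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+"
    r"(?P<func>\w+):\s*(?P<msg>.*)$"
)

# Constructed sample lines (not captured from a real machine).
SAMPLE_LOG = """\
USERENV(2a4.2a8) 23:58:10:250 ProcessGPOs: Starting computer Group Policy (Foreground) processing...
USERENV(2a4.2a8) 23:58:10:281 PingComputer: Fast link.  Exiting.
USERENV(2a4.2a8) 23:58:10:296 GetGPOInfo: Entering...
this line is truncated and must be skipped
USERENV(2a4.2a8) 00:02:25:796 GetGPOInfo: Leaving with 1
USERENV(2a4.2a8) 00:02:26:015 ProcessGPOs: Computer Group Policy has been applied.
USERENV(3c0.3c4) 00:02:40:015 LoadUserProfile: Entering, hToken = <0x1f4>
USERENV(3c0.3c4) 00:02:47:515 LoadUserProfile: Leaving with a value of 1.
"""


def parse_log(text):
    """Return (thread, time-of-day, function) for every well-formed line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # skip wrapped, truncated or foreign lines
        tod = timedelta(hours=int(m["h"]), minutes=int(m["m"]),
                        seconds=int(m["s"]), milliseconds=int(m["ms"]))
        entries.append((m["thread"], tod, m["func"]))
    return entries


def classify(func):
    """Keyword heuristic (an assumption) for profile vs. Group Policy work."""
    name = func.lower()
    if "profile" in name:
        return "user profile"
    if "gpo" in name or "policy" in name:
        return "group policy"
    return "other"


def find_stalls(text, threshold_s=5.0):
    """List pauses >= threshold_s between consecutive lines of one thread.

    Grouping by thread keeps idle time between unrelated activities
    (boot policy finishing, then a user logging on) out of the result.
    """
    by_thread = defaultdict(list)
    for thread, tod, func in parse_log(text):
        by_thread[thread].append((tod, func))

    stalls = []
    for thread, rows in by_thread.items():
        for (t0, f0), (t1, f1) in zip(rows, rows[1:]):
            delta = t1 - t0
            if delta < timedelta(0):
                # The log carries no date, so a smaller time means midnight passed.
                delta += timedelta(days=1)
            secs = delta.total_seconds()
            if secs >= threshold_s:
                # f0 is the step that was running while the clock advanced.
                stalls.append((secs, thread, f0, f1, classify(f0)))
    return sorted(stalls, reverse=True)


if __name__ == "__main__":
    for secs, thread, before, after, kind in find_stalls(SAMPLE_LOG):
        print(f"{secs:8.1f}s  thread {thread}  {before} -> {after}  [{kind}]")
```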
RE: [ActiveDir] machine GP load
Have you performed the usual gpresult, modelling, etc? Anything in the event logs? Is this a new policy or new machines (to the domain), or both in fact?

Cheers
Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com
RE: [ActiveDir] Computer bootup speeds
Well I think we figured it out. If we disable the "Network Location Awareness (NLA)" service, it cuts the time down by about 90%. I guess we'll disable this service via a GPO, cuz it looks like we don't need it anyway.
RE: [ActiveDir] Computer bootup speeds
This is all good... Using the right logonserver, DNS is responding well. It's the darn Network Awareness service causing it. We aren't using ICS or Windows Firewall so I suppose we can disable it safely.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Cace
Sent: Wednesday, August 09, 2006 4:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

Be careful using set L. That command echoes an environmental variable that is set at boot and doesn't change after that. It should suffice in this situation. A much better way to determine which DC a computer is currently authenticating against is nltest.exe.

nltest /sc_query:domain_name

You can even run this command against remote machines using nltest /sc_query:domain_name /server:computer_name. Unfortunately, even the /sc_query option has its drawbacks; it only echoes the last DC that the target computer authenticated against.

-Andrew
Re: [ActiveDir] Computer bootup speeds
I wouldn't disable that but put it on manual. We've found that on rare occasion we've had to enable NLA to get the XP sp2 firewall to consistently know that the machine was domain joined and thus use the domain profile. Test first.

Rimmerman, Russ wrote:
Well I think we figured it out. If we disable the Network Location Awareness (NLA) service, it cuts the time down by about 90%. I guess we'll disable this service via a GPO, cuz it looks like we don't need it anyway.
RE: [ActiveDir] Computer bootup speeds
That's a new one on me. It's kind of ironic because in Vista, the NLA service replaces ICMP slow link detection for GP processing...

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

Well I think we figured it out. If we disable the "Network Location Awareness (NLA)" service, it cuts the time down by about 90%. I guess we'll disable this service via a GPO, cuz it looks like we don't need it anyway.
RE: [ActiveDir] Computer bootup speeds
Yes, good point Susan. NLA is used to let Windows know that a network connection state has changed. So if you're using Windows Firewall and have both domain and standard profiles, by disabling NLA, you prevent that state change from notifying the firewall that it may need to switch from one profile to another. See this article for reference: http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx#EUC

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, August 09, 2006 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer bootup speeds

I wouldn't disable that but put it on manual. We've found that on rare occasion we've had to enable NLA to get the XP sp2 firewall to consistently know that the machine was domain joined and thus use the domain profile. Test first.
RE: [ActiveDir] machine GP load
Does anyone have, or know of, a utility program that will provide a breakout of object counts in AD in each container, with a rollup so that each container shows all of the containers below it? Joe?

Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-5 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )
RE: [ActiveDir] machine GP load
No but a recursive program to do this would be an easy thing to write.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Wednesday, August 09, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] machine GP load

Does anyone have, or know of, a utility program that will provide a breakout of object counts in AD in each container, with a rollup so that each container shows all of the containers below it? Joe?

Thanks,
Jerry
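An added example, not part of the original messages and not an existing utility: a recursive rollup of the kind described above, run over a flat list of distinguishedName values that is assumed to have been exported from the directory beforehand. The function names `split_dn` and `container_counts` and the sample DNs are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export, one distinguishedName per object.
SAMPLE_DNS = [
    r"OU=Sales,DC=example,DC=com",
    r"OU=East,OU=Sales,DC=example,DC=com",
    r"CN=Doe\, Jane,OU=East,OU=Sales,DC=example,DC=com",  # escaped comma in RDN
    r"CN=jsmith,OU=East,OU=Sales,DC=example,DC=com",
    r"CN=WS001,OU=Sales,DC=example,DC=com",
    r"CN=Users,DC=example,DC=com",
    r"CN=Administrator,CN=Users,DC=example,DC=com",
    r"cn=administrator,cn=users,dc=example,dc=com",       # duplicate, other case
    r"cn=guest,cn=users,dc=example,dc=com",
    r"CN=stray,DC=other,DC=test",                         # outside the base
]


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def _key(dn):
    # DNs compare case-insensitively in AD, so normalise before counting.
    return tuple(rdn.lower() for rdn in split_dn(dn))


def container_counts(dns, base_dn):
    """Map each container DN (lower-cased) to (direct objects, rolled-up total)."""
    base = _key(base_dn)
    direct = defaultdict(int)    # container -> objects directly inside it
    children = defaultdict(set)  # container -> child containers
    seen = set()
    for dn in dns:
        node = _key(dn)
        if node in seen:
            continue  # same object listed twice
        seen.add(node)
        if len(node) <= len(base) or node[-len(base):] != base:
            continue  # the base itself, or an object outside it
        parent = node[1:]
        direct[parent] += 1
        # Link every ancestor container up to the base into the tree.
        while len(parent) > len(base):
            children[parent[1:]].add(parent)
            parent = parent[1:]

    result = {}

    def rollup(container):
        total = direct.get(container, 0)
        for child in children.get(container, ()):
            total += rollup(child)  # recurse into sub-containers
        result[",".join(container)] = (direct.get(container, 0), total)
        return total

    rollup(base)
    return result


if __name__ == "__main__":
    counts = container_counts(SAMPLE_DNS, "DC=example,DC=com")
    for dn, (own, total) in sorted(counts.items(), key=lambda kv: len(kv[0])):
        print(f"{total:5d} total  {own:5d} direct  {dn}")
```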
RE: [ActiveDir] Computer bootup speeds
We aren't using Windows Firewall, we're using the firewall that comes with our desktop antivirus solution. So I guess we're OK turning off NLA (via GPO)?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 09, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

Yes, good point Susan. NLA is used to let Windows know that a network connection state has changed. So if you're using Windows Firewall and have both domain and standard profiles, by disabling NLA, you prevent that state change from notifying the firewall that it may need to switch from one profile to another. See this article for reference: http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx#EUC

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, August 09, 2006 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer bootup speeds

I wouldn't disable that but put it on manual. We've found that on rare occasion we've had to enable NLA to get the XP sp2 firewall to consistently know that the machine was domain joined and thus use the domain profile. Test first.

Rimmerman, Russ wrote:

Well I think we figured it out. If we disable the Network Location Awareness (NLA) service, it cuts the time down by about 90%. I guess we'll disable this service via a GPO, cuz it looks like we don't need it anyway.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Condra, Jerry W Mr HP
Sent: Wednesday, August 09, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

I'd also verify what server my machines are authenticating to using Set L from a command prompt and making sure they are hitting the correct ones. Sounds like the IP range may not be defined in Sites and Services.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Krenceski, William
Sent: Wednesday, August 09, 2006 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

I had this happen once and for the life of me could not figure it out. It was happening to computers pointed to one router in particular as their default gateway. It was one of 3 of our Gateway routers so I swapped DHCP settings to a different one and they all started working like they should.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Brunson
Sent: Wednesday, August 09, 2006 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

First thing I would check is the DNS settings on the client. Are they pointing at a valid DNS server, and is it responding?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

No, just local.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 09, 2006 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer bootup speeds

Do you have roaming profiles?

Andrew Fidel

Rimmerman, Russ [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/09/2006 02:29 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Computer bootup speeds

Is there any easy way to determine why it's taking so long for PCs in our AD to boot up? It sits at applying settings for quite a while, so I'm thinking it may have something to do with GPOs, but most computers only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would take that long to apply though. Sometimes it literally sits at applying settings for 4 or 5 minutes! I guess I could move a computer to an OU with no GPOs and see, but are there any other ways?

Thanks
RE: [ActiveDir] Computer bootup speeds
Here's a thought - Our DHCP is assigning the DNS domain name (015) of our old NT4 domain still, not the name of our new AD domain. Would that cause this?
RE: [ActiveDir] Computer bootup speeds
Misconfigured scopes.

Laura

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006 10:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

Here's a thought - Our DHCP is assigning the DNS domain name (015) of our old NT4 domain still, not the name of our new AD domain. Would that cause this?
Re: RE: [ActiveDir] Computer bootup speeds
The DNS suffix of the active connection definitely plays a role in determining which Firewall profile is in use, if that's what you're referring to.

Darren

-----Original message-----
From: Rimmerman, Russ [EMAIL PROTECTED]
Date: Wed, 9 Aug 2006 22:23:43 -0400
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

Here's a thought - Our DHCP is assigning the DNS domain name (015) of our old NT4 domain still, not the name of our new AD domain. Would that cause this?
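A read-only check for the two conditions raised in this thread (the DHCP-assigned DNS suffix versus the AD domain name, and the NLA service start mode), as an added example that is not part of any poster's message. The function names and the sample adapters are assumptions made for illustration, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the thread. Function names and sample values are illustrative.
# Assumes Windows PowerShell 3.0 or later (Get-CimInstance, [pscustomobject]).

function Compare-DnsSuffixToDomain {
    # Reports, per adapter, whether its connection-specific DNS suffix
    # (DHCP option 015 on DHCP clients) equals the AD domain's DNS name.
    param(
        [Parameter(Mandatory = $true)] [string]   $AdDomain,
        [Parameter(Mandatory = $true)] [object[]] $Adapter   # needs Description, DHCPEnabled, DNSDomain
    )
    $want = $AdDomain.Trim().TrimEnd('.')
    foreach ($a in $Adapter) {
        $suffix = ([string]$a.DNSDomain).Trim().TrimEnd('.')
        [pscustomobject]@{
            Adapter         = $a.Description
            DhcpAssigned    = [bool]$a.DHCPEnabled
            DnsSuffix       = $suffix
            MatchesAdDomain = ($suffix -ne '' -and $suffix -ieq $want)
        }
    }
}

function Get-NlaStartMode {
    # The service is named Nla on Windows XP and NlaSvc on later releases.
    Get-CimInstance -ClassName Win32_Service -Filter "Name = 'Nla' OR Name = 'NlaSvc'" |
        Select-Object Name, DisplayName, StartMode, State
}

# Constructed sample: one DHCP client still receiving an old domain name
# through option 015, and one already on the AD domain's DNS name.
$sample = @(
    [pscustomobject]@{ Description = 'LAN A (constructed)'; DHCPEnabled = $true; DNSDomain = 'OLDNT4.example' },
    [pscustomobject]@{ Description = 'LAN B (constructed)'; DHCPEnabled = $true; DNSDomain = 'corp.example.com.' }
)
Compare-DnsSuffixToDomain -AdDomain 'corp.example.com' -Adapter $sample | Format-Table -AutoSize

# Live, read-only check on the local machine.
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
if ($cs.PartOfDomain -and $nics) {
    Compare-DnsSuffixToDomain -AdDomain $cs.Domain -Adapter $nics | Format-Table -AutoSize
}
Get-NlaStartMode | Format-Table -AutoSize
```

A row with MatchesAdDomain set to False on a DHCP client points at the scope's option 015 value, and a StartMode of Disabled on the NLA service is the state the thread warns about for machines that use Windows Firewall profiles.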
Re: RE: [ActiveDir] Computer bootup speeds
Probably for now-- just remember to turn it back on when you upgrade to Vista :-)

-----Original message-----
From: Rimmerman, Russ [EMAIL PROTECTED]
Date: Wed, 9 Aug 2006 22:18:23 -0400
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

We aren't using Windows Firewall, we're using the firewall that comes with our desktop antivirus solution. So I guess we're OK turning off NLA (via GPO)?