RE: [ActiveDir] DNS Entries --Laptop Users--

2006-09-06 Thread Robert Rutherford
What is the VPN device?

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 06 September 2006 00:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Entries --Laptop Users--

Hi,

The problem is that I have 2 different records for each laptop (using a VPN
connection) in my DNS. I have secure updates configured in my DNS
configuration.

We are using DHCP. Laptop users get a specific VLAN IP address for
their wireless connection, which gets registered in my DNS. This
is good.

But the problem is that when these laptop users log in from home using
VPN, they get a new IP address from my VPN box, which is also getting
registered in my DNS.

I have no clue why this is happening.

I suspect the DNS configuration on the local machine under Advanced TCP/IP
settings. I am not sure whether I am heading the right way or not. Here is the
snapshot attached for the same.

-- 
RD
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
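The two records Ravi describes are what the Windows DNS client does by default: dynamic registration is a per-adapter setting (the "Register this connection's addresses in DNS" box on the DNS tab of Advanced TCP/IP settings), so a laptop registers the address of every adapter that has it ticked, the VPN virtual adapter included, and secure updates do not prevent it because both registrations come from the same computer account. Below is an added example, not from this thread: the first part turns registration off for the VPN adapter on the client, the second runs on a DNS server and lists hosts holding more than one A record so the VPN addresses already registered can be found and cleaned up. It assumes the DnsClient and DnsServer modules (Windows 8 / Server 2012 or later), an adapter alias containing "VPN", and the zone name corp.example.com; the alias pattern and zone name are placeholders.

```powershell
# Added example, not from the thread. Placeholders: the adapter alias pattern
# '*VPN*' and the zone 'corp.example.com' must be replaced with your own values.
# Requires the DnsClient module (client side) and the DnsServer module (on a DNS server).

# --- Client side: which adapters register themselves in DNS? ---
# RegisterThisConnectionsAddress is the per-interface setting behind
# "Register this connection's addresses in DNS" in Advanced TCP/IP settings.
Get-DnsClient |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress, UseSuffixWhenRegistering |
    Format-Table -AutoSize

# Turn registration off for the VPN adapter only, leaving the wireless adapter
# registering as before, then refresh the client's registrations.
Get-DnsClient |
    Where-Object { $_.InterfaceAlias -like '*VPN*' } |
    Set-DnsClient -RegisterThisConnectionsAddress $false
Register-DnsClient

# --- Server side: hosts that currently hold more than one A record ---
# A laptop that registered both its wireless and its VPN address shows up here,
# and so does any stale record left behind if aging/scavenging is off.
function Get-DuplicateARecords {
    param([Parameter(Mandatory)][string]$ZoneName)

    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        Group-Object -Property HostName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                HostName  = $_.Name
                Count     = $_.Count
                Addresses = ($_.Group |
                    ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }) -join ', '
            }
        }
}

Get-DuplicateARecords -ZoneName 'corp.example.com' | Format-Table -AutoSize
```

Switching registration off does not delete the VPN record that is already in the zone: it ages out only if scavenging is enabled on the zone, otherwise it has to be removed explicitly (Remove-DnsServerResourceRecord). The clean-up matters beyond tidiness, because a stale A record for an address the VPN pool later hands to a different laptop sends traffic meant for one host to another.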


[ActiveDir] [OT] Windows Vista Security Guide.

2006-09-06 Thread Mark Parris
This is beta but still interesting - extracted from a blog.

https://connect.microsoft.com/InvitationUse.aspx?ProgramID=820&InvitationID=VSG-P74P-BFTH&SiteID=14

Regards,

Mark


RE: [ActiveDir] [OT]The last departmental picnic [list owner]

2006-09-06 Thread Craig Cerino

My guess – the second was on purpose after all the backlash

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, September 05, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner]

Yeah, I just let him know he messed up on this one. Can't argue with banning him after 2 messups. :(

On 9/5/06, Tony Murray [EMAIL PROTECTED] wrote:

Not sure what's going on so I have temporarily suspended his subscription.

Tony
List owner and humourless [EMAIL PROTECTED]

Sent via the WebMail system at mail.activedir.org


RE: [ActiveDir] [OT]The last departmental picnic [list owner]

2006-09-06 Thread Laura A. Robinson

Given that the culprit hasn't received any of the "backlash", my guess is that it was
still an accident. Can't anybody just cut the guy some slack? Yeesh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Wednesday, September 06, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

My guess – the second was on purpose after all the backlash

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, September 05, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner]

Yeah, I just let him know he messed up on this one. Can't argue with banning him after 2 messups. :(

On 9/5/06, Tony Murray [EMAIL PROTECTED] wrote:

Not sure what's going on so I have temporarily suspended his subscription.

Tony
List owner and humourless [EMAIL PROTECTED]

Sent via the WebMail system at mail.activedir.org



RE: [ActiveDir] [OT]The last departmental picnic [list owner]

2006-09-06 Thread Craig Cerino

Nope - - NO SLACK FOR YOU!

/Soup Nazi mode

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

Given that the culprit hasn't received any of the backlash, my guess is that it was still an accident. Can't anybody just cut the guy some slack? Yeesh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Wednesday, September 06, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

My guess – the second was on purpose after all the backlash

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, September 05, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner]

Yeah, I just let him know he messed up on this one. Can't argue with banning him after 2 messups. :(

On 9/5/06, Tony Murray [EMAIL PROTECTED] wrote:

Not sure what's going on so I have temporarily suspended his subscription.

Tony
List owner and humourless [EMAIL PROTECTED]

Sent via the WebMail system at mail.activedir.org


Re: [ActiveDir] [OT]The last departmental picnic [list owner]

2006-09-06 Thread Mark Parris
David Hasselhoff - will be at Borders Books on Oxford Street, London on Monday at 12,

Wear Leather and lots of it.

-Original Message-
From: Laura A. Robinson [EMAIL PROTECTED]
Date: Wed, 06 Sep 2006 09:36:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

Given that the culprit hasn't received any of the backlash, my guess is that
it was still an accident. Can't anybody just cut the guy some slack? Yeesh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Wednesday, September 06, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

My guess – the second was on purpose after all the backlash

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, September 05, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner]

Yeah, I just let him know he messed up on this one. Can't argue with banning
him after 2 messups. :(

On 9/5/06, Tony Murray [EMAIL PROTECTED] wrote:

Not sure what's going on so I have temporarily suspended his subscription.

Tony
List owner and humourless [EMAIL PROTECTED]

Sent via the WebMail system at mail.activedir.org (http://mail.activedir.org)



RE: [ActiveDir] [OT] Apology

2006-09-06 Thread Brandon Pierce

Laura, thank you. In my defense, yes, I had an attack of computing stupidity
and made a mistake. I accidentally added the ActiveDir list to my own personal
DL for sending my friends jokes. As you can see, these OT posts are the result.
I appreciate all the support from folks who realize that simple mistakes happen
and that one should not be ridiculed for it. I respect these types of
information forums and consider them vital to the IT professional's success. I
have addressed this with the list owner and he understands my position! Yes, it
is true that I inadvertently sent out two jokes. However, since I do not read
this post every single day (blasphemy!!) I did not catch my mistake immediately
(sorry, no uber-geek here ;) )! As I can see no one was adversely affected by
these two mistakes, I will assume that this is now a dead issue. Again, my
apologies if anyone's lives were dramatically changed by my senseless jokes...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

Given that the culprit hasn't received any of the "backlash", my guess is that it was
still an accident. Can't anybody just cut the guy some slack? Yeesh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Wednesday, September 06, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

My guess – the second was on purpose after all the backlash

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, September 05, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner]

Yeah, I just let him know he messed up on this one. Can't argue with banning him after 2 messups. :(

On 9/5/06, Tony Murray [EMAIL PROTECTED] wrote:

Not sure what's going on so I have temporarily suspended his subscription.

Tony
List owner and humourless [EMAIL PROTECTED]

Sent via the WebMail system at mail.activedir.org



RE: [ActiveDir] [OT]The last departmental picnic [list owner]

2006-09-06 Thread Robert Rutherford
Heheh. I'll be there.. You'll know who I am as I'll be the first to be
manhandled out of the door for trying to touch the living legend

Rob: Hoff it's me ..
Hoff: Who are you?
Rob: Your number 1 fan... come here you big hunk 'o' love

I know we are going to be reprimanded for this outburst... OK joking's over :)
I'm sorry but I couldn't resist a follow up.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331
F:+44 (0) 8456 440 332
M:+44 (0) 7974 249 494
E:[EMAIL PROTECTED]
W:www.quostar.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 06 September 2006 14:47
To: ActiveDir.org
Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner]

David Hasselhoff - will be at Borders Books on Oxford Street, London on Monday at 12,

Wear Leather and lots of it.

-Original Message-
From: Laura A. Robinson [EMAIL PROTECTED]
Date: Wed, 06 Sep 2006 09:36:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

Given that the culprit hasn't received any of the backlash, my guess is that
it was still an accident. Can't anybody just cut the guy some slack? Yeesh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Wednesday, September 06, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

My guess – the second was on purpose after all the backlash

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, September 05, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner]

Yeah, I just let him know he messed up on this one. Can't argue with banning
him after 2 messups. :(

On 9/5/06, Tony Murray [EMAIL PROTECTED] wrote:

Not sure what's going on so I have temporarily suspended his subscription.

Tony
List owner and humourless [EMAIL PROTECTED]

Sent via the WebMail system at mail.activedir.org (http://mail.activedir.org)


[ActiveDir] Strange password issue

2006-09-06 Thread Tom Kern
I'm having this weird issue where I have a user account who is able to log in with a blank password.
The Default Domain Policy is set to a min password length of 6 characters.
The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks


[ActiveDir] adm file management

2006-09-06 Thread Graham Turner
Quick question (hopefully not too daft) ref ADM file management.

It seems different OSs ship with different versions of the 'standard' ADM files
that include conf.adm / inetres.adm / system.adm ...

Say you are maintaining policies that link to containers holding XP, 2000 and
2003 computers; it would not be unreasonable to manage them all from a single
host on which you edit policies.

Am I correct to say that the settings in these files are always
cumulative - if that's the right word?

If so, then is it correct working practice to always use the MOST RECENT version
of an ADM file with no fear of breaking previously functional GPOs???

GT



RE: [ActiveDir] adm file management

2006-09-06 Thread Darren Mar-Elia
Graham-
You are correct on both counts. ADMs are typically supersets of each
other: 2003 SP1 is a superset of XP SP2, XP is a superset of 2000, etc. And
it is definitely best to manage such a mixed environment from the latest
platform (e.g. XP). The key, of course, is to pay attention to the
Supported tags in the newer ADMs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com -- the best source for GPO FAQs, video training, tools and
whitepapers. Also check out the Windows Group Policy Guide, the definitive
resource for Group Policy information.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 7:41 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] adm file management

Quick question (hopefully not too daft) ref ADM file management.

It seems different OSs ship with different versions of the 'standard' ADM
files that include conf.adm / inetres.adm / system.adm ...

Say you are maintaining policies that link to containers holding XP, 2000 and
2003 computers; it would not be unreasonable to manage them all from a single
host on which you edit policies.

Am I correct to say that the settings in these files are always
cumulative - if that's the right word?

If so, then is it correct working practice to always use the MOST RECENT
version of an ADM file with no fear of breaking previously functional GPOs???

GT



RE: [ActiveDir] adm file management

2006-09-06 Thread Kevin Brunson
This is basically true. If you are supporting older clients or
unpatched servers, make sure you only edit the GPOs from a machine
running XP SP2 or 2003 SP1. Otherwise, you need to install a patch from
MS:
http://support.microsoft.com/default.aspx?kbid=842933

2000, XP SP1, and 2003 RTM cannot view the newest ADM files without
popping up about 1000 error messages. The patch resolves this
issue, but it requires a reboot on 2000.

The new features included in an updated ADM will either work with older
clients, or they will only take effect on the clients that can support
it. You will usually see a message that goes something like "Requires
Windows XP or 2003".

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 9:41 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] adm file management

Quick question (hopefully not too daft) ref ADM file management.

It seems different OSs ship with different versions of the 'standard'
ADM files that include conf.adm / inetres.adm / system.adm ...

Say you are maintaining policies that link to containers holding XP, 2000 and
2003 computers; it would not be unreasonable to manage them all from a
single host on which you edit policies.

Am I correct to say that the settings in these files are always
cumulative - if that's the right word?

If so, then is it correct working practice to always use the MOST RECENT
version of an ADM file with no fear of breaking previously functional GPOs???

GT



RE: [ActiveDir] Strange password issue

2006-09-06 Thread Williams, Robert

Tom,

This is just a stab in the dark but is it possible that this user's password
was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is
able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6
characters.

The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could
circumvent this policy and allow blank passwords?

Thanks





RE: [ActiveDir] adm file management

2006-09-06 Thread Graham Turner
Darren, thanks for the mail back.

In the interim I dug into the 'versioning' of these ADMs and it seems that
the most recent versions are not always in the same OS.

I cite a comparison of ADM versions (i.e. dates) on different OSs:

conf.adm - 22/2/03 (2003 SP1) - 17/7/04 (XP SP2)
system.adm - 18/02/05 (2003 SP1) - 17/07/04 (XP SP2)

So if I read this right it would seem the rule of latest OS is not strict -
hence my view to come back to the 'most recent'??

I assume if the 'admin' workstation is running Windows Server 2003 we are OK to
put in the ADM files shipped with, say, XP SP2, assuming of course as above they
are more recent?

> Graham-
> You are correct on both counts. ADMs are typically supersets of each
> other: 2003 SP1 is a superset of XP SP2, XP is a superset of 2000, etc. And
> it is definitely best to manage such a mixed environment from the latest
> platform (e.g. XP). The key, of course, is to pay attention to the
> Supported tags in the newer ADMs.
>
> Darren
>
> Darren Mar-Elia
> For comprehensive Windows Group Policy Information, check out
> www.gpoguy.com -- the best source for GPO FAQs, video training, tools and
> whitepapers. Also check out the Windows Group Policy Guide, the definitive
> resource for Group Policy information.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Wednesday, September 06, 2006 7:41 AM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] adm file management
>
> Quick question (hopefully not too daft) ref ADM file management.
>
> It seems different OSs ship with different versions of the 'standard' ADM
> files that include conf.adm / inetres.adm / system.adm ...
>
> Say you are maintaining policies that link to containers holding XP, 2000 and
> 2003 computers; it would not be unreasonable to manage them all from a single
> host on which you edit policies.
>
> Am I correct to say that the settings in these files are always
> cumulative - if that's the right word?
>
> If so, then is it correct working practice to always use the MOST RECENT
> version of an ADM file with no fear of breaking previously functional GPOs???
>
> GT



[ActiveDir] Moms Alert Question.

2006-09-06 Thread John Strongosky

Hey everyone, below is a MOM alert I'm getting. I'm new to Active
Directory and MOM, and for the life of me can't find where this (Intersite,
expected replication time is 15 minutes) is set. I have looked at the
replmon program and can't see it. I know I'm looking at some trees when I should
be looking at the forest, but I really need a second pair of eyes
here... could anyone direct me where to look for the intersite replication
parameter?

v/r
john

Description:
The following DCs took more than three times the expected replication time
to replicate.

Format: DC, Naming Context, Calculated Replication Time (in minutes)

Site name: City-CenterCity
(Intersite, expected replication time is 15 minutes)
CIUTIL01A, Domain:SDCCD, 55

Site name: DistrictOffice
(Intersite, expected replication time is 15 minutes)
DOUTIL01A, Domain:SDCCD, 55

Name: AD Replication is occurring slowly
Severity: Warning
Resolution State: New
Domain: SDCCD
Computer: CDUTIL01A
Time of First Event: 9/1/2006 3:01:00 PM
Time of Last Event: 9/1/2006 5:01:00 PM
Alert latency: -7 min, -26 sec
Problem State: Active
Repeat Count: 2
Age:
Source: AD Replication Monitoring
Alert Id: 4d23ee51-3b8e-4360-b0b4-6ca850d6f49f
Rule (enabled): Microsoft Windows Active Directory\Active Directory Windows 2000 and Windows Server 2003\Active Directory Availability\AD Replication is occurring slowly

John M. Strongosky
Network Support Group, Messaging Administrator,
San Diego Community College District
SunGard Higher Education Managed Services
9315 Hillery Drive,
San Diego California 92126
Tel 619-388-1129
Fax 619-388-1195
Help Desk 619-388-7000
[EMAIL PROTECTED]
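The thread does not say where the alert's 15-minute figure lives; as far as I know it is a parameter of the MOM replication-monitoring rule rather than a directory setting, which is why replmon does not show it. What a responder can check in the directory itself is the configured site-link interval and the measured inbound replication lag per DC, so the 55 minutes in the alert can be set against what the topology is supposed to deliver. The script below is an added example, not from the original post; it assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and a reachable domain controller, and its 45-minute threshold is three times the alert's 15-minute expectation.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and a domain controller reachable for LDAP queries.
Import-Module ActiveDirectory

# Site links carry the configured intersite replication interval. A new site
# link defaults to 180 minutes, so a 15-minute expectation that matches no
# link here most likely comes from the monitoring rule, not from the directory.
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, Cost, SitesIncluded |
    Select-Object Name, ReplicationFrequencyInMinutes, Cost,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize

# For every DC, report how long ago each inbound partner last replicated each
# partition successfully, and flag anything older than the threshold.
function Get-ReplicationLag {
    param([int]$ThresholdMinutes = 45)   # three times the alert's 15-minute expectation

    $now = (Get-Date).ToUniversalTime()
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -Partition * |
            ForEach-Object {
                $lag = [math]::Round(($now - $_.LastReplicationSuccess.ToUniversalTime()).TotalMinutes)
                [pscustomobject]@{
                    Server    = $dc.Name
                    # Partner is the NTDS Settings DN: CN=NTDS Settings,CN=<dc>,CN=Servers,...
                    Partner   = ($_.Partner -split ',')[1] -replace '^CN='
                    Partition = ($_.Partition -split ',')[0] -replace '^(CN|DC)='
                    LagMin    = $lag
                    Failures  = $_.ConsecutiveReplicationFailures
                    Slow      = $lag -gt $ThresholdMinutes
                }
            }
    }
}

Get-ReplicationLag | Sort-Object LagMin -Descending | Format-Table -AutoSize
```

A partner that shows a large LagMin with zero ConsecutiveReplicationFailures is simply waiting for its next scheduled interval, which is the normal case for a 180-minute link; a non-zero failure count alongside the lag is the one worth chasing.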


[ActiveDir] Unable to unpublish old ILS server and replace with new

2006-09-06 Thread Danny
NetMeeting is utilizing ILS for directory lookup; however, the original ILS server died, so I am trying to unpublish the old one and publish the new one. However, I am receiving error messages that our beloved search engines and help documentation are not helping much with.

When I restart all related (IIS and ILS) services, I do not see any error messages in the event log. Here is what is going on...

c:\ilscfg ilsserver.example.org /publish
Register ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

c:\ilscfg /listpub
ILS server: oldilsserver.example.org, Port:1002
Found 1 service(s).

c:\ilscfg oldilsserver.example.org /unpublish port 1002
Unregister ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

c:\ilscfg oldilsserver.example.org /unpublish 1002
Unregister ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

c:\ilscfg oldilsserver.example.org /unpublish port:1002
Unregister ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

References:
https://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=""
http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=ilscfg

So, is there a way to manually unpublish this information and publish the new ILS server in Active Directory?

Thanks!
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


RE: [ActiveDir] Strange password issue

2006-09-06 Thread King, William

The password might have been set blank before the password policy was set.

William

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: 06 September 2006 15:39
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is
able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6
characters.

The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could
circumvent this policy and allow blank passwords?

Thanks


RE: [ActiveDir] adm file management

2006-09-06 Thread neil.ruston
I'd add to Darren's comments as follows:

1. Ensure that ADM files are not automatically overwritten by GPO editors:
User Configuration / Administrative Templates / System / Group Policy /
Turn off automatic update of ADM files.

2. Test new ADMs - I have seen ADM files which do not support an entry
that was supported by an older ADM.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 06 September 2006 16:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adm file management

Graham-
You are correct on both counts. ADMs are typically supersets of each
other: 2003 SP1 is a superset of XP SP2, XP is a superset of 2000, etc.
And it is definitely best to manage such a mixed environment from the
latest platform (e.g. XP). The key, of course, is to pay attention to the
Supported tags in the newer ADMs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com -- the best source for GPO FAQs, video training, tools and
whitepapers. Also check out the Windows Group Policy Guide, the
definitive resource for Group Policy information.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 7:41 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] adm file management

Quick question (hopefully not too daft) ref ADM file management.

It seems different OSs ship with different versions of the 'standard'
ADM files that include conf.adm / inetres.adm / system.adm ...

Say you are maintaining policies that link to containers holding XP, 2000 and
2003 computers; it would not be unreasonable to manage them all from a
single host on which you edit policies.

Am I correct to say that the settings in these files are always
cumulative - if that's the right word?

If so, then is it correct working practice to always use the MOST RECENT
version of an ADM file with no fear of breaking previously functional
GPOs???

GT



Re: [ActiveDir] adm file management

2006-09-06 Thread Michael Miller
ADM files are silently updated by whatever host machine you use. The 
recommendation is to use the latest and greatest OS on a dedicated GPO 
machine so that the latest ADM files are available for use.


-mjm


Michael J. Miller 
Computing Services

College of Veterinary Medicine, UIUC
_



Graham Turner wrote:

quick question (hopefully not too daft) ref ADM file management

it seems different OS's ship with different versions of the 'standard' ADM files
that include conf.adm / interes.adm / system.adm ...

say if you are maintaining policies that link to containers holding say XP, 2000,
2003 computers it would not be unreasonable to manage them all from a single
host on which you edit policies.

am i correct to say that in maintaining the settings in these files are always
cumulative - if that's the right word

if so then it is correct working practice to always use the MOST RECENT version
of an ADM file with no fear of breaking previously functional GPO's ???

GT





List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

  



Re: [ActiveDir] Strange password issue

2006-09-06 Thread Tom Kern
If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the account was created a month ago..

Maybe the PC is not getting the Default Domain Policy?


On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:




Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?


Robert Williams




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.



The Domain is at win2k3 DFL and FFL.



Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?




Thanks
2006-09-06, 11:32:05
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.



Re: [ActiveDir] Sharepoint access after user AD migration

2006-09-06 Thread Mike Baudino
Hi Rob,

I've been told that the Sharepoint install is SP2. Not aware of which hotfixes are on it yet. I've got a conference call scheduled in an hour to discuss it.

Thanks,
Mike
On 9/5/06, Robert Rutherford [EMAIL PROTECTED] wrote:




What Sharepoint service pack are you running? You need at least one and a hotfix.. cant remember which. I'll look through my old KB to see if I can find the hotfix.


Cheers


Rob 
Robert Rutherford 
QuoStar Solutions Limited 
T: +44 (0) 8456 440 331 
F: +44 (0) 8456 440 332 
M: +44 (0) 7974 249 494 E:  
[EMAIL PROTECTED] W:  
www.quostar.com 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Baudino
Sent: 05 September 2006 21:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint access after user AD migration



Apologies if this is not the most appropriate forum for this question.



The situation is an NT4.0 domain with 18,000 users. Migrating to AD Win2k. Two-way trust and sIDHistory filtering is disabled. There's a Sharepoint server in the legacy 
NT4.0 domain. The NT4.0 users can access the Sharepoint just fine. The users, after being migrated, are not able to access the Sharepoint using their new AD accounts until after the Sharepoint admins add their new AD account to the Sharepoint security. Isn't Sharepoint supposed to be able to take advantage of sIDHistory and, if so, is there some setting we need to change? 






Thanks,
Mike



RE: [ActiveDir] seeAlso

2006-09-06 Thread Isenhour, Joseph
That is good to know.  I'm not planning on doing queries based on this
attribute; I'll simply be doing enumerations.  So I think I should be
good to go.

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, September 05, 2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] seeAlso

I've not seen it used by any specific app.  Bear in mind that it is:

multivalued
not indexed
not a member of the partial attribute set (i.e. not replicated via GC)

Tony

PS. I've always wanted to extend the schema with a new attribute named
tracesOfPeanuts, simply so I can see May Contain: tracesOfPeanuts. :-)
-- Original Message --
From: Isenhour, Joseph [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Tue, 5 Sep 2006 15:29:01 -0700

Does anyone know if the seeAlso attribute is used by any specific
application or is it up for grabs?  I'm thinking about using it to store
an alternate contact for a user.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

 







RE: [ActiveDir] Moms Alert Question.

2006-09-06 Thread Williams, Robert
John,

I'm not 100% sure if this is what you're seeing, but check out the
Active Directory Management Pack Guide located here:
http://www.microsoft.com/downloads/details.aspx?familyid=2B9D3613-5516-4F44-8550-B21E054F5047&displaylang=en

Around page 14, you'll see where you can set this value.  Please be sure
to read through the whole document as it contains lots of useful
information about configuring the ADMP.

Here's a snippet from the above:
<SNIP>
The maximum intersite replication latency threshold value is the maximum
amount of time it takes for a change to replicate across the entire
forest. By default, this value is set to 15 minutes. If it takes longer
than 15 minutes for replication to occur, you will receive a warning.
Consult your system architect to review what the expected maximum
threshold value is for your environment. Usually, this value is
monitored closely to ensure that any applicable SLAs for your
organization are being met. After you have determined an appropriate
value for your environment, modify the setting accordingly. The most
common scenario involves ensuring that basic help desk procedures, such
as resetting passwords, replicate from corporate headquarters to a
branch office within a reasonable amount of time as determined by the
SLA.
</SNIP>

The document tells you where to change this value.

Another good read for the ADMP is the Active Directory Management Pack
Technical Reference:
http://www.microsoft.com/downloads/details.aspx?familyid=2F0237D8-FDA1-4925-87D6-7D609E5D0807&displaylang=en

I hope that helps...the thing with the Management Packs is to read the
guides (a few times).

Have a great day!

Robert Williams


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Wednesday, September 06, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moms Alert Question.


Hey everyone, below is a MOM's Alert I'm getting, and I'm new to Active
Directory and MOM's and for the life of me cant find where this (Intersite,
expected replication time is 15 minutes) is set. I have looked at the repl
mon program and cant see it.. I know I'm looking at some trees when I should
be looking at the forest, but I really need a second pair of eyes
here...could anyone direct me where to look for the intersite replication
parameter.

v/r
john



Description:
The following DCs took more than three times the expected replication
time
to replicate.

Format: DC, Naming Context, Calculated Replication Time (in minutes)


Site name: City-CenterCity
(Intersite, expected replication time is 15 minutes)
CIUTIL01A, Domain:SDCCD, 55

Site name: DistrictOffice
(Intersite, expected replication time is 15 minutes)
DOUTIL01A, Domain:SDCCD, 55 Name: AD Replication is occurring slowly 
Severity: Warning 
Resolution State: New 
Domain: SDCCD 
Computer: CDUTIL01A 
Time of First Event: 9/1/2006 3:01:00 PM 
Time of Last Event: 9/1/2006 5:01:00 PM 
Alert latency: -7 min, -26 sec 
Problem State: Active 
Repeat Count: 2 
Age:  
Source: AD Replication Monitoring 
Alert Id: 4d23ee51-3b8e-4360-b0b4-6ca850d6f49f 
Rule (enabled): Microsoft Windows Active Directory\Active Directory
Windows
2000 and Windows Server 2003 \Active Directory Availability\AD
Replication
is occurring slowly 
 



John M. Strongosky
Network Support Group, Messaging Administrator,
San Diego Community College District
SunGard Higher Education Managed Services
9315 Hillery Drive,
San Diego California 92126
Tel 619-388-1129
Fax 619-388-1195
Help Desk 619-388-7000
[EMAIL PROTECTED]

CONFIDENTIALITY: This email (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this email in error,
please
notify the sender and delete this email from your system. Thank you. 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
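The alert John quotes lists each DC as "DC, Naming Context, Calculated Replication Time (in minutes)" under a site header that states the expected latency, and the rule fires when the observed time is more than three times that threshold. The following is an added example (not part of the thread, the Management Pack, or anything Microsoft ships) that parses the alert body quoted above and applies that rule, so the same check can be run over alert text exported from MOM. The function and variable names are my own.

```python
import re

# Added example, not from the thread: parse a MOM "AD Replication is
# occurring slowly" alert body and apply the "three times the expected
# replication time" rule to each DC row.
SITE_RE = re.compile(r"^Site name:\s*(\S+)")
EXPECT_RE = re.compile(r"^\((\w+), expected replication time is (\d+) minutes\)")
ROW_RE = re.compile(r"^([A-Za-z0-9_-]+), ([^,]+), (\d+)\b")


def parse_replication_alert(text, factor=3):
    """Return one dict per 'DC, Naming Context, minutes' row, with the breach
    test (minutes > factor * expected) already evaluated."""
    site = scope = None
    expected = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SITE_RE.match(line)
        if m:
            site = m.group(1)
            continue
        m = EXPECT_RE.match(line)
        if m:
            scope, expected = m.group(1), int(m.group(2))
            continue
        m = ROW_RE.match(line)
        if m and expected is not None:       # rows only count under a threshold header
            minutes = int(m.group(3))
            rows.append({
                "site": site,
                "scope": scope,               # "Intersite" or "Intrasite"
                "dc": m.group(1),
                "naming_context": m.group(2).strip(),
                "minutes": minutes,
                "expected": expected,
                "ratio": minutes / expected,
                "breach": minutes > factor * expected,
            })
    return rows


def worst_offender(rows):
    """(site, dc, ratio) for the slowest row, or None when there are no rows."""
    if not rows:
        return None
    top = max(rows, key=lambda r: r["ratio"])
    return top["site"], top["dc"], top["ratio"]


# The alert body exactly as quoted in the thread (the second DC row has the
# next field of the alert fused onto it, which the row pattern tolerates).
SAMPLE_ALERT = """\
Description:
The following DCs took more than three times the expected replication time
to replicate.

Format: DC, Naming Context, Calculated Replication Time (in minutes)

Site name: City-CenterCity
(Intersite, expected replication time is 15 minutes)
CIUTIL01A, Domain:SDCCD, 55

Site name: DistrictOffice
(Intersite, expected replication time is 15 minutes)
DOUTIL01A, Domain:SDCCD, 55 Name: AD Replication is occurring slowly
Severity: Warning
"""

if __name__ == "__main__":
    for row in parse_replication_alert(SAMPLE_ALERT):
        flag = "BREACH" if row["breach"] else "ok"
        print(f"{row['site']:<16} {row['dc']:<10} {row['minutes']:>3} min "
              f"(expected {row['expected']}, x{row['ratio']:.1f}) {flag}")
```

Both rows come out at 55 minutes against a 15 minute threshold, a ratio of about 3.7, which is why the rule fired; raising the threshold (or `factor`) to match the SLA the guide talks about is what turns the same data back into a non-event.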


RE: [ActiveDir] adm file management

2006-09-06 Thread Darren Mar-Elia
Graham-
Yes, the dates can be confusing. I typically take these as groupings. So,
all of the ADMs that ship with a given OS/Service Pack should stay together.
The reality is that the two conf.adm files you list below are identical in
content (windiff is a good tool for this), even though their dates are not
identical. In the case of system.adm 2003/SP1 added some additional policies
for the secure mode IE stuff that wasn't in XP,SP2, but otherwise it was
identical (I list out the differences between the XP,SP2 and 2003, SP1 ADMs
at www.gpoguy.com/admdiffs.htm). To answer your question, yes, if you are
managing GP from a 2003 server machine, then you could certainly have ADMs
from XP, SP2 in your GPOs. By default, the ADMs in 2003's c:\windows\inf
folder will auto-update each GPO you edit so over time, unless you change
that default behavior, your GPOs will be upgraded to 2003,SP1, but in
general, as long as you are on 2003, SP1 or XP, SP2, you should be good to
go.

Clear as mud? 

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adm file management

Darren, thanks 4 mail back

in the interim i dug into the 'versioning' of these ADM's and it seems that
most recent versions are not always in the same OS

i cite comparison of ADM version (ie dates) on different OS

conf.adm - 22/2/03 (2003/SP1) - 17/7/04 (xp sp2)
system.adm - 18/02/05 (2003 / sp1) - 17/07/04 (xp / sp2)

so if i read this right it would seem the rule of latest OS is not strict -
hence my view to come back to the 'most recent' ??

i assume if the 'admin' workstation is running windows server 2003 we are ok
to put in the ADM files shipped with say XP sp2, assuming of course as above
they are more recent ?





 Graham-
 You are correct on both counts. ADMs are typically supersets of each 
 other--2003, SP1 is a superset of XP,SP2, XP is a superset of 2000, 
 etc. And it is definitely best to manage such a mixed environment from 
 the latest platform (e.g. XP). The key of course, is to pay attention 
 to the Supported tags in the newer ADMs.

 Darren

 Darren Mar-Elia
 For comprehensive Windows Group Policy Information, check out
 www.gpoguy.com-- the best source for GPO FAQs, video training, tools 
 and whitepapers. Also check out the Windows Group Policy Guide, the 
 definitive resource for Group Policy information.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
 Sent: Wednesday, September 06, 2006 7:41 AM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] adm file management

 quick question (hopefully not too daft) ref ADM file management

 it seems different OS's ship with different versions of the 'standard' 
 ADM files that include conf.adm / interes.adm / system.adm ...

 say if you are maintaining policies that link to containers holding 
 say XP , 2000,
 2003 computers it would not be unreasonable to manage them all from a 
 single host on which you edit policies.

 am i correct to say that in maintaining the settings in these files 
 are always cumulative - if that's the right word

 if so then it is correct working practice to always use the MOST 
 RECENT version of an ADM file with no fear of breaking previously 
 functional GPO's ???

 GT








List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Strange password issue

2006-09-06 Thread Laura A. Robinson



Impossible/irrelevant. If it's a domain account, the policy applies 
regardless, because the account is stored in AD. If it's a local account, then 
the policy doesn't apply regardless; domain account policies don't apply to 
local accounts. Is this a local account or a domain account?

Laura

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the
account was created a month ago..

Maybe the PC is not getting the Default Domain Policy?
  



RE: [ActiveDir] Moms Alert Question.

2006-09-06 Thread John Strongosky
Answered my own question,,, 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Figueroa, Johnny



Does anyone have a way to determine if a domain global group is being used?
Will auditing on the DCs tell me this?

Thanks in advance.

Johnny Figueroa


RE: [ActiveDir] Sharepoint access after user AD migration

2006-09-06 Thread Robert Rutherford








Hmm wasnt that then

Quite a bit on Google grabbed this
http://www.sharepointblogs.com/dustin/archive/2004/09/10/756.aspx

Cheers

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: 06 September 2006 17:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Sharepoint access after user AD migration

Hi Rob,

I've been told that the Sharepoint install is SP2. Not aware of
which hotfixes are on it yet. I've got a conference call scheduled
in an hour to discuss it.

Thanks,
Mike

On 9/5/06, Robert Rutherford [EMAIL PROTECTED] wrote:

What Sharepoint service pack are you running? You need at
least one and a hotfix.. cant remember which. I'll look through my old KB to
see if I can find the hotfix.

Cheers

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Baudino
Sent: 05 September 2006 21:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint access after user AD migration

Apologies if this is not the most appropriate forum for this question.

The situation is an NT4.0 domain with 18,000 users. Migrating to AD
Win2k. Two-way trust and sIDHistory filtering is disabled. There's
a Sharepoint server in the legacy NT4.0 domain. The NT4.0 users can
access the Sharepoint just fine. The users, after being migrated, are not
able to access the Sharepoint using their new AD accounts until after the
Sharepoint admins add their new AD account to the Sharepoint security.
Isn't Sharepoint supposed to be able to take advantage of sIDHistory and, if
so, is there some setting we need to change?

Thanks,
Mike

Re: [ActiveDir] Strange password issue

2006-09-06 Thread Tom Kern
This is a domain account.

To rehash-

The Default Domain Policy is set to min password length- 6 characters.
This was created 2 years ago and never changed.
User account is a domain account created a month ago.
It was brought to my attention that the user can log in with no password.
I confirmed.
The userAccountControl attribute of the user object was set to 512(not that i'm certain if setting the passwd_notreqd overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:



Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?


Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the account was created a month ago..

Maybe the PC is not getting the Default Domain Policy?


On 9/6/06, Williams, Robert [EMAIL PROTECTED]
 wrote: 




Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect? 


Robert Williams




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.



The Domain is at win2k3 DFL and FFL.



Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?




Thanks
2006-09-06, 11:32:05
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.





RE: [ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Laura A. Robinson



What do you mean by "being used"? Are you referring to it being in resource ACLs?
Nested into other groups?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used?
Will auditing on the DCs tell me this?

Thanks in advance.

Johnny Figueroa


Re: [ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Mark Parris
Change it to a Distribution Group and see who screams - if anyone does change 
it back to a security group again.

M.

-Original Message-
From: Figueroa, Johnny [EMAIL PROTECTED]
Date: Wed, 6 Sep 2006 09:43:58 
To:ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used?
Will auditing on the DCs tell me this?
  
Thanks in advance. 
  
Johnny Figueroa
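Laura's question splits "being used" into two checks that can be done offline before trying Mark's change-it-and-see approach: is the group's SID referenced in resource ACLs, and is the group nested into other groups. The following is an added example (not from the thread) that runs both over constructed data: security descriptors in SDDL form, where each ACE is `(type;flags;rights;object_guid;inherit_guid;account_sid)`, and group objects with their `member` lists. The paths, DNs and SIDs are invented, and the `group_usage` helper is my own.

```python
import re

# Added example, not from the thread: find where a group is referenced, in
# resource ACLs (by SID) and in other groups' member lists (by DN).
ACE_RE = re.compile(r"\(([^()]*)\)")      # one ACE per parenthesised group


def sids_in_sddl(sddl):
    """Account SIDs (or two-letter well-known aliases such as BA, AU) from
    every ACE in an SDDL string."""
    sids = set()
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")
        if len(fields) >= 6 and fields[5]:   # 6th field is the trustee
            sids.add(fields[5])
    return sids


def group_usage(group, resources, groups):
    """Report resource ACLs carrying the group's SID and groups that list
    its DN as a member. `group` is {'dn': ..., 'sid': ...}."""
    acl_refs = sorted(r["path"] for r in resources
                      if group["sid"] in sids_in_sddl(r["sddl"]))
    nested_in = sorted(g["dn"] for g in groups if group["dn"] in g["member"])
    return {"acl_refs": acl_refs, "nested_in": nested_in,
            "in_use": bool(acl_refs or nested_in)}


# Constructed data: one group that is referenced both ways, one that is not.
TARGET = {"dn": "CN=Finance-Readers,OU=Groups,DC=example,DC=com",
          "sid": "S-1-5-21-1111-2222-3333-1105"}
UNUSED = {"dn": "CN=Old-Project,OU=Groups,DC=example,DC=com",
          "sid": "S-1-5-21-1111-2222-3333-1188"}

SAMPLE_RESOURCES = [
    {"path": r"\\files\finance",
     "sddl": "O:BAG:DUD:PAI(A;OICI;FA;;;BA)"
             "(A;OICI;0x1200a9;;;S-1-5-21-1111-2222-3333-1105)"},
    {"path": r"\\files\public",
     "sddl": "O:BAG:DUD:(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)"},
]
SAMPLE_GROUPS = [
    {"dn": "CN=All-Readers,OU=Groups,DC=example,DC=com",
     "member": ["CN=Finance-Readers,OU=Groups,DC=example,DC=com"]},
    {"dn": TARGET["dn"],
     "member": ["CN=Alice,OU=Users,DC=example,DC=com"]},
]

if __name__ == "__main__":
    for g in (TARGET, UNUSED):
        print(g["dn"], group_usage(g, SAMPLE_RESOURCES, SAMPLE_GROUPS))
```

A group that shows up in neither list can still be used in places this does not see (application-side role mappings, for instance), which is the gap Mark's distribution-group test covers at runtime; the two checks above are the cheap first pass that tells you what will break if it is removed from a token.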



[ActiveDir] more DNS questions

2006-09-06 Thread Ramon Linan
Hi,

I have 2 internal DNS servers and 2 external DNS servers. 
We are delegating the subdomain sub.domain.com to another server in the
same building that is managed by the Unix guys. We have also given them
16 ip address in the range x.y.z.65-80

One of their SA is asking me to update the reverse RR for several
records in this way.

x.y.z.67 CNAME 67.z.y.x.rev.sub.domain.com  


But when I go to our dns server all I find for the reverse zone is
something like.

z.y.x.in-addr.arpa, so when I tried to create a cname record there I get
something like 67.z.y.x.in-addr.arpa instead of
67.z.y.x.rev.sub.domain.com  

How can I get what this dude is asking me to do??? Do I need to create a
reverse zone for that subdomain?

Thanks
Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
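What the Unix SA is asking for is the classless in-addr.arpa delegation pattern of RFC 2317: the parent `z.y.x.in-addr.arpa` zone keeps a CNAME per address that points into a zone the other team controls, and the PTR records live there. The following is an added example (not from the thread) that generates those CNAMEs for the .65-.80 range and includes a small resolver that follows the chain to the PTR. 192.0.2.0/24 stands in for x.y.z and the host names are constructed; `rev.sub.domain.com` is the target zone from the question, and the function names are my own.

```python
import ipaddress

# Added example, not from the thread: RFC 2317 style CNAMEs for a sub-/24
# range, and a resolver that walks CNAME -> PTR across the two zones.


def reverse_octets(octets):
    return ".".join(reversed(list(octets)))


def rfc2317_cnames(network, first, last, target_zone):
    """(parent reverse zone, [(owner, 'CNAME', target), ...]) for hosts
    first..last of a /24. The owners live in in-addr.arpa; the targets live
    in target_zone, which the delegate populates with PTRs."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen != 24:
        raise ValueError("example assumes a /24 parent reverse zone")
    prefix = str(net.network_address).split(".")[:3]
    parent_zone = f"{reverse_octets(prefix)}.in-addr.arpa."
    records = []
    for host in range(first, last + 1):
        owner = f"{host}.{parent_zone}"
        target = f"{host}.{reverse_octets(prefix)}.{target_zone}."
        records.append((owner, "CNAME", target))
    return parent_zone, records


def resolve_ptr(ip, zone_data, max_hops=8):
    """PTR target for ip, following CNAMEs; None if no PTR is reachable.
    zone_data maps a fully qualified owner name to (rrtype, rdata)."""
    name = f"{reverse_octets(ip.split('.'))}.in-addr.arpa."
    for _ in range(max_hops):
        rr = zone_data.get(name)
        if rr is None:
            return None
        rrtype, rdata = rr
        if rrtype == "PTR":
            return rdata
        if rrtype == "CNAME":
            name = rdata        # continue in whichever zone holds the target
            continue
        return None
    return None                 # CNAME loop or chain longer than max_hops


# Constructed data: the Windows DNS side holds the CNAMEs in the parent
# zone, the delegated rev.sub.domain.com zone holds the PTRs.
PARENT_ZONE, CNAMES = rfc2317_cnames("192.0.2.0/24", 65, 80, "rev.sub.domain.com")
ZONE_DATA = {owner: (rrtype, target) for owner, rrtype, target in CNAMES}
ZONE_DATA.update({
    "67.2.0.192.rev.sub.domain.com.": ("PTR", "host67.sub.domain.com."),
    "80.2.0.192.rev.sub.domain.com.": ("PTR", "host80.sub.domain.com."),
    "10.2.0.192.in-addr.arpa.":       ("PTR", "ad-dc1.domain.com."),  # outside the delegation
})

if __name__ == "__main__":
    print("parent zone:", PARENT_ZONE)
    for owner, rrtype, target in CNAMES[:3]:
        print(f"{owner} IN {rrtype} {target}")
    for ip in ("192.0.2.67", "192.0.2.66", "192.0.2.10"):
        print(ip, "->", resolve_ptr(ip, ZONE_DATA))
```

The records are what gets added to the existing `z.y.x.in-addr.arpa` zone (no separate reverse zone on the Windows side), and the `66` case shows the failure mode to watch for after delegation: a CNAME whose target the other team never populated resolves to nothing, and from then on the correctness of reverse lookups for those 16 addresses depends on a zone outside your control.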


RE: [ActiveDir] adm file management

2006-09-06 Thread Graham Turner
Darren, i value your (and all others who help me) correspondence from the
mailing list and also the content of your web site.

'clear as mud' sums it up !!

final qu - you referenced a concept of 'supported tags' - is it easy 4 u to
explain in a nutshell

GT

 Graham-
 Yes, the dates can be confusing. I typically take these as groupings. So,
 all of the ADMs that ship with a given OS/Service Pack should stay together.
 The reality is that the two conf.adm files you list below are identical in
 content (windiff is a good tool for this), even though their dates are not
 identical. In the case of system.adm 2003/SP1 added some additional policies
 for the secure mode IE stuff that wasn't in XP,SP2, but otherwise it was
 identical (I list out the differences between the XP,SP2 and 2003, SP1 ADMs
 at www.gpoguy.com/admdiffs.htm). To answer your question, yes, if you are
 managing GP from a 2003 server machine, then you could certainly have ADMs
 from XP, SP2 in your GPOs. By default, the ADMs in 2003's c:\windows\inf
 folder will auto-update each GPO you edit so over time, unless you change
 that default behavior, your GPOs will be upgraded to 2003,SP1, but in
 general, as long as you are on 2003, SP1 or XP, SP2, you should be good to
 go.

 Clear as mud?

 Darren

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
 Sent: Wednesday, September 06, 2006 8:21 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] adm file management

 Darren, thanks 4 mail back

 in the interim i dug into the 'versioning' of these ADM's and it seems that
 most recent versions are not always in the same OS

 i cite comparison of ADM version (ie dates) on different OS

 conf.adm - 22/2/03 (2003/SP1) - 17/7/04 (xp sp2)
 system.adm - 18/02/05 (2003 / sp1) - 17/07/04 (xp / sp2)

 so if i read this right it would seem the rule of latest OS is not strict -
 hence my view to come back to the 'most recent' ??

 i assume if the 'admin' workstation is running windows server 2003 we are ok
 to put in the ADM files shipped with say XP sp2, assuming of course as above
 they are more recent ?





 Graham-
 You are correct on both counts. ADMs are typically supersets of each
 other--2003, SP1 is a superset of XP,SP2, XP is a superset of 2000,
 etc. And it is definitely best to manage such a mixed environment from
 the latest platform (e.g. XP). The key of course, is to pay attention
 to the Supported tags in the newer ADMs.

 Darren

 Darren Mar-Elia
 For comprehensive Windows Group Policy Information, check out
 www.gpoguy.com-- the best source for GPO FAQs, video training, tools
 and whitepapers. Also check out the Windows Group Policy Guide, the
 definitive resource for Group Policy information.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
 Sent: Wednesday, September 06, 2006 7:41 AM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] adm file management

 quick question (hopefully not too daft) ref ADM file management

 it seems different OS's ship with different versions of the 'standard'
 ADM files that include conf.adm / interes.adm / system.adm ...

 say if you are maintaining policies that link to containers holding
 say XP , 2000,
 2003 computers it would not be unreasonable to manage them all from a
 single host on which you edit policies.

 am i correct to say that in maintaining the settings in these files
 are always cumulative - if that's the right word

 if so then it is correct working practice to always use the MOST
 RECENT version of an ADM file with no fear of breaking previously
 functional GPO's ???

 GT








List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
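Darren's point is that ADM files should be compared by content rather than by date (he uses windiff), and Graham's follow-up asks what the "Supported" tags are: each POLICY block in an ADM can carry a `SUPPORTED` keyword whose string (usually resolved from the `[strings]` section) is what the policy editor shows as "Supported on"; it tells the administrator which platforms read the setting and is not enforced by the client. The following is an added example (not from the thread, gpoguy.com or Microsoft's ADM files) that parses that subset of the ADM format and diffs two versions by policy and SUPPORTED value, so a newer ADM can be checked for added policies and changed platform requirements before it replaces the one in a GPO. The two ADM texts are constructed stand-ins built by `make_adm`, and all names are my own.

```python
# Added example, not from the thread: compare two ADM files by policy path
# and SUPPORTED string instead of by file date or raw bytes.


def _strings_table(text):
    """NAME="value" pairs from the [strings] section."""
    table, in_strings = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.lower() == "[strings]":
            in_strings = True
            continue
        if in_strings and s and not s.startswith(";") and "=" in s:
            name, _, value = s.partition("=")
            table[name.strip()] = value.strip().strip('"')
    return table


def parse_adm(text):
    """Map 'Category/.../Policy' -> resolved SUPPORTED string (None if absent).
    Handles CLASS/CATEGORY/POLICY/SUPPORTED/END and !!token references; other
    keywords (KEYNAME, VALUENAME, PART, ...) are skipped."""
    strings = _strings_table(text)

    def resolve(token):
        token = token.strip()
        return strings.get(token[2:], token) if token.startswith("!!") else token.strip('"')

    policies, categories, current = {}, [], None
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if s.lower() == "[strings]":
            break
        parts = s.split(None, 1)
        keyword, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if keyword == "CATEGORY":
            categories.append(resolve(arg))
        elif keyword == "POLICY":
            current = "/".join(categories + [resolve(arg)])
            policies[current] = None
        elif keyword == "SUPPORTED" and current is not None:
            policies[current] = resolve(arg)
        elif keyword == "END":
            what = arg.strip().upper()
            if what == "CATEGORY" and categories:
                categories.pop()
            elif what == "POLICY":
                current = None
    return policies


def diff_adm(old_text, new_text):
    old, new = parse_adm(old_text), parse_adm(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "supported_changed": sorted(
            (p, old[p], new[p]) for p in set(old) & set(new) if old[p] != new[p]),
    }


def make_adm(policies, strings):
    """Emit a minimal, constructed ADM body from (policy_token, supported_token) pairs."""
    body = ["CLASS MACHINE", "CATEGORY !!Cat_Example"]
    for pol, sup in policies:
        body += [f"    POLICY !!{pol}",
                 '        KEYNAME "Software\\Policies\\ExampleVendor\\App"',
                 f"        SUPPORTED !!{sup}",
                 f'        VALUENAME "{pol}"',
                 "    END POLICY"]
    body += ["END CATEGORY", "", "[strings]"]
    body += [f'{k}="{v}"' for k, v in strings.items()]
    return "\n".join(body)


STRINGS = {"Cat_Example": "Example category",
           "Pol_A": "Example policy A", "Pol_B": "Example policy B",
           "Pol_C": "Example policy C",
           "SUPPORTED_Old": "At least the older service pack (constructed)",
           "SUPPORTED_New": "At least the newer service pack (constructed)"}
OLD_ADM = make_adm([("Pol_A", "SUPPORTED_Old"), ("Pol_B", "SUPPORTED_Old")], STRINGS)
NEW_ADM = make_adm([("Pol_A", "SUPPORTED_Old"), ("Pol_B", "SUPPORTED_New"),
                    ("Pol_C", "SUPPORTED_New")], STRINGS)

if __name__ == "__main__":
    for key, value in diff_adm(OLD_ADM, NEW_ADM).items():
        print(f"{key}: {value}")
```

A policy whose SUPPORTED string has moved to a newer platform is the case to look at before rolling the newer ADM into a GPO that still targets older machines: the editor will happily let you set it, and the older clients simply never read the registry value.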


RE: [ActiveDir] Strange password issue

2006-09-06 Thread Laura A. Robinson



How was the account created?

Thanks,

Laura

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 1:10 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue
  
  This is a domain account.
  
  To rehash-
  
  The Default Domain Policy is set to min password length- 6 characters.
  This was created 2 years ago and never changed.
  User account is a domain account created a month ago.
  It was brought to my attention that the user can log in with no password.
  I confirmed.
  The userAccountControl attribute of the user object was set to 512(not 
  that i'm certain if setting the passwd_notreqd overrides the DDP).
  The domain/forest is at w2k3 FL.
  
  Thanks
  
  On 9/6/06, Laura A. 
  Robinson [EMAIL PROTECTED] 
  wrote: 
  


Impossible/irrelevant.If it's a domain account, the policy 
applies regardless, because the account is stored in AD. If it's a local 
account, then the policy doesn't apply regardless; domain account policies 
don't apply to local accounts. Is this a local account or a domain account? 


Laura

  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 11:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the 
account was created a month ago.

Maybe the PC is not getting the Default Domain Policy?


On 9/6/06, Williams, 
Robert [EMAIL PROTECTED]  wrote: 

  
  
  
  Tom,
  
  This is just a 
  stab in the dark but is it possible that this user's password was set 
  prior to the Default Domain Policy being in effect? 
  
  Robert 
  Williams
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 9:39 AM
  To: activedirectory
  Subject: [ActiveDir] Strange password issue
  
  
  
  I'm having this weird issue where I have a user account who is able to 
  log in with a blank password.
  
  The Default Domain Policy is set to a min password length of 6 
  characters.
  
  The userAccountControl on the user is set to 512.
  
  The Domain is at win2k3 DFL and FFL.
  
  Is there any other way besides a migration tool like Quest that could 
  circumvent this policy and allow blank passwords?
  
  
  
  
  Thanks
  2006-09-06, 11:32:05
  The information contained in this e-mail message and any attachments may 
  be privileged and confidential. If the reader of this message is not the 
  intended recipient or an agent responsible for delivering it to the 
  intended recipient, you are hereby notified that any review, 
  dissemination, distribution or copying of this communication is strictly 
  prohibited. If you have received this communication in error, please 
  notify the sender immediately by replying to this e-mail and delete the 
  message and any attachments from your computer. 




[ActiveDir] Good SBS book suggestion

2006-09-06 Thread Daniel Gilbert
Susan,

Can you suggest a good ID 10 T's guide to SBS 2003 book?  I assume
from your e-mail address you know more than the average SA about SBS. 
Shameless request for information.  And being the SBS NOOB that I am,
I'm looking for any information I can get my hands on to provide my
customer with the best product for their limited budget.

I support a small office (eight users) and their workload and data
storage requirements are such that they really should get a real
server.

I am trying to decide if I suggest they purchase a server with SBS 2003
or a server with Windows Server 2003 R2 Standard edition.  I know there
is a cost difference with SBS 2003 being cheaper.  But, I do not think
they need all of the functionality that comes with SBS.  Their mail is
hosted with a commercial ISP.  Their office is a mix of XP Home and XP
Pro.  I know the XP Pros can join a domain but the XP Homes can not.

Dan



RE: [ActiveDir] Moms Alert Question.

2006-09-06 Thread John Strongosky
Robert, it looks like it. Like I said, I couldn't see the trees. For me,
I've got to read these things more than a few times... my old brain is not
what it once was... too many beers probably... nah, maybe too many
rums... nah...

Thanks again,

john

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Wednesday, September 06, 2006 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moms Alert Question.

John,

I'm not 100% sure if this is what you're seeing, but check out the Active
Directory Management Pack Guide located here:
http://www.microsoft.com/downloads/details.aspx?familyid=2B9D3613-5516-4F44-8550-B21E054F5047&displaylang=en

Around page 14, you'll see where you can set this value.  Please be sure to
read through the whole document as it contains lots of useful information
about configuring the ADMP.

Here's a snippet from the above:
SNIP
The maximum intersite replication latency threshold value is the maximum
amount of time it takes for a change to replicate across the entire forest.
By default, this value is set to 15 minutes. If it takes longer than 15
minutes for replication to occur, you will receive a warning.
Consult your system architect to review what the expected maximum threshold
value is for your environment. Usually, this value is monitored closely to
ensure that any applicable SLAs for your organization are being met. After
you have determined an appropriate value for your environment, modify the
setting accordingly. The most common scenario involves ensuring that basic
help desk procedures, such as resetting passwords, replicate from corporate
headquarters to a branch office within a reasonable amount of time as
determined by the SLA.
/SNIP

The document tells you where to change this value.

Another good read for the ADMP is the Active Directory Management Pack
Technical Reference:
http://www.microsoft.com/downloads/details.aspx?familyid=2F0237D8-FDA1-4925-87D6-7D609E5D0807&displaylang=en

I hope that helps...the thing with the Management Packs is to read the
guides (a few times).

Have a great day!

Robert Williams


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Wednesday, September 06, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moms Alert Question.


Hey everyone, below is a MOM alert I'm getting. I'm new to Active
Directory and MOM, and for the life of me I can't find where this (Intersite,
expected replication time is 15 minutes) is set. I have looked at the
replmon program and can't see it. I know I'm looking at some trees when I
should be looking at the forest, but I really need a second pair of eyes
here... could anyone direct me where to look for the intersite replication
parameter?

v/r
john



Description:
The following DCs took more than three times the expected replication time
to replicate.

Format: DC, Naming Context, Calculated Replication Time (in minutes)


Site name: City-CenterCity
(Intersite, expected replication time is 15 minutes) CIUTIL01A, Domain:SDCCD, 55

Site name: DistrictOffice
(Intersite, expected replication time is 15 minutes) DOUTIL01A, Domain:SDCCD, 55

Name: AD Replication is occurring slowly
Severity: Warning
Resolution State: New
Domain: SDCCD
Computer: CDUTIL01A
Time of First Event: 9/1/2006 3:01:00 PM
Time of Last Event: 9/1/2006 5:01:00 PM
Alert latency: -7 min, -26 sec
Problem State: Active
Repeat Count: 2
Age:
Source: AD Replication Monitoring
Alert Id: 4d23ee51-3b8e-4360-b0b4-6ca850d6f49f
Rule (enabled): Microsoft Windows Active Directory\Active Directory Windows 2000 and Windows Server 2003\Active Directory Availability\AD Replication is occurring slowly
 



John M. Strongosky
Network Support Group, Messaging Administrator, San Diego Community College
District SunGard Higher Education Managed Services
9315 Hillery Drive,
San Diego California 92126
Tel 619-388-1129
Fax 619-388-1195
Help Desk 619-388-7000
[EMAIL PROTECTED]

CONFIDENTIALITY: This email (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this email in error, please
notify the sender and delete this email from your system. Thank you. 

RE: [ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Laura A. Robinson
While that's an interesting approach, unless this is a very small environment 
(as in, there's no help desk that's going to be baffled by the screaming and no 
multi-gazillionaire CXOs who are going to be doing the screaming), that might 
not be such a good idea. ;-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Wednesday, September 06, 2006 1:18 PM
 To: ActiveDir.org
 Subject: Re: [ActiveDir] Is a Global Security group being used?
 
 Change it to a Distribution Group and see who screams - if 
 anyone does change it back to a security group again.
 
 M.
 
 -Original Message-
 From: Figueroa, Johnny [EMAIL PROTECTED]
 Date: Wed, 6 Sep 2006 09:43:58
 To:ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Is a Global Security group being used?
 
 Does anyone have a way to determine if a domain global group 
 is being used? Will auditing on the DCs tell me this? 
   
 Thanks in advance. 
   
 Johnny Figueroa
 


RE: [ActiveDir] Strange password issue

2006-09-06 Thread Akomolafe, Deji



It is possible to programmatically create an account that bypasses the password length policy. The password not required flag will let you enable the account with blank password, in contravention of your password policy.


Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Tom Kern
Sent: Wed 9/6/2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

This is a domain account.

To rehash-

The Default Domain Policy is set to min password length - 6 characters.
This was created 2 years ago and never changed.
User account is a domain account created a month ago.
It was brought to my attention that the user can log in with no password.
I confirmed.
The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote: 



Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account? 

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the account was created a month ago.

Maybe the PC is not getting the Default Domain Policy?


On 9/6/06, Williams, Robert mailto:[EMAIL PROTECTED] wrote: 




Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect? 

Robert Williams




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.



The Domain is at win2k3 DFL and FFL.



Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?




Thanks




RE: [ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Figueroa, Johnny



The tough one... being used in resource ACLs


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 10:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

What do you mean by "being used"? Are you referring to it being in resource ACLs? 
Nested into other groups?

Laura

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
  Sent: Wednesday, September 06, 2006 12:44 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Is a Global Security group being used?
  
  Does anyone have a way to determine if a domain global group is being used? 
  Will auditing on the DCs tell me this?
  
  Thanks in advance.
  
  Johnny Figueroa


RE: [ActiveDir] more DNS questions

2006-09-06 Thread Akomolafe, Deji



Do you have a zone called "rev" in your sub.domain.com fwd lookup zone?

If not, I want to say that the requestor didn't quite explain what he needs properly. The in-addr.arpa tag that you see is standard for reverse entries. Unless you are doing something fancy in your environment, that's what you'd typically use. Creating cnames in reverse lookup zones for vanity domains is ... shall we say, exotic.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Ramon Linan
Sent: Wed 9/6/2006 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] more DNS questions
Hi,

I have 2 internal DNS servers and 2 external DNS servers. 
We are delegating the subdomain sub.domain.com to another server in the
same building that is managed by the Unix guys. We have also given them
16 IP addresses in the range x.y.z.65-80.

One of their SAs is asking me to update the reverse RR for several
records in this way:

x.y.z.67 CNAME 67.z.y.x.rev.sub.domain.com  


But when I go to our dns server all I find for the reverse zone is
something like.

z.y.x.in-addr.arpa, so when I tried to create a cname record there I get
something like 67.z.y.x.in-addr.arpa instead of
67.z.y.x.rev.sub.domain.com  

How can I get what this dude is asking me to do??? Do I need to create a
reverse zone for that subdomain?

Thanks
Rezuma



Re: [ActiveDir] Strange password issue

2006-09-06 Thread Jason_Centenni
Tom, I believe that the passwd_notreqd does in fact override the DDP.
   
Jason Centenni | The Capital Group Companies | Location: SNO | Extension: 44843
Outside: 210-474-4843 | Cell: 210-385-5932 | E-mail: [EMAIL PROTECTED]
[ Mailing: 3500 Wiseman Blvd. San Antonio, TX 78251-4321 USA ]


From: Tom Kern [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue
Date: 09/06/2006 12:09 PM
Please respond to [EMAIL PROTECTED]




This is a domain account.

To rehash-

The Default Domain Policy is set to min password length - 6 characters.
This was created 2 years ago and never changed.
User account is a domain account created a month ago.
It was brought to my attention that the user can log in with no password.
I confirmed.
The userAccountControl attribute of the user object was set to 512 (not that
I'm certain if setting the passwd_notreqd overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks



On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:
  Impossible/irrelevant. If it's a domain account, the policy applies
  regardless, because the account is stored in AD. If it's a local account,
  then the policy doesn't apply regardless; domain account policies don't
  apply to local accounts. Is this a local account or a domain account?

  Laura


  From: [EMAIL PROTECTED] [mailto:
  [EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 11:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue


  If you mean before the policy was set up, then, no.
  This policy has been in effect for a couple of years and the account was
  created a month ago..

  Maybe the PC is not getting the Default Domain Policy?




  On 9/6/06, Williams, Robert [EMAIL PROTECTED]  wrote:
   Tom,





   This is just a stab in the dark but is it possible that this user's
   password was set prior to the Default Domain Policy being in effect?


   Robert Williams





   From: [EMAIL PROTECTED] [mailto:
   [EMAIL PROTECTED] On Behalf Of Tom Kern
   Sent: Wednesday, September 06, 2006 9:39 AM
   To: activedirectory
   Subject: [ActiveDir] Strange password issue





   I'm having this weird  issue where I have a user account who is able to
   log in with a blank password.


   The Default Domain Policy is set to a min password length of 6
   characters.


   The userAccountControl on the user is set to 512.





   The Domain is at win2k3 DFL and FFL.





   Is there any other way besides a migration tool like Quest that could
   circumvent this policy and allow blank passwords?





   Thanks








Re: [ActiveDir] Strange password issue

2006-09-06 Thread Tom Kern
ADUC.


On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:



How was the account created?

Thanks,

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue



This is a domain account.

To rehash-

The Default Domain Policy is set to min password length - 6 characters.
This was created 2 years ago and never changed.
User account is a domain account created a month ago.
It was brought to my attention that the user can log in with no password.
I confirmed.
The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED]
 wrote: 



Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account? 


Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the account was created a month ago.

Maybe the PC is not getting the Default Domain Policy?


On 9/6/06, Williams, Robert [EMAIL PROTECTED] 
 wrote: 




Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect? 


Robert Williams




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.



The Domain is at win2k3 DFL and FFL.



Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?




Thanks







Re: [ActiveDir] Strange password issue

2006-09-06 Thread Al Mulnick
From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. 
If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:
This is a domain account.

To rehash-

The Default Domain Policy is set to min password length - 6 characters.
This was created 2 years ago and never changed.
User account is a domain account created a month ago.
It was brought to my attention that the user can log in with no password.
I confirmed.
The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED]
 wrote:



Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?


Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the account was created a month ago.

Maybe the PC is not getting the Default Domain Policy?


On 9/6/06, Williams, Robert [EMAIL PROTECTED]
 wrote: 




Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect? 


Robert Williams




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.



The Domain is at win2k3 DFL and FFL.



Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?




Thanks
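The thread turns on one userAccountControl bit. The following is an added example (my code, not anything posted to the list) that decodes the attribute and builds the LDAP query a defender would use to find every enabled account carrying the flag. The bit values are the documented ADS_UF_* constants and the matching-rule OID is the documented LDAP_MATCHING_RULE_BIT_AND; the account records are constructed sample data. Note that the value 512 quoted in the thread decodes to NORMAL_ACCOUNT alone; a normal account with PASSWD_NOTREQD set reads 544.

```python
"""Decode userAccountControl and find accounts the password policy does not
protect (added example for the thread above; not code from the ActiveDir list).

The bit values are the documented userAccountControl flags (ADS_UF_*); the
account records at the bottom are constructed sample data, not a real export.
"""

# Documented userAccountControl flag bits (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
PASSWD_NOTREQD = 0x0020
ACCOUNTDISABLE = 0x0002

# LDAP extensible-match rule that performs a bitwise AND on integer attributes.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def password_not_required_filter():
    """LDAP filter for enabled user accounts with PASSWD_NOTREQD set.

    The bit-AND rule tests one bit at a time, so the filter matches whatever
    other flags (DONT_EXPIRE_PASSWORD, etc.) are also set on the account.
    """
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={PASSWD_NOTREQD})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})))"
    )


def find_unprotected_accounts(records):
    """Given (sAMAccountName, userAccountControl) pairs, return the names of
    enabled accounts whose PASSWD_NOTREQD bit is set: these may hold a blank
    password regardless of the domain's minimum-length policy."""
    return [
        name for name, uac in records
        if uac & PASSWD_NOTREQD and not uac & ACCOUNTDISABLE
    ]


# Constructed sample data: name, userAccountControl as returned by LDAP.
SAMPLE_ACCOUNTS = [
    ("alice", 512),        # NORMAL_ACCOUNT only: policy applies
    ("svc-backup", 544),   # 512 + 32: password not required, enabled
    ("olduser", 546),      # 512 + 32 + 2: flag set but account disabled
    ("bob", 66048),        # 512 + 65536: non-expiring password, still policy-bound
]

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:12} {uac:>6}  {' | '.join(decode_uac(uac))}")
    print("needs review:", find_unprotected_accounts(SAMPLE_ACCOUNTS))
    print("LDAP filter:", password_not_required_filter())
```

The filter string can be pasted into any LDAP client (ldifde, dsquery's `-filter` form, or ADUC's custom search) against the domain partition; the Python functions only model the bit logic, they do not talk to a directory.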







Re: [ActiveDir] Good SBS book suggestion

2006-09-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Can they share calendars?
Can they book appointments in each others calendars?
Got a SharePoint?

Got the ability to remotely get back to that XP Pro desktop over a 443 
port without VPN and its overhead, potential risks and setups as well?


Even with 'hosted' email at an ISP, SBS makes sense.  Now I would be 
remiss if I did not point out Windows Live as a possible collaborative 
platform as well, which, from what I've heard, comes out of beta in October.


But truly .. SBS makes sense in this space because while you don't think 
they need the functionality.. people can change and grow with that 
functionality.


Step one... go to Handy Andy's site and click on his step by step SBS 
how to (pictures and everything) at www.sbs-rocks.com


There are three books .. any of the three make a good choice and 
honestly I've written for two, edited on one.


Is there any potential for Macintoshes in this network?  If so get SBS 
Unleashed by Eriq Neale as he's our Mac/SBS guy.


Want to know more about R2?  SBS 2003 r2 administrator's companion by 
Charlie Russel.


Basic beginner to mid - start with the SBS 2003 best practices by Harry 
Brelsford and then follow up with the Advanced book. (www.smbnation.com)


Where are you located as we have SBS user/partner groups all over.

Step two:

Upgrade those XP homes to Pro.  While you can trick those puppies with 
pass thru authentication, as you stated they cannot join a domain.  I 
love ad/domains so much I hack up MCE's to join mine at home.


Step three:

Follow the blog www.msmvps.com/bradley and please holler if you have ANY 
questions.


We are quite proud of our newsgroups and they are quite active and 
healthy. 

Get a nntp newsreader and point to the msnews.microsoft.com server and 
find microsoft.public.windows.server.sbs


There are also partner resources at www.microsoft.com/partner and then 
there's the best IT podcast around for small biz at 
http://blogs.technet.com/sbs and then if you want to get more into the 
'managed services'/small biz world check out the podcasts at www.sbsshow.com


Are you an Enterprise guy coming down to SBS?  As we say, SBS can drive 
you to drink if you are used to setting up everything by hand.  The My 
Business OU is annoying to most but we say leave it alone... set up your 
own.  We also say set it up three times.. once to screw it up.. once to go 
oh!, and the last to do it right.   Let the wizards set up the AD and 
whatnot... we never use works like dcpromo unless we are


1.  Bringing an SBS box into an existing domain or
2.  Migrating from a flavor of SBS or server to an SBS domain and doing a 
process that uses seizing FSMO roles to maintain that AD structure as we 
rip it from one server to the ultimate SBS domain. 


Does this help?



Daniel Gilbert wrote:

Susan,

Can you suggest a good ID 10 T's guide to SBS 2003 book?  I assume
from your e-mail address you know more than the average SA about SBS. 
Shameless request for information.  And being the SBS NOOB that I am,
I'm looking for any information I can get my hands on to provide my
customer with the best product for their limited budget.

I support a small office (eight users) and their workload and data
storage requirements are such that they really should get a real
server.

I am trying to decide if I suggest they purchase a server with SBS 2003
or a server with Windows Server 2003 R2 Standard edition.  I know there
is a cost difference with SBS 2003 being cheaper.  But, I do not think
they need all of the functionality that comes with SBS.  Their mail is
hosted with a commercial ISP.  Their office is a mix of XP Home and XP
Pro.  I know the XP Pros can join a domain but the XP Homes can not.

Dan


  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



[ActiveDir] new KB article about SetSPN

2006-09-06 Thread Scott Klassen



For anyone who may be interested, it appears that the Setspn.exe support tool for 
W2K3 is a bit broken in its current form. http://support.microsoft.com/default.aspx?scid=kb;en-us;924177&sd=rss&spid=3198

Scott 
Klassen



RE: [ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Akomolafe, Deji



Try Hyena. I believe that it has the option to report on ACLs and list the relevant users/groups



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Figueroa, Johnny
Sent: Wed 9/6/2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

The tough one... being used in resource ACLs


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 10:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

What do you mean by "being used"? Are you referring to it being in resource ACLs? Nested into other groups?

Laura



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this?

Thanks in advance.

Johnny Figueroa


RE: [ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Laura A. Robinson



Ouch. How large an environment are we talking about? You could use something like 
DumpSec to list the DACLs and SACLs (and it's important to list the SACLs, 
because the group could be being used for auditing purposes as well as 
permissions granting) and could then parse the output, but depending on the size 
of the environment and how much you really want to do this, that may not be 
feasible/desirable. Unfortunately, auditing your DCs isn't going to tell you 
where the group is being used in ACLs, if at all.

There may be other options that aren't occurring to me at the moment, however. 
:-)

Laura

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
  Sent: Wednesday, September 06, 2006 2:12 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is a Global Security group being used?
  
  The tough one... being used in resource ACLs
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: Wednesday, September 06, 2006 10:16
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is a Global Security group being used?
  
  What 
  do you mean by "being used"? Are you referring to it being in resource ACLs? 
  Nested into other groups?
  
  Laura
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, 
JohnnySent: Wednesday, September 06, 2006 12:44 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Is a Global 
Security group being used?

Does anyone have 
a way to determine if a domain global group is being used?. Will auditing on 
the DCs tell me this?

Thanks in 
advance.

Johnny 
Figueroa


Re: [ActiveDir] Good SBS book suggestion

2006-09-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Product Documentation for Windows Small Business Server 2003 R2:
http://www.microsoft.com/windowsserver2003/sbs/techinfo/productdoc/default.mspx


Read this one in particular:
Download details: Introduction to Windows SBS 2003 for Enterprise IT Pros:
http://www.microsoft.com/downloads/details.aspx?familyid=71211053-ccd6-4f2b-bbd9-5e7b97c232ecdisplaylang=en

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Can they share calendars?
Can they book appointments in each others calendars?
Got a 'Sharepoint?

Got the ability to remotely get back to that XP pro desktop over a 443 
port without vpn and it's overhead, potential risks and setups as well?


Even with 'hosted' email at an ISP, SBS makes sense.  Now I would be 
remiss if I did not point out Windows Live as a possible collaborative 
platform as well which comes out of beta in October is what I've heard.


But truly .. SBS make sense in this space because while you don't 
think they need the functionality.. people can change and grow with 
that functionality.


Step one... go to Handy Andy's site and click on his step by step SBS 
how to (pictures and everything) at www.sbs-rocks.com


There are three books .. any of the three make a good choice and 
honestly I've written for two, edited on one.


Is there any potential for Macintoshes in this network?  If so get 
SBS Unleashed by Eriq Neale as he's our Mac/SBS guy.


Want to know more about R2?  SBS 2003 r2 administrator's companion by 
Charlie Russel.


Basic beginner to mid - start with the SBS 2003 best practices by 
Harry Brelsford and then follow up with the Advanced book. 
(www.smbnation.com)


Where are you located as we have SBS user/partner groups all over.

Step two:

Upgrade those XP homes to Pro.  While you can trick those puppies with 
pass thru authentication, as you stated they cannot join a domain.  I 
love ad/domains so much I hack up MCE's to join mine at home.


Step three:

Follow the blog www.msmvps.com/bradley and please holler if you have 
ANY questions.


We are quite proud of our newsgroups and they are quite active and 
healthy.
Get a nntp newsreader and point to the msnews.microsoft.com server and 
find microsoft.public.windows.server.sbs


There are also partner resources at www.microsoft.com/partner and then 
there's the best IT podcast around for small biz at 
http://blogs.technet.com/sbs and then if you want to get more into the 
'managed services'/small biz world check out the podcasts at 
www.sbsshow.com


Are you an Enterprise guy coming down to SBS?  As we say SBS can drive 
you to drink if you are used to setting up everything by hand.  The 
my business OU is annoying to most but we say leave it alone...set 
up your own  We also say set it up three times.. once to screw it 
up..once to go oh!, and the last to do it right.   Let the wizards 
set up the AD and what not... we never use works like dcpromo unless 
we are


1.  Bringing an SBS box into an existing domain or
2.  Migrating from a flavor of SBS or server to a SBS domain and doing 
a process that uses seizing FSMO roles to maintain that AD structure 
as we rip it from one server to the ultimate SBS domain.

Does this help?



Daniel Gilbert wrote:

Susan,

Can you suggest a good ID 10 T's guide to SBS 2003 book?  I assume
from your e-mail address you know more than the average SA about SBS. 
Shameless request for information.  And being the SBS NOOB that I am

looking for any information I can get my hands on to provide my
customer with the best product for their limited budget.

I support a small office (eight users) and their workload and data
storage requirements are such that they really should get a real
server.

I am trying to decide if I suggest they purchase a server with SBS 2003
or a server with Windows Server 2003 R2 Standard edition.  I know there
is a cost difference with SBS 2003 being cheaper.  But, I do not think
they need all of the functionality that comes with SBS.  Their mail is
hosted with a commercial ISP.  Their office is a mix of XP Home and XP
Pro.  I know the XP Pros can join a domain but the XP Homes can not.

Dan


  




--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Strange password issue

2006-09-06 Thread Laura A. Robinson
I'm confused as to why the 512 UAC flag is making anybody think that
passwd_notreqd is set. A setting of 512 indicates a normal account. 544
would indicate a normal account with passwd_notreqd set.

Laura

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Wednesday, September 06, 2006 2:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Strange password issue
 
 Tom, I believe that the passwd_notreqd does in fact override the DDP.

Jason Centenni | The Capital Group Companies | Location: SNO | Extension: 44843
Outside: 210-474-4843 | Cell: 210-385-5932 | E-mail: [EMAIL PROTECTED]
[ Mailing: 3500 Wiseman Blvd. San Antonio, TX 78251-4321 USA ]

 
 
 
 
 
   
  
Tom Kern [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/06/2006 12:09 PM
Please respond to [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] Strange password issue

 This is a domain account.
 
 To rehash-
 
 The Default Domain Policy is set to min password length- 6 characters.
 This was created 2 years ago and never changed.
 User account is a domain account created a month ago.
 It was brought to my attention that the user can log in with no password.
 I confirmed.
 The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).
 The domain/forest is at w2k3 FL.
 
 Thanks
 
 On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:
   Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?
 
   Laura
 
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
   Sent: Wednesday, September 06, 2006 11:44 AM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir] Strange password issue
 
   If you mean before the policy was set up, then, no.
   This policy has been in effect for a couple of years and the account was created a month ago..
 
   Maybe the PC is not getting the Default Domain Policy?
 
   On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:
     Tom,
 
     This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?
 
     Robert Williams
 
     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
     Sent: Wednesday, September 06, 2006 9:39 AM
     To: activedirectory
     Subject: [ActiveDir] Strange password issue
 
     I'm having this weird issue where I have a user account who is able to log in with a blank password.
 
     The Default Domain Policy is set to a min password length of 6 characters.
 
     The userAccountControl on the user is set to 512.
 
     The Domain is at win2k3 DFL and FFL.
 
     Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?
 
     Thanks
 
     2006-09-06, 11:32:05
     The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an 

RE: [ActiveDir] Strange password issue

2006-09-06 Thread Akomolafe, Deji



If it's 512, then that pwd not req is not true.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Al Mulnick
Sent: Wed 9/6/2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue
From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length. 
On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote: 


This is a domain account.

To rehash-

The Default Domain Policy is set to min password length- 6 characters.
This was created 2 years ago and never changed.
User account is a domain account created a month ago.
It was brought to my attention that the user can log in with no password.
I confirmed.
The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks


On 9/6/06, Laura A. Robinson mailto:[EMAIL PROTECTED] wrote: 



Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account? 

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the account was created a month ago..

Maybe the PC is not getting the Default Domain Policy?


On 9/6/06, Williams, Robert mailto:[EMAIL PROTECTED] wrote: 




Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect? 

Robert Williams




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.



The Domain is at win2k3 DFL and FFL.



Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?




Thanks
2006-09-06, 11:32:05
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer. 




RE: [ActiveDir] adm file management

2006-09-06 Thread Darren Mar-Elia
Sure. On XP or 2003, when you open an admin. Template policy, you see at the
bottom that it says, Supported On and then shows the minimum OS or app
level required that supports that policy. Those are the supported tags. In
GP Editor you can do View, Filtering and filter by Supported level so that,
for example, you see only policies that support XP, SP2. It's a handy
feature that was intro'd in XP. 

The good (or reasonably good) news on all of this, is that with the
introduction of Vista, the whole ADM and ADM management story changes. No
longer will ADM (called ADMX in Vista) files be stored within each GPO and
no longer will they be automatically updated. You will have a central
store that holds all ADMXs and you can update it centrally and
purposefully.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 10:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adm file management

Darren, I value your (and all others who help me) correspondence from the
mailing list and also the content of your web site.

'clear as mud' sums it up !!

final question - you referenced a concept of 'supported tags' - is it easy for you to
explain in a nutshell?

GT

 Graham-
 Yes, the dates can be confusing. I typically take these as groupings. 
 So, all of the ADMs that ship with a given OS/Service Pack should stay
together.
 The reality is that the two conf.adm files you list below are 
 identical in content (windiff is a good tool for this), even though 
 their dates are not identical. In the case of system.adm 2003/SP1 
 added some additional policies for the secure mode IE stuff that 
 wasn't in XP,SP2, but otherwise it was identical (I list out the 
 differences between the XP,SP2 and 2003, SP1 ADMs at 
 www.gpoguy.com/admdiffs.htm). To answer your question, yes, if you are 
 managing GP from a 2003 server machine, then you could certainly have 
 ADMs from XP, SP2 in your GPOs. By default, the ADMs in 2003's 
 c:\windows\inf folder will auto-update each GPO you edit so over time, 
 unless you change that default behavior, your GPOs will be upgraded 
 to 2003,SP1, but in general, as long as you are on 2003, SP1 or XP, SP2,
you should be good to go.

 Clear as mud?

 Darren

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
 Sent: Wednesday, September 06, 2006 8:21 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] adm file management

 Darren, thanks for the mail back

 in the interim I dug into the 'versioning' of these ADMs and it seems 
 that the most recent versions are not always in the same OS

 I cite a comparison of ADM versions (i.e. dates) on different OSes:

 conf.adm - 22/2/03 (2003/SP1) - 17/7/04 (XP SP2)
 system.adm - 18/02/05 (2003/SP1) - 17/07/04 (XP/SP2)

 so if I read this right it would seem the rule of latest OS is not 
 strict - hence my view to come back to the 'most recent' ??

 I assume if the 'admin' workstation is running Windows Server 2003 we 
 are ok to put in the ADM files shipped with say XP SP2, assuming of 
 course as above they are more recent ?





 Graham-
 You are correct on both counts. ADMs are typically supersets of each 
 other--2003, SP1 is a superset of XP,SP2, XP is a superset of 2000, 
 etc. And it is definitely best to manage such a mixed environment 
 from the latest platform (e.g. XP). The key of course, is to pay 
 attention to the Supported tags in the newer ADMs.

 Darren

 Darren Mar-Elia
 For comprehensive Windows Group Policy Information, check out
 www.gpoguy.com-- the best source for GPO FAQs, video training, tools 
 and whitepapers. Also check out the Windows Group Policy Guide, the 
 definitive resource for Group Policy information.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Graham 
 Turner
 Sent: Wednesday, September 06, 2006 7:41 AM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] adm file management

 quick question (hopefully not too daft) ref ADM file management

 it seems different OSes ship with different versions of the 'standard'
 ADM files that include conf.adm / inetres.adm / system.adm ...

 say if you are maintaining policies that link to containers holding 
 say XP, 2000, 2003 computers it would not be unreasonable to manage them all from a 
 single host on which you edit policies.

 am I correct to say that in maintaining the settings in these files 
 are always cumulative - if that's the right word

 if so then it is correct working practice to always use the MOST 
 RECENT version of an ADM file with no fear of breaking previously 
 functional GPOs ???

 GT






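Darren's advice to compare ADM versions (windiff) and to watch the SUPPORTED ("Supported on") tags in the newer file can be scripted. The parser below is an added example for this page, not Darren's or Microsoft's code: it walks the CATEGORY / POLICY / END POLICY nesting of an ADM file, resolves the !!string references from the [strings] table, and lists the policies a newer ADM adds over an older one together with their Supported-on text. The two ADM fragments are constructed for the example in system.adm style, and the policy and string names in them are made up; PART blocks and #if version directives are ignored, which is enough for a policy-level comparison.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

TOKEN_RE = re.compile(r"\s+")


@dataclass(frozen=True)
class AdmPolicy:
    category: str   # CATEGORY path, e.g. "System/Logon"
    name: str       # POLICY display name, with !!string references resolved
    supported: str  # SUPPORTED ("Supported on") text, "" when the ADM declares none


def _split_strings(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Separate the policy body from the [strings] table at the end of an ADM file."""
    body, strings, in_strings = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "[strings]":
            in_strings = True
        elif in_strings:
            m = re.match(r'^(\w+)\s*=\s*"(.*)"$', line)
            if m:
                strings[m.group(1)] = m.group(2)
        else:
            body.append(line)
    return body, strings


def parse_adm(text: str) -> List[AdmPolicy]:
    """Collect every POLICY with its category path and SUPPORTED tag."""
    body, strings = _split_strings(text)

    def resolve(token: str) -> str:  # '!!Name' -> strings["Name"]; '"literal"' -> literal
        return strings.get(token[2:], token[2:]) if token.startswith("!!") else token.strip('"')

    policies, categories, current = [], [], None
    for line in body:
        if not line or line.startswith(";"):  # blank line or comment
            continue
        parts = TOKEN_RE.split(line, 1)
        keyword, rest = parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "CATEGORY":
            categories.append(resolve(rest))
        elif keyword == "POLICY":
            current = AdmPolicy("/".join(categories), resolve(rest), "")
        elif keyword == "SUPPORTED" and current is not None:
            current = AdmPolicy(current.category, current.name, resolve(rest))
        elif keyword == "END":
            if rest.upper() == "POLICY" and current is not None:
                policies.append(current)
                current = None
            elif rest.upper() == "CATEGORY":
                categories.pop()
    return policies


def new_policies(older_adm: str, newer_adm: str) -> List[AdmPolicy]:
    """Policies present in the newer ADM but absent from the older one (matched on category + name)."""
    known = {(p.category, p.name) for p in parse_adm(older_adm)}
    return [p for p in parse_adm(newer_adm) if (p.category, p.name) not in known]


# Constructed ADM fragments; names are invented for this example, not taken from a real system.adm.
ADM_OLD = """CLASS MACHINE
CATEGORY !!Cat_System
  POLICY !!Pol_Alpha
    SUPPORTED !!SUPPORTED_Win2k
    KEYNAME "Software\\Policies\\Example"
    VALUENAME "Alpha"
  END POLICY
END CATEGORY
[strings]
Cat_System="System"
Pol_Alpha="Alpha setting"
SUPPORTED_Win2k="At least Windows 2000"
"""

ADM_NEW = """CLASS MACHINE
CATEGORY !!Cat_System
  POLICY !!Pol_Alpha
    SUPPORTED !!SUPPORTED_Win2k
    KEYNAME "Software\\Policies\\Example"
    VALUENAME "Alpha"
  END POLICY
  POLICY !!Pol_Beta
    SUPPORTED !!SUPPORTED_XPSP2
    KEYNAME "Software\\Policies\\Example"
    VALUENAME "Beta"
  END POLICY
END CATEGORY
[strings]
Cat_System="System"
Pol_Alpha="Alpha setting"
Pol_Beta="Beta setting"
SUPPORTED_Win2k="At least Windows 2000"
SUPPORTED_XPSP2="At least Windows XP Service Pack 2"
"""

if __name__ == "__main__":
    for p in new_policies(ADM_OLD, ADM_NEW):
        print("%s / %s  [%s]" % (p.category, p.name, p.supported or "no SUPPORTED tag"))
```

Run it against the real files from c:\windows\inf on the two machines and the Supported-on column tells you straight away which added policies a client older than that level will silently ignore.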
RE: [ActiveDir] Strange password issue

2006-09-06 Thread Paul Williams








PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

  C:\>admod -b cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

  AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

  DN Count: 1
  Using server: connoa-dc-01.connoa.concorp.contoso.com
  Adding specified objects...
     DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

  The command completed successfully

  C:\>admod -b cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com useraccountcontrol::512 -unsafe

  AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

  DN Count: 1
  Using server: connoa-dc-01.connoa.concorp.contoso.com
  Modifying specified objects...
     DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

  ERROR: Too many errors encountered, terminating...

  The command did not complete successfully

--Paul













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue





From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain.

I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user.

If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.







RE: [ActiveDir] Strange password issue

2006-09-06 Thread Paul Williams








Pressed send before I finished typing! :(

Following on from the last mail...

You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this?

If you test this, when you set the policy to zero it says "no password required" (in the window).

--Paul













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue





From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain.

I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user.

If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.








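To turn the bit arithmetic in this thread (512 = NORMAL_ACCOUNT, 32 = PASSWD_NOTREQD, so Paul's 544 is both) into a domain-wide check, the script below is an added example for this page, not code from any poster or from Microsoft. It decodes a userAccountControl value into flag names, builds the LDAP filter that selects every user with PASSWD_NOTREQD set (the bitwise-AND matching rule 1.2.840.113556.1.4.803, usable with adfind, ldifde or Get-ADUser -LDAPFilter), and audits an export of the kind csvde -f users.csv -r "(objectClass=user)" -l sAMAccountName,userAccountControl produces. The three accounts in the export are constructed. Note what the check does and does not prove: an account whose bit is clear, like the one Tom describes, can still carry a blank password if it was created while the minimum length was temporarily zero, which is Paul's second scenario, so this query finds the policy exemption, not the blank password itself.

```python
import csv
import io
from typing import Dict, List

# userAccountControl bit values as documented for the AD schema attribute.
UAC_FLAGS: Dict[int, str] = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED", 0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE", 0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT", 0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT", 0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY", 0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED", 0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
PASSWD_NOTREQD = 0x20
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> List[str]:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits this table does not know about
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def exempt_from_min_length(uac: int) -> bool:
    """PASSWD_NOTREQD lets an account be created with, or kept at, an empty password
    in spite of the domain minimum-length policy."""
    return bool(uac & PASSWD_NOTREQD)


def passwd_notreqd_filter() -> str:
    """LDAP filter matching every user whose PASSWD_NOTREQD bit is set (bitwise-AND matching rule)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(userAccountControl:%s:=%d))" % (LDAP_MATCHING_RULE_BIT_AND, PASSWD_NOTREQD))


def audit_csvde_export(csv_text: str) -> List[Dict[str, object]]:
    """Parse a csvde export (DN,sAMAccountName,userAccountControl) and report exempt accounts."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        if exempt_from_min_length(uac):
            findings.append({"account": row["sAMAccountName"], "uac": uac, "flags": decode_uac(uac)})
    return findings


# Constructed export for three hypothetical accounts; 544 = 512 + 32, 66080 = 65536 + 512 + 32.
SAMPLE_EXPORT = """DN,sAMAccountName,userAccountControl
"CN=Alice,OU=Staff,DC=contoso,DC=com",alice,512
"CN=Test User,OU=Staff,DC=contoso,DC=com",test-user,544
"CN=svc-backup,OU=Service,DC=contoso,DC=com",svc-backup,66080
"""

if __name__ == "__main__":
    print(passwd_notreqd_filter())
    for f in audit_csvde_export(SAMPLE_EXPORT):
        print(f["account"], f["uac"], "+".join(f["flags"]))
```

The filter is the part worth keeping: run it on a schedule, because PASSWD_NOTREQD is set silently by any provisioning script that creates an enabled user without supplying a password, exactly the ADSI behaviour Paul describes.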
RE: [ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Laura A. Robinson



There are lots of utilities to report ACLs. The issue is, depending upon the size of the environment, this could be a lot of work that may not be worth it, depending on how badly the OP wants to know if the group is being used anywhere.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Wednesday, September 06, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

Try Hyena. I believe that it has the option to report on ACLs and list the relevant users/groups

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Figueroa, Johnny
Sent: Wed 9/6/2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

The tough one... being used in resource ACLs

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 10:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

What do you mean by "being used"? Are you referring to it being in resource ACLs? Nested into other groups?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this?

Thanks in advance.

Johnny Figueroa

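The survey Laura and Deji describe (dump the DACLs and SACLs of every resource, then search them for the group) can be done offline from the SDDL strings the dump tools already produce. The script below is an added example for this page, not DumpSec or Hyena output and not code from any poster. It reads alternating path / SDDL lines, which is the layout of the file icacls <root> /save <file> /t writes (that file holds DACLs only and is Unicode text, so open it with encoding='utf-16'), and the same two-line layout is easy to emit from PowerShell's (Get-Acl -Audit <path>).Sddl, whose string carries the S: part as well. It parses the ACEs in both the DACL and the SACL and reports every ACE naming the group's SID. The group SID, share names and descriptors are constructed for the example; only classic ACEs are handled (conditional ACEs nest parentheses and are skipped) and the alias table covers just the well-known SIDs the sample uses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Two-letter SDDL aliases for well-known SIDs (subset; assumed sufficient for the sample).
SID_ALIASES = {
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "AU": "S-1-5-11",      # Authenticated Users
    "WD": "S-1-1-0",       # Everyone
}

SECTION_RE = re.compile(r"([OGDS]):")   # O:owner  G:group  D:dacl  S:sacl
ACE_RE = re.compile(r"\(([^()]*)\)")    # classic ACEs only; conditional ACEs nest parens and are skipped


@dataclass
class Ace:
    acl: str       # "DACL" (permissions) or "SACL" (audit entries)
    ace_type: str  # A = allow, D = deny, AU = audit, ...
    flags: str     # inheritance flags such as OICI; SA/FA on audit ACEs
    rights: str    # rights mask, e.g. FA or 0x1200a9
    sid: str       # trustee, aliases expanded to SID strings


def split_sddl(sddl: str) -> Dict[str, str]:
    """Split an SDDL string into its O:, G:, D: and S: components (absent ones are simply missing)."""
    parts: Dict[str, str] = {}
    marks = list(SECTION_RE.finditer(sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    return parts


def parse_aces(acl_text: str, acl_name: str) -> List[Ace]:
    """Parse '(type;flags;rights;objguid;inhguid;sid)' entries from a DACL or SACL string."""
    aces = []
    for body in ACE_RE.findall(acl_text):
        fields = body.split(";")
        if len(fields) != 6:
            continue
        ace_type, flags, rights, _obj, _inh, sid = fields
        aces.append(Ace(acl_name, ace_type, flags, rights, SID_ALIASES.get(sid, sid)))
    return aces


def load_path_sddl_pairs(text: str) -> Dict[str, str]:
    """Pair up alternating 'path' / 'SDDL' lines (the layout of an icacls /save file)."""
    lines = [l for l in text.splitlines() if l.strip()]
    return {lines[i]: lines[i + 1] for i in range(0, len(lines) - 1, 2)}


def find_group_references(sddl_by_path: Dict[str, str], group_sid: str) -> List[Tuple[str, str, str, str]]:
    """Return (path, DACL|SACL, ace type, rights) for every ACE naming group_sid in either list."""
    hits = []
    for path, sddl in sddl_by_path.items():
        parts = split_sddl(sddl)
        aces = parse_aces(parts.get("D", ""), "DACL") + parse_aces(parts.get("S", ""), "SACL")
        hits.extend((path, a.acl, a.ace_type, a.rights) for a in aces if a.sid == group_sid)
    return hits


# Constructed sample: a hypothetical domain global group SID and three share roots.
# 'hr' grants the group nothing but audits its access, which a DACL-only scan would miss.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1107"
SAMPLE_DUMP = f"""finance
O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;{GROUP_SID})
public
O:BAG:SYD:(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)
hr
O:BAG:SYD:(A;OICI;FA;;;BA)S:(AU;SAFA;FA;;;{GROUP_SID})
"""

if __name__ == "__main__":
    for hit in find_group_references(load_path_sddl_pairs(SAMPLE_DUMP), GROUP_SID):
        print("%-10s %-4s %-3s %s" % hit)
```

Matching on the SID rather than the group name is deliberate: dump tools differ in whether they print names or SIDs, and a renamed group keeps its SID, so the SID is the one stable key across every dump you collect.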

[ActiveDir] OT: admin account in Vista

2006-09-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Windows Vista Security : Built-in Administrator Account Disabled:
http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-06 Thread Ravi Dogra

1. I didn't understand what exactly you are asking.
2. Yes, DHCP is configured properly.
3. Yes, it is running on a DC.
4. No, not running any other credential.
5. The VPN machine is entirely a different box on the other site.
6. It doesn't register in my DNS. (Will extract other information from
the Site B admin.)

update you very soon...

Thanks
RD


RE: [ActiveDir] [OT] Apology

2006-09-06 Thread Rich Milburn








In a rare bit of poking-head-up-for-air from AD-unrelated work, I saw this and had to mention that I forgive you Brandon, and while I would _never_ add such a list to my jokes DL, I did think the cups pic was funny :op

Hello to everyone, hope everyone's well, hope to be back to the list before too long

Rich

Rich Milburn
MVP Directory Services
Field Platform Development
Applebee's International, Inc.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brandon Pierce
Sent: Wednesday, September 06, 2006 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Apology





Laura, thank you. In my defense, yes, I had an attack of computing stupidity and made a mistake. I accidentally added the ActiveDir list to my own personal DL for sending my friends jokes. As you can see these OT posts are the results. I appreciate all the support from folks who realize simple mistakes happen and that one should not be ridiculed for it. I respect these types of information forums and consider them vital to the IT professional's success. I have addressed this with the list owner and he understands my position! Yes, it is true that I inadvertently sent out two jokes. However, since I do not read this post every single day (blasphemy!!) I did not catch my mistake immediately (sorry, no uber-geek here ;) )! As I can see no one was adversely affected by these two mistakes I will assume that this is now a dead issue. Again, my apologies if anyone's lives were dramatically changed by my senseless jokes...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]



Given that the culprit hasn't received any of the backlash, my guess is that it was still an accident. Can't anybody just cut the guy some slack? Yeesh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Wednesday, September 06, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

My guess - the second was on purpose after all the backlash

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, September 05, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner]





Yeah, I just let him know
he messed up on this one. Can't argue with banning him after 2 messups.
:(



On 9/5/06, Tony
Murray  [EMAIL PROTECTED]
wrote:

Not sure what's going on so I have temporarily suspended his
subscription. 

Tony
List owner and humourless [EMAIL PROTECTED]





Sent via the WebMail system at mail.activedir.org





List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx

List archive: http://www.activedir.org/ml/threads.aspx











---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- 
PRIVILEGED / 
CONFIDENTIAL INFORMATION may be contained in this message or any attachments. 
This information is strictly confidential and may be subject to attorney-client 
privilege. This message is intended only for the use of the named addressee. If 
you are not the intended recipient of this message, unauthorized forwarding, 
printing, copying, distribution, or using such information is strictly 
prohibited and may be unlawful. If you have received this in error, you should 
kindly notify the sender by reply e-mail and immediately destroy this message. 
Unauthorized interception of this e-mail is a violation of federal criminal law. 
Applebee's International, Inc. reserves the right to monitor and review the 
content of all messages sent to and from this e-mail address. Messages sent to 
or from this e-mail address may be stored on the Applebee's International, Inc. 
e-mail system.








RE: [ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Figueroa, Johnny



Thank you everyone.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 12:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

There are lots of utilities to report ACLs. The issue is, depending upon the size of the environment, this could be a lot of work that may not be worth it, depending on how badly the OP wants to know if the group is being used anywhere.

Laura

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
  Sent: Wednesday, September 06, 2006 2:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is a Global Security group being used?

  Try Hyena. I believe that it has the option to report on ACLs and list the relevant users/groups.

  Sincerely,
  Deji Akomolafe
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  -5.75, -3.23
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

  From: Figueroa, Johnny
  Sent: Wed 9/6/2006 11:12 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is a Global Security group being used?

  The tough one... being used in resource ACLs

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: Wednesday, September 06, 2006 10:16
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is a Global Security group being used?

  What do you mean by "being used"? Are you referring to it being in resource ACLs? Nested into other groups?

  Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this?

Thanks in advance.

Johnny Figueroa

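An added example, written for this archive and not taken from the thread or from Hyena or any other tool named in it, covering the two senses of "being used" that Laura asks about: where the group is nested (its memberOf back-links, which only show direct nesting) and which NTFS ACLs under a set of root paths name it directly. Matching is done on the group's SID, so a renamed group or an unresolvable trustee does not cause misses. It assumes PowerShell 3 or later on a domain-joined machine whose account can read AD and the target paths; the group name and the root paths are placeholders. On Johnny's other question: DC auditing records changes to the group (membership, rename, deletion) and logons, not which resource ACLs on member servers reference it, so the ACL walk below is still needed for that part.

```powershell
# Added example, not from the thread: find where a domain global group is
# "used" -- (1) groups it is nested into, via its memberOf attribute, and
# (2) explicit NTFS ACEs under the given root paths, matched by SID rather than
# by display name. Assumes PowerShell 3+ on a domain-joined machine with read
# access to the paths. $GroupName and $Roots are placeholders (assumptions).
param(
    [Parameter(Mandatory = $true)] [string] $GroupName,        # sAMAccountName, e.g. 'AppX-Users'
    [string[]] $Roots = @('\\fs01\data', 'D:\Shares')          # assumed root paths to walk
)

# --- 1. Locate the group, read its SID and where it is nested ------------
$searcher = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$GroupName))"
$searcher.PropertiesToLoad.AddRange(@('objectSid', 'memberOf', 'distinguishedName'))
$result = $searcher.FindOne()
if (-not $result) { throw "Group '$GroupName' not found in the current domain." }

$groupSid = New-Object System.Security.Principal.SecurityIdentifier(
    [byte[]]$result.Properties['objectsid'][0], 0)
$nestedIn = @($result.Properties['memberof'])   # direct nesting only

Write-Host "Group : $($result.Properties['distinguishedname'][0])"
Write-Host "SID   : $groupSid"
Write-Host "Nested into $($nestedIn.Count) group(s):"
$nestedIn | ForEach-Object { Write-Host "  $_" }

# --- 2. Walk NTFS ACLs for explicit ACEs granted to that SID -------------
function Get-AceTrusteeSid {
    param([System.Security.AccessControl.FileSystemAccessRule] $Ace)
    try {
        return $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return $null   # orphaned SID or untranslatable trustee: skip it
    }
}

$hits = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Skipping missing path $root"; continue }
    # Folders and files, hidden ones included; access-denied errors are skipped, not fatal.
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.IsInherited) { continue }        # report only where the group was set directly
                if ((Get-AceTrusteeSid $ace) -eq $groupSid) {
                    [pscustomobject]@{
                        Path   = $_.FullName
                        Rights = $ace.FileSystemRights
                        Type   = $ace.AccessControlType
                    }
                }
            }
        }
}

Write-Host "Explicit ACEs referencing the group: $(@($hits).Count)"
$hits | Format-Table -AutoSize
```

Inherited ACEs are skipped on purpose: every inherited entry traces back to one explicit entry higher up, and that is the one you need to find to remove or rename the group safely. Share-level permissions, service ACLs, SQL logins and application-specific role mappings are not covered, which is the "lot of work" Laura refers to.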

Re: [ActiveDir] Separate Administrator password policy

2006-09-06 Thread [EMAIL PROTECTED]

Hi Susan,

No, we haven't tried with small business server..  Our average customer has 
11,000 employees.  :-)


That said, I can't imagine why it wouldn't work.  Moreover, we do work with 
lots of IT outsourcers / managed service providers, and support things like 
multi-tenant, hopping firewalls, etc.  That's getting a bit far outside of 
this list's topic, and starting to sound a bit too much like advertising, 
though.  Continue offline please?


Cheers,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com


Please visit M-Tech in booth 80 at the Insight booth at GTC East Conference:
  September 25-28, 2006 in Albany, New York.
M-Tech's CTO will be featured in the September 27 3:00PM panel discussion:
  Identity Management, Track: Embracing Technology



 The information in this email is confidential and may be legally
 privileged.  It is intended solely for the addressee.  Access to this
 email by anyone else is unauthorized.  If you are not the intended
 recipient, any disclosure, copying, distribution or any action taken or
 omitted to be taken in reliance on it, is prohibited and may be unlawful.


On Mon, 4 Sep 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> ... as I go click on your web site to figure out your company and if it's
> SBSized :-)  Remember my space... managed services and var/vaps.
>
> [EMAIL PROTECTED] wrote:
>
>> Susan,
>>
>> Your point about lots of admins coming and going, with transient access to
>> hundreds or thousands of machines, is an important and separate one from
>> the multiple password policies question that this thread started out with.
>>
>> I think trying to revoke all the admin creds that a given person had
>> access to in the last N days (N could be very large) is a hard problem,
>> and may be unnecessary.  If you change all those admin passwords
>> frequently (e.g., every 24 hrs), then you can rest assured that the
>> person who just left the org won't have access to anything sensitive
>> tomorrow.  That's good enough in most cases.
>>
>> Of course, changing every admin cred every 24 hours creates a completely
>> new problem: how do you do that, in a manner that still makes the admin
>> creds reliably accessible to the people who need them, and only the people
>> who need them, only when they need them, and (heck, while we're at it)
>> with an audit log that shows which person looked up which cred.
>>
>> Problems like this usually cause products to be written.  E-mail me if
>> you want to get the advertising pitch for our particular solution.  :-)
>>
>> L8r,



Re: [ActiveDir] Separate Administrator password policy

2006-09-06 Thread [EMAIL PROTECTED]

Hi Al,

All good questions.  I'll answer here, but if it starts to get hairy, let's
take it offline (same as my post to Susan - I don't want this to become a
deep discussion of our product on the list).


> Not to pick, but it occurs to me that you're trying to complicate the
> problem.  While I agree that changing the passwords every 24 hours (whatever
> freq works is likely going to be fine), is not a bad idea, it has the likely
> problem of being very problematic.  This is similar to a push vs. pull
> paradigm and if looked at that way, you have similar issues such as
> connectivity and reliability.  i.e. how do you ensure that the password
> change was successful if there's a network outage? Or just a network blip?
> Is it important that you do so is assumed from the previous information to
> date.


100% reliability is mandatory in this kind of app.  Funny that you raise
push vs. pull, as we have two modes of operations, called push and pull.
:-)  We push passwords to server-class target systems (e.g., AD,
mainframes, whatever), and pull password changes from workstations
(i.e., the workstations push to the server).  The handshake used ensures
that password changes are 100% reliable - we abort if there isn't a
connection, etc.; and password history is retained just in case
something went wrong anyways.


> A solution that scales up, down, or laterally is appropriate.  Something
> that allows an account to traverse the different sites, possibly into the
> hundreds or even thousands, and allows almost instant revocation of the user
> account with administrative privileges should that become necessary during
> the course of normal business.


Scaling is easy enough - just arrange for different devices, of which
there may be tens of thousands, to contact a central server at somewhat
randomized times, and keep trying in case of powerdown, connection
failures, etc. etc.  This eliminates nasty traffic bursts.

Traversing sites is easy too - use HTTPS to connect to the central
server, and use whatever proxy settings are needed to get out.

Instant revocation is another matter.  Our approach provides for timed
revocation on workstations (due to limitations fundamental to pull mode),
and instant revocation on servers (since push allows for it).


> Now, if only we had such a technology...


We sell it, more or less as described.


> Some suggestions that come to mind would be everything from a toaster-like
> device placed at the client site to a certificate based credential system.
> Hybrid ideas also entertained. Plenty of pros and cons for
> each, such as the ability to have something tangible at the client site that
> can also be a multi-functional device and can work semi-autonomously to
> monitor even if the WAN link goes away (different issues can be monitored.)
> It can also provide the 8th layer with a sense of investment and
> partnership.  Downside is that it's more to manage and monitor. But that can
> be mitigated by allowing it to be *gasp* sales person installable, meaning
> that if something goes wrong with the device, then you roll a salesperson to
> replace it.  That gives the salesperson reason to have more facetime with
> the client and gives a chance to sell more business.


A service on each client device is probably cheaper than yet another
machine at the client site, if you're managing lots of small-ish
clients...  Of course, you pointed to other, unrelated but quite useful
functionality above, such as WAN link monitoring.


> The conversation could be longer, but I'm sure that a solution is possible
> that fits many of the criteria defined.  Because the original problem scope
> is to remove the administrative access, using a hybrid solution that relies
> on certificates and a toaster item would be more likely.  The details and
> pricing would need to be hammered out in such a way that the final solution
> is reliable, inexpensive (drive adoption), and easy to use (dumb down the
> interface such that your salesforce or interns could deploy or you could
> even just drop ship one to the client and they could hook it up in 5 steps
> or less - similar to voip device installation in that sense.)


Personally, I'm not big on appliances (toasters) -- in the end they are
mostly just cheap Intel/AMD boxes, but without the hardware support that
Dell/HP/IBM offer.  Niche market vendors really can't offer the kind of
hardware support that these huge vendors do.  Better for nice guys (yeah,
that's me) to stick to what they *can* do well - specialized software,
and avoid what others do well - local and prompt hardware support.


> Just my random thoughts. I haven't really put much effort into it, Susan. :)


Maybe random, but insightful.  :-)

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com


[ActiveDir] NTFRS - Journal Wrap Errors

2006-09-06 Thread Aaron Burg
Hi-

I am new to the list and was hoping someone could help with an ugly situation I was brought in to clean up:

I am working with a W2K native mode domain with only ONE active domain controller (W2K SP4). There is a second DC, but it was brought on-line after the journal wrap errors (Event 13568) began and has never replicated sysvol (doesn't even exist on the box). It appears AD and such are working with the new DC... just not NTFRS.


The original DC does have sysvol and appears to be working to authenticate clients as normal. I need to get the journal wrap errors resolved so I can bring the second DC on-line, transfer FSMO roles and get the old box rebuilt since it doesn't even have redundant drives - Yikes!


Everything I have read says to do a D2 non-authoritative restore, but since I only have the one DC, where would it restore from? I have run an NT backup of c:\ and system state to try and get some comfort, but still am afraid of making matters worse.


Any suggestions/recommendations would be very much appreciated...I would like to get this cleaned up this week!

Thanks so much,
Aaron
[EMAIL PROTECTED]


RE: [ActiveDir] NTFRS - Journal Wrap Errors

2006-09-06 Thread Akomolafe, Deji



how old is the offline DC? Does the online DC have a LOT of things (beside FSMO) that you need to sync with the offline DC? I mean, are there a lot of objects that have been created on the online DC that have not been replicated to the offline one?

IF all you want to do is transfer FSMO, I'd just turn off this problematic DC, bring up the offline (known good) DC and do a FSMO roles seizure.

If you still want to go through journal wrap troubleshooting, let us know. I have a couple of references to give you. You can also search this list's archives because journal wrap has been discussed to death here on several occasions.





Re: [ActiveDir] NTFRS - Journal Wrap Errors

2006-09-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

http://www.eventid.net/display.asp?eventid=13568

I've seen that on a SBS box.
You did the reg edit?

http://support.microsoft.com/default.aspx?scid=kb;en-us;292438
http://support.microsoft.com/default.aspx?scid=kb;en-us;887303

RESOLUTION
==========

[...]

To modify the default behavior, make the following changes in the registry to instruct FRS to handle the JRNL_WRAP_ERROR status automatically:

1. Stop FRS.
2. Start Registry Editor (Regedt32.exe).
3. Locate and click the following key in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
4. On the Edit menu, click Add Value, and then add the following registry value:

   Value name: Enable Journal Wrap Automatic Restore
   Data type: REG_DWORD
   Radix: Hexadecimal
   Value data: 1 (Default 0)
5. Quit Registry Editor.
6. Restart FRS.

If these steps do not modify the default settings and the automatic re-initialization is not turned on, you need to manually re-initialize the replica tree. At a convenient time, make the following changes to the registry:

1. Stop FRS.
2. Start Registry Editor (Regedt32.exe).
3. Locate and click the following key in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore/Process at Startup
4. On the Edit menu, click Add Value, and then add the following registry value:

   Value name: BurFlags
   Data type: REG_DWORD
   Radix: Hexadecimal
   Value data: D2
5. Quit Registry Editor.
6. Restart FRS.



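An added example, written for this archive and not part of Susan's post or of the Microsoft articles she quotes: the same two registry procedures done as one checked sequence, with a file copy of SYSVOL taken first and the FRS event log polled afterwards so you can see whether the replica set actually re-initialized. It assumes PowerShell 3 or later, an elevated session on the affected DC, a Windows Server that still uses FRS for SYSVOL, SYSVOL at the default %SystemRoot%\SYSVOL, and the backup folder name, script name and 15-minute wait are my choices.

```powershell
# Added example, not from the thread or from Microsoft: the registry steps
# quoted above, run as one checked sequence on the affected DC, followed by a
# poll of the FRS event log to see whether the replica set re-initialized.
# Assumptions: PowerShell 3+, elevated, Windows Server still running FRS for
# SYSVOL, SYSVOL at %SystemRoot%\SYSVOL. Backup folder and wait are my choices.
param(
    [ValidateSet('D2', 'D4')] [string] $BurFlags = 'D2',   # D2 = non-authoritative, D4 = authoritative
    [switch] $AutoRestore,                                 # set 'Enable Journal Wrap Automatic Restore' instead of BurFlags
    [int]    $WaitMinutes = 15
)

$frsLog   = 'File Replication Service'
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$burKey   = "$paramKey\Backup/Restore/Process at Startup"

# 1. Confirm the condition the thread describes before changing anything.
$wrap = Get-EventLog -LogName $frsLog -Newest 200 |
        Where-Object { $_.EventID -eq 13568 } | Select-Object -First 1
if (-not $wrap) { throw "No recent event 13568 (JRNL_WRAP_ERROR) in '$frsLog'; nothing to fix." }
Write-Host "Last journal wrap logged: $($wrap.TimeGenerated)"

# 2. Keep a plain file copy of SYSVOL so GPO templates and scripts can be recovered by hand.
$sysvol = Join-Path $env:SystemRoot 'SYSVOL'
$backup = "$env:SystemDrive\SYSVOL_backup_$(Get-Date -Format yyyyMMdd_HHmmss)"
Copy-Item -LiteralPath $sysvol -Destination $backup -Recurse -Force
Write-Host "SYSVOL copied to $backup"

# 3. Stop FRS, write the flag, restart FRS (the sequence from the KB text above).
Stop-Service -Name NtFrs -Force
if ($AutoRestore) {
    Set-ItemProperty -LiteralPath $paramKey -Name 'Enable Journal Wrap Automatic Restore' -Value 1 -Type DWord
} else {
    if (-not (Test-Path -LiteralPath $burKey)) {
        New-Item -Path $paramKey -Name 'Backup/Restore/Process at Startup' | Out-Null
    }
    Set-ItemProperty -LiteralPath $burKey -Name 'BurFlags' -Value ([int]("0x$BurFlags")) -Type DWord
}
$started = Get-Date
Start-Service -Name NtFrs

# 4. Watch the FRS log: 13516 = SYSVOL initialized and shared again,
#    13565 = non-authoritative restore in progress, a new 13568 = still wrapped.
$deadline = $started.AddMinutes($WaitMinutes)
do {
    Start-Sleep -Seconds 30
    $events = @(Get-EventLog -LogName $frsLog -After $started -ErrorAction SilentlyContinue)
    $done   = $events | Where-Object { $_.EventID -in 13516, 13568 } | Select-Object -First 1
    $events | Where-Object { $_.EventID -eq 13565 } |
        ForEach-Object { Write-Host "FRS: $($_.Message.Split("`n")[0])" }
} until ($done -or (Get-Date) -gt $deadline)

switch ($done.EventID) {
    13516   { Write-Host 'SYSVOL re-initialized; confirm the SYSVOL share is back and the GPOs are present.' }
    13568   { Write-Warning 'Journal wrap reported again after the restart; the replica set did not recover.' }
    default { Write-Warning "No conclusive FRS event within $WaitMinutes minutes; keep watching the '$frsLog' log." }
}
```

Usage: `.\Fix-JournalWrap.ps1 -BurFlags D4` (script name assumed). The choice of flag is the part of Aaron's question the quoted KB text does not answer: D2 tells this member to discard its copy and re-source SYSVOL from an inbound partner, so on a DC that is the only one holding SYSVOL there is nothing to pull from. Microsoft's BurFlags guidance (KB 290762) is D4 on the one member whose copy should win and D2 on every other member, which for Aaron means D4 on the surviving DC, with the second DC only joining afterwards. Take the file copy either way; on restart FRS moves the existing tree into NtFrs_PreExisting___See_EventLog and only a D4 member repopulates from it.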

Re: [ActiveDir] NTFRS - Journal Wrap Errors

2006-09-06 Thread Aaron Burg
Thanks for the reply. I did see some of the topics covering this, but they all seemed to cover situations where there were several DCs functioning.

The newer DC was built about 1 year ago, but it never synced correctly and was powered down for over 60 days at a time. Since this is a very small, basic setup, there are no fancy or custom GPs or special groups. The problem is that no one really knows much about the infrastructure since so many people have hacked at it over the past 2 years.


Since the offline DC has never fully replicated with the original one, at what point in the seizure does it create its own sysvol?

I would prefer to resolve the journal issue if possible. My confusion is how to do it without a good DC to restore from?

Thanks again,
Aaron


RE: [ActiveDir] NTFRS - Journal Wrap Errors

2006-09-06 Thread Akomolafe, Deji



two recommendations:

1] don't mention that you have a "second DC" anymore because you don't appear to have a good "second DC" at all. The one you have does not sound reliable, so don't introduce it into the environment again.

2] follow Susan's recommendation. Post back if it doesn't work for you.


