RE: [ActiveDir] DNS Entries --Laptop Users--
What is the VPN device?

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ravi Dogra
Sent: 06 September 2006 00:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Entries --Laptop Users--

Hi,

The problem is I have 2 different records for each laptop (using a VPN connection) in my DNS. I have secure updates configured in my DNS configuration; we are using DHCP. Laptop users get a specific VLAN IP address for their wireless connection, which gets registered in my DNS. This is good. But the problem is that when these laptop users log in from home using VPN, they get a new IP address from my VPN box, which also gets registered in my DNS. I have no clue why this is happening. I'm suspecting the DNS configuration on the local machine under Advanced TCP/IP settings. I am not sure whether I am heading the right way or not. Here is the snapshot attached for the same.

--
RD

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
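An added check, not from the thread, for spotting the dual registrations Ravi describes: it parses a constructed, simplified zone export, assumes the wireless VLAN is 10.20.5.0/24 and the VPN address pool is 10.99.0.0/24 (both invented for the example), and reports every host name that holds both a wireless and a VPN A record.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a simplified dump of A records from the corporate zone,
# one "name IN A ip" per line, in the style of a zone-file export. Not real data.
SAMPLE_ZONE = """\
laptop01  IN A 10.20.5.17
laptop01  IN A 10.99.0.33
laptop02  IN A 10.20.5.41
desk07    IN A 10.10.1.8
laptop03  IN A 10.99.0.12
laptop03  IN A 10.20.5.70
"""

WIRELESS_VLAN = ipaddress.ip_network("10.20.5.0/24")  # assumed wireless VLAN
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")       # assumed VPN address pool


def parse_a_records(text):
    """Parse 'name IN A ip' lines into a dict: name -> sorted list of IP strings."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "IN" or parts[2] != "A":
            continue  # skip blank lines, comments and other record types
        name, ip = parts[0].lower(), parts[3]
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        records[name].append(ip)
    return {name: sorted(ips) for name, ips in records.items()}


def classify(ip):
    """Label an address by the network it was handed out from."""
    addr = ipaddress.ip_address(ip)
    if addr in VPN_POOL:
        return "vpn"
    if addr in WIRELESS_VLAN:
        return "wireless"
    return "other"


def find_dual_registrations(records):
    """Return names with more than one A record, each IP labelled by network."""
    return {name: {ip: classify(ip) for ip in ips}
            for name, ips in records.items() if len(ips) > 1}


def vpn_duplicates(records):
    """Names holding both a wireless and a VPN address: the case in the thread."""
    dual = find_dual_registrations(records)
    return sorted(name for name, labels in dual.items()
                  if "vpn" in labels.values() and "wireless" in labels.values())


if __name__ == "__main__":
    recs = parse_a_records(SAMPLE_ZONE)
    for name, labels in find_dual_registrations(recs).items():
        print(name, labels)
    print("wireless+vpn:", vpn_duplicates(recs))
```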
[ActiveDir] [OT] Windows Vista Security Guide.
This is beta but still interesting - extracted from a blog.

https://connect.microsoft.com/InvitationUse.aspx?ProgramID=820&InvitationID=VSG-P74P-BFTH&SiteID=14

Regards,
Mark
RE: [ActiveDir] [OT]The last departmental picnic [list owner]
My guess - the second was on purpose after all the backlash.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 05, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner]

Yeah, I just let him know he messed up on this one. Can't argue with banning him after 2 messups. :(

On 9/5/06, Tony Murray [EMAIL PROTECTED] wrote:

Not sure what's going on so I have temporarily suspended his subscription.

Tony
List owner and humourless [EMAIL PROTECTED]

Sent via the WebMail system at mail.activedir.org
RE: [ActiveDir] [OT]The last departmental picnic [list owner]
Given that the culprit hasn't received any of the "backlash", my guess is that it was still an accident. Can't anybody just cut the guy some slack? Yeesh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Cerino
Sent: Wednesday, September 06, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

My guess - the second was on purpose after all the backlash.
RE: [ActiveDir] [OT]The last departmental picnic [list owner]
Nope - - NO SLACK FOR YOU! /Soup Nazi mode

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

Given that the culprit hasn't received any of the "backlash", my guess is that it was still an accident. Can't anybody just cut the guy some slack? Yeesh.
Re: [ActiveDir] [OT]The last departmental picnic [list owner]
David Hasselhoff will be at Borders Books on Oxford Street, London on Monday at 12. Wear leather, and lots of it.

-----Original Message-----
From: Laura A. Robinson [EMAIL PROTECTED]
Date: Wed, 06 Sep 2006 09:36:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

Given that the culprit hasn't received any of the "backlash", my guess is that it was still an accident. Can't anybody just cut the guy some slack? Yeesh.
RE: [ActiveDir] [OT] Apology
Laura, thank you.

In my defense, yes, I had an attack of computing stupidity and made a mistake. I accidentally added the ActiveDir list to my own personal DL for sending my friends jokes. As you can see, these OT posts are the results. I appreciate all the support from folks who realize simple mistakes happen and that one should not be ridiculed for it. I respect these types of information forums and consider them vital to the IT professional's success. I have addressed this with the list owner and he understands my position!

Yes, it is true that I inadvertently sent out two jokes. However, since I do not read this post every single day (blasphemy!!) I did not catch my mistake immediately (sorry, no uber-geek here ;) )! As I can see no one was adversely affected by these two mistakes, I will assume that this is now a dead issue.

Again, my apologies if anyone's lives were dramatically changed by my senseless jokes...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

Given that the culprit hasn't received any of the "backlash", my guess is that it was still an accident. Can't anybody just cut the guy some slack? Yeesh.
RE: [ActiveDir] [OT]The last departmental picnic [list owner]
Heheh. I'll be there.. You'll know who I am, as I'll be the first to be manhandled out of the door for trying to touch the living legend.

Rob: Hoff, it's me..
Hoff: Who are you?
Rob: Your number 1 fan... come here, you big hunk 'o' love.

I know we are going to be reprimanded for this outburst... OK, joking's over :) I'm sorry, but I couldn't resist a follow-up.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: 06 September 2006 14:47
To: ActiveDir.org
Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner]

David Hasselhoff will be at Borders Books on Oxford Street, London on Monday at 12. Wear leather, and lots of it.
[ActiveDir] Strange password issue
I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The domain is at win2k3 DFL and FFL.

Is there any other way, besides a migration tool like Quest, that could circumvent this policy and allow blank passwords?

Thanks
[ActiveDir] adm file management
Quick question (hopefully not too daft) ref ADM file management.

It seems different OSs ship with different versions of the 'standard' ADM files, which include conf.adm / inetres.adm / system.adm ...

Say you are maintaining policies that link to containers holding, say, XP, 2000 and 2003 computers. It would not be unreasonable to manage them all from a single host on which you edit policies.

Am I correct to say that the settings in these files are always cumulative - if that's the right word? If so, then is it correct working practice to always use the MOST RECENT version of an ADM file, with no fear of breaking previously functional GPOs???

GT
RE: [ActiveDir] adm file management
Graham-

You are correct on both counts. ADMs are typically supersets of each other--2003 SP1 is a superset of XP SP2, XP is a superset of 2000, etc. And it is definitely best to manage such a mixed environment from the latest platform (e.g. XP). The key, of course, is to pay attention to the Supported tags in the newer ADMs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 7:41 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] adm file management

Quick question (hopefully not too daft) ref ADM file management.

It seems different OSs ship with different versions of the 'standard' ADM files, which include conf.adm / inetres.adm / system.adm ...

Say you are maintaining policies that link to containers holding, say, XP, 2000 and 2003 computers. It would not be unreasonable to manage them all from a single host on which you edit policies.

Am I correct to say that the settings in these files are always cumulative - if that's the right word? If so, then is it correct working practice to always use the MOST RECENT version of an ADM file, with no fear of breaking previously functional GPOs???

GT
RE: [ActiveDir] adm file management
This is basically true. If you are supporting older clients or unpatched servers, make sure you only edit the GPOs from a machine running XP SP2 or 2003 SP1. Otherwise, you need to install a patch from MS: http://support.microsoft.com/default.aspx?kbid=842933

2000, XP SP1, and 2003 RTM cannot view the newest ADM files without popping up about 1000 error messages. The patch resolves this issue, but it requires a reboot on 2000.

The new features included in an updated ADM will either work with older clients, or they will only take effect on the clients that can support it. You will usually see a message that goes something like "Requires Windows XP or 2003".

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 9:41 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] adm file management

Quick question (hopefully not too daft) ref ADM file management.

It seems different OSs ship with different versions of the 'standard' ADM files, which include conf.adm / inetres.adm / system.adm ...

Say you are maintaining policies that link to containers holding, say, XP, 2000 and 2003 computers. It would not be unreasonable to manage them all from a single host on which you edit policies.

Am I correct to say that the settings in these files are always cumulative - if that's the right word? If so, then is it correct working practice to always use the MOST RECENT version of an ADM file, with no fear of breaking previously functional GPOs???

GT
RE: [ActiveDir] Strange password issue
Tom,

This is just a stab in the dark, but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The domain is at win2k3 DFL and FFL.

Is there any other way, besides a migration tool like Quest, that could circumvent this policy and allow blank passwords?

Thanks
RE: [ActiveDir] adm file management
Darren, thanks for the mail back.

In the interim I dug into the 'versioning' of these ADMs and it seems that the most recent versions are not always in the same OS. I cite a comparison of ADM versions (i.e. dates) on different OSs:

conf.adm - 22/2/03 (2003/SP1) - 17/7/04 (XP SP2)
system.adm - 18/02/05 (2003/SP1) - 17/07/04 (XP SP2)

So if I read this right, it would seem the rule of "latest OS" is not strict - hence my view to come back to the 'most recent'??

I assume if the 'admin' workstation is running Windows Server 2003 we are OK to put in the ADM files shipped with, say, XP SP2, assuming of course, as above, they are more recent?

Graham-

You are correct on both counts. ADMs are typically supersets of each other--2003 SP1 is a superset of XP SP2, XP is a superset of 2000, etc. And it is definitely best to manage such a mixed environment from the latest platform (e.g. XP). The key, of course, is to pay attention to the Supported tags in the newer ADMs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.
[ActiveDir] Moms Alert Question.
Hey everyone, below is a MOM alert I'm getting. I'm new to Active Directory and MOM, and for the life of me can't find where this (Intersite, expected replication time is 15 minutes) is set. I have looked at the replmon program and can't see it.. I know I'm looking at some trees when I should be looking at the forest, but I really need a second pair of eyes here... could anyone direct me where to look for the intersite replication parameter?

v/r
john

Description: The following DCs took more than three times the expected replication time to replicate.
Format: DC, Naming Context, Calculated Replication Time (in minutes)
Site name: City-CenterCity (Intersite, expected replication time is 15 minutes)
CIUTIL01A, Domain:SDCCD, 55
Site name: DistrictOffice (Intersite, expected replication time is 15 minutes)
DOUTIL01A, Domain:SDCCD, 55

Name: AD Replication is occurring slowly
Severity: Warning
Resolution State: New
Domain: SDCCD
Computer: CDUTIL01A
Time of First Event: 9/1/2006 3:01:00 PM
Time of Last Event: 9/1/2006 5:01:00 PM
Alert latency: -7 min, -26 sec
Problem State: Active
Repeat Count: 2
Age:
Source: AD Replication Monitoring
Alert Id: 4d23ee51-3b8e-4360-b0b4-6ca850d6f49f
Rule (enabled): Microsoft Windows Active Directory\Active Directory Windows 2000 and Windows Server 2003\Active Directory Availability\AD Replication is occurring slowly

John M. Strongosky
Network Support Group, Messaging Administrator, San Diego Community College District
SunGard Higher Education Managed Services
9315 Hillery Drive, San Diego California 92126
Tel 619-388-1129 Fax 619-388-1195 Help Desk 619-388-7000
[EMAIL PROTECTED]
[ActiveDir] Unable to unpublish old ILS server and replace with new
NetMeeting is utilizing ILS for directory lookup; however, the original ILS server died, so I am trying to unpublish the old one and publish the new one. However, I am receiving error messages that our beloved search engines and help documentation are not helping much with. When I restart all related (IIS and ILS) services, I do not see any error messages in the event log. Here is what is going on...

c:\>ilscfg ilsserver.example.org /publish
Register ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

c:\>ilscfg /listpub
ILS server: oldilsserver.example.org, Port:1002
Found 1 service(s).

c:\>ilscfg oldilsserver.example.org /unpublish port 1002
Unregister ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

c:\>ilscfg oldilsserver.example.org /unpublish 1002
Unregister ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

c:\>ilscfg oldilsserver.example.org /unpublish port:1002
Unregister ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

References:
https://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=""
http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=ilscfg

So, is there a way to manually unpublish this information and publish the new ILS server in Active Directory?

Thanks!
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
RE: [ActiveDir] Strange password issue
The password might have been set blank before the password policy was set.

William

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 06 September 2006 15:39
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The domain is at win2k3 DFL and FFL.

Is there any other way, besides a migration tool like Quest, that could circumvent this policy and allow blank passwords?

Thanks
RE: [ActiveDir] adm file management
I'd add to Darren's comments as follows:

1. Ensure that ADM files are not automatically overwritten by GPO editors: User config / admin templates / system / group policy / turn off automatic update of ADM files.
2. Test new ADMs - I have seen ADM files which do not support an entry which was supported by an older ADM.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: 06 September 2006 16:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adm file management

Graham-

You are correct on both counts. ADMs are typically supersets of each other--2003 SP1 is a superset of XP SP2, XP is a superset of 2000, etc. And it is definitely best to manage such a mixed environment from the latest platform (e.g. XP). The key, of course, is to pay attention to the Supported tags in the newer ADMs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.
Re: [ActiveDir] adm file management
ADM files are silently updated by whatever host machine you use. The recommendation is to use the latest and greatest OS on a dedicated GPO machine so that the latest ADM files are available for use.

-mjm

Michael J. Miller
Computing Services
College of Veterinary Medicine, UIUC

Graham Turner wrote:

Quick question (hopefully not too daft) ref ADM file management.

It seems different OSs ship with different versions of the 'standard' ADM files, which include conf.adm / inetres.adm / system.adm ...

Say you are maintaining policies that link to containers holding, say, XP, 2000 and 2003 computers. It would not be unreasonable to manage them all from a single host on which you edit policies.

Am I correct to say that the settings in these files are always cumulative - if that's the right word? If so, then is it correct working practice to always use the MOST RECENT version of an ADM file, with no fear of breaking previously functional GPOs???

GT
Re: [ActiveDir] Strange password issue
If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago.. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom,

This is just a stab in the dark, but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams
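An added audit routine, not from the thread, that tests the hypothesis raised above (a password set before the policy took effect) and also the PASSWD_NOTREQD bit (0x20) of userAccountControl, the documented flag that lets an account hold an empty password regardless of the domain policy; the flag values follow Microsoft's userAccountControl documentation, while the policy date and the account records are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags relevant to password enforcement
# (values as documented by Microsoft for the userAccountControl attribute)
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020      # empty password permitted, policy notwithstanding
UF_NORMAL_ACCOUNT = 0x0200      # 512, the value quoted in the thread
UF_DONT_EXPIRE_PASSWD = 0x10000

# AD stores pwdLastSet as a FILETIME: 100 ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def audit_account(acct, policy_effective):
    """Return the reasons an account could still carry a password shorter than
    the minimum length in the Default Domain Policy (empty list = none found)."""
    uac = acct["userAccountControl"]
    reasons = []
    if uac & UF_PASSWD_NOTREQD:
        reasons.append("PASSWD_NOTREQD set: blank password allowed regardless of policy")
    pls = acct["pwdLastSet"]
    if pls == 0:
        reasons.append("pwdLastSet is 0: no password set, or change forced at next logon")
    elif filetime_to_datetime(pls) < policy_effective:
        # length is checked when a password is set, so an old one is never re-tested
        reasons.append("password last set before the policy took effect")
        if uac & UF_DONT_EXPIRE_PASSWD:
            reasons.append("and it never expires, so no change will be forced")
    return reasons


def audit(accounts, policy_effective, include_disabled=False):
    """Map sAMAccountName -> reasons, for every account with at least one finding."""
    findings = {}
    for acct in accounts:
        if not include_disabled and acct["userAccountControl"] & UF_ACCOUNTDISABLE:
            continue
        reasons = audit_account(acct, policy_effective)
        if reasons:
            findings[acct["sAMAccountName"]] = reasons
    return findings


# Constructed sample data: a policy date and four accounts, none from the thread.
POLICY_EFFECTIVE = datetime(2004, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    # created a month ago, plain NORMAL_ACCOUNT: no finding, like the account in the thread
    {"sAMAccountName": "user01", "userAccountControl": 512,
     "pwdLastSet": datetime_to_filetime(datetime(2006, 8, 6, tzinfo=timezone.utc))},
    # service account whose password predates the policy and never expires
    {"sAMAccountName": "svc_legacy", "userAccountControl": 512 | UF_DONT_EXPIRE_PASSWD,
     "pwdLastSet": datetime_to_filetime(datetime(2003, 3, 15, tzinfo=timezone.utc))},
    # kiosk account with PASSWD_NOTREQD (512 + 32 = 544)
    {"sAMAccountName": "kiosk01", "userAccountControl": 544,
     "pwdLastSet": datetime_to_filetime(datetime(2006, 1, 10, tzinfo=timezone.utc))},
    # disabled account with an old password: skipped unless include_disabled is set
    {"sAMAccountName": "old_temp", "userAccountControl": 514,
     "pwdLastSet": datetime_to_filetime(datetime(2002, 11, 2, tzinfo=timezone.utc))},
]


def run_sample():
    """Audit the constructed accounts against the constructed policy date."""
    return audit(SAMPLE_ACCOUNTS, POLICY_EFFECTIVE)


if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```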
Re: [ActiveDir] Sharepoint access after user AD migration
Hi Rob,

I've been told that the Sharepoint install is SP2. Not aware of which hotfixes are on it yet. I've got a conference call scheduled in an hour to discuss it.

Thanks,
Mike

On 9/5/06, Robert Rutherford [EMAIL PROTECTED] wrote:

What Sharepoint service pack are you running? You need at least one and a hotfix.. can't remember which. I'll look through my old KB to see if I can find the hotfix.

Cheers
Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Baudino
Sent: 05 September 2006 21:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint access after user AD migration

Apologies if this is not the most appropriate forum for this question. The situation is an NT4.0 domain with 18,000 users. Migrating to AD Win2k. Two-way trust and sIDHistory filtering is disabled. There's a Sharepoint server in the legacy NT4.0 domain. The NT4.0 users can access the Sharepoint just fine. The users, after being migrated, are not able to access the Sharepoint using their new AD accounts until after the Sharepoint admins add their new AD account to the Sharepoint security. Isn't Sharepoint supposed to be able to take advantage of sIDHistory and, if so, is there some setting we need to change?

Thanks,
Mike
RE: [ActiveDir] seeAlso
That is good to know. I'm not planning on doing queries based on this attribute; I'll simply be doing enumerations. So I think I should be good to go.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Tuesday, September 05, 2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] seeAlso

I've not seen it used by any specific app. Bear in mind that it is:
- multivalued
- not indexed
- not a member of the partial attribute set (i.e. not replicated via GC)

Tony

PS. I've always wanted to extend the schema with a new attribute named tracesOfPeanuts, simply so I can see May Contain: tracesOfPeanuts. :-)

-------- Original Message --------
From: Isenhour, Joseph [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Tue, 5 Sep 2006 15:29:01 -0700

Does anyone know if the seeAlso attribute is used by any specific application or is it up for grabs? I'm thinking about using it to store an alternate contact for a user.
RE: [ActiveDir] Moms Alert Question.
John,

I'm not 100% sure if this is what you're seeing, but check out the Active Directory Management Pack Guide located here: http://www.microsoft.com/downloads/details.aspx?familyid=2B9D3613-5516-4F44-8550-B21E054F5047&displaylang=en

Around page 14, you'll see where you can set this value. Please be sure to read through the whole document as it contains lots of useful information about configuring the ADMP. Here's a snippet from the above:

<SNIP>
The maximum intersite replication latency threshold value is the maximum amount of time it takes for a change to replicate across the entire forest. By default, this value is set to 15 minutes. If it takes longer than 15 minutes for replication to occur, you will receive a warning. Consult your system architect to review what the expected maximum threshold value is for your environment. Usually, this value is monitored closely to ensure that any applicable SLAs for your organization are being met. After you have determined an appropriate value for your environment, modify the setting accordingly. The most common scenario involves ensuring that basic help desk procedures, such as resetting passwords, replicate from corporate headquarters to a branch office within a reasonable amount of time as determined by the SLA.
</SNIP>

The document tells you where to change this value.

Another good read for the ADMP is the Active Directory Management Pack Technical Reference: http://www.microsoft.com/downloads/details.aspx?familyid=2F0237D8-FDA1-4925-87D6-7D609E5D0807&displaylang=en

I hope that helps...the thing with the Management Packs is to read the guides (a few times).

Have a great day!

Robert Williams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Strongosky
Sent: Wednesday, September 06, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moms Alert Question.

Hey everyone, below is a MOM's Alert I'm getting, and I'm new to Active Directory and MOM's and for the life of me can't find where this (Intersite, expected replication time is 15 minutes) is set. I have looked at the repl mon program and can't see it.. I know I'm looking at some trees when I should be looking at the forest, but I really need a second pair of eyes here...could anyone direct me where to look for the intersite replication parameter.

v/r
john

Description: The following DCs took more than three times the expected replication time to replicate.
Format: DC, Naming Context, Calculated Replication Time (in minutes)
Site name: City-CenterCity (Intersite, expected replication time is 15 minutes)
CIUTIL01A, Domain:SDCCD, 55
Site name: DistrictOffice (Intersite, expected replication time is 15 minutes)
DOUTIL01A, Domain:SDCCD, 55
Name: AD Replication is occurring slowly
Severity: Warning
Resolution State: New
Domain: SDCCD
Computer: CDUTIL01A
Time of First Event: 9/1/2006 3:01:00 PM
Time of Last Event: 9/1/2006 5:01:00 PM
Alert latency: -7 min, -26 sec
Problem State: Active
Repeat Count: 2
Age:
Source: AD Replication Monitoring
Alert Id: 4d23ee51-3b8e-4360-b0b4-6ca850d6f49f
Rule (enabled): Microsoft Windows Active Directory\Active Directory Windows 2000 and Windows Server 2003\Active Directory Availability\AD Replication is occurring slowly

John M. Strongosky
Network Support Group, Messaging Administrator, San Diego Community College District
SunGard Higher Education Managed Services
9315 Hillery Drive, San Diego California 92126
Tel 619-388-1129 Fax 619-388-1195 Help Desk 619-388-7000
[EMAIL PROTECTED]

CONFIDENTIALITY: This email (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this email in error, please notify the sender and delete this email from your system. Thank you.
RE: [ActiveDir] adm file management
Graham-

Yes, the dates can be confusing. I typically take these as groupings. So, all of the ADMs that ship with a given OS/Service Pack should stay together. The reality is that the two conf.adm files you list below are identical in content (windiff is a good tool for this), even though their dates are not identical. In the case of system.adm 2003/SP1 added some additional policies for the secure mode IE stuff that wasn't in XP,SP2, but otherwise it was identical (I list out the differences between the XP,SP2 and 2003, SP1 ADMs at www.gpoguy.com/admdiffs.htm).

To answer your question, yes, if you are managing GP from a 2003 server machine, then you could certainly have ADMs from XP, SP2 in your GPOs. By default, the ADMs in 2003's c:\windows\inf folder will auto-update each GPO you edit so over time, unless you change that default behavior, your GPOs will be upgraded to 2003,SP1, but in general, as long as you are on 2003, SP1 or XP, SP2, you should be good to go.

Clear as mud?

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adm file management

Darren, thanks 4 mail back

in the interim i dug into the 'versioning' of these ADM's and it seems that most recent versions are not always in the same OS

i cite comparison of ADM version (ie dates) on different OS

conf.adm - 22/2/03 (2003/SP1) - 17/7/04 (xp sp2)
system.adm - 18/02/05 (2003 / sp1) - 17/07/04 (xp / sp2)

so if i read this right it would seem the rule of latest OS is not strict - hence my view to come back to the 'most recent' ??

i assume if the 'admin' workstation is running windows server 2003 we are ok to put in the ADM files shipped with say XP sp2, assuming of course as above they are more recent ?

Graham-

You are correct on both counts. ADMs are typically supersets of each other--2003, SP1 is a superset of XP,SP2, XP is a superset of 2000, etc. And it is definitely best to manage such a mixed environment from the latest platform (e.g. XP). The key of course, is to pay attention to the Supported tags in the newer ADMs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 7:41 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] adm file management
RE: [ActiveDir] Strange password issue
Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue
RE: [ActiveDir] Moms Alert Question.
Answered my own question...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Strongosky
Sent: Wednesday, September 06, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moms Alert Question.
[ActiveDir] Is a Global Security group being used?
Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this?

Thanks in advance.

Johnny Figueroa
RE: [ActiveDir] Sharepoint access after user AD migration
Hmm, wasn't that then. Quite a bit on Google, grabbed this: http://www.sharepointblogs.com/dustin/archive/2004/09/10/756.aspx

Cheers
Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Baudino
Sent: 06 September 2006 17:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Sharepoint access after user AD migration
Re: [ActiveDir] Strange password issue
This is a domain account.

To rehash-
The Default Domain Policy is set to min password length- 6 characters. This was created 2 years ago and never changed.
User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed.
The userAccountControl attribute of the user object was set to 512 (not that i'm certain if setting the passwd_notreqd overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:
RE: [ActiveDir] Is a Global Security group being used?
What do you mean by "being used"? Are you referring to it being in resource ACLs? Nested into other groups?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?
Re: [ActiveDir] Is a Global Security group being used?
Change it to a Distribution Group and see who screams - if anyone does change it back to a security group again.

M.

-----Original Message-----
From: Figueroa, Johnny [EMAIL PROTECTED]
Date: Wed, 6 Sep 2006 09:43:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?
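Laura's two questions in this thread, whether the group sits in resource ACLs and whether it is nested into other groups, worked as a check over constructed data. This is an added example, not code from the thread; the group names, members, share paths and ACL entries are made up, and `group_usage` is a hypothetical helper.

```python
"""Report where a security group is referenced: directly as a trustee in
resource ACLs, and indirectly through the groups it is nested into.
Added example; every group, member and ACL entry below is constructed."""

# Constructed nesting data: group -> direct members (users or groups).
MEMBERSHIPS = {
    "G-Finance": ["alice", "bob"],
    "G-Finance-Leads": ["carol"],
    "DL-Finance-Share-RW": ["G-Finance", "G-Finance-Leads"],
    "DL-Reports-RO": ["DL-Finance-Share-RW"],
    "G-Old-Project": ["dave"],
}

# Constructed resource ACLs: resource -> [(trustee, rights)].
ACLS = {
    r"\\fs1\finance": [("DL-Finance-Share-RW", "Modify"),
                       ("Domain Admins", "FullControl")],
    r"\\fs1\reports": [("DL-Reports-RO", "Read"), ("G-Finance", "Read")],
    r"\\fs1\archive": [("Domain Admins", "FullControl")],
}


def parents_of(group, memberships):
    """Every group that contains `group`, directly or through nesting."""
    found, stack = set(), [group]
    while stack:
        current = stack.pop()
        for parent, members in memberships.items():
            if current in members and parent not in found:
                found.add(parent)
                stack.append(parent)  # keep climbing: parents of the parent
    return found


def group_usage(group, memberships=MEMBERSHIPS, acls=ACLS):
    """Where `group` is in use: direct ACL references, the groups it is
    nested into, and the ACL entries that reach it only through nesting."""
    nested_in = parents_of(group, memberships)
    direct = sorted(res for res, aces in acls.items()
                    if any(trustee == group for trustee, _ in aces))
    via_nesting = {}
    for res, aces in acls.items():
        carriers = sorted(t for t, _ in aces if t in nested_in)
        if carriers:
            via_nesting[res] = carriers
    return {
        "group": group,
        "nested_in": sorted(nested_in),
        "direct_acl_refs": direct,
        "acl_refs_via_nesting": via_nesting,
        "in_use": bool(direct or via_nesting),
    }


if __name__ == "__main__":
    for name in ("G-Finance", "G-Old-Project"):
        print(group_usage(name))
```

A group with no direct or nested ACL references still may be used elsewhere (for example as a logon filter by an application), so a clean result here is a reason to look further, not proof that the group is idle.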
[ActiveDir] more DNS questions
Hi,

I have 2 internal DNS servers and 2 external DNS servers. We are delegating the subdomain sub.domain.com to another server in the same building that is managed by the Unix guys. We have also given them 16 ip address in the range x.y.z.65-80

One of their SA is asking me to update the reverse RR for several records in this way.

x.y.z.67 CNAME 67.z.y.x.rev.sub.domain.com

But when I go to our dns server all I find for the reverse zone is something like z.y.x.in-addr.arpa, so when I tried to create a cname record there I get something like 67.z.y.x.in-addr.arpa instead of 67.z.y.x.rev.sub.domain.com

How can I get what this dude is asking me to do??? Do I need to create a reverse zone for that subdomain?

Thanks
Rezuma
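What the Unix SA is describing is the classless in-addr.arpa delegation pattern (RFC 2317): the CNAME's owner name stays in the z.y.x.in-addr.arpa zone (which is why the console shows 67.z.y.x.in-addr.arpa), and only its target points into rev.sub.domain.com, the reverse zone the delegated server hosts. The block below builds those CNAMEs for the 65-80 range and follows one the way a PTR lookup would; it is an added example, not from the thread, using 192.0.2.0/24 (the documentation range) in place of x.y.z and constructed host names.

```python
"""Reverse-delegation glue for a sub-/24 block handed to another DNS server
(the RFC 2317 classless in-addr.arpa pattern) plus a tiny resolver that
follows the CNAME the way a PTR query would. Added example: 192.0.2 stands
in for the thread's x.y.z, the range 65-80 and the zone rev.sub.domain.com
come from the thread, and every host name is constructed."""


def reverse_owner(ip):
    """'192.0.2.67' -> '67.2.0.192.in-addr.arpa.' (the name a PTR query asks for)."""
    a, b, c, d = ip.split(".")
    return f"{d}.{c}.{b}.{a}.in-addr.arpa."


def delegation_cnames(prefix, first, last, delegated_zone):
    """Records to add in the c.b.a.in-addr.arpa zone for addresses first..last.
    The owner name stays in in-addr.arpa; only the CNAME target lives in the
    delegated zone, e.g. 67.2.0.192.in-addr.arpa. CNAME 67.2.0.192.rev.sub.domain.com."""
    if not (0 <= first <= last <= 255):
        raise ValueError("host octet range must lie within 0..255")
    a, b, c = prefix.split(".")
    return [
        (f"{d}.{c}.{b}.{a}.in-addr.arpa.", "CNAME",
         f"{d}.{c}.{b}.{a}.{delegated_zone}.")
        for d in range(first, last + 1)
    ]


def build_sample_zones():
    """Constructed view of both servers' data: owner name -> (type, rdata)."""
    zones = {
        # Our z.y.x.in-addr.arpa zone: PTRs for addresses we keep ourselves...
        "10.2.0.192.in-addr.arpa.": ("PTR", "winhost10.domain.com."),
        "11.2.0.192.in-addr.arpa.": ("PTR", "winhost11.domain.com."),
        # ...and, on the Unix server, the delegated zone rev.sub.domain.com
        "67.2.0.192.rev.sub.domain.com.": ("PTR", "unixhost67.sub.domain.com."),
        "68.2.0.192.rev.sub.domain.com.": ("PTR", "unixhost68.sub.domain.com."),
    }
    # The 16 CNAMEs for 65..80 are the only records added on our side;
    # no new reverse zone is needed here.
    for owner, rtype, target in delegation_cnames("192.0.2", 65, 80,
                                                  "rev.sub.domain.com"):
        zones[owner] = (rtype, target)
    return zones


def resolve_ptr(zones, ip, max_hops=8):
    """Answer a PTR query for ip, following CNAMEs across the delegation.
    Returns the host name, or None when neither zone publishes one."""
    name = reverse_owner(ip)
    for _ in range(max_hops):
        record = zones.get(name)
        if record is None:
            return None
        rtype, rdata = record
        if rtype == "PTR":
            return rdata
        if rtype == "CNAME":
            name = rdata  # hop into the delegated zone and look again
            continue
        return None
    raise RuntimeError("CNAME chain too long")


if __name__ == "__main__":
    zones = build_sample_zones()
    for ip in ("192.0.2.10", "192.0.2.67", "192.0.2.70"):
        print(ip, "->", resolve_ptr(zones, ip))
```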
RE: [ActiveDir] adm file management
Darren, i value your (and all others who help me) correspondence from the mailing list and also the content of your web site.

'clear as mud' sums it up !!

final qu - you referenced a concept of 'supported tags' - is it easy 4 u to explain in a nutshell

GT
RE: [ActiveDir] Strange password issue
How was the account created?

Thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue
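The flag Tom mentions, passwd_notreqd, is bit 0x20 of userAccountControl; a value of 512 is NORMAL_ACCOUNT alone, so that bit is not set on the account in this thread. The check below decodes the attribute and flags accounts where the bit is set, as an added example that is not from the thread; the LDIF records and the example.com domain are constructed, and `audit` is a hypothetical helper.

```python
"""Decode userAccountControl and flag accounts whose flags let them hold an
empty password. Added example, not from the thread; the LDIF records are
constructed and the domain name is a placeholder."""

# Documented userAccountControl bit values.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

# Constructed export, as an LDAP dump tool would produce it.
SAMPLE_LDIF = """\
dn: CN=Tom Test,OU=Users,DC=example,DC=com
sAMAccountName: ttest
userAccountControl: 512

dn: CN=Svc Blank,OU=Service,DC=example,DC=com
sAMAccountName: svcblank
userAccountControl: 544

dn: CN=Old Disabled,OU=Users,DC=example,DC=com
sAMAccountName: olddis
userAccountControl: 546
"""


def decode_uac(value):
    """Names of the bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records of 'attr: value'."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def audit(records):
    """For each account, say whether its flags allow an empty password."""
    results = []
    for rec in records:
        uac = int(rec.get("userAccountControl", "0"))
        notreqd = bool(uac & PASSWD_NOTREQD)
        disabled = bool(uac & ACCOUNTDISABLE)
        if notreqd and not disabled:
            note = "PASSWD_NOTREQD set: password length policy is not enforced for this account"
        elif notreqd:
            note = "PASSWD_NOTREQD set, but the account is disabled"
        else:
            note = "no password-policy bypass bit; check how the password was set"
        results.append({
            "sAMAccountName": rec.get("sAMAccountName", "?"),
            "userAccountControl": uac,
            "flags": decode_uac(uac),
            "blank_password_possible": notreqd and not disabled,
            "note": note,
        })
    return results


if __name__ == "__main__":
    for row in audit(parse_ldif(SAMPLE_LDIF)):
        print(row["sAMAccountName"], row["userAccountControl"], row["flags"], "-", row["note"])
```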
[ActiveDir] Good SBS book suggestion
Susan,

Can you suggest a good ID 10 T's guide to SBS 2003 book? I assume from your e-mail address you know more than the average SA about SBS.

Shameless request for information. And being the SBS NOOB that I am looking for any information I can get my hands on to provide my customer with the best product for their limited budget.

I support a small office (eight users) and their workload and data storage requirements are such that they really should get a real server. I am trying to decide if I suggest they purchase a server with SBS 2003 or a server with Windows Server 2003 R2 Standard edition. I know there is a cost difference with SBS 2003 being cheaper. But, I do not think they need all of the functionality that comes with SBS. Their mail is hosted with a commercial ISP. Their office is a mix of XP Home and XP Pro. I know the XP Pros can join a domain but the XP Homes can not.

Dan
RE: [ActiveDir] Moms Alert Question.
Robert, it looks like it; like I said, I couldn't see the trees. For me I've got to read these things more than a few times... my old brain is not what it once was... too many beers probably... nah, maybe too many rums... nah...

Thanks again,
john

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Williams, Robert
Sent: Wednesday, September 06, 2006 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moms Alert Question.

John,

I'm not 100% sure if this is what you're seeing, but check out the Active Directory Management Pack Guide located here:
http://www.microsoft.com/downloads/details.aspx?familyid=2B9D3613-5516-4F44-8550-B21E054F5047&displaylang=en

Around page 14, you'll see where you can set this value. Please be sure to read through the whole document as it contains lots of useful information about configuring the ADMP. Here's a snippet from the above:

<SNIP>
The maximum intersite replication latency threshold value is the maximum amount of time it takes for a change to replicate across the entire forest. By default, this value is set to 15 minutes. If it takes longer than 15 minutes for replication to occur, you will receive a warning. Consult your system architect to review what the expected maximum threshold value is for your environment. Usually, this value is monitored closely to ensure that any applicable SLAs for your organization are being met. After you have determined an appropriate value for your environment, modify the setting accordingly. The most common scenario involves ensuring that basic help desk procedures, such as resetting passwords, replicate from corporate headquarters to a branch office within a reasonable amount of time as determined by the SLA.
</SNIP>

The document tells you where to change this value.

Another good read for the ADMP is the Active Directory Management Pack Technical Reference:
http://www.microsoft.com/downloads/details.aspx?familyid=2F0237D8-FDA1-4925-87D6-7D609E5D0807&displaylang=en

I hope that helps... the thing with the Management Packs is to read the guides (a few times).

Have a great day!
Robert Williams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Strongosky
Sent: Wednesday, September 06, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moms Alert Question.

Hey everyone, below is a MOM's Alert I'm getting, and I'm new to Active Directory and MOM's and for the life of me can't find where this (Intersite, expected replication time is 15 minutes) is set. I have looked at the repl mon program and can't see it. I know I'm looking at some trees when I should be looking at the forest, but I really need a second pair of eyes here... could anyone direct me where to look for the intersite replication parameter?

v/r
john

Description: The following DCs took more than three times the expected replication time to replicate.
Format: DC, Naming Context, Calculated Replication Time (in minutes)
Site name: City-CenterCity (Intersite, expected replication time is 15 minutes)
CIUTIL01A, Domain:SDCCD, 55
Site name: DistrictOffice (Intersite, expected replication time is 15 minutes)
DOUTIL01A, Domain:SDCCD, 55
Name: AD Replication is occurring slowly
Severity: Warning
Resolution State: New
Domain: SDCCD
Computer: CDUTIL01A
Time of First Event: 9/1/2006 3:01:00 PM
Time of Last Event: 9/1/2006 5:01:00 PM
Alert latency: -7 min, -26 sec
Problem State: Active
Repeat Count: 2
Age:
Source: AD Replication Monitoring
Alert Id: 4d23ee51-3b8e-4360-b0b4-6ca850d6f49f
Rule (enabled): Microsoft Windows Active Directory\Active Directory Windows 2000 and Windows Server 2003\Active Directory Availability\AD Replication is occurring slowly

John M. Strongosky
Network Support Group, Messaging Administrator, San Diego Community College District
SunGard Higher Education Managed Services
9315 Hillery Drive, San Diego California 92126
Tel 619-388-1129 Fax 619-388-1195 Help Desk 619-388-7000
[EMAIL PROTECTED]
RE: [ActiveDir] Is a Global Security group being used?
While that's an interesting approach, unless this is a very small environment (as in, there's no help desk that's going to be baffled by the screaming and no multi-gazillionaire CXOs who are going to be doing the screaming), that might not be such a good idea. ;-)

Laura

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: Wednesday, September 06, 2006 1:18 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Is a Global Security group being used?

Change it to a Distribution Group and see who screams - if anyone does, change it back to a security group again.

M.

-----Original Message-----
From: Figueroa, Johnny [EMAIL PROTECTED]
Date: Wed, 6 Sep 2006 09:43:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this?

Thanks in advance.
Johnny Figueroa
RE: [ActiveDir] Strange password issue
It is possible to programmatically create an account that bypasses the password length policy. The password not required flag will let you enable the account with a blank password, in contravention of your password policy.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Tom Kern
Sent: Wed 9/6/2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

This is a domain account. To rehash: the Default Domain Policy is set to min password length 6 characters. This was created 2 years ago and never changed. The user account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom, this is just a stab in the dark, but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks
RE: [ActiveDir] Is a Global Security group being used?
The tough one... being used in resource ACLs

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 10:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

What do you mean by "being used"? Are you referring to it being in resource ACLs? Nested into other groups?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this?

Thanks in advance.
Johnny Figueroa
RE: [ActiveDir] more DNS questions
Do you have a zone called "rev" in your sub.domain.com forward lookup zone? If not, I want to say that the requestor didn't quite explain what he needs properly. The in-addr.arpa tag that you see is standard for reverse entries. Unless you are doing something fancy in your environment, that's what you'd typically use. Creating CNAMEs in reverse lookup zones for vanity domains is... shall we say, exotic.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Ramon Linan
Sent: Wed 9/6/2006 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] more DNS questions

Hi,

I have 2 internal DNS servers and 2 external DNS servers. We are delegating the subdomain sub.domain.com to another server in the same building that is managed by the Unix guys. We have also given them 16 IP addresses in the range x.y.z.65-80.

One of their SAs is asking me to update the reverse RR for several records in this way:

x.y.z.67 CNAME 67.z.y.x.rev.sub.domain.com

But when I go to our DNS server all I find for the reverse zone is something like z.y.x.in-addr.arpa, so when I tried to create a CNAME record there I get something like 67.z.y.x.in-addr.arpa instead of 67.z.y.x.rev.sub.domain.com.

How can I get what this dude is asking me to do??? Do I need to create a reverse zone for that subdomain?

Thanks
Rezuma
Re: [ActiveDir] Strange password issue
Tom, I believe that the passwd_notreqd does in fact override the DDP.

Jason Centenni | The Capital Group Companies | Location: SNO | Extension: 44843 Outside: 210-474-4843 | Cell: 210-385-5932 | E-mail: [EMAIL PROTECTED]
[ Mailing: 3500 Wiseman Blvd. San Antonio, TX 78251-4321 USA ]

From: Tom Kern [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 09/06/2006 12:09 PM
Subject: Re: [ActiveDir] Strange password issue

This is a domain account. To rehash: the Default Domain Policy is set to min password length 6 characters. This was created 2 years ago and never changed. The user account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom, this is just a stab in the dark, but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks
Re: [ActiveDir] Strange password issue
ADUC.

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

How was the account created?

Thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

This is a domain account. To rehash: the Default Domain Policy is set to min password length 6 characters. This was created 2 years ago and never changed. The user account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom, this is just a stab in the dark, but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks
Re: [ActiveDir] Strange password issue
From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account. To rehash: the Default Domain Policy is set to min password length 6 characters. This was created 2 years ago and never changed. The user account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom, this is just a stab in the dark, but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks
Re: [ActiveDir] Good SBS book suggestion
Can they share calendars? Can they book appointments in each other's calendars? Got a Sharepoint? Got the ability to remotely get back to that XP Pro desktop over port 443 without a VPN and its overhead, potential risks and setup as well? Even with 'hosted' email at an ISP, SBS makes sense. Now I would be remiss if I did not point out Windows Live as a possible collaborative platform as well, which comes out of beta in October is what I've heard. But truly... SBS makes sense in this space because while you don't think they need the functionality... people can change and grow with that functionality.

Step one... go to Handy Andy's site and click on his step by step SBS how-to (pictures and everything) at www.sbs-rocks.com

There are three books... any of the three make a good choice and honestly I've written for two, edited on one. Are there any potential for Macintoshes in this network? If so, get SBS Unleashed by Eriq Neale as he's our Mac/SBS guy. Want to know more about R2? SBS 2003 R2 Administrator's Companion by Charlie Russel. Basic beginner to mid: start with the SBS 2003 Best Practices by Harry Brelsford and then follow up with the Advanced book (www.smbnation.com). Where are you located, as we have SBS user/partner groups all over.

Step two: Upgrade those XP Homes to Pro. While you can trick those puppies with pass-thru authentication, as you stated they cannot join a domain. I love AD/domains so much I hack up MCEs to join mine at home.

Step three: Follow the blog www.msmvps.com/bradley and please holler if you have ANY questions. We are quite proud of our newsgroups and they are quite active and healthy. Get an NNTP newsreader and point to the msnews.microsoft.com server and find microsoft.public.windows.server.sbs. There are also partner resources at www.microsoft.com/partner and then there's the best IT podcast around for small biz at http://blogs.technet.com/sbs and then if you want to get more into the 'managed services'/small biz world check out the podcasts at www.sbsshow.com

Are you an Enterprise guy coming down to SBS? As we say, SBS can drive you to drink if you are used to setting up everything by hand. The My Business OU is annoying to most but we say leave it alone... set up your own. We also say set it up three times... once to screw it up... once to go oh!, and the last to do it right. Let the wizards set up the AD and what not... we never use works like dcpromo unless we are 1. Bringing an SBS box into an existing domain or 2. Migrating from a flavor of SBS or server to an SBS domain and doing a process that uses seizing FSMO roles to maintain that AD structure as we rip it from one server to the ultimate SBS domain.

Does this help?

Daniel Gilbert wrote:

Susan,

Can you suggest a good ID 10 T's guide to SBS 2003 book? I assume from your e-mail address you know more than the average SA about SBS. Shameless request for information. And being the SBS NOOB that I am, I am looking for any information I can get my hands on to provide my customer with the best product for their limited budget.

I support a small office (eight users) and their workload and data storage requirements are such that they really should get a real server. I am trying to decide if I suggest they purchase a server with SBS 2003 or a server with Windows Server 2003 R2 Standard edition. I know there is a cost difference, with SBS 2003 being cheaper. But I do not think they need all of the functionality that comes with SBS. Their mail is hosted with a commercial ISP. Their office is a mix of XP Home and XP Pro. I know the XP Pros can join a domain but the XP Homes cannot.

Dan

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man... I will hunt you down... http://blogs.technet.com/sbs
[ActiveDir] new KB article about SetSPN
For anyone who may be interested, it appears that the Setspn.exe support tool for W2K3 is a bit broken in its current form.

http://support.microsoft.com/default.aspx?scid=kb;en-us;924177&sd=rss&spid=3198

Scott Klassen
RE: [ActiveDir] Is a Global Security group being used?
Try Hyena. I believe that it has the option to report on ACLs and list the relevant users/groups.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Figueroa, Johnny
Sent: Wed 9/6/2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

The tough one... being used in resource ACLs

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 10:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

What do you mean by "being used"? Are you referring to it being in resource ACLs? Nested into other groups?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this?

Thanks in advance.
Johnny Figueroa
RE: [ActiveDir] Is a Global Security group being used?
Ouch. How large an environment are we talking about? You could use something like DumpSec to list the DACLs and SACLs (and it's important to list the SACLs, because the group could be being used for auditing purposes as well as permissions granting) and could then parse the output, but depending on the size of the environment and how much you really want to do this, that may not be feasible/desirable. Unfortunately, auditing your DCs isn't going to tell you where the group is being used in ACLs, if at all. There may be other options that aren't occurring to me at the moment, however. :-)

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

The tough one... being used in resource ACLs

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 10:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

What do you mean by "being used"? Are you referring to it being in resource ACLs? Nested into other groups?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this?

Thanks in advance.
Johnny Figueroa
Re: [ActiveDir] Good SBS book suggestion
Product Documentation for Windows Small Business Server 2003 R2:
http://www.microsoft.com/windowsserver2003/sbs/techinfo/productdoc/default.mspx

Read this one in particular: Download details: Introduction to Windows SBS 2003 for Enterprise IT Pros:
http://www.microsoft.com/downloads/details.aspx?familyid=71211053-ccd6-4f2b-bbd9-5e7b97c232ec&displaylang=en

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Can they share calendars? Can they book appointments in each other's calendars? Got a Sharepoint? Got the ability to remotely get back to that XP Pro desktop over port 443 without a VPN and its overhead, potential risks and setup as well? Even with 'hosted' email at an ISP, SBS makes sense. Now I would be remiss if I did not point out Windows Live as a possible collaborative platform as well, which comes out of beta in October is what I've heard. But truly... SBS makes sense in this space because while you don't think they need the functionality... people can change and grow with that functionality.

Step one... go to Handy Andy's site and click on his step by step SBS how-to (pictures and everything) at www.sbs-rocks.com

There are three books... any of the three make a good choice and honestly I've written for two, edited on one. Are there any potential for Macintoshes in this network? If so, get SBS Unleashed by Eriq Neale as he's our Mac/SBS guy. Want to know more about R2? SBS 2003 R2 Administrator's Companion by Charlie Russel. Basic beginner to mid: start with the SBS 2003 Best Practices by Harry Brelsford and then follow up with the Advanced book (www.smbnation.com). Where are you located, as we have SBS user/partner groups all over.

Step two: Upgrade those XP Homes to Pro. While you can trick those puppies with pass-thru authentication, as you stated they cannot join a domain. I love AD/domains so much I hack up MCEs to join mine at home.

Step three: Follow the blog www.msmvps.com/bradley and please holler if you have ANY questions. We are quite proud of our newsgroups and they are quite active and healthy. Get an NNTP newsreader and point to the msnews.microsoft.com server and find microsoft.public.windows.server.sbs. There are also partner resources at www.microsoft.com/partner and then there's the best IT podcast around for small biz at http://blogs.technet.com/sbs and then if you want to get more into the 'managed services'/small biz world check out the podcasts at www.sbsshow.com

Are you an Enterprise guy coming down to SBS? As we say, SBS can drive you to drink if you are used to setting up everything by hand. The My Business OU is annoying to most but we say leave it alone... set up your own. We also say set it up three times... once to screw it up... once to go oh!, and the last to do it right. Let the wizards set up the AD and what not... we never use works like dcpromo unless we are 1. Bringing an SBS box into an existing domain or 2. Migrating from a flavor of SBS or server to an SBS domain and doing a process that uses seizing FSMO roles to maintain that AD structure as we rip it from one server to the ultimate SBS domain.

Does this help?

Daniel Gilbert wrote:

Susan,

Can you suggest a good ID 10 T's guide to SBS 2003 book? I assume from your e-mail address you know more than the average SA about SBS. Shameless request for information. And being the SBS NOOB that I am, I am looking for any information I can get my hands on to provide my customer with the best product for their limited budget.

I support a small office (eight users) and their workload and data storage requirements are such that they really should get a real server. I am trying to decide if I suggest they purchase a server with SBS 2003 or a server with Windows Server 2003 R2 Standard edition. I know there is a cost difference, with SBS 2003 being cheaper. But I do not think they need all of the functionality that comes with SBS. Their mail is hosted with a commercial ISP. Their office is a mix of XP Home and XP Pro. I know the XP Pros can join a domain but the XP Homes cannot.

Dan

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] Strange password issue
I'm confused as to why the 512 UAC flag is making anybody think that passwd_notreqd is set. A setting of 512 indicates a normal account. 544 would indicate a normal account with passwd_notreqd set.

Laura

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 06, 2006 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

Tom, I believe that the passwd_notreqd does in fact override the DDP.

Jason Centenni | The Capital Group Companies | Location: SNO | Extension: 44843 Outside: 210-474-4843 | Cell: 210-385-5932 | E-mail: [EMAIL PROTECTED]
[ Mailing: 3500 Wiseman Blvd. San Antonio, TX 78251-4321 USA ]

From: Tom Kern [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 09/06/2006 12:09 PM
Subject: Re: [ActiveDir] Strange password issue

This is a domain account. To rehash: the Default Domain Policy is set to min password length 6 characters. This was created 2 years ago and never changed. The user account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom, this is just a stab in the dark, but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks
RE: [ActiveDir] Strange password issue
If it's 512, then that pwd not req is not true.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Al Mulnick
Sent: Wed 9/6/2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern wrote:

This is a domain account. To rehash: the Default Domain Policy is set to min password length 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL. Thanks
RE: [ActiveDir] adm file management
Sure. On XP or 2003, when you open an admin. template policy, you see at the bottom that it says "Supported On" and then shows the minimum OS or app level required that supports that policy. Those are the supported tags. In GP Editor you can do View, Filtering and filter by supported level so that, for example, you see only policies that support XP SP2. It's a handy feature that was intro'd in XP. The good (or reasonably good) news on all of this is that with the introduction of Vista, the whole ADM and ADM management story changes. No longer will ADM (called ADMX in Vista) files be stored within each GPO and no longer will they be automatically updated. You will have a central store that holds all ADMXs and you can update it centrally and purposefully.

Darren

-----Original Message-----
From: Graham Turner
Sent: Wednesday, September 06, 2006 10:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adm file management

Darren, I value your (and all others who help me) correspondence from the mailing list and also the content of your web site. 'Clear as mud' sums it up!! Final question: you referenced a concept of 'supported tags'. Is it easy for you to explain in a nutshell? GT

Graham, yes, the dates can be confusing. I typically take these as groupings. So, all of the ADMs that ship with a given OS/Service Pack should stay together. The reality is that the two conf.adm files you list below are identical in content (windiff is a good tool for this), even though their dates are not identical. In the case of system.adm, 2003/SP1 added some additional policies for the secure mode IE stuff that wasn't in XP SP2, but otherwise it was identical (I list out the differences between the XP SP2 and 2003 SP1 ADMs at www.gpoguy.com/admdiffs.htm). To answer your question, yes, if you are managing GP from a 2003 server machine, then you could certainly have ADMs from XP SP2 in your GPOs.

By default, the ADMs in 2003's c:\windows\inf folder will auto-update each GPO you edit, so over time, unless you change that default behavior, your GPOs will be upgraded to 2003 SP1, but in general, as long as you are on 2003 SP1 or XP SP2, you should be good to go. Clear as mud?

Darren

-----Original Message-----
From: Graham Turner
Sent: Wednesday, September 06, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adm file management

Darren, thanks for the mail back. In the interim I dug into the 'versioning' of these ADMs and it seems that the most recent versions are not always in the same OS. I cite a comparison of ADM versions (i.e. dates) on different OSes:

conf.adm - 22/2/03 (2003/SP1) - 17/7/04 (XP SP2)
system.adm - 18/02/05 (2003/SP1) - 17/07/04 (XP SP2)

So if I read this right it would seem the rule of latest OS is not strict, hence my view to come back to the 'most recent'?? I assume if the 'admin' workstation is running Windows Server 2003 we are OK to put in the ADM files shipped with say XP SP2, assuming of course as above they are more recent?

Graham, you are correct on both counts. ADMs are typically supersets of each other: 2003 SP1 is a superset of XP SP2, XP is a superset of 2000, etc. And it is definitely best to manage such a mixed environment from the latest platform (e.g. XP). The key of course is to pay attention to the Supported tags in the newer ADMs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

-----Original Message-----
From: Graham Turner
Sent: Wednesday, September 06, 2006 7:41 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] adm file management

Quick question (hopefully not too daft) ref ADM file management. It seems different OSes ship with different versions of the 'standard' ADM files that include conf.adm / inetres.adm / system.adm ... Say if you are maintaining policies that link to containers holding say XP, 2000, 2003 computers, it would not be unreasonable to manage them all from a single host on which you edit policies. Am I correct to say that in maintaining the settings in these files are always cumulative, if that's the right word? If so then it is correct working practice to always use the MOST RECENT version of an ADM file with no fear of breaking previously functional GPOs??? GT
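Darren's advice to windiff two ADM files and to read each policy's Supported tag can be done in one pass with a small parser. The script below is an added example, not code from this thread or from gpoguy.com: it pulls every POLICY block (name, category path, KEYNAME, VALUENAME, SUPPORTED) out of a classic ADM file, resolves the !!string references from the [strings] section, and lists what a newer ADM adds, removes or re-points relative to an older one, so the "newer ADM is a superset" claim can be checked before a GPO gets auto-upgraded. The two ADM snippets embedded in it are constructed for the demonstration and are not copies of Microsoft's system.adm; on a real box feed it Get-Content of, say, C:\Windows\inf\system.adm from each service pack.

```powershell
# Added example, not from the mailing-list thread.
# Classic ADM syntax handled here: CATEGORY ... END CATEGORY, POLICY ... END POLICY,
# KEYNAME, VALUENAME, SUPPORTED, and a trailing [strings] section that !!NAME
# references point into. #if/#endif version guards and EXPLAIN text are ignored.

function Resolve-AdmString {
    param([string]$Token, [hashtable]$Strings)
    $v = $Token.Trim().Trim('"')
    if ($v.StartsWith('!!') -and $Strings.ContainsKey($v.Substring(2))) { return $Strings[$v.Substring(2)] }
    return $v
}

function ConvertFrom-AdmFile {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Pass 1: collect NAME="text" pairs from the [strings] section.
    $strings = @{}
    $inStrings = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '[strings]') { $inStrings = $true; continue }
        if ($inStrings -and $t -match '^([^=\s]+)\s*=\s*"(.*)"\s*$') { $strings[$matches[1]] = $matches[2] }
    }

    # Pass 2: walk the policy tree; the category stack gives each policy its GP Editor path.
    $policies = @{}
    $cat = New-Object 'System.Collections.Generic.List[string]'
    $cur = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '[strings]') { break }
        switch -Regex ($t) {
            '^CATEGORY\s+(.+)$'  { $cat.Add((Resolve-AdmString $matches[1] $strings)); break }
            '^END\s+CATEGORY'    { $cat.RemoveAt($cat.Count - 1); break }
            '^POLICY\s+(.+)$'    {
                $cur = [ordered]@{ Name = (Resolve-AdmString $matches[1] $strings); Path = ($cat -join '\')
                                   KeyName = ''; ValueName = ''; Supported = '' }
                break
            }
            '^KEYNAME\s+(.+)$'   { if ($cur) { $cur.KeyName   = $matches[1].Trim('"') }; break }
            '^VALUENAME\s+(.+)$' { if ($cur) { $cur.ValueName = $matches[1].Trim('"') }; break }
            '^SUPPORTED\s+(.+)$' { if ($cur) { $cur.Supported = Resolve-AdmString $matches[1] $strings }; break }
            '^END\s+POLICY'      { if ($cur) { $policies[$cur.Name] = [pscustomobject]$cur; $cur = $null }; break }
        }
    }
    return $policies
}

function Compare-AdmPolicies {
    param([Parameter(Mandatory)][hashtable]$Old, [Parameter(Mandatory)][hashtable]$New)
    $added   = @($New.Keys | Where-Object { -not $Old.ContainsKey($_) } | Sort-Object)
    $removed = @($Old.Keys | Where-Object { -not $New.ContainsKey($_) } | Sort-Object)
    # Same policy name but a different registry target is the case that silently changes behaviour.
    $moved   = @($New.Keys | Where-Object { $Old.ContainsKey($_) -and
                 ($Old[$_].KeyName -ne $New[$_].KeyName -or $Old[$_].ValueName -ne $New[$_].ValueName) } | Sort-Object)
    [pscustomobject]@{ Added = $added; Removed = $removed; Moved = $moved }
}

# Constructed sample ADMs for the demo (illustrative, not Microsoft's shipped files).
$admOld = @'
CLASS MACHINE
CATEGORY !!WindowsComponents
  CATEGORY !!InternetExplorer
    POLICY !!NoBrowserClose
      SUPPORTED !!SUPPORTED_IE5
      EXPLAIN !!NoBrowserClose_Help
      KEYNAME "Software\Policies\Microsoft\Internet Explorer\Restrictions"
      VALUENAME "NoBrowserClose"
    END POLICY
  END CATEGORY
END CATEGORY
[strings]
WindowsComponents="Windows Components"
InternetExplorer="Internet Explorer"
NoBrowserClose="Disable closing the browser window"
NoBrowserClose_Help="Prevents users from closing the browser."
SUPPORTED_IE5="At least Internet Explorer 5.01"
'@ -split "`r?`n"

$admNew = @'
CLASS MACHINE
CATEGORY !!WindowsComponents
  CATEGORY !!InternetExplorer
    POLICY !!NoBrowserClose
      SUPPORTED !!SUPPORTED_IE5
      KEYNAME "Software\Policies\Microsoft\Internet Explorer\Restrictions"
      VALUENAME "NoBrowserClose"
    END POLICY
    CATEGORY !!SecurityFeatures
      POLICY !!ProtocolLockdown
        SUPPORTED !!SUPPORTED_WindowsXPSP2
        KEYNAME "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"
        VALUENAME "iexplore.exe"
      END POLICY
    END CATEGORY
  END CATEGORY
END CATEGORY
[strings]
WindowsComponents="Windows Components"
InternetExplorer="Internet Explorer"
SecurityFeatures="Security Features"
NoBrowserClose="Disable closing the browser window"
ProtocolLockdown="Internet Explorer Processes (protocol lockdown)"
SUPPORTED_IE5="At least Internet Explorer 5.01"
SUPPORTED_WindowsXPSP2="At least Windows XP Professional with SP2"
'@ -split "`r?`n"

$old  = ConvertFrom-AdmFile -Lines $admOld          # real use: ConvertFrom-AdmFile (Get-Content C:\Windows\inf\system.adm)
$new  = ConvertFrom-AdmFile -Lines $admNew
$diff = Compare-AdmPolicies -Old $old -New $new
foreach ($name in $diff.Added) {
    $p = $new[$name]
    '{0} [{1}] Supported: {2} -> HKLM\{3}\{4}' -f $name, $p.Path, $p.Supported, $p.KeyName, $p.ValueName
}
'Removed: {0}  Moved: {1}' -f $diff.Removed.Count, $diff.Moved.Count
```

With the constructed input the only difference reported is the added policy, tagged "At least Windows XP Professional with SP2", which is exactly the Supported-On information Darren says to pay attention to before letting a newer ADM into a GPO that also targets 2000 clients.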
RE: [ActiveDir] Strange password issue
PWD_NOT_REQ is 32. You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully

C:\>admod -b cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform
ERROR: Too many errors encountered, terminating...

The command did not complete successfully

--Paul
RE: [ActiveDir] Strange password issue
Pressed send before I finished typing! :( Following on from the last mail: you can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the window).

--Paul
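The thread settles on two facts: PASSWD_NOTREQD is bit 0x20 (32), so 512 is a plain normal account and 544 is one with the flag set, and, as Paul's admod run shows, the DC refuses to clear the flag while the password is still blank. The script below is an added example, not code posted in the thread: it decodes a userAccountControl value into flag names, uses the LDAP bitwise-AND matching rule to find every user with the flag set server-side, and repairs such an account in the order the DC demands (set a policy-compliant password first, then clear the bit). It assumes the ActiveDirectory PowerShell module and a domain-joined session; the flag table is the documented ADS_USER_FLAG bit layout.

```powershell
# Added example, not from the mailing-list thread.
# Requires: ActiveDirectory module (RSAT), credentials that can read users and
# reset passwords on the accounts you repair.

# Documented userAccountControl bits (ADS_USER_FLAG_ENUM); only the commonly audited ones.
$UacFlag = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020   # the bit this thread is about
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    NORMAL_ACCOUNT                 = 0x0200   # 512
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UserAccountControl {
    # 512 -> NORMAL_ACCOUNT ; 544 -> PASSWD_NOTREQD, NORMAL_ACCOUNT
    param([Parameter(Mandatory)][int]$Value)
    $UacFlag.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function Find-PasswordNotRequiredUsers {
    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests the bit on the DC,
    # so this is one query rather than pulling every user and masking client-side.
    $filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))'
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl, pwdLastSet, whenCreated |
        Select-Object SamAccountName, Enabled, whenCreated,
            @{ n = 'PwdLastSet'; e = { if ($_.pwdLastSet) { [datetime]::FromFileTimeUtc($_.pwdLastSet) } } },
            @{ n = 'UAC';        e = { $_.userAccountControl } },
            @{ n = 'Flags';      e = { (ConvertFrom-UserAccountControl $_.userAccountControl) -join ',' } }
}

function Repair-PasswordNotRequired {
    # Order matters: clearing the bit on a blank-password account fails with
    # "Unwilling To Perform", so give it a compliant password first.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pw = Read-Host -Prompt "New password for $SamAccountName" -AsSecureString
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $pw
    Set-ADAccountControl  -Identity $SamAccountName -PasswordNotRequired $false   # 544 -> 512
    Set-ADUser            -Identity $SamAccountName -ChangePasswordAtLogon $true
}

# Usage:
ConvertFrom-UserAccountControl 544
Find-PasswordNotRequiredUsers | Format-Table -AutoSize
# Repair-PasswordNotRequired -SamAccountName 'someuser'
```

One caveat that follows from Paul's second message: an account whose blank password was set while the domain minimum length was temporarily zero has the bit clear, so the LDAP filter above will not find it; that case needs a password audit rather than an attribute query.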
RE: [ActiveDir] Is a Global Security group being used?
There are lots of utilities to report ACLs. The issue is, depending upon the size of the environment, this could be a lot of work that may not be worth it, depending on how badly the OP wants to know if the group is being used anywhere.

Laura

From: Akomolafe, Deji
Sent: Wednesday, September 06, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

Try Hyena. I believe that it has the option to report on ACLs and list the relevant users/groups

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Figueroa, Johnny
Sent: Wed 9/6/2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

The tough one... being used in resource ACLs

From: Laura A. Robinson
Sent: Wednesday, September 06, 2006 10:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

What do you mean by "being used"? Are you referring to it being in resource ACLs? Nested into other groups? Laura

From: Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this? Thanks in advance. Johnny Figueroa
[ActiveDir] OT: admin account in Vista
Windows Vista Security : Built-in Administrator Account Disabled: http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx -- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] DNS Entries --Laptop Users--
1. I didn't understand what exactly you are asking.
2. Yes, DHCP is configured properly.
3. Yes, it is running on a DC.
4. No, not running any other credential.
5. VPN machine is entirely a different box on the other site.
6. It doesn't register in my DNS. (Will extract other information from the Site B admin.)

Will update you very soon... Thanks RD
RE: [ActiveDir] [OT] Apology
In a rare bit of poking-head-up-for-air from AD-unrelated work, I saw this and had to mention that I forgive you Brandon, and while I would _never_ add such a list to my jokes DL, I did think the cups pic was funny :op Hello to everyone, hope everyone's well, hope to be back to the list before too long.

Rich

Rich Milburn
MVP Directory Services
Field Platform Development
Applebee's International, Inc.

From: Brandon Pierce
Sent: Wednesday, September 06, 2006 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Apology

Laura, thank you. In my defense, yes, I had an attack of computing stupidity and made a mistake. I accidentally added the ActiveDir list to my own personal DL for sending my friends jokes. As you can see these OT posts are the results. I appreciate all the support from folks who realize simple mistakes happen and that one should not be ridiculed for it. I respect these types of information forums and consider them vital to the IT professional's success. I have addressed this with the list owner and he understands my position! Yes, it is true that I inadvertently sent out two jokes. However, since I do not read this post every single day (blasphemy!!) I did not catch my mistake immediately (sorry, no uber-geek here ;) )! As I can see no one was adversely affected by these two mistakes I will assume that this is now a dead issue. Again, my apologies if anyone's lives were dramatically changed by my senseless jokes...

From: Laura A. Robinson
Sent: Wednesday, September 06, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

Given that the culprit hasn't received any of the backlash, my guess is that it was still an accident. Can't anybody just cut the guy some slack? Yeesh.

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
RE: [ActiveDir] Is a Global Security group being used?
Thank you everyone.

From: Laura A. Robinson
Sent: Wednesday, September 06, 2006 12:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

There are lots of utilities to report ACLs. The issue is, depending upon the size of the environment, this could be a lot of work that may not be worth it, depending on how badly the OP wants to know if the group is being used anywhere.

Laura
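Laura's two readings of "being used", referenced in resource ACLs and nested into other groups, map onto two different checks. The script below is an added example and not something anyone posted in this thread, nor a description of how Hyena does it: it walks a file tree and reports every ACE that names the group, matching on SID so a renamed group is still found, and separately asks AD which groups the group is transitively a member of. The group name and paths are placeholders; it assumes the ActiveDirectory module, read access to the tree, and (for the nesting query) DCs new enough to support the LDAP_MATCHING_RULE_IN_CHAIN rule, which shipped with Windows Server 2003 SP2.

```powershell
# Added example, not from the mailing-list thread.
# Group name and paths below are illustrative placeholders.

function Find-GroupInFileAcls {
    param(
        [Parameter(Mandatory)][string]$GroupName,     # e.g. 'CONTOSO\Finance-RO'
        [Parameter(Mandatory)][string[]]$Root,        # shares or local paths to walk
        [switch]$IncludeInherited                     # default: explicit ACEs only
    )
    # Resolve once to a SID; ACE matching by SID survives group renames.
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    foreach ($r in $Root) {
        $items = @(Get-Item -LiteralPath $r) +
                 @(Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
            # Ask for rules keyed by SID so unresolvable (orphaned) identities do not abort the scan.
            foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
                if ($ace.IsInherited -and -not $IncludeInherited) { continue }
                if ($ace.IdentityReference.Value -ne $sid) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Type      = $ace.AccessControlType
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Get-GroupNesting {
    # Every group the given group is a member of, directly or through other groups.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn = (Get-ADGroup -Identity $SamAccountName).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks the member chain on the DC.
    # A DN containing ( ) * or \ must be LDAP-escaped before it goes into the filter.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object Name, GroupScope, DistinguishedName
}

# Usage (placeholder names):
Find-GroupInFileAcls -GroupName 'CONTOSO\Finance-RO' -Root '\\fileserver\finance', 'D:\Apps' | Format-Table -AutoSize
Get-GroupNesting -SamAccountName 'Finance-RO'
```

This covers only what Laura's caveat implies it can: NTFS ACLs on trees you can reach from the scanning host, and AD group nesting. Share permissions, registry and service ACLs, AD object ACLs and local group memberships on member servers are separate scans, which is why the answer "it depends how badly you want to know" stands.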
Re: [ActiveDir] Separate Administrator password policy
Hi Susan,

No, we haven't tried with Small Business Server. Our average customer has 11,000 employees. :-) That said, I can't imagine why it wouldn't work. Moreover, we do work with lots of IT outsourcers / managed service providers, and support things like multi-tenant, hopping firewalls, etc. That's getting a bit far outside of this list's topic, and starting to sound a bit too much like advertising, though. Continue offline please?

Cheers,

-- Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com

Please visit M-Tech in booth 80 at the Insight booth at GTC East Conference: September 25-28, 2006 in Albany, New York. M-Tech's CTO will be featured in the September 27 3:00PM panel discussion: Identity Management, Track: Embracing Technology

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.

On Mon, 4 Sep 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

... as I go click on your web site to figure out your company and if it's SBSized :-) Remember my space... managed services and var/vaps.

[EMAIL PROTECTED] wrote:

Susan, your point about lots of admins coming and going, with transient access to hundreds or thousands of machines, is an important and separate one from the multiple password policies question that this thread started out with. I think trying to revoke all the admin creds that a given person had access to in the last N days (N could be very large) is a hard problem, and may be unnecessary. If you change all those admin passwords frequently (e.g., every 24 hrs), then you can rest assured that the person who just left the org won't have access to anything sensitive tomorrow. That's good enough in most cases.

Of course, changing every admin cred every 24 hours creates a completely new problem: how do you do that, in a manner that still makes the admin creds reliably accessible to the people who need them, and only the people who need them, only when they need them, and (heck, while we're at it) with an audit log that shows which person looked up which cred. Problems like this usually cause products to be written. E-mail me if you want to get the advertising pitch for our particular solution. :-)

L8r,
Re: [ActiveDir] Separate Administrator password policy
Hi Al,

All good questions. I'll answer here, but if it starts to get hairy, let's take it offline (same as my post to Susan; I don't want this to become a deep discussion of our product on the list).

Not to pick, but it occurs to me that you're trying to complicate the problem. While I agree that changing the passwords every 24 hours (whatever freq works is likely going to be fine) is not a bad idea, it has the likely problem of being very problematic. This is similar to a push vs. pull paradigm and if looked at that way, you have similar issues such as connectivity and reliability, i.e. how do you ensure that the password change was successful if there's a network outage? Or just a network blip? That it is important that you do so is assumed from the previous information to date. 100% reliability is mandatory in this kind of app.

Funny that you raise push vs. pull, as we have two modes of operation, called push and pull. :-) We push passwords to server-class target systems (e.g., AD, mainframes, whatever), and pull password changes from workstations (i.e., the workstations push to the server). The handshake used ensures that password changes are 100% reliable; we abort if there isn't a connection, etc., and password history is retained just in case something went wrong anyway.

A solution that scales up, down, or laterally is appropriate. Something that allows an account to traverse the different sites, possibly into the hundreds or even thousands, and allows almost instant revocation of the user account with administrative privileges should that become necessary during the course of normal business.

Scaling is easy enough: just arrange for different devices, of which there may be tens of thousands, to contact a central server at somewhat randomized times, and keep trying in case of powerdown, connection failures, etc. etc. This eliminates nasty traffic bursts. Traversing sites is easy too: use HTTPS to connect to the central server, and use whatever proxy settings are needed to get out. Instant revocation is another matter. Our approach provides for timed revocation on workstations (due to limitations fundamental to pull mode), and instant revocation on servers (since push allows for it).

Now, if only we had such a technology...

We sell it, more or less as described.

Some suggestions that come to mind would be everything from a toaster-like device placed at the client site to a certificate based credential system. Hybrid ideas also entertained. Plenty of pros and cons for each, such as the ability to have something tangible at the client site that can also be a multi-functional device and can work semi-autonomously to monitor even if the WAN link goes away (different issues can be monitored.) It can also provide the 8th layer with a sense of investment and partnership. Downside is that it's more to manage and monitor. But that can be mitigated by allowing it to be (gasp) sales person installable, meaning that if something goes wrong with the device, then you roll a salesperson to replace it. That gives the salesperson reason to have more facetime with the client and gives a chance to sell more business.

A service on each client device is probably cheaper than yet another machine at the client site, if you're managing lots of small-ish clients... Of course, you pointed to other, unrelated but quite useful functionality above, such as WAN link monitoring.

The conversation could be longer, but I'm sure that a solution is possible that fits many of the criteria defined. Because the original problem scope is to remove the administrative access, using a hybrid solution that relies on certificates and a toaster item would be more likely. The details and pricing would need to be hammered out in such a way that the final solution is reliable, inexpensive (drive adoption), and easy to use (dumb down the interface such that your salesforce or interns could deploy or you could even just drop ship one to the client and they could hook it up in 5 steps or less, similar to VoIP device installation in that sense.)

Personally, I'm not big on appliances (toasters). In the end they are mostly just cheap Intel/AMD boxes, but without the hardware support that Dell/HP/IBM offer. Niche market vendors really can't offer the kind of hardware support that these huge vendors do. Better for nice guys (yeah, that's me) to stick to what they *can* do well, specialized software, and avoid what others do well, local and prompt hardware support.

Just my random thoughts. I haven't really put much effort into it, Susan. :)

Maybe random, but insightful. :-)

-- Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com
[ActiveDir] NTFRS - Journal Wrap Errors
Hi-

I am new to the list and was hoping someone could help with an ugly situation I was brought in to clean up:

I am working with a W2K native mode domain with only ONE active domain controller (W2K SP4). There is a second DC, but it was brought on-line after the journal wrap errors (Event 13568) began and has never replicated sysvol (doesn't even exist on the box). It appears AD and such are working with the new DC... just not NTFRS. The original DC does have sysvol and appears to be working to authenticate clients as normal.

I need to get the journal wrap errors resolved so I can bring the second DC on-line, transfer FSMO roles and get the old box rebuilt since it doesn't even have redundant drives - Yikes!

Everything I have read says to do a D2 non-authoritative restore, but since I only have the one DC, where would it restore from? I have run an NT backup of c:\ and system state to try and get some comfort, but still am afraid of making matters worse.

Any suggestions/recommendations would be very much appreciated... I would like to get this cleaned up this week!

Thanks so much, Aaron [EMAIL PROTECTED]
RE: [ActiveDir] NTFRS - Journal Wrap Errors
How old is the offline DC? Does the online DC have a LOT of things (beside FSMO) that you need to sync with the offline DC? I mean, are there a lot of objects that have been created on the online DCs that have not been replicated to the offline one?

IF all you want to do is transfer FSMO, I'd just turn off this problematic DC, bring up the offline (known good) DC and do a FSMO roles seizure.

If you still want to go through journal wrap troubleshooting, let us know. I have a couple of references to give you. You can also search this list's archives because journal wrap has been discussed to death here on several occasions.

Sincerely, Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Aaron Burg
Sent: Wed 9/6/2006 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFRS - Journal Wrap Errors
Re: [ActiveDir] NTFRS - Journal Wrap Errors
http://www.eventid.net/display.asp?eventid=13568

I've seen that on a SBS box. You did the reg edit?

http://support.microsoft.com/default.aspx?scid=kb;en-us;292438
http://support.microsoft.com/default.aspx?scid=kb;en-us;887303

RESOLUTION
[...]
To modify the default behavior, make the following changes in the registry to instruct FRS to handle the JRNL_WRAP_ERROR status automatically:
1. Stop FRS.
2. Start Registry Editor (Regedt32.exe).
3. Locate and click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
4. On the Edit menu, click Add Value, and then add the following registry value:
   Value name: Enable Journal Wrap Automatic Restore
   Data type: REG_DWORD
   Radix: Hexadecimal
   Value data: 1 (Default 0)
5. Quit Registry Editor.
6. Restart FRS.

If these steps do not modify the default settings and the automatic re-initialization is not turned on, you need to manually re-initialize the replica tree. At a convenient time, make the following changes to the registry:
1. Stop FRS.
2. Start Registry Editor (Regedt32.exe).
3. Locate and click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore/Process at Startup
4. On the Edit menu, click Add Value, and then add the following registry value:
   Value name: BurFlags
   Data type: REG_DWORD
   Radix: Hexadecimal
   Value data: D2
5. Quit Registry Editor.
6. Restart FRS.

Aaron Burg wrote:
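The two registry procedures Susan quoted, as one script. This is an added example, not code from the KB articles or from anyone on the list; it assumes an elevated Windows PowerShell session on a DC whose sysvol is still replicated by FRS (the W2K boxes in this thread would not have PowerShell, but the keys and values are the same on later FRS versions), and the `$Mode` parameter and `Get-JournalWrapEvents` helper are my own names.

```powershell
# Added example: scripted form of the two KB procedures quoted above.
# Assumed: elevated Windows PowerShell on a DC that still uses FRS (not DFSR).
param(
    # 'AutoRestore' = first procedure (let FRS recover from JRNL_WRAP_ERROR itself);
    # 'D2'          = second procedure (force a non-authoritative re-init).
    [ValidateSet('AutoRestore', 'D2')]
    [string]$Mode = 'AutoRestore'
)

$frsParams = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
# The subkey name really contains forward slashes; the HKLM:\ provider mangles
# them into path separators, so the .NET Registry class is used instead.
$burKey = "$frsParams\Backup/Restore/Process at Startup"
$dword  = [Microsoft.Win32.RegistryValueKind]::DWord

function Get-JournalWrapEvents {
    # Most recent Event 13568 entries, to compare the state before and after.
    Get-EventLog -LogName 'File Replication Service' -Newest 100 |
        Where-Object { $_.EventID -eq 13568 } |
        Select-Object TimeGenerated, EventID, Message
}

Write-Host 'JRNL_WRAP_ERROR events before the change:'
Get-JournalWrapEvents | Format-Table -AutoSize

# Step 1: stop FRS before touching its keys.
Stop-Service -Name NtFrs -Force

# Steps 2-5: set the value the chosen procedure calls for (SetValue creates
# the key if it does not exist yet).
switch ($Mode) {
    'AutoRestore' {
        [Microsoft.Win32.Registry]::SetValue($frsParams,
            'Enable Journal Wrap Automatic Restore', 1, $dword)
    }
    'D2' {
        # D2 is a non-authoritative restore: FRS discards the local replica and
        # pulls sysvol from another replica partner. If this is the only DC that
        # holds a sysvol (Aaron's situation) there is nothing to pull from, so
        # run this mode only once a good partner exists.
        [Microsoft.Win32.Registry]::SetValue($burKey, 'BurFlags', 0xD2, $dword)
    }
}

# Read the value back so a mistyped value name does not go unnoticed.
$check = if ($Mode -eq 'D2') {
    [Microsoft.Win32.Registry]::GetValue($burKey, 'BurFlags', $null)
} else {
    [Microsoft.Win32.Registry]::GetValue($frsParams,
        'Enable Journal Wrap Automatic Restore', $null)
}
Write-Host ('Registry value now: 0x{0:X}' -f $check)

# Step 6: restart FRS and look at the log again; new 13568 entries should stop.
Start-Service -Name NtFrs
Get-JournalWrapEvents | Format-Table -AutoSize
```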
Re: [ActiveDir] NTFRS - Journal Wrap Errors
Thanks for the reply. I did see some of the topics covering this, but they all seemed to cover situations where there were several DCs functioning.

The newer DC was built about 1 year ago, but it never synced correctly and was powered down for over 60 days at a time. Since this is a very small, basic setup, there are no fancy or custom GPs or special groups. The problem is that no one really knows much about the infrastructure since so many people have hacked at it over the past 2 years.

Since the offline DC has never fully replicated with the original one, at what point in the seizure does it create its own sysvol? I would prefer to resolve the journal issue if possible. My confusion is how to do it without a good DC to restore from?

Thanks again, Aaron

On 9/6/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:
RE: [ActiveDir] NTFRS - Journal Wrap Errors
Two recommendations:

1] Don't mention that you have a "second DC" anymore, because you don't appear to have a good "second DC" at all. The one you have does not sound reliable, so don't introduce it into the environment again.

2] Follow Susan's recommendation. Post back if it doesn't work for you.

Sincerely, Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Aaron Burg
Sent: Wed 9/6/2006 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTFRS - Journal Wrap Errors