RE: [ActiveDir] Strange password issue
>>If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts.<<

Maybe I misunderstand what you're saying, but this is not my experience. More than once I've yanked a workstation from the domain and tried to apply a less restricted password to a local account, and I couldn't -- the domain policy persisted tyrannically.

From: Laura A. Robinson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 06, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert <[EMAIL PROTECTED]> wrote:

Tom, this is just a stab in the dark, but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks

2006-09-06, 11:32:05
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.
Re: [ActiveDir] Moving Users Between Domains
Which version? What about the moveuser.exe app?

On 9/7/06, Tony Murray <[EMAIL PROTECTED]> wrote:

ADMT should be used for moving objects between domains. Movetree should now only be used for objects that cannot be moved using ADMT (e.g. Contacts).

Tony

-- Original Message --
From: HBooGz <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date: Thu, 7 Sep 2006 18:50:29 -0400

I'd like to move an object from the parent domain to the child domain in a pure Windows 2003 R2 AD environment. I've done this with the Movetree command back when AD was 2000 - do I still use the same command, or is there a different method/possibility?

For informational purposes, I'd like to know how to do the vice versa as well (move from child domain to parent domain). This is all within one forest and the same tree.

Thanks,
-- HBooGz:\>

Sent via the WebMail system at mail.activedir.org
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

-- HBooGz:\>
Re: [ActiveDir] DNS Entries --Laptop Users--
Jolly, I was not sure about how the VPN box was configured, and as I had a word with Prashant boss, it is not configured for updating records to our DNS. I will talk to Prashant boss about this. But the thing is, I can see 2 DNS records for one host. One is for VPN and the other one is for the wireless IP address for the host.

Al, it is letting the device update its own record in DNS.

Thanks
Ravi Dogra
Re: [ActiveDir] Moving Users Between Domains
ADMT should be used for moving objects between domains. Movetree should now only be used for objects that cannot be moved using ADMT (e.g. Contacts).

Tony

-- Original Message --
From: HBooGz <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date: Thu, 7 Sep 2006 18:50:29 -0400

[HBooGz's original post, quoted here in full; it appears under its own subject line in this thread.]
[ActiveDir] Moving Users Between Domains
I'd like to move an object from the parent domain to the child domain in a pure Windows 2003 R2 AD environment. I've done this with the Movetree command back when AD was 2000 - do I still use the same command, or is there a different method/possibility?

For informational purposes, I'd like to know how to do the vice versa as well (move from child domain to parent domain). This is all within one forest and the same tree.

Thanks,
-- HBooGz:\>
RE : Re: [ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139
Hello Tony,

Yes, I saw it and I mailed Scott Anderson, who is the author. He advised me to check that my CAs are well configured, which is what I did. The problem there was exactly the same as mine, except that replication from AD -> Exch 5.5 does not work. I set diagnostic logging on my ADC to maximum, added a value to an AD mailbox-enabled user attribute (description) and forced a full replication. An event ID 8139 appears and I see no modification on my Exchange 5.5 mailbox user. The time is correctly set on my Exchange 5.5, my ADC server and my Global Catalog.

Thanks,
Yann

Tony Murray <[EMAIL PROTECTED]> wrote:

Yann

Did you see this?: http://www.mcse.ms/message568787.html

Tony

-- Original Message --
From: Yann <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date: Thu, 7 Sep 2006 20:25:02 +0200 (CEST)

Hello all,

I have a 2-site Exchange 5.5 environment (2 5.5 servers per site on NT 4.0 SP6a with latest hotfixes), Windows 2003 native mode AD (forest/domain at 2003 functional level). MSADC installed on 1 DC replicating recipient containers and public folders from both sites. I have two-way replication. But replication from AD to Exchange 5.5 does not work. When I do a full replication between AD and 5.5 from the ADC, every object throws the following warning, event 8139, in the app log:

The target object 'CN=yann,OU=Exch,DC=mycompany,DC=com' was modified after the source object 'cn=yann,o=mycompany.com'. Consequently, the following set of updates will not be applied to the target object. If this warning persists, make sure that the time is correctly set on both the source and target servers.
dn: CN=CN=yann,OU=Exch,DC=mycompany,DC=com
changetype: modify
replicationsignature: E1EB509F06C5614FB3BF6066ACFCF531
userAccountControl:: <>
msExchMailboxGuid:: <>
-
(Connection Agreement 'Users: mycompagny.com - mycompagny.com' #3254)
For more information, click http://www.microsoft.com/contentredirect.asp.

I have verified time sync/time zone on all DCs and 5.5 servers. I have not found any solution to my issue. Next step will be a support call to PSS. Anyone with any insight into this would be greatly appreciated.

Thanks,
Yann

Discover a new way to ask all your questions, whatever the subject! Yahoo! Questions/Answers, to share your knowledge, opinions and experiences.
RE: [ActiveDir] OT: admin account in Vista
My favorite was the user I had who stored them all under "P" in his cardfile.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Thursday, September 07, 2006 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: admin account in Vista

safe location == post-it note on the side of CPU

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, September 07, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: admin account in Vista

"Write down your username and password and store it in a safe location." That's an interesting departure from the usual recommendations. ;-)

On 9/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:

Windows Vista Security : Built-in Administrator Account Disabled: http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] OT: admin account in Vista
safe location == post-it note on the side of CPU

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, September 07, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: admin account in Vista

"Write down your username and password and store it in a safe location." That's an interesting departure from the usual recommendations. ;-)

On 9/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:

Windows Vista Security : Built-in Administrator Account Disabled: http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139
Latest hotfixes... does that mean you pay for NT4 patches, or the latest hotfixes from when that OS was supported? As that could mean two different things.

Tony Murray wrote:

Yann

Did you see this?: http://www.mcse.ms/message568787.html

Tony

-- Original Message --
From: Yann <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date: Thu, 7 Sep 2006 20:25:02 +0200 (CEST)

[Yann's original post, quoted here in full; it appears under its own subject line in this thread.]

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139
Yann

Did you see this?: http://www.mcse.ms/message568787.html

Tony

-- Original Message --
From: Yann <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date: Thu, 7 Sep 2006 20:25:02 +0200 (CEST)

[Yann's original post, quoted here in full; it appears under its own subject line in this thread.]
Re: [ActiveDir] Strange password issue
Sorry, I was distracted by other stuff here.

We are in a migration state with 2 forests. The source forest is win2k native and the target forest is win2k3 FFL/DFL. Both forests have the same password policy. Using Quest AD Migration Manager. The user was created in the source and then migrated about a month ago.

The way this was discovered was, the user's password no longer worked and the user claimed to be able to log on with no password (confirmed by help desk staff). Apparently, according to the user and help desk, he was able to log in with his old password for a month until last week, when the system would no longer accept his password; he then tried the null password route and it worked. Then I tried logging in as that user with a null password and confirmed it.

When I said UAC was 512, I meant just that - the user was a normal enabled user without the password_notreqd bit set.

When I looked in the history in the Quest console, I saw the user was migrated with "copy password" set to true.

A separate provisioning group creates users. They have been delegated that right through AD. We only have 2 EA/DAs here and I'm one of them. I delegated the Quest util to allow this same group to migrate users. Once migrated, the user can no longer log into the source forest. We have no other directory servers.

At the moment, users can only change their passwords when they expire and Windows prompts them. The Change Password button on the GINA has been disabled via GPO.

This probably sounds more convoluted than it is, so I apologize, and we can just drop this thread if you feel there are way too many unknown variables.

Thanks for all your help and interest, guys.

On 9/7/06, Al Mulnick <[EMAIL PROTECTED]> wrote:

I saw it this morning. Not sure if it was last night, today, yesterday... curious thread though.

I suppose if Tom misinterpreted the UAC flag meaning, it is also possible that he typo'd the actual value.

Tom, how about some more details?
What clued you into the user having a blank password?
What does the user say about it?
How long has it been this way?
Was this user migrated (reference to the Quest tool)?
How was the user account created (you said ADUC, but were you the one that created it?)
How'd the user find out that the password was blank?

I think some history of the issue and how the user came to be configured this way is needed. Also, what does the user community use to change passwords? Any meta directories? Any password management solutions in place?

Al

On 9/7/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:

Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot. BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)

Thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed, and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. Try doing an LDAP query for

(&(objectClass=user)(userAccountControl=544))

You could then modify the attribute to 512 on these users either with ADSIEdit or in a nice tool such as ADModify.net.

Note: if the option "password not required" is set, then you can either have a blank password or comply with the password policy in the Default Domain GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: 6 September 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! :(

Following on from the last mail... You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the window).
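An added example, not code from anyone in this thread: a PowerShell script that runs the bitwise filter Paul recommends, shows why 544 (512 + 32) is the value the other poster searched for, and attempts to clear the bit. It assumes the ActiveDirectory module (RSAT) on a domain-joined host with rights to read and write userAccountControl; the account name in the usage line is a placeholder.

```powershell
# Added example: audit and clear PASSWD_NOTREQD (0x20). Not code from the thread.
# Assumes the ActiveDirectory module (RSAT) and rights to read/write userAccountControl.
Import-Module ActiveDirectory

$NORMAL_ACCOUNT = 0x200   # 512
$PASSWD_NOTREQD = 0x020   # 32  -> 512 + 32 = 544, the value the equality query looked for

# The bitwise-AND matching rule (1.2.840.113556.1.4.803) finds the bit whatever else is set,
# so disabled accounts (514 + 32 = 546) or ones with non-expiring passwords are caught too,
# which an (userAccountControl=544) equality query misses. objectCategory=person keeps
# computer accounts (also objectClass=user) out of the result.
$filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))'

function Get-PasswordNotRequiredAccount {
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl, pwdLastSet, whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                userAccountControl = $_.userAccountControl
                # Decode the two bits this thread cares about from the raw value.
                Normal             = [bool]($_.userAccountControl -band $NORMAL_ACCOUNT)
                PasswordNotReqd    = [bool]($_.userAccountControl -band $PASSWD_NOTREQD)
                Enabled            = $_.Enabled
                Created            = $_.whenCreated
                PwdLastSet         = if ($_.pwdLastSet) { [DateTime]::FromFileTime($_.pwdLastSet) } else { 'never' }
            }
        }
}

# Clearing the bit is accepted by the DC only if the current password already meets the
# domain policy; on an account with a blank password the write is rejected (the error Paul
# describes), so the fix there is a password reset first, then clear the flag.
function Clear-PasswordNotRequired {
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$ResetFirst)
    if ($ResetFirst) {
        $new = Read-Host -AsSecureString "New password for $SamAccountName"
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $new
    }
    try {
        Set-ADAccountControl -Identity $SamAccountName -PasswordNotRequired $false -ErrorAction Stop
        "$SamAccountName: PASSWD_NOTREQD cleared"
    } catch {
        Write-Warning "$SamAccountName: $($_.Exception.Message) (reset the password, then retry with -ResetFirst)"
    }
}

Get-PasswordNotRequiredAccount | Format-Table -AutoSize
# Clear-PasswordNotRequired -SamAccountName 'jdoe' -ResetFirst   # 'jdoe' is a placeholder
```

If the audit returns nothing for an account that still accepts a blank password, the bit is not the explanation, which is the position Tom ends up in above: the next things to look at are how the password hash arrived (the migration tool's "copy password" step) and whether the Default Domain Policy is actually the effective password policy on the domain's PDC emulator.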
RE: [ActiveDir] AD object (User accounts) Permissions disappearing
Print Operators is a protected group in 2k3. Robert Williams' post included a full list of the protected groups in 2k & 2k3. The AdminSDHolder attribute is set to 1 for members of protected groups. Another admin thought that several users needed to be in the Print Operators group to manage print jobs.

Here's Robert's post:

Maybe AdminSDHolder is biting you? Here's an article that talks about the Send-As specifically, but it's more than just that: http://support.microsoft.com/kb/907434/

If the user in question is a member of any of the following groups, then you could be seeing this:

The following list describes the protected groups in Windows 2000:
• Enterprise Admins
• Schema Admins
• Domain Admins
• Administrators

The following list describes the protected groups in Windows Server 2003 and in Windows 2000 after you apply the 327825 hotfix or you install Windows 2000 Service Pack 4:
• Administrators
• Account Operators
• Server Operators
• Print Operators
• Backup Operators
• Domain Admins
• Schema Admins
• Enterprise Admins
• Cert Publishers

Additionally, the following users are also considered protected:
• Administrator
• Krbtgt

The above was taken from: http://support.microsoft.com/kb/817433/

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, September 07, 2006 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD object (User accounts) Permissions disappearing

Can you elaborate? What do you mean by "protected groups", and how did modifying the membership of the Print Operators group cause you grief?

Thanks!
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Thursday, September 07, 2006 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD object (User accounts) Permissions disappearing

Did someone put that account into one of the protected groups? "Print operators" caused us a lot of grief a while ago.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions disappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (BlackBerry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account has disappeared. This has happened to new and existing users. I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D
[ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139
Hello all,

I have a 2-site Exchange 5.5 environment (2 5.5 servers per site on NT 4.0 SP6a with latest hotfixes), Windows 2003 native mode AD (forest/domain at 2003 functional level). MSADC installed on 1 DC replicating recipient containers and public folders from both sites. I have two-way replication. But replication from AD to Exchange 5.5 does not work. When I do a full replication between AD and 5.5 from the ADC, every object throws the following warning, event 8139, in the app log:

The target object 'CN=yann,OU=Exch,DC=mycompany,DC=com' was modified after the source object 'cn=yann,o=mycompany.com'. Consequently, the following set of updates will not be applied to the target object. If this warning persists, make sure that the time is correctly set on both the source and target servers.
dn: CN=CN=yann,OU=Exch,DC=mycompany,DC=com
changetype: modify
replicationsignature: E1EB509F06C5614FB3BF6066ACFCF531
userAccountControl:: <>
msExchMailboxGuid:: <>
-
(Connection Agreement 'Users: mycompagny.com - mycompagny.com' #3254)
For more information, click http://www.microsoft.com/contentredirect.asp.

I have verified time sync/time zone on all DCs and 5.5 servers. I have not found any solution to my issue. Next step will be a support call to PSS. Anyone with any insight into this would be greatly appreciated.

Thanks,
Yann
Re: [ActiveDir] AD object (User accounts) Permissions disappearing
No, but the user is part of a group that is part of a group that has admin-type permissions on an OU for their site.

On 9/7/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

This user isn't a domain admin or enterprise admin, is he/she?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions disappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (BlackBerry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account has disappeared. This has happened to new and existing users. I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
Re: [ActiveDir] AD object (User accounts) Permissions disappearing
You are right! Thanks!

On 9/7/06, Williams, Robert <[EMAIL PROTECTED]> wrote:

Maybe AdminSDHolder is biting you? Here's an article that talks about the Send-As specifically, but it's more than just that: http://support.microsoft.com/kb/907434/

If the user in question is a member of any of the following groups, then you could be seeing this:

[The Windows 2000 and Windows Server 2003 protected-group lists from http://support.microsoft.com/kb/817433/, quoted here in full; they appear in Robert's post earlier in this thread.]

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions disappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (BlackBerry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account has disappeared. This has happened to new and existing users. I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D

2006-09-07, 13:03:30

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
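An added example that is not code from Robert, Derek or Danny: a PowerShell report, assuming the ActiveDirectory module (RSAT) and rights to read nTSecurityDescriptor and adminCount (and to write ACLs if -Repair is used), that resolves nested membership of the protected groups listed in KB 817433, lists every account stamped adminCount=1, and flags the ones SDProp has already stripped but which are no longer in any protected group. It is the nested-group case Danny describes ("a group that is part of a group") that makes recursive membership the thing to check. The mechanics stated in the comments (hourly SDProp run, inheritance disabled on protected objects) are standard AdminSDHolder behaviour, not something the thread spells out.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT), rights to read
# nTSecurityDescriptor and adminCount, and (for -Repair) rights to write the object's ACL.
Import-Module ActiveDirectory

# Protected groups for 2003 / 2000 SP4 as listed in KB 817433 (quoted in Robert's post).
$ProtectedGroups = 'Administrators','Account Operators','Server Operators','Print Operators',
                   'Backup Operators','Domain Admins','Schema Admins','Enterprise Admins','Cert Publishers'

# SDProp evaluates nested membership, so a user two groups deep in Print Operators is protected.
function Get-ProtectedUser {
    $map = @{}
    foreach ($g in $ProtectedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                Where-Object objectClass -eq 'user' |
                ForEach-Object { $map[$_.distinguishedName] += @($g) }
        } catch {
            # Schema/Enterprise Admins exist only in the forest root; skip what this domain lacks.
            Write-Verbose "Skipping $g : $($_.Exception.Message)"
        }
    }
    $map
}

# Accounts stamped adminCount=1: SDProp has (or will, on its next hourly run) replaced their ACL
# with AdminSDHolder's and disabled inheritance, which is why a Send-As ACE granted in ADUC vanishes.
function Get-AdminCountReport {
    param([switch]$Repair)
    $protected = Get-ProtectedUser
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            $dn = $_.DistinguishedName
            $stillProtected = $protected.ContainsKey($dn)
            [pscustomobject]@{
                SamAccountName      = $_.SamAccountName
                ProtectedVia        = if ($stillProtected) { $protected[$dn] -join ', ' } else { '(none: orphaned adminCount)' }
                InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
            # Orphans (removed from the group, adminCount never cleared) keep the locked-down
            # ACL forever unless someone re-enables inheritance; -Repair does that for them only.
            if ($Repair -and -not $stillProtected) {
                $acl = Get-Acl -Path "AD:\$dn"
                $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep existing ACEs
                Set-Acl -Path "AD:\$dn" -AclObject $acl
                Set-ADUser -Identity $dn -Clear adminCount
            }
        }
}

Get-AdminCountReport | Format-Table -AutoSize
# Get-AdminCountReport -Repair   # only after reviewing the report
```

For an account that legitimately stays in a protected group, re-adding the Send-As ACE on the user is pointless, since SDProp will remove it again within the hour; either take the account out of the group (the fix Danny confirms) or grant the ACE on CN=AdminSDHolder,CN=System in the domain, accepting that SDProp then stamps it onto every protected account.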
RE: [ActiveDir] nslookup. AD beginner question
Using the version of DCDIAG that comes with the 2003 SP1 support tools, type:

dcdiag /test:dns /e /v

That will tell you what shape your DNS system is in.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon Linan
Sent: Monday, August 28, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] nslookup. AD beginner question

Hi Everyone,

When I do a nslookup domain.com, domain.com being my AD domain, what should I see? A list of the DNS servers in my domain? A list of the DCs? The fact is that I am doing nslookup and I am getting domain controllers but also a user's computer.

Thanks
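An added example, not from the reply above: a PowerShell check that answers Ramon's question directly. The A records at the zone apex (what nslookup domain.com returns) are registered by each DC's Netlogon service, so the set of addresses should equal the set of DCs advertised in the _ldap._tcp.dc._msdcs SRV record; anything else at the apex is worth a look. It assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 and later) and uses the placeholder domain.com from the question.

```powershell
# Added example, not from the thread. Assumes the DnsClient module (Resolve-DnsName) and that
# $Domain is the AD DNS domain name; 'domain.com' is the placeholder from the question.
$Domain = 'domain.com'

function Get-ApexRecordAudit {
    param([Parameter(Mandatory)][string]$Domain)

    # What "nslookup domain.com" shows: the A records at the zone apex.
    $apex = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
        Where-Object QueryType -eq 'A'

    # The DC locator SRV record is the authoritative list of which hosts should be there.
    $dcHosts = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object QueryType -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique

    $dcAddrs = foreach ($h in $dcHosts) {
        Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
            Where-Object QueryType -eq 'A' | Select-Object -ExpandProperty IPAddress
    }

    foreach ($rec in $apex) {
        # A reverse lookup usually names the stray host; an empty string means no PTR exists.
        $ptr = try { (Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction Stop).NameHost } catch { '' }
        [pscustomobject]@{
            IPAddress   = $rec.IPAddress
            TTL         = $rec.TTL
            IsDC        = [bool]($dcAddrs -contains $rec.IPAddress)
            ReverseName = $ptr
        }
    }
}

Get-ApexRecordAudit -Domain $Domain | Format-Table -AutoSize
```

A row with IsDC false is the "user's computer" Ramon sees. On the DNS server itself, Get-DnsServerResourceRecord -ZoneName domain.com -RRType A -Name '@' shows whether that record is static or dynamic and when it was last refreshed, which tells you whether to delete it by hand or find the client that keeps registering it; the dcdiag /test:dns /e /v run suggested above covers the DC side of the same question.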
RE: [ActiveDir] Distribution list Maintenance. Policy dilemma
I would make the manager that wants the DL maintain it. First, make sure that there is a written policy (approved by a higher management level) that specifies that the manager is responsible for updates. Then, after you create each DL, set the "Managed By" attribute to the appropriate manager and give them permission to make changes to it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon Linan
Sent: Tuesday, September 05, 2006 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Distribution list Maintenance. Policy dilemma

Hi,

I have department managers asking me to create DLs in Exchange for people who don't work in the company... There is no technical problem doing that, but I am finding out that the previous guy was doing that via contacts in AD. The problem is that in this business, a consultant will work one day for you and the next for your competitor.

My question is, what is the common practice in terms of DLs? Does anyone know a good way of maintaining them? Most of the time, I don't get notified when we no longer work with a consultant. How do you guys deal with DL maintenance? Any suggestion?
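An added example, not from the reply above: PowerShell that does the two steps the reply describes (set managedBy and grant the manager the right to edit membership) and, as a complement, produces the review list a manager would sign off on. It assumes the ActiveDirectory module (RSAT) and rights to modify the group's managedBy attribute and ACL; the group and manager names in the usage lines are placeholders. The "Manager can update membership list" checkbox in ADUC is an Allow WriteProperty ACE scoped to the member attribute, whose schemaIDGUID is the constant below.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT) and rights to
# change the group's managedBy attribute and ACL. Group and manager names are placeholders.
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute; "Manager can update membership list" in ADUC is
# exactly an Allow WriteProperty ACE for the manager scoped to this attribute.
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Set-DistributionListOwner {
    param([Parameter(Mandatory)][string]$GroupName,
          [Parameter(Mandatory)][string]$ManagerSam)

    $group = Get-ADGroup -Identity $GroupName
    $mgr   = Get-ADUser  -Identity $ManagerSam

    Set-ADGroup -Identity $group -ManagedBy $mgr

    $path = "AD:\$($group.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $mgr.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttrGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# The complement: a periodic report for the DL manager, listing external contacts (the
# consultants who may now work for a competitor) and flagging DLs with no live manager,
# since those are the ones nobody will ever prune.
function Get-DistributionListReview {
    Get-ADGroup -Filter { GroupCategory -eq 'Distribution' } -Properties managedBy, member, mail |
        ForEach-Object {
            $manager = if ($_.managedBy) { Get-ADUser -Identity $_.managedBy -ErrorAction SilentlyContinue }
            # Get-ADObject rather than Get-ADGroupMember, because contacts are not principals.
            $contacts = foreach ($dn in $_.member) {
                $m = Get-ADObject -Identity $dn -Properties mail, objectClass
                if ($m.objectClass -eq 'contact') { $m.mail }
            }
            [pscustomobject]@{
                Group        = $_.Name
                Mail         = $_.mail
                Manager      = if ($manager) { $manager.SamAccountName } else { '(none)' }
                ManagerOK    = [bool]($manager -and $manager.Enabled)
                Externals    = @($contacts).Count
                ExternalMail = $contacts -join '; '
            }
        }
}

# Set-DistributionListOwner -GroupName 'DL-Sales-Consultants' -ManagerSam 'jsmith'
Get-DistributionListReview |
    Where-Object { -not $_.ManagerOK -or $_.Externals -gt 0 } |
    Format-Table -AutoSize
```

The ACE grants write on the member attribute only; it does not let the manager rename the group, change its mail address or touch anything else on the object, which is the scope the reply's "permission to make changes to it" should have.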
Re: [ActiveDir] Separate Administrator password policy
What would be the difference between those solutions and smart cards as you see it? You make me think I missed something in the previous conversations.

On 9/7/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
Or use smartcards.

Laura

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, September 07, 2006 6:35 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Separate Administrator password policy
>
> Why not use certificates or RSA for admin accounts? If you have a PKI environment, that would be my suggestion. Then only the default administrator account would be insecure. But that can be mitigated with a very long password.
>
> Another option is to put admin accounts in a separate child or top domain.
>
> /petter borling
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: den 7 september 2006 05:54
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Separate Administrator password policy
>
> Hi Al,
>
> All good questions. I'll answer here, but if it starts to get hairy, let's take it offline (same as my post to Susan - I don't want this to become a deep discussion of our product on the list).
>
> > Not to pick, but it occurs to me that you're trying to complicate the problem. While I agree that changing the passwords every 24 hours (whatever freq works is likely going to be fine) is not a bad idea, it has the likely problem of being very problematic. This is similar to a push vs. pull paradigm and if looked at that way, you have similar issues such as connectivity and reliability, i.e. how do you ensure that the password change was successful if there's a network outage? Or just a network blip? Is it important that you do so is assumed from the previous information to date.
>
> 100% reliability is mandatory in this kind of app. Funny that you raise push vs. pull, as we have two modes of operation, called push and pull. :-) We "push" passwords to server-class target systems (e.g., AD, mainframes, whatever), and "pull" password changes from workstations (i.e., the workstations push to the server). The handshake used ensures that password changes are 100% reliable - we abort if there isn't a connection, etc.; and password history is retained just in case something went wrong anyway.
>
> > A solution that scales up, down, or laterally is appropriate. Something that allows an account to traverse the different sites, possibly into the hundreds or even thousands, and allows almost instant revocation of the user account with administrative privileges should that become necessary during the course of normal business.
>
> Scaling is easy enough - just arrange for different devices, of which there may be tens of thousands, to contact a central server at somewhat randomized times, and keep trying in case of powerdown, connection failures, etc. etc. This eliminates nasty traffic bursts.
>
> Traversing sites is easy too - use HTTPS to connect to the central server, and use whatever proxy settings are needed to "get out."
>
> Instant revocation is another matter. Our approach provides for timed revocation on workstations (due to limitations fundamental to pull mode), and instant revocation on servers (since push allows for it).
>
> > Now, if only we had such a technology...
>
> We sell it, more or less as described.
>
> > Some suggestions that come to mind would be everything from a "toaster"-like device placed at the client site to a certificate based credential system. Hybrid ideas also entertained. Plenty of pros and cons for each, such as the ability to have something tangible at the client site that can also be a multi-functional device and can work semi-autonomously to monitor even if the WAN link goes away (different issues can be monitored.) It can also provide the 8th layer with a sense of investment and partnership. Downside is that it's more to manage and monitor. But that can be mitigated by allowing it to be sales person installable, meaning that if something goes wrong with the device, then you roll a salesperson to replace it. That gives the salesperson reason to have more facetime with the client and gives a chance to sell more business.
>
> A service on each client device is probably cheaper than yet another machine at the client site, if you're managing lots of small-ish clients... Of course, you pointed to other, unrelated but quite useful functionality above, such as WAN link monitoring.
>
> > The conversation could be longer, but I'm sure that a solution is possible that fits many of the criteria defined. Because the original problem scope is to remove the administrative access, using a hybrid solution that relies on certificates and a toaster item would be more likely. The details an
Re: [ActiveDir] OT: admin account in Vista
"Write down your username and password and store it in a safe location." That's an interesting departure from the usual recommendations. ;-)

On 9/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
Windows Vista Security : Built-in Administrator Account Disabled:
http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Strange password issue
I saw it this morning. Not sure if it was last night, today, yesterday... curious thread though. I suppose if Tom misinterpreted the UAC flag meaning, it is also possible that he typo'd the actual value.

Tom, how about some more details? What clued you into the user having a blank password? What does the user say about it? How long has it been this way? Was this user migrated (reference to the Quest tool)? How was the user account created (you said ADUC, but were you the one that created it?) How'd the user find out that the password was blank? I think some history of the issue and how the user came to be configured this way is needed.

Also, what does the user community use to change passwords? Any meta directories? Any password management solutions in place?

Al

On 9/7/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot. BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)

Thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. Try doing an LDAP query for

(&(objectClass=user)(userAccountControl=544))

You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.

Note: if the option "password not required" is set, then you can either have a blank password or comply with the password policy in defdom GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! :(

Following on from the last mail... You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern <[EMAIL PROTECTED]> wrote:
This is a domain account.

To rehash: The Default Domain Policy is set to min password length 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@ma
RE: [ActiveDir] AD object (User accounts) Permissions dissappearing
This user isn't a domain admin or enterprise admin, is he/she?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account has disappeared. This has happened to new and existing users. I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D
RE: [ActiveDir] AD object (User accounts) Permissions dissappearing
Can you elaborate? What do you mean by "protected groups", and how did modifying the membership of the Print Operators group cause you grief?

Thanks!
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Thursday, September 07, 2006 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

Did someone put that account into one of the protected groups? "Print operators" caused us a lot of grief a while ago.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account has disappeared. This has happened to new and existing users. I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D
Re: [ActiveDir] Is a Global Security group being used?
Artistic license on my part.

M.

-Original Message-
From: "Laura A. Robinson" <[EMAIL PROTECTED]>
Date: Thu, 07 Sep 2006 12:32:50
To:
Subject: RE: [ActiveDir] Is a Global Security group being used?

I didn't say you were insane, just that this might not be the best idea. :-) I won't comment on what we say at TechEd. ;-)

Laura

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
> Sent: Thursday, September 07, 2006 11:41 AM
> To: ActiveDir.org
> Subject: Re: [ActiveDir] Is a Global Security group being used?
>
> The question was "a way" - not "the best way". This method was actually suggested by MS at TechEd one year, so I am not totally insane.
>
> -Original Message-
> From: "Laura A. Robinson" <[EMAIL PROTECTED]>
> Date: Wed, 06 Sep 2006 13:44:53
> To:
> Subject: RE: [ActiveDir] Is a Global Security group being used?
>
> While that's an interesting approach, unless this is a very small environment (as in, there's no help desk that's going to be baffled by the screaming and no multi-gazillionaire CXOs who are going to be doing the screaming), that might not be such a good idea. ;-)
>
> Laura
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
> > Sent: Wednesday, September 06, 2006 1:18 PM
> > To: ActiveDir.org
> > Subject: Re: [ActiveDir] Is a Global Security group being used?
> >
> > Change it to a Distribution Group and see who screams - if anyone does, change it back to a security group again.
> >
> > M.
> >
> > -Original Message-
> > From: "Figueroa, Johnny" <[EMAIL PROTECTED]>
> > Date: Wed, 6 Sep 2006 09:43:58
> > To:
> > Subject: [ActiveDir] Is a Global Security group being used?
> >
> > Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this?
> >
> > Thanks in advance.
> >
> > Johnny Figueroa
Re: [ActiveDir] AD object (User accounts) Permissions dissappearing
If the permissions are being reset it is the result of DSPROP. Google AdminSDHolder or look at this:

http://www.msresource.net/content/view/38/46/

The reason this is happening is because these users are members (directly or indirectly) of groups considered protected, e.g. Administrators, Backup Operators, etc.

--Paul

- Original Message -
From: Danny
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 4:48 PM
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account has disappeared. This has happened to new and existing users. I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D
Re: [ActiveDir] Strange password issue
Yeah, I think I saw your post last night. Mail was taking 70 minutes to come through last night.

It's not really academic or obsolete, as this proves that it couldn't have been 544 and set back to 512. Which means that it is more than likely the password, or lack of, was set when the policy wasn't in place.

--Paul

- Original Message -
From: Laura A. Robinson
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 4:56 PM
Subject: RE: [ActiveDir] Strange password issue

Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot. BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)

Thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. Try doing an LDAP query for

(&(objectClass=user)(userAccountControl=544))

You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.

Note: if the option "password not required" is set, then you can either have a blank password or comply with the password policy in defdom GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! :(

Following on from the last mail... You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern <[EMAIL PROTECTED]> wrote:
This is a domain account.

To rehash: The Default Domain Policy is set to min password length 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks
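The 512 vs. 544 back-and-forth in this thread comes down to one bit and two different LDAP filters. The script below is an added example (not code posted by anyone on the list): it decodes userAccountControl into flag names, builds Paul's extensible-match filter, and runs both the equality filter and the bitwise-AND filter over a constructed sample directory to show what each one misses. The flag constants are the documented userAccountControl bits; the object names and values are made up for the demonstration.

```python
"""Decode userAccountControl and compare the two LDAP filters from the thread.

Added example for this thread; not code from any list member.
Flag values are the documented userAccountControl bits. The sample objects
below are constructed for illustration only.
"""
from typing import Dict, List

# Documented userAccountControl bits that matter for the 512/544 discussion.
ACCOUNTDISABLE = 0x0002             # 2
PASSWD_NOTREQD = 0x0020             # 32: the "password not required" bit
NORMAL_ACCOUNT = 0x0200             # 512: a plain user account
WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096: a computer account
DONT_EXPIRE_PASSWORD = 0x10000      # 65536

UAC_FLAGS = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match used in Paul's filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def password_not_required(value: int) -> bool:
    """True when PASSWD_NOTREQD is set, whatever other bits are also present."""
    return bool(value & PASSWD_NOTREQD)


def bitwise_filter(bit: int, people_only: bool = True) -> str:
    """Build the extensible-match filter for accounts that have `bit` set."""
    category = "(objectCategory=person)" if people_only else ""
    return (f"(&{category}(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bit}))")


# Constructed sample directory (not real accounts). Computer objects carry
# objectClass=user as well, which is why objectCategory=person matters.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_OBJECTS: List[Dict] = [
    {"cn": "tkern",      "objectCategory": "person",   "objectClass": USER_CLASSES,               "userAccountControl": 512},
    {"cn": "svc-legacy", "objectCategory": "person",   "objectClass": USER_CLASSES,               "userAccountControl": 544},
    {"cn": "contractor", "objectCategory": "person",   "objectClass": USER_CLASSES,               "userAccountControl": 546},    # disabled + not required
    {"cn": "oldsvc",     "objectCategory": "person",   "objectClass": USER_CLASSES,               "userAccountControl": 66080},  # never expires + not required
    {"cn": "WS01$",      "objectCategory": "computer", "objectClass": USER_CLASSES + ["computer"], "userAccountControl": 4128},   # workstation + not required
]


def equality_query(objects: List[Dict]) -> List[str]:
    """Emulates (&(objectClass=user)(userAccountControl=544)): exact value only."""
    return [o["cn"] for o in objects
            if "user" in o["objectClass"] and o["userAccountControl"] == 544]


def bitwise_query(objects: List[Dict], people_only: bool = True) -> List[str]:
    """Emulates the 1.2.840.113556.1.4.803 bitwise-AND match on bit 32."""
    return [o["cn"] for o in objects
            if "user" in o["objectClass"]
            and (not people_only or o["objectCategory"] == "person")
            and password_not_required(o["userAccountControl"])]


if __name__ == "__main__":
    for uac in (512, 544):
        print(uac, decode_uac(uac))
    print(bitwise_filter(PASSWD_NOTREQD))
    print("equality 544:     ", equality_query(SAMPLE_OBJECTS))
    print("bitwise, people:  ", bitwise_query(SAMPLE_OBJECTS))
    print("bitwise, all user:", bitwise_query(SAMPLE_OBJECTS, people_only=False))
```

The point the sample makes: an equality match on 544 finds only accounts whose value is exactly NORMAL_ACCOUNT + PASSWD_NOTREQD, so a disabled (546) or never-expires (66080) account with the same bit set slips through, while the bitwise-AND rule catches all of them. Dropping objectCategory=person from the bitwise filter also pulls in computer accounts, which is the non-people caveat Paul raises. The same logic applies to whichever LDAP client you point at a DC; only the filter string changes.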
RE: [ActiveDir] OT: uptime.exe in a 2003/sp1 world - problem
I've had some problems with the NT 4 RK version (1.x), are you using the 2000 RK version (2.0)? It was a fairly significant update IIRC.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Thursday, September 07, 2006 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: uptime.exe in a 2003/sp1 world - problem

Hi,

I have moved a job that employs uptime.exe (in a loop using the FOR command) from a Windows 2000/SP4 server to a Windows 2003/SP1 server. Now part way through the job, I get:

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 9/7/2006
Time: 9:29:36 AM
User: N/A
Computer: ODDJOB221
Description:
Application popup: UPTIME.EXE - Application Error : The instruction at "0x7c837cf5" referenced memory at "0xfffd". The memory could not be "read".

Click on OK to terminate the program
Click on CANCEL to debug the program

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Any thoughts? TIA!

Mike Thommes
RE: [ActiveDir] AD object (User accounts) Permissions dissappearing
Maybe AdminSDHolder is biting you? Here's an article that talks about the Send-As specifically, but it's more than just that:

http://support.microsoft.com/kb/907434/

If the user in question is a member of any of the following groups, then you could be seeing this:

The following list describes the protected groups in Windows 2000:
• Enterprise Admins
• Schema Admins
• Domain Admins
• Administrators

The following list describes the protected groups in Windows Server 2003 and in Windows 2000 after you apply the 327825 hotfix or you install Windows 2000 Service Pack 4:
• Administrators
• Account Operators
• Server Operators
• Print Operators
• Backup Operators
• Domain Admins
• Schema Admins
• Enterprise Admins
• Cert Publishers

Additionally the following users are also considered protected:
• Administrator
• Krbtgt

The above was taken from: http://support.microsoft.com/kb/817433/

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account has disappeared. This has happened to new and existing users. I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D

2006-09-07, 13:03:30
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.
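Paul's reply and Robert's list both point at the same diagnosis: the account is a member, directly or through nested groups, of a protected group, so its ACL is being overwritten from AdminSDHolder. The script below is an added example (not code from the list or from Microsoft) that does the check a help desk would want before touching permissions again: given a memberOf-style view of the directory, it climbs nested group membership, handles cycles, and reports which protected group an account inherits protection from. The protected-group names are the Windows Server 2003 list quoted above; the group membership data is a constructed sample.

```python
"""Which accounts will SDProp keep resetting? Walk nested group membership up
to the protected groups listed in the post.

Added example for this thread, not code from the list or from Microsoft.
The protected-group list is the Windows Server 2003 list quoted above;
the group membership data is a constructed sample.
"""
from collections import deque
from typing import Dict, Iterable, List, Set

PROTECTED_GROUPS_2003: Set[str] = {
    "Administrators", "Account Operators", "Server Operators",
    "Print Operators", "Backup Operators", "Domain Admins",
    "Schema Admins", "Enterprise Admins", "Cert Publishers",
}
PROTECTED_USERS: Set[str] = {"Administrator", "krbtgt"}

# Constructed sample: group name -> direct members (users or other groups).
# Nesting and a deliberate cycle (PrintAdmins <-> HelpdeskTier2) are included
# because real directories have both.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "Print Operators": ["PrintAdmins"],
    "PrintAdmins": ["danny", "HelpdeskTier2"],
    "HelpdeskTier2": ["PrintAdmins", "alice"],
    "Domain Admins": ["bob"],
    "BES Admins": ["besadmin"],
}


def invert_membership(groups: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """member -> set of groups that list it directly (the memberOf view)."""
    parents: Dict[str, Set[str]] = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def protected_memberships(principal: str, groups: Dict[str, List[str]],
                          protected: Iterable[str] = PROTECTED_GROUPS_2003) -> List[str]:
    """Protected groups `principal` belongs to, directly or through nesting."""
    protected = set(protected)
    parents = invert_membership(groups)
    seen: Set[str] = set()
    hits: Set[str] = set()
    queue = deque([principal])
    while queue:
        node = queue.popleft()
        for group in parents.get(node, ()):
            if group in seen:
                continue            # cycle or diamond: already walked this group
            seen.add(group)
            if group in protected:
                hits.add(group)
            queue.append(group)     # keep climbing: groups nest inside groups
    return sorted(hits)


def is_protected(principal: str, groups: Dict[str, List[str]]) -> bool:
    """True when SDProp will overwrite this object's ACL from AdminSDHolder."""
    return principal in PROTECTED_USERS or bool(protected_memberships(principal, groups))


def explain(principal: str, groups: Dict[str, List[str]]) -> str:
    """One-line diagnosis for a 'my Send-As grant keeps vanishing' ticket."""
    if principal in PROTECTED_USERS:
        return f"{principal}: built-in protected account; ACL follows AdminSDHolder"
    via = protected_memberships(principal, groups)
    if via:
        return (f"{principal}: protected via {', '.join(via)}; "
                "grants on the object get reset by SDProp, review membership first")
    return f"{principal}: not in a protected group; look elsewhere for the ACL change"


if __name__ == "__main__":
    for who in ("danny", "alice", "besadmin", "bob", "Administrator"):
        print(explain(who, SAMPLE_GROUPS))
```

In the sample, alice is three hops away from Print Operators and would never show up in a direct membership check, which is exactly the "directly or indirectly" case Paul describes. Beyond what the thread says: an object that SDProp has already stamped carries adminCount=1, so listing users with that attribute set is the quick way to find everyone affected, including accounts whose membership was removed later (the attribute and the ACL are not cleared automatically).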
RE: [ActiveDir] AD object (User accounts) Permissions dissappearing
Did someone put that account into one of the protected groups? "Print operators" caused us a lot of grief a while ago.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account has disappeared. This has happened to new and existing users. I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D
RE: [ActiveDir] Is a Global Security group being used?
I didn't say you were insane, just that this might not be the best idea. :-) I won't comment on what we say at TechEd. ;-)

Laura

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
> Sent: Thursday, September 07, 2006 11:41 AM
> To: ActiveDir.org
> Subject: Re: [ActiveDir] Is a Global Security group being used?
>
> The question was "a way" - not "the best way". This method was actually suggested by MS at TechEd one year, so I am not totally insane.
>
> -Original Message-
> From: "Laura A. Robinson" <[EMAIL PROTECTED]>
> Date: Wed, 06 Sep 2006 13:44:53
> To:
> Subject: RE: [ActiveDir] Is a Global Security group being used?
>
> While that's an interesting approach, unless this is a very small environment (as in, there's no help desk that's going to be baffled by the screaming and no multi-gazillionaire CXOs who are going to be doing the screaming), that might not be such a good idea. ;-)
>
> Laura
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
> > Sent: Wednesday, September 06, 2006 1:18 PM
> > To: ActiveDir.org
> > Subject: Re: [ActiveDir] Is a Global Security group being used?
> >
> > Change it to a Distribution Group and see who screams - if anyone does, change it back to a security group again.
> >
> > M.
> >
> > -Original Message-
> > From: "Figueroa, Johnny" <[EMAIL PROTECTED]>
> > Date: Wed, 6 Sep 2006 09:43:58
> > To:
> > Subject: [ActiveDir] Is a Global Security group being used?
> >
> > Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this?
> >
> > Thanks in advance.
> >
> > Johnny Figueroa
RE: [ActiveDir] Strange password issue
Yep, your e-mail definitely hit the list.

> I'm confused as to why the 512 UAC flag is making anybody think that passwd_notreqd is set. A setting of 512 indicates a normal account. 544 would indicate a normal account with passwd_notreqd set.
>
> Laura

If that is the e-mail you are talking about.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, September 07, 2006 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot. BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)

Thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. Try doing an LDAP query for

(&(objectClass=user)(userAccountControl=544))

You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.

Note: if the option "password not required" is set, then you can either have a blank password or comply with the password policy in defdom GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! :(

Following on from the last mail... You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern <[EMAIL PROTECTED]> wrote:
This is a domain account.

To rehash: The Default Domain Policy is set to min password length 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue
RE: [ActiveDir] Is a Global Security group being used?
We met with the Microsoft Identity and Access Management product group recently and this was mentioned as the method used internally.

Patrick

Patrick Parker . The Dot Net Factory . (877) 996-4276 . [EMAIL PROTECTED]
EmpowerID for Microsoft Active Directory & ADAM – Manage . Collaborate . Empower

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: Thursday, September 07, 2006 11:41 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] Is a Global Security group being used?

The question was "a way" - not "the best way". This method was actually suggested by MS at TechEd one year, so I am not totally insane.

-Original Message-
From: "Laura A. Robinson" <[EMAIL PROTECTED]>
Date: Wed, 06 Sep 2006 13:44:53
To:
Subject: RE: [ActiveDir] Is a Global Security group being used?

While that's an interesting approach, unless this is a very small environment (as in, there's no help desk that's going to be baffled by the screaming and no multi-gazillionaire CXOs who are going to be doing the screaming), that might not be such a good idea. ;-)

Laura

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
> Sent: Wednesday, September 06, 2006 1:18 PM
> To: ActiveDir.org
> Subject: Re: [ActiveDir] Is a Global Security group being used?
>
> Change it to a Distribution Group and see who screams - if anyone does, change it back to a security group again.
>
> M.
>
> -Original Message-
> From: "Figueroa, Johnny" <[EMAIL PROTECTED]>
> Date: Wed, 6 Sep 2006 09:43:58
> To:
> Subject: [ActiveDir] Is a Global Security group being used?
>
> Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this?
>
> Thanks in advance.
>
> Johnny Figueroa
RE: [ActiveDir] Strange password issue
Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot. BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)

Thanks,

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. Try doing a ldap query for

(&(objectClass=user)(useraccountcontrol=544))

You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.

Note: if the option password not required is set, then you can either have a blank password or comply with the password policy in defdom GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! : (

Following on from the last mail… You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the Window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern <[EMAIL PROTECTED]> wrote:

This is a domain account. To rehash- The Default Domain Policy is set to min password length- 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that i'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in ef
RE: [ActiveDir] Separate Administrator password policy
Or use smartcards.

Laura

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, September 07, 2006 6:35 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Separate Administrator password policy
>
> Why not use certificates or rsa for admin accounts?
> IF you have a pki environment that would be my suggestion.
> Then only the default administrator account would be
> insecure. But that can be mitigated with a very long password.
>
> Another option is to put admin accounts in a separate child
> or top domain.
>
> /petter borling
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: den 7 september 2006 05:54
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Separate Administrator password policy
>
> Hi Al,
>
> All good questions. I'll answer here, but if it starts to
> get hairy, let's take it offline (same as my post to Susan - I
> don't want this to become a deep discussion of our product on
> the list).
>
> > Not to pick, but it occurs to me that you're trying to complicate the
> > problem. While I agree that changing the passwords every 24 hours
> > (whatever freq works is likely going to be fine), is not a bad idea,
> > it has the likely problem of being very problematic. This is similar
> > to a push vs. pull paradigm and if looked at that way, you have
> > similar issues such as connectivity and reliability. i.e. how do you
> > ensure that the password change was successful if there's a network
> > outage? Or just a network blip?
> > Is it important that you do so is assumed from the previous
> > information to date.
>
> 100% reliability is mandatory in this kind of app. Funny
> that you raise push vs. pull, as we have two modes of
> operations, called push and pull. :-) We "push" passwords to
> server-class target systems (e.g., AD, mainframes, whatever),
> and "pull" password changes from workstations (i.e., the
> workstations push to the server). The handshake used ensures
> that password changes are 100% reliable - we abort if there
> isn't a connection, etc.; and password history is retained
> just in case something went wrong anyways.
>
> > A solution that scales up, down, or laterally is appropriate.
> > Something that allows an account to traverse the different sites,
> > possibly into the hundreds or even thousands, and allows almost
> > instant revocation of the user account with administrative privileges
> > should that become necessary during the course of normal business.
>
> Scaling is easy enough - just arrange for different devices,
> of which there may be tens of thousands, to contact a central
> server at somewhat randomized times, and keep trying in case
> of powerdown, connection failures, etc. etc. This eliminates
> nasty traffic bursts.
>
> Traversing sites is easy too - use HTTPS to connect to the
> central server, and use whatever proxy settings are needed to
> "get out."
>
> Instant revocation is another matter. Our approach provides
> for timed revocation on workstations (due to limitations
> fundamental to pull mode), and instant revocation on servers
> (since push allows for it).
>
> > Now, if only we had such a technology...
>
> We sell it, more or less as described.
>
> > Some suggestions that come to mind would be everything from a
> > "toaster"-like device placed at the client site to a certificate based
> > credential system come to mind. Hybrid ideas also entertained. Plenty
> > of pros and cons for each, such as the ability to have something
> > tangible at the client site that can also be a multi-functional device
> > and can work semi-autonomously to monitor even if the WAN link goes
> > away (different issues can be monitored.) It can also provide the 8th
> > layer with a sense of investment and partnership. Downside is that
> > it's more to manage and monitor. But that can be mitigated by allowing
> > it to be sales person installable meaning that if something
> > goes wrong with the device, then you roll a salesperson to replace it.
> > That gives the salesperson reason to have more facetime with the
> > client and gives a chance to sell more business.
>
> A service on each client device is probably cheaper than yet
> another machine at the client site, if you're managing lots
> of small-ish clients... Of course, you pointed to other,
> unrelated but quite useful functionality above, such as WAN
> link monitoring.
>
> > The conversation could be longer, but I'm sure that a solution is
> > possible that fits many of the criteria defined. Because the original
> > problem scope is to remove the administrative access, using a hybrid
> > solution that relies on certificates and a toaster item would be more
> > likely. The details and pricing would need
[ActiveDir] AD object (User accounts) Permissions disappearing
Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account has disappeared. This has happened to new and existing users. I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D
Re: [ActiveDir] Is a Global Security group being used?
The question was "a way" - not "the best way". This method was actually suggested by MS at TechED one year, so I am not totally insane.

-Original Message-
From: "Laura A. Robinson" <[EMAIL PROTECTED]>
Date: Wed, 06 Sep 2006 13:44:53
To:
Subject: RE: [ActiveDir] Is a Global Security group being used?

While that's an interesting approach, unless this is a very small environment (as in, there's no help desk that's going to be baffled by the screaming and no multi-gazillionaire CXOs who are going to be doing the screaming), that might not be such a good idea. ;-)

Laura

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Wednesday, September 06, 2006 1:18 PM
> To: ActiveDir.org
> Subject: Re: [ActiveDir] Is a Global Security group being used?
>
> Change it to a Distribution Group and see who screams - if
> anyone does change it back to a security group again.
>
> M.
>
> -Original Message-
> From: "Figueroa, Johnny" <[EMAIL PROTECTED]>
> Date: Wed, 6 Sep 2006 09:43:58
> To:
> Subject: [ActiveDir] Is a Global Security group being used?
>
> Does anyone have a way to determine if a domain global group
> is being used? Will auditing on the DCs tell me this?
>
> Thanks in advance.
>
> Johnny Figueroa
Re: [ActiveDir] Strange password issue
Does it have a hash though? There's no password. It's null. I don't know the answer to that. It could, I suppose, pad it out but...who knows?

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org ; [EMAIL PROTECTED]
Sent: Thursday, September 07, 2006 3:10 PM
Subject: Re: [ActiveDir] Strange password issue

This brings up a very good point, HOW is it checking the password length? As we pointed out earlier once the hash is created there should not be a way to easily check the password length.

Andrew Fidel

"Paul Williams" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09/07/2006 07:35 AM
Please respond to ActiveDir@mail.activedir.org
To:
cc:
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. Try doing a ldap query for

(&(objectClass=user)(useraccountcontrol=544))

You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.

Note: if the option password not required is set, then you can either have a blank password or comply with the password policy in defdom GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! : (

Following on from the last mail… You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the Window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern <[EMAIL PROTECTED]> wrote:

This is a domain account. To rehash- The Default Domain Policy is set to min password length- 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that i'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activ
Re: [ActiveDir] DNS Entries --Laptop Users--
1. I Didn't understand what exactly you are asking?
2. Yes DHCP Is configured properly.

That's not what I asked. I asked if it's updating the records for the device or is it letting the devices update their own?

Al

On 9/6/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:

1. I Didn't understand what exactly you are asking?
2. Yes DHCP Is configured properly.
3. Yes it is running on DC
4. No, not running any other credential.
5. VPN Machine is entirely a different BOX on other site.
6. It doesn't register in my DNS. (Will extract other information from Site B Admin)

update you very soon...

Thanks
RD
[ActiveDir] OT: uptime.exe in a 2003/sp1 world - problem
Hi,

I have moved a job that employs uptime.exe (in a loop using the FOR command) from a Windows 2000/SP4 server to a Windows 2003/SP1 server. Now part way through the job, I get:

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 9/7/2006
Time: 9:29:36 AM
User: N/A
Computer: ODDJOB221
Description:
Application popup: UPTIME.EXE - Application Error : The instruction at "0x7c837cf5" referenced memory at "0xfffd". The memory could not be "read".
Click on OK to terminate the program
Click on CANCEL to debug the program
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Any thoughts? TIA!

Mike Thommes
Re: [ActiveDir] Strange password issue
This brings up a very good point, HOW is it checking the password length? As we pointed out earlier once the hash is created there should not be a way to easily check the password length.

Andrew Fidel

"Paul Williams" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09/07/2006 07:35 AM
Please respond to ActiveDir@mail.activedir.org
To:
cc:
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. Try doing a ldap query for

(&(objectClass=user)(useraccountcontrol=544))

You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.

Note: if the option password not required is set, then you can either have a blank password or comply with the password policy in defdom GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! : (

Following on from the last mail… You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the Window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern <[EMAIL PROTECTED]> wrote:

This is a domain account. To rehash- The Default Domain Policy is set to min password length- 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that i'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago.. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert <[EMAIL PROTECTED]> wrote:

Tom, This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way be
[ActiveDir] aexp.asp Changing user password via web
Hi,

When you deploy MS Exchange it also installs a bunch of asp scripts in IIS. For instance MS iisadmpwd/aexp.asp, which allows users to change their password via browser!! I was wondering how secure it is to have these scripts accessible from the internet? Any suggestion?

Rezuma
RE: [ActiveDir] NTFRS - Journal Wrap Errors
Demote the second DC first, just concentrate on getting the first DC working problem. Then do the D4 on the first DC. Wait a while to verify it worked. Re-promote the second DC.

Thanks,
Anthony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Burg
Sent: Thursday, September 07, 2006 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTFRS - Journal Wrap Errors

Ok... Can someone tell me what happens if I do the D2 and it doesn't work? Am I where I am right now, or will the current sysvol share be removed? What about the D4? How long do these take in a very small domain? Will a system state/AD restore get me back to where I am now? I am trying to give the business their options/risks since this problem has been going on long before I arrived on the scene...

Thanks
Aaron

-Original Message-
From: Kurt Falde <[EMAIL PROTECTED]>
Date: Thursday, Sep 7, 2006 3:51 am
Subject: RE: [ActiveDir] NTFRS - Journal Wrap Errors

If you only have a single DC then you should utilize D4 for an authoritative restore as its own contents are the valid contents and there is nowhere else to pull from. You may need to restart FRS or possibly run a D2 on the new DC to get FRS replicating on that server as well. Check out downloading Sonar.exe for viewing FRS stats so that you can see if your backlogged files start replicating between the DCs once you do this. FRSdiag is also useful if you need to troubleshoot as well.

Sonar http://www.microsoft.com/downloads/details.aspx?FamilyID8cb0fb-fe09-477c-8148-25ae02cf15d8&DisplayLang=en
FRSdiag http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyidCCB658E-8553-4DE7-811A-562563EB5EBF

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Burg
Sent: Thursday, September 07, 2006 1:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFRS - Journal Wrap Errors

Hi-

I am new to the list and was hoping someone could help with an ugly situation I was brought in to clean up:

I am working with a W2K native mode domain with only ONE active domain controller (W2K SP4). There is a second DC, but it was brought on-line after the journal wrap errors (Event 13568) began and has never replicated sysvol (doesn't even exist on the box). It appears AD and such are working with the new DC... just not NTFRS.

The original DC does have sysvol and appears to be working to authenticate clients as normal. I need to get the journal wrap errors resolved so I can bring the second DC on-line, transfer FSMO roles and get the old box rebuilt since it doesn't even have redundant drives - Yikes!

Everything I have read says to do a D2 non-authoritative restore, but since I only have the one DC, where would it restore from? I have run an NTbackup of c:\ and system state to try and get some comfort, but still am afraid of making matters worse.

Any suggestions/recommendations would be very much appreciated... I would like to get this cleaned up this week!

Thanks so much,
Aaron
[EMAIL PROTECTED]
RE: [ActiveDir] NTFRS - Journal Wrap Errors
Ok... Can someone tell me what happens if I do the D2 and it doesn't work? Am I where I am right now, or will the current sysvol share be removed? What about the D4? How long do these take in a very small domain? Will a system state/AD restore get me back to where I am now? I am trying to give the business their options/risks since this problem has been going on long before I arrived on the scene...

Thanks
Aaron

-Original Message-
From: Kurt Falde <[EMAIL PROTECTED]>
Date: Thursday, Sep 7, 2006 3:51 am
Subject: RE: [ActiveDir] NTFRS - Journal Wrap Errors

If you only have a single DC then you should utilize D4 for an authoritative restore as its own contents are the valid contents and there is nowhere else to pull from. You may need to restart FRS or possibly run a D2 on the new DC to get FRS replicating on that server as well. Check out downloading Sonar.exe for viewing FRS stats so that you can see if your backlogged files start replicating between the DCs once you do this. FRSdiag is also useful if you need to troubleshoot as well.

Sonar http://www.microsoft.com/downloads/details.aspx?FamilyID8cb0fb-fe09-477c-8148-25ae02cf15d8&DisplayLang=en
FRSdiag http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyidCCB658E-8553-4DE7-811A-562563EB5EBF

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Burg
Sent: Thursday, September 07, 2006 1:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFRS - Journal Wrap Errors

Hi-

I am new to the list and was hoping someone could help with an ugly situation I was brought in to clean up:

I am working with a W2K native mode domain with only ONE active domain controller (W2K SP4). There is a second DC, but it was brought on-line after the journal wrap errors (Event 13568) began and has never replicated sysvol (doesn't even exist on the box). It appears AD and such are working with the new DC... just not NTFRS.

The original DC does have sysvol and appears to be working to authenticate clients as normal. I need to get the journal wrap errors resolved so I can bring the second DC on-line, transfer FSMO roles and get the old box rebuilt since it doesn't even have redundant drives - Yikes!

Everything I have read says to do a D2 non-authoritative restore, but since I only have the one DC, where would it restore from? I have run an NTbackup of c:\ and system state to try and get some comfort, but still am afraid of making matters worse.

Any suggestions/recommendations would be very much appreciated... I would like to get this cleaned up this week!

Thanks so much,
Aaron
[EMAIL PROTECTED]
[ActiveDir] ADAM
Hello - I know Microsoft ADAM supports LDAP referrals but I wanted to know if it's possible to create them and if so how. I'd like to create a container in the directory that returns contents based on a referral to another part of the directory.

Thanks
Jim
RE: [ActiveDir] Strange password issue
Yes, there is. The password policy is checked as soon as the password entered (using characters) is written into the directory, whether it is a new password or a changed password. If a password hash is written into the directory the system cannot check if the password that generated the hash meets the password policy or not. Migration tools like ADMT and Quest DMW migrate passwords by migrating the hash and not the actual password. For those accounts that were migrated, the password policy comes into effect as soon as the user is forced to change the password, but until that time

You mention Quest's migration tool. Are you saying the user was migrated from another forest/domain outside the existing forest and where it was created using ADUC?

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 2006-09-06 16:38
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks
Re: [ActiveDir] Strange password issue
But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEdit gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. Your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed, and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. Try doing an LDAP query for (&(objectClass=user)(userAccountControl=544)). You could then modify the attribute to 512 on these users either with ADSIEdit or in a nice tool such as ADModify.net.

Note: if the option "password not required" is set, then you can either have a blank password or comply with the password policy in the defdom GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 6 September 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! :(

Following on from the last mail... You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that "password not required" is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern <[EMAIL PROTECTED]> wrote:
This is a domain account. To rehash: the Default Domain Policy is set to a min password length of 6 characters. This was created 2 years ago and never changed. The user account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL. Thanks

On 9/6/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert <[EMAIL PROTECTED]> wrote:
Tom, this is just a stab in the dark, but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl o
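The two filters debated in this exchange, as an added example that is not code from Paul or anyone else in the thread: a small Python model of a directory that applies the equality filter on 544 and the bitwise PASSWD_NOTREQD filter, with and without the objectCategory=person clause, so the difference in what each returns is visible. The object records and the short-form objectCategory values are constructed assumptions, not real directory data.

```python
# Added example (not code from Paul or any other poster): model the two userAccountControl
# queries from the thread against a constructed in-memory "directory", showing why an
# equality filter on 544 misses accounts and why the objectCategory=person clause matters.
from collections import namedtuple

# Well-known userAccountControl flag bits (a subset of the documented set).
UAC_FLAGS = {
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
PASSWD_NOTREQD, NORMAL_ACCOUNT = 0x20, 0x200
WORKSTATION_TRUST_ACCOUNT, DONT_EXPIRE_PASSWORD = 0x1000, 0x10000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # the OID in Paul's filter

# Simplified directory object; object_category is the short form ("person" or
# "computer") that AD resolves from the objectCategory DN.
Entry = namedtuple("Entry", "sam object_category object_classes uac")

def decode_uac(value):
    """Names of all flag bits set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def passwd_notreqd_filter():
    """Paul's bitwise LDAP filter, assembled from the constants above."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={PASSWD_NOTREQD}))")

def equality_544(e):
    """(&(objectClass=user)(userAccountControl=544)): matches one exact value only."""
    return "user" in e.object_classes and e.uac == 544

def bitand_no_category(e):
    """Bitwise test on objectClass=user alone: computer objects match too."""
    return "user" in e.object_classes and bool(e.uac & PASSWD_NOTREQD)

def bitand_person(e):
    """Paul's filter: person objects with PASSWD_NOTREQD set, whatever else is set."""
    return e.object_category == "person" and bitand_no_category(e)

def audit(entries, pred):
    """sAMAccountNames of the entries the given filter predicate would return."""
    return sorted(e.sam for e in entries if pred(e))

USER = ("top", "person", "organizationalPerson", "user")
DIRECTORY = [  # constructed sample objects, not data from any real directory
    Entry("alice", "person", USER, NORMAL_ACCOUNT),                                # 512
    Entry("bob", "person", USER, NORMAL_ACCOUNT | PASSWD_NOTREQD),                 # 544
    Entry("svc-backup", "person", USER,
          NORMAL_ACCOUNT | PASSWD_NOTREQD | DONT_EXPIRE_PASSWORD),                 # 66080
    Entry("WS01$", "computer", USER + ("computer",),
          WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD),                             # 4128
]
```

Running audit(DIRECTORY, ...) with the three predicates shows the equality filter returning only "bob", the bitwise filter without a category clause also returning the computer account, and Paul's filter returning exactly the two person objects whose bit is set.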
Re: [ActiveDir] DNS Entries --Laptop Users--
Hi Ravi,

Are you talking about your own company or is it for someone else's scenario? If it is for your own company then:

1) VPN box is Cisco PIX 515e
2) Your VPN box forwards all DNS queries to your DC / primary DNS server.
3) As far as I remember it does register machines (the moment your machine joins the domain and gets an IP from the domain it would register with DNS).

Now I am a bit perplexed... what seems to be the problem here?

Regards,
Jaspreet Singh Jolly

On 9/6/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:
1. I didn't understand what exactly you're asking?
2. Yes, DHCP is configured properly.
3. Yes, it is running on DC.
4. No, not running any other credential.
5. VPN machine is entirely a different box on another site.
6. It doesn't register in my DNS. (Will extract other information from Site B admin.)
Update you very soon... Thanks
RD

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] NTFRS - Journal Wrap Errors
If you only have a single DC then you should utilize D4 for an authoritative restore, as its own contents are the valid contents and there is nowhere else to pull from. You may need to restart FRS or possibly run a D2 on the new DC to get FRS replicating on that server as well. Check out downloading Sonar.exe for viewing FRS stats so that you can see if your backlogged files start replicating between the DCs once you do this. FRSdiag is also useful if you need to troubleshoot.

Sonar
http://www.microsoft.com/downloads/details.aspx?FamilyID=158cb0fb-fe09-477c-8148-25ae02cf15d8&DisplayLang=en

FRSdiag
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=43CB658E-8553-4DE7-811A-562563EB5EBF

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Burg
Sent: Thursday, September 07, 2006 1:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFRS - Journal Wrap Errors

Hi-

I am new to the list and was hoping someone could help with an ugly situation I was brought in to clean up:

I am working with a W2K native mode domain with only ONE active domain controller (W2K SP4). There is a second DC, but it was brought on-line after the journal wrap errors (Event 13568) began and has never replicated sysvol (it doesn't even exist on the box). It appears AD and such are working with the new DC... just not NTFRS. The original DC does have sysvol and appears to be working to authenticate clients as normal.

I need to get the journal wrap errors resolved so I can bring the second DC on-line, transfer FSMO roles and get the old box rebuilt since it doesn't even have redundant drives - Yikes!

Everything I have read says to do a D2 non-authoritative restore, but since I only have the one DC, where would it restore from? I have run an NT backup of c:\ and system state to try and get some comfort, but still am afraid of making matters worse.

Any suggestions/recommendations would be very much appreciated... I would like to get this cleaned up this week!

Thanks so much,
Aaron
[EMAIL PROTECTED]
RE: [ActiveDir] Strange password issue
UAC bitmask is 32. A normal user then gets UAC = 544. Try doing an LDAP query for (&(objectClass=user)(userAccountControl=544)). You could then modify the attribute to 512 on these users either with ADSIEdit or in a nice tool such as ADModify.net.

Note: if the option "password not required" is set, then you can either have a blank password or comply with the password policy in the defdom GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 6 September 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! :(

Following on from the last mail... You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that "password not required" is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern <[EMAIL PROTECTED]> wrote:
This is a domain account. To rehash: the Default Domain Policy is set to a min password length of 6 characters. This was created 2 years ago and never changed. The user account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL. Thanks

On 9/6/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert <[EMAIL PROTECTED]> wrote:
Tom, this is just a stab in the dark, but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks

2006-09-06, 11:32:05
RE: [ActiveDir] Separate Administrator password policy
Why not use certificates or RSA for admin accounts? If you have a PKI environment, that would be my suggestion. Then only the default Administrator account would be insecure, but that can be mitigated with a very long password. Another option is to put admin accounts in a separate child or top domain.

/petter borling

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 7 September 2006 05:54
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Separate Administrator password policy

Hi Al,

All good questions. I'll answer here, but if it starts to get hairy, let's take it offline (same as my post to Susan - I don't want this to become a deep discussion of our product on the list).

> Not to pick, but it occurs to me that you're trying to complicate the problem. While I agree that changing the passwords every 24 hours (whatever freq works is likely going to be fine) is not a bad idea, it has the likely problem of being very problematic. This is similar to a push vs. pull paradigm and if looked at that way, you have similar issues such as connectivity and reliability, i.e. how do you ensure that the password change was successful if there's a network outage? Or just a network blip?
> Is it important that you do so is assumed from the previous information to date. 100% reliability is mandatory in this kind of app.

Funny that you raise push vs. pull, as we have two modes of operation, called push and pull. :-) We "push" passwords to server-class target systems (e.g., AD, mainframes, whatever), and "pull" password changes from workstations (i.e., the workstations push to the server). The handshake used ensures that password changes are 100% reliable - we abort if there isn't a connection, etc.; and password history is retained just in case something went wrong anyways.

> A solution that scales up, down, or laterally is appropriate. Something that allows an account to traverse the different sites, possibly into the hundreds or even thousands, and allows almost instant revocation of the user account with administrative privileges should that become necessary during the course of normal business.

Scaling is easy enough - just arrange for different devices, of which there may be tens of thousands, to contact a central server at somewhat randomized times, and keep trying in case of powerdown, connection failures, etc. etc. This eliminates nasty traffic bursts. Traversing sites is easy too - use HTTPS to connect to the central server, and use whatever proxy settings are needed to "get out." Instant revocation is another matter. Our approach provides for timed revocation on workstations (due to limitations fundamental to pull mode), and instant revocation on servers (since push allows for it).

> Now, if only we had such a technology...

We sell it, more or less as described.

> Some suggestions that come to mind would be everything from a "toaster"-like device placed at the client site to a certificate based credential system. Hybrid ideas also entertained. Plenty of pros and cons for each, such as the ability to have something tangible at the client site that can also be a multi-functional device and can work semi-autonomously to monitor even if the WAN link goes away (different issues can be monitored.) It can also provide the 8th layer with a sense of investment and partnership. Downside is that it's more to manage and monitor. But that can be mitigated by allowing it to be sales person installable, meaning that if something goes wrong with the device, then you roll a salesperson to replace it. That gives the salesperson reason to have more facetime with the client and gives a chance to sell more business.

A service on each client device is probably cheaper than yet another machine at the client site, if you're managing lots of small-ish clients...

Of course, you pointed to other, unrelated but quite useful functionality above, such as WAN link monitoring.

> The conversation could be longer, but I'm sure that a solution is possible that fits many of the criteria defined. Because the original problem scope is to remove the administrative access, using a hybrid solution that relies on certificates and a toaster item would be more likely. The details and pricing would need to be hammered out in such a way that the final solution is reliable, inexpensive (drive adoption), and easy to use (dumb down the interface such that your salesforce or interns could deploy or you could even just drop ship one to the client and they could hook it up in 5 steps or less - similar to VoIP device installation in that sense.)

Personally, I'm not big on appliances ("toasters") -- in the end they are mostly just cheap Intel/AMD boxes, but without the hardware support that Dell/HP/IBM offer. Niche market vendors really can't offer the k