[ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread EIS Lists
Hi -

 

Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: 1 (without the quotes). There is a single
A-record under it for one of our printers.

 

Any idea what this folder is?

 

Thanks.

 

-- nme

RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread EIS Lists
Thanks, all. Ulf, your explanation was great! I am sure it was someone
(probably me!) who just typed a .1 in some setting on the printer and allowed it
to register in DNS.

 

Many thanks.

 

-- nme

 

Noah Eiger

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, January 24, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

Just 9:30 pm here, so not really late.

 

Many are mixing up the zones with the DNS-Subdomains or whatever they are
actually called. But in this case he even had it right, he said that under
the domain zone he has the _*-folders as well as a folder 1. I had to
reread too ;-)

 

How are things? See you in March?

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog:  http://msmvps.org/UlfBSimonWeidner
  Website:  http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

That's what I would expect.  But since the original poster called it a
zone I figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

No Zone - no properties ;-)

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

What are properties of the 1 zone? 

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: 1 (without the quotes). There is a single 
A-record  under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme





 

 



[ActiveDir] PHP Module for Windows

2007-01-24 Thread EIS Lists
Hi -

 

I reviewed PlexSSO (http://www.ioplex.com/), but it
appears to only run on Linux. Does anyone know of an off the shelf module
that will run under Windows?

 

Thanks.

 

-- nme

 

Noah Eiger

 

 

 



RE: [ActiveDir] PHP Module for Windows

2007-01-24 Thread EIS Lists
Thanks. I had a feeling that was the answer. I will pass it on to our
developer.

-- nme

-Original Message-
From: Michael B Allen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 24, 2007 6:06 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] PHP Module for Windows

On Wed, 24 Jan 2007 15:26:47 -0800
EIS Lists [EMAIL PROTECTED] wrote:

 I reviewed PlexSSO (http://www.ioplex.com/), but it
 appears to only run on Linux. Does anyone know of an off the shelf module
 that will run under Windows?

A number of people have asked us about this. I've been telling them just
use IIS w/ IWA but I must admit I've never tried running PHP w/ IIS so
I'm not sure if it would work. If you need the other is_memberof stuff or
the AD scripting stuff in 2.0 then I'm afraid there's no way unless you
write a C extension (and even then I don't think it would be as nice :-).

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] Password policy change

2005-08-29 Thread lists

That should work.  :-)

There are actually many web-, phone- and login-prompt- accessible
password change/synchronization/reset applications out there, some of
which support password updates to multiple types of systems, rather than 
just AD.


PROMOTIONAL ALERT - CLOSE YOUR EYES TO AVOID ADVERTISING
  One such is http://psynch.com/
/PROMOTIONAL ALERT - COULDN'T HELP MYSELF

Linking one of these to OWA should be trivial.  With this product, and 
probably others, you should have no trouble detecting password expiry and 
bouncing the user to the 'change now' page either.


Good luck,

-- Idan

On Mon, 29 Aug 2005, Cothern Jeff D. Team EITC wrote:


I have a possible solution for the OWA users.  I haven't used this particular 
software but we use one of their other products and it works well.  I'll let 
the website speak for itself.  But I believe this would provide a means via the 
web for your users to change their passwords.

http://www.anixis.com/products/ppeweb/default.htm

Jeff Cothern


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, August 29, 2005 4:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

OWA doesn't have a built in password change function but you can activate the 
standard IIS password changing module called iisadmpwd, which is placed in the 
options section of the OWA interface. However if the password has expired you'll 
be out of luck.

One article that covers this is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in 
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your 
password is expired (forced or otherwise) you aren't getting into OWA. I also 
don't believe it has a password change function if you just want to go and 
change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told 
the system to not allow people to change the password if the password age was 
less than one day and then were confused when it did exactly that. The reason 
for it is that there is one attribute for password age, pwdLastSet, and it 
doesn't distinguish between a helpdesk set operation or a normal password 
change, they are both password changes and you only want one day between every 
change. The proper way to handle that case is to force the users to change 
their password on next logon (which sets the pwdLastSet to 0), but as you know, 
that will kill OWA users. So you either need another process to follow for OWA 
only users, install some third party or custom inhouse tool, or drop the 
minimum password aging.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant!

I am not an outlook sort of person (we use Notes...), but the inferred statement 
surprises me. It suggests that if the must change password is set, you can't 
logon to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days is 
also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your 
password. If it did, it would surely allow you to logon, then require you to 
change the password before you do anything..

This all seems unlikely, given Microsoft's recommended use of forcing password 
changes on a regular basis and forcing users to change a password when a new 
user is created.

If it is all true, maybe you have to provide some way that the users can go to 
a Citrix portal and change their password there, then go back and use Outlook 
Web Access.

Alan Cuthbertson


 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml




- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Nevermind OWA = Outlook Web Access


On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
wrote:



I mean, if I use the check box to user must change password at next logon
our users whose only way into the domain is OWA will not prompt them to change
their password... Unless I am missing something.

Thanks

-Original 
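
The minimum-password-age behaviour joe describes in the thread above, modelled as an added example (not code from any list member or from Microsoft). The function names, the one-day policy and the timestamps are constructed for illustration, and the age comparison is a simplified model of the check, not the directory's own implementation.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # pwdLastSet and minPwdAge count 100-ns ticks

# Constructed sample policy: one-day minimum age. AD stores minPwdAge as a
# negative interval on the domain object; 0 means no minimum.
MIN_PWD_AGE_ONE_DAY = -86_400 * TICKS_PER_SECOND


def to_filetime(dt):
    """Convert an aware datetime to ticks since 1601-01-01 UTC."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def helpdesk_reset(now, must_change_at_next_logon):
    """pwdLastSet left behind by an administrative reset (simplified model)."""
    # "User must change password at next logon" sets pwdLastSet to 0;
    # otherwise the reset stamps the current time like any other change.
    return 0 if must_change_at_next_logon else to_filetime(now)


def user_change_allowed(pwd_last_set, min_pwd_age, now):
    """Would a user-initiated change pass the minimum-age check?"""
    if pwd_last_set == 0:
        return True  # flagged for change: no recorded age to enforce
    age = to_filetime(now) - pwd_last_set
    return age >= -min_pwd_age


def demo():
    reset_at = datetime(2005, 8, 27, 9, 0, tzinfo=timezone.utc)  # constructed
    hour_later = reset_at + timedelta(hours=1)
    plain = helpdesk_reset(reset_at, must_change_at_next_logon=False)
    flagged = helpdesk_reset(reset_at, must_change_at_next_logon=True)
    return {
        "plain reset, +1h": user_change_allowed(plain, MIN_PWD_AGE_ONE_DAY, hour_later),
        "flagged reset, +1h": user_change_allowed(flagged, MIN_PWD_AGE_ONE_DAY, hour_later),
        "plain reset, +25h": user_change_allowed(
            plain, MIN_PWD_AGE_ONE_DAY, reset_at + timedelta(hours=25)),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'blocked by minPwdAge'}")
```

Because a help desk reset and a user change both stamp the same attribute, only the flagged reset lets the user pick a new password within the minimum-age window.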

RE: [ActiveDir] Simultaneous password change on multiple DCs

2003-08-04 Thread Dummy account for mailing lists
Hi folks,

Seems like thank you notes are in order all around:

Dave, for the kind words.  :-)

Dean, for the update regarding Windows 2003, and in particular the fact
that it can replicate 'cleared intruder lockout' urgently.

Dèjì, for the pointer to acctinfo.dll, which lets administrators reset a
user's password and clear lockout on the user's home site, rather than
centrally.

Two more short notes:

  1) acctinfo.dll is very good at what it does: letting an administrator
     reset a user's password and clear lockouts on the user's home site.

     If the user interface is not MMC, or there is a self-service
     UI involved, or there is need to clear the lockout on multiple
     DCs, rather than just on the home site, then acctinfo.dll is not
     quite enough.

  2) While looking for more details about acctinfo.dll, I ran across
     this helpful presentation, and would recommend it as follow-on
     reading for anyone interested in the topic of lockouts and
     passwords in AD:

     support.microsoft.com/servicedesks/webcasts/en/wc022703/WC022703.ppt

Cheers,

- Idan

On Mon, 4 Aug 2003, Fugleberg, David A wrote:

 Thanks for the post, Idan.  When I started this thread in the first place, I had 
 absolutely no intention of knocking your product, so if anybody got a bad impression 
 of it because of this thread, I sincerely apologize.  In fact, that's why I didn't 
 mention the product or vendor in the post - but I guess the cat is out of the bag, 
 probably because you're the only vendor that even seems to recognize that there's an 
 issue with AD replication in specific environments that needs to be addressed to 
 make such a password management solution truly useful.

 My intent in posting the question in the first place (sans specific vendor/product 
 info) was to learn from this community what their experience has been with such 
 simultaneous changes in AD.  I suspect that even some organizations without P-Synch 
 have tried similar things on their own through scripting or other means...I know 
 that a similar scheme was suggested here long before we heard about P-Synch.  Our 
 environment is pretty much exactly what you described in your post.

 Good point that there's no 'free lunch', and that the advantages come with the price 
 of some additional replication.  I was just trying to quantify that tradeoff a bit.  
 I knew that with all the experts on this list I could get some good, objective 
 viewpoints to help me with that.

 Again, thanks for your informative post - I've been most impressed with the quality 
 of the technical support at M-Tech, and your post is a good example.

 Oh, one more thing - Deji asked why anybody would need more than acctinfo.dll - my 
 answer would be that P-Synch does way more than manage AD passwords; it can manage 
 passwords across many platforms, provide self-service resets, etc.  Since one of its 
 targets happens to be AD, it has all kinds of configurable features to work well in 
 different AD scenarios.  One of those optional features is the ability to figure out 
 where the user is and target their local DC.  The person doing the change is using a 
 browser at that point, so acctinfo.dll does them no good.

 Dave

 -Original Message-
 From: Dummy account for mailing lists [mailto:[EMAIL PROTECTED]
 Sent: Sunday, August 03, 2003 7:48 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs


 Hi guys,

 At the risk of getting a bit flamed, let me wade into this.  :-)

 I work for the vendor that makes this software (P-Synch from M-Tech), and
 I think a bit of clarification would be helpful:

   * The problem we address with the facility that supports writing a
 new password to multiple DCs is slow replication of the transition
 of the intruder lockout attribute on AD user objects from the locked
 to the unlocked state.  The following scenario is the one and only
 situation in which we would suggest to a customer to write password
 updates to more than one DC at a time:

 - There is a large, distributed AD domain (one production example is
   400 DCs spread over 70 countries).

 - Users throughout the distributed domain access either a central
   help desk or a central password-reset web application to reset
   forgotten passwords, and in particular to clear intruder lockouts.

 - The central server or help desk facility by default sets passwords
   and clears lockouts on a central DC (typically not the FSMO).

 - Users must subsequently and immediately access resources from
   DCs other than the one where the password reset / intruder unlock
   happened.

 - The AD domain runs Windows 2000 (slow replication of intruder
   unlocks was supposedly fixed for 2003, but I haven't verified
   yet).

   * If any of these is false for your organization - don't write
 password updates / intruder unlocks to multiple DCs