RE: [ActiveDir] Strange problem

2005-05-11 Thread Gibson, Dana
Replied to the wrong email. Disregard.
Dana

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gibson, Dana
Sent: Wednesday, May 11, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange problem

They are dialing in and RAS is assigning an IP address. Someone needs to
go in and assess what the environment looks like and maybe even do a
quick test of URC in the environment.
Dana

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 10, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange problem

Delegating enabling a disabled account is a little more involved, well
maybe not so much so. You can't just delegate that function. The
disabled flag is maintained in useraccountcontrol which is home to lots
of flags[1]. So delegating that attribute means you delegate things
other than ability to enable/disable. You also enable password not
required, etc. One way around that would be to delegate account
expiration since that can be maintained in a single attribute. If you
want to "disable" the account, you simply set the date of expiration in
the past.

To delegate useraccountcontrol
WP userAccountControl

To delegate accountexpiration
WP accountExpires

   joe



[1] See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, May 10, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange problem

Thanks everyone for the inputs. I used the delegation wizard but it
wasn't allowing me to "re-enable" a disabled account. So I decided to do
that the hard way. Actually it's fixed, it seems that I was just in too
much of a hurry.
This morning everything was working fine and I didn't change anything.
So it was like a "replication not done yet" issue.

Thanks! 
 




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Strange problem

2005-05-11 Thread Gibson, Dana
They are dialing in and RAS is assigning an IP address. Someone needs to
go in and assess what the environment looks like and maybe even do a
quick test of URC in the environment.
Dana

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 10, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange problem

Delegating enabling a disabled account is a little more involved, well
maybe not so much so. You can't just delegate that function. The
disabled flag is maintained in useraccountcontrol which is home to lots
of flags[1]. So delegating that attribute means you delegate things
other than ability to enable/disable. You also enable password not
required, etc. One way around that would be to delegate account
expiration since that can be maintained in a single attribute. If you
want to "disable" the account, you simply set the date of expiration in
the past.

To delegate useraccountcontrol
WP userAccountControl

To delegate accountexpiration
WP accountExpires

   joe



[1] See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, May 10, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange problem

Thanks everyone for the inputs. I used the delegation wizard but it
wasn't allowing me to "re-enable" a disabled account. So I decided to do
that the hard way. Actually it's fixed, it seems that I was just in too
much of a hurry.
This morning everything was working fine and I didn't change anything.
So it was like a "replication not done yet" issue.

Thanks! 
 






RE: [ActiveDir] Strange problem

2005-05-10 Thread Bruyere, Michel
My bad, I used the wrong word, I didn't mean disabled, but locked out account 
;/.




> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, May 10, 2005 1:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Strange problem
> 
> Delegating enabling a disabled account is a little more involved, well
> maybe not so much so. You can't just delegate that function. The
> disabled flag is maintained in useraccountcontrol which is home to lots
> of flags[1]. So delegating that attribute means you delegate things
> other than ability to enable/disable. You also enable password not
> required, etc. One way around that would be to delegate account
> expiration since that can be maintained in a single attribute. If you
> want to "disable" the account, you simply set the date of expiration in
> the past.
> 
> To delegate useraccountcontrol
>   WP userAccountControl
> 
> To delegate accountexpiration
>   WP accountExpires
> 
>joe
> 
> 
> 
> [1] See
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
> Sent: Tuesday, May 10, 2005 11:13 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Strange problem
> 
> Thanks everyone for the inputs. I used the delegation wizard but it
> wasn't allowing me to "re-enable" a disabled account. So I decided to do
> that the hard way. Actually it's fixed, it seems that I was just in too
> much of a hurry.
> This morning everything was working fine and I didn't change anything.
> So it was like a "replication not done yet" issue.
> 
> Thanks!
> 
> 
> 
> 
> 


RE: [ActiveDir] Strange problem

2005-05-10 Thread joe
Delegating enabling a disabled account is a little more involved, well maybe
not so much so. You can't just delegate that function. The disabled flag is
maintained in useraccountcontrol which is home to lots of flags[1]. So
delegating that attribute means you delegate things other than ability to
enable/disable. You also enable password not required, etc. One way around
that would be to delegate account expiration since that can be maintained in
a single attribute. If you want to "disable" the account, you simply set the
date of expiration in the past.

To delegate useraccountcontrol
WP userAccountControl

To delegate accountexpiration
WP accountExpires

   joe



[1] See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, May 10, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange problem

Thanks everyone for the inputs. I used the delegation wizard but it
wasn't allowing me to "re-enable" a disabled account. So I decided to do
that the hard way. Actually it's fixed, it seems that I was just in too
much of a hurry.
This morning everything was working fine and I didn't change anything.
So it was like a "replication not done yet" issue.

Thanks! 
 




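Joe's point above is that userAccountControl is a single integer packed with many flags, so a write-property (WP) grant on it hands the delegate every flag, not just ACCOUNTDISABLE, whereas accountExpires is one attribute with one meaning. The following is an added example, not code from the thread or from any of the posters: it decodes the flag bits named in the ADS_USER_FLAG_ENUM reference joe cites, lists the sensitive flags a WP delegate could also set, and shows the accountExpires alternative (a FILETIME, 100-nanosecond ticks since 1601-01-01 UTC, where 0 and 0x7FFFFFFFFFFFFFFF mean "never expires"). The sample userAccountControl value and the one-day-in-the-past choice are constructed for the example.

```python
"""Added example (not from the thread): why write access to userAccountControl
is broader than "enable/disable", and how the accountExpires alternative works.
Flag values follow ADS_USER_FLAG_ENUM; FILETIME handling is the standard encoding."""
from datetime import datetime, timedelta, timezone

# Bit flags packed into userAccountControl (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    "SCRIPT": 0x1,
    "ACCOUNTDISABLE": 0x2,
    "HOMEDIR_REQUIRED": 0x8,
    "LOCKOUT": 0x10,
    "PASSWD_NOTREQD": 0x20,
    "PASSWD_CANT_CHANGE": 0x40,
    "ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x80,
    "TEMP_DUPLICATE_ACCOUNT": 0x100,
    "NORMAL_ACCOUNT": 0x200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQUIRE_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x1000000,
}

# Flags in the same attribute that weaken authentication for the account if a
# delegate who only needed enable/disable can write the whole integer.
RISKY_IF_WRITABLE = (
    "PASSWD_NOTREQD", "DONT_EXPIRE_PASSWD", "DONT_REQUIRE_PREAUTH",
    "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY",
)


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, ascending by bit."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
            if value & bit]


def set_flag(value, name, enabled):
    """Return value with one named flag switched on or off; other bits untouched."""
    bit = UAC_FLAGS[name]
    return value | bit if enabled else value & ~bit


def risky_flags_reachable(value):
    """Risky flags not yet set on this account that a WP on userAccountControl
    could switch on (write-property replaces the whole integer)."""
    return [n for n in RISKY_IF_WRITABLE if not value & UAC_FLAGS[n]]


# accountExpires is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)


def to_filetime(dt):
    """UTC datetime -> FILETIME ticks (microseconds * 10)."""
    return (dt - _EPOCH_1601) // timedelta(microseconds=1) * 10


def from_filetime(ft):
    """FILETIME -> UTC datetime, or None for the two 'never expires' values."""
    if ft in NEVER_EXPIRES:
        return None
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def is_expired(account_expires, now):
    """True once the stored expiry time has passed (accountExpires semantics)."""
    when = from_filetime(account_expires)
    return when is not None and when <= now


def expiry_for_soft_disable(now):
    """accountExpires value that 'disables' by expiration: a date in the past
    (one day ago, a constructed choice), leaving userAccountControl untouched."""
    return to_filetime(now - timedelta(days=1))


if __name__ == "__main__":
    uac = 0x200  # constructed sample: NORMAL_ACCOUNT, enabled
    print("disabled:", decode_uac(set_flag(uac, "ACCOUNTDISABLE", True)))
    print("a WP on userAccountControl could also set:", risky_flags_reachable(uac))
    now = datetime.now(timezone.utc)
    print("expired after soft-disable:", is_expired(expiry_for_soft_disable(now), now))
```

The practical check for a delegation review is `risky_flags_reachable`: if the delegate's only legitimate task is enable/disable, every name it returns is a capability the WP grant adds for free, which is the argument for delegating accountExpires instead.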


RE: [ActiveDir] Strange problem

2005-05-10 Thread Bruyere, Michel
Thanks everyone for the inputs. I used the delegation wizard but it
wasn't allowing me to "re-enable" a disabled account. So I decided to do
that the hard way. Actually it's fixed, it seems that I was just in too
much of a hurry.
This morning everything was working fine and I didn't change anything.
So it was like a "replication not done yet" issue.

Thanks! 
 






RE: [ActiveDir] Strange problem

2005-05-10 Thread Dan Holme
To add to what Joe just said, you might run

DSACLS  /S /T

This command will reset the permissions on the OU *and* all objects
beneath it to the default set by the schema.  This might help prevent
any "junk" other than the perms you're trying to set from causing
problems...  This is what it sounds like -- a RESET TO DEFAULT -- so
don't use it if you have other delegation attached to the OU that you
want to preserve.  However, the default DOES include "inherit", so any
perms attached explicitly to OUs (or the domain) "above" this OU will be
inherited.


Dan


RE: [ActiveDir] Strange problem

2005-05-10 Thread joe
You should need

For changing passwords without knowing old password
CA Change Password 

For unlocking locked accounts
WP lockoutTime

For expiring passwords (force password to be changed on next logon)
WP pwdLastSet


Here is a dsacls command that will do the delegation (all one line)

dsacls BASE_DN /I:S /G "dom\grp:CA;Reset Password;user"
"dom\grp:WP;lockoutTime;user" "dom\grp:WP;pwdLastSet;user"

Ex:

dsacls cn=users,dc=joe,dc=com /I:S /G "joe\accounttechs:CA;Reset
Password;user" "joe\accounttechs:WP;lockoutTime;user"
"joe\accounttechs:WP;pwdLastSet;user"



I just tried this and it worked fine. 



Things I would check if things aren't working fine.

1. Verify with dsacls dump the delegated permissions
2. Verify replication of the group to all DCs
3. Verify via whoami or sectok that the group is in the token of the user
attempting to make changes. This simply helps verify replication to the DC
that auth'ed the user. 

  joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, May 09, 2005 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange problem

Hi, 
I delegated the password management to the technicians group.
There is a glitch though, they can't seem to be able to reset passwords even
if I gave the permission to do so (on the OU). All they get is Access denied
(and the check box to set the "change password at next logon" bit is grayed).
The permissions have been set in the security tab, using the Advanced view
of ADUC.

Here are the security settings for the Technicians group:

reset password
change password
read pwdLastSet
write pwdLastSet
read LockoutTime
write LockoutTime
read accountrestrictions


What am I missing here?


Thanks


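Joe's first checklist item is to dump the ACL with dsacls and verify the delegated permissions. The following is an added example, not code from the thread or from any poster: it parses the `/G "trustee:perms;target;inherited-type"` grant syntax used in joe's dsacls command, checks whether a trustee holds the three rights that command grants (CA Reset Password, WP lockoutTime, WP pwdLastSet) on user objects, and flags grants that go beyond password administration (generic rights, write to all properties, or write to userAccountControl). `JOE_COMMAND` is the command from the post; `MICHEL_GUI` is a constructed translation of the GUI-set list in the first post into the same syntax, and the property-set spelling "Account Restrictions" there is an assumption used only as parser input.

```python
"""Added example (not from the thread): check a dsacls delegation against the
minimal set joe's command grants, and flag grants broader than needed.
Only the dsacls /G "trustee:perms;target;inherited-type" syntax is parsed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    trustee: str       # "dom\\group", lower-cased
    right: str         # two-letter dsacls code, e.g. WP, RP, CA, GA
    target: str        # attribute or extended-right name, lower-cased; "" = whole object
    inherit_type: str  # object class the ACE is inherited onto, e.g. "user"


def parse_grant(spec):
    """Expand one /G argument into Aces, one per two-letter right in perms."""
    trustee, _, rest = spec.partition(":")
    if not trustee or not rest:
        raise ValueError(f"malformed grant: {spec!r}")
    parts = rest.split(";")
    perms = parts[0].strip()
    target = parts[1].strip().lower() if len(parts) > 1 else ""
    inherit = parts[2].strip().lower() if len(parts) > 2 else ""
    if not perms or len(perms) % 2:
        raise ValueError(f"bad permission string in {spec!r}")
    codes = [perms[i:i + 2].upper() for i in range(0, len(perms), 2)]
    return [Ace(trustee.lower(), c, target, inherit) for c in codes]


def parse_dsacls_command(cmdline):
    """Collect every grant that follows /G on a dsacls command line (quoted or bare)."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    aces, collecting = [], False
    for tok in tokens:
        if tok.startswith("/"):          # any switch ends the /G argument list
            collecting = tok.upper() == "/G"
        elif collecting:
            aces.extend(parse_grant(tok))
    return aces


# What the working command in the post grants: reset without the old password,
# unlock (write lockoutTime), force a change at next logon (write pwdLastSet).
REQUIRED = {
    ("CA", "reset password"),
    ("WP", "lockouttime"),
    ("WP", "pwdlastset"),
}


def missing_for_password_tech(aces, trustee, obj_class="user"):
    """Required (right, target) pairs the trustee does not hold on obj_class."""
    held = {(a.right, a.target) for a in aces
            if a.trustee == trustee.lower() and a.inherit_type in ("", obj_class)}
    return REQUIRED - held


# Generic / ownership rights that hand over far more than password administration.
BROAD_RIGHTS = {"GA", "GW", "WD", "WO"}


def overbroad_grants(aces):
    """Aces beyond password administration: generic rights, write to every
    property, or write to userAccountControl (a multi-flag attribute)."""
    return [a for a in aces
            if a.right in BROAD_RIGHTS
            or (a.right == "WP" and a.target in ("", "useraccountcontrol"))]


# The command from the post (one line).
JOE_COMMAND = (r'dsacls cn=users,dc=joe,dc=com /I:S /G '
               r'"joe\accounttechs:CA;Reset Password;user" '
               r'"joe\accounttechs:WP;lockoutTime;user" '
               r'"joe\accounttechs:WP;pwdLastSet;user"')

# Constructed: the first post's GUI-set list expressed in dsacls grant syntax.
MICHEL_GUI = [
    r"dom\technicians:CA;Reset Password;user",
    r"dom\technicians:CA;Change Password;user",
    r"dom\technicians:RPWP;pwdLastSet;user",
    r"dom\technicians:RPWP;lockoutTime;user",
    r"dom\technicians:RP;Account Restrictions;user",  # property set, spelling assumed
]

if __name__ == "__main__":
    aces = parse_dsacls_command(JOE_COMMAND)
    print("missing (joe):", missing_for_password_tech(aces, r"joe\accounttechs"))
    gui = [a for s in MICHEL_GUI for a in parse_grant(s)]
    print("missing (gui):", missing_for_password_tech(gui, r"dom\technicians"))
    print("overbroad:", overbroad_grants(parse_grant(r"dom\helpdesk:WP;userAccountControl;user")))
```

Run against the GUI-set list, the check reports nothing missing, which matches how the thread ended: the ACL was right and the delay was replication, so the remaining checklist items (group replicated to every DC, group present in the technician's token) are where to look when this check passes but access is still denied.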


Re: [ActiveDir] Strange problem

2005-05-10 Thread Hans Halbmayr
hi michel,

> (and the check box to set the "change password at
next logon" bit is grayed).
 
i think it's a feature! right click the user select
properties/account and you can force the user to
change the password at next logon. the second way is
to delegate access to the Account Options and the
check box is not grayed. i think that is not the best
way.

i have delegated the reset password per script. imo it
works when you delegate pwdLastSet and Reset Password.
try the delegation wizard.

hans


--- "Bruyere, Michel" <[EMAIL PROTECTED]> wrote:
> Hi, 
>   I delegated the password management to the
> technicians group.
> There is a glitch though, they can't seem to be able to reset
> passwords even if I gave the permission to do so (on the OU). All
> they get is Access denied (and the check box to set the "change
> password at next logon" bit is grayed).
> The permissions have been set in the security tab,
> using the Advanced
> view of ADUC.
> 
> Here are the security settings for the Technicians
> group:
> 
> reset password
> change password
> read pwdLastSet
> write pwdLastSet
> read LockoutTime
> write LockoutTime
> read accountrestrictions
> 
> 
> What am I missing here?
> 
> 
> Thanks
> 
> 


RE: [ActiveDir] Strange problem

2005-05-10 Thread Jorge de Almeida Pinto
Are those accounts members of some default MS admin groups? (e.g. domain
admins, account operators, etc.)

#JORGE# 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: maandag 9 mei 2005 22:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange problem

Hi, 
I delegated the password management to the technicians group.
There is a glitch though, they can't seem to be able to reset passwords even
if I gave the permission to do so (on the OU). All they get is Access denied
(and the check box to set the "change password at next logon" bit is grayed).
The permissions have been set in the security tab, using the Advanced view
of ADUC.

Here are the security settings for the Technicians group:

reset password
change password
read pwdLastSet
write pwdLastSet
read LockoutTime
write LockoutTime
read accountrestrictions


What am I missing here?


Thanks




RE: [ActiveDir] Strange problem

2005-05-09 Thread Al Mulnick


Wouldn't it have been easier to use the delegation wizard to do that for
you so you don't miss something? 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, May 09, 2005 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange problem

Hi, 
I delegated the password management to the technicians group.
There is a glitch though, they can't seem to be able to reset passwords
even if I gave the permission to do so (on the OU). All they get is
Access denied (and the check box to set the "change password at next
logon" bit is grayed).
The permissions have been set in the security tab, using the Advanced
view of ADUC.

Here are the security settings for the Technicians group:

reset password
change password
read pwdLastSet
write pwdLastSet
read LockoutTime
write LockoutTime
read accountrestrictions


What am I missing here?


Thanks




[ActiveDir] Strange problem

2005-05-09 Thread Bruyere, Michel
Hi, 
I delegated the password management to the technicians group.
There is a glitch though, they can't seem to be able to reset passwords
even if I gave the permission to do so (on the OU). All they get is
Access denied (and the check box to set the "change password at next
logon" bit is grayed).
The permissions have been set in the security tab, using the Advanced
view of ADUC.

Here are the security settings for the Technicians group:

reset password
change password
read pwdLastSet
write pwdLastSet
read LockoutTime
write LockoutTime
read accountrestrictions


What am I missing here?


Thanks




RE: [ActiveDir] strange problem, possibly SP4 related?

2003-07-21 Thread Rick Kingslan



Ken,
 
I can say that in all of the testing and in all of the 
systems that we have moved - I haven't seen this behavior.  But, there is a 
first for almost everything.
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 21, 2003 2:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange problem, possibly SP4 related?

We applied SP4 to all of our windows 2000 servers yesterday, and this
morning I noticed something very odd. DNS on all of our domain
controllers for our main domain (a dozen or so servers) decided to
convert a standard secondary zone that they were all hosting into an AD
integrated zone!
 
Other domains DCs are hosting secondary DNS zones, 
and they did not change.
 
I can't say for certain this was due to applying SP4, and I can't say
this didn't happen before yesterday, but it certainly is suspicious.
Anyone hear of anything like this?


[ActiveDir] strange problem, possibly SP4 related?

2003-07-21 Thread Ken Cornetet



We applied SP4 to all of our windows 2000 servers yesterday, and this
morning I noticed something very odd. DNS on all of our domain
controllers for our main domain (a dozen or so servers) decided to
convert a standard secondary zone that they were all hosting into an AD
integrated zone!
 
Other domains DCs are hosting secondary DNS zones, 
and they did not change.
 
I can't say for certain this was due to applying SP4, and I can't say
this didn't happen before yesterday, but it certainly is suspicious.
Anyone hear of anything like this?