RE: [ActiveDir] Strange problem
Replied to the wrong email. Disregard.

Dana

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gibson, Dana
Sent: Wednesday, May 11, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange problem

They are dialing in and RAS is assigning an IP address. Someone needs to go in and assess what the environment looks like and maybe even do a quick test of URC in the environment.

Dana

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 10, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange problem

Delegating enabling a disabled account is a little more involved, well maybe not so much so. You can't just delegate that function. The disabled flag is maintained in useraccountcontrol which is home to lots of flags[1]. So delegating that attribute means you delegate things other than the ability to enable/disable. You also enable password not required, etc. One way around that would be to delegate account expiration since that can be maintained in a single attribute. If you want to "disable" the account, you simply set the date of expiration in the past.

To delegate useraccountcontrol
WP userAccountControl

To delegate accountexpiration
WP accountExpires

joe

[1] See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, May 10, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange problem

Thanks everyone for the inputs. I used the delegation wizard but it wasn't allowing me to "re-enable" a disabled account. So I decided to do that the hard way. Actually it's fixed, seems that I was just too much in a hurry.
This morning everything was working fine and I didn't change anything.
So it was like a "replication not done yet" issue.

Thanks!
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Strange problem
They are dialing in and RAS is assigning an IP address. Someone needs to go in and assess what the environment looks like and maybe even do a quick test of URC in the environment.

Dana

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 10, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange problem

Delegating enabling a disabled account is a little more involved, well maybe not so much so. You can't just delegate that function. The disabled flag is maintained in useraccountcontrol which is home to lots of flags[1]. So delegating that attribute means you delegate things other than the ability to enable/disable. You also enable password not required, etc. One way around that would be to delegate account expiration since that can be maintained in a single attribute. If you want to "disable" the account, you simply set the date of expiration in the past.

To delegate useraccountcontrol
WP userAccountControl

To delegate accountexpiration
WP accountExpires

joe

[1] See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, May 10, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange problem

Thanks everyone for the inputs. I used the delegation wizard but it wasn't allowing me to "re-enable" a disabled account. So I decided to do that the hard way. Actually it's fixed, seems that I was just too much in a hurry.
This morning everything was working fine and I didn't change anything.
So it was like a "replication not done yet" issue.

Thanks!
RE: [ActiveDir] Strange problem
My bad, I used the wrong word, I didn't mean disabled, but locked out account ;/.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, May 10, 2005 1:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Strange problem
>
> Delegating enabling a disabled account is a little more involved, well maybe not so much so. You can't just delegate that function. The disabled flag is maintained in useraccountcontrol which is home to lots of flags[1]. So delegating that attribute means you delegate things other than the ability to enable/disable. You also enable password not required, etc. One way around that would be to delegate account expiration since that can be maintained in a single attribute. If you want to "disable" the account, you simply set the date of expiration in the past.
>
> To delegate useraccountcontrol
> WP userAccountControl
>
> To delegate accountexpiration
> WP accountExpires
>
> joe
>
> [1] See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
> Sent: Tuesday, May 10, 2005 11:13 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Strange problem
>
> Thanks everyone for the inputs. I used the delegation wizard but it wasn't allowing me to "re-enable" a disabled account. So I decided to do that the hard way. Actually it's fixed, seems that I was just too much in a hurry.
> This morning everything was working fine and I didn't change anything.
> So it was like a "replication not done yet" issue.
>
> Thanks!
RE: [ActiveDir] Strange problem
Delegating enabling a disabled account is a little more involved, well maybe not so much so. You can't just delegate that function. The disabled flag is maintained in useraccountcontrol which is home to lots of flags[1]. So delegating that attribute means you delegate things other than the ability to enable/disable. You also enable password not required, etc. One way around that would be to delegate account expiration since that can be maintained in a single attribute. If you want to "disable" the account, you simply set the date of expiration in the past.

To delegate useraccountcontrol
WP userAccountControl

To delegate accountexpiration
WP accountExpires

joe

[1] See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, May 10, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange problem

Thanks everyone for the inputs. I used the delegation wizard but it wasn't allowing me to "re-enable" a disabled account. So I decided to do that the hard way. Actually it's fixed, seems that I was just too much in a hurry.
This morning everything was working fine and I didn't change anything.
So it was like a "replication not done yet" issue.

Thanks!
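An added illustration of joe's point above (this is not code from the list, from joe, or from Microsoft): the script decodes a userAccountControl value into the ADS_USER_FLAG_ENUM flags it carries, using the values from the enumeration his note [1] links to, and shows that one "WP userAccountControl" grant lets the holder set ACCOUNTDISABLE and, with the same write, PASSWD_NOTREQD or DONT_REQUIRE_PREAUTH, whereas accountExpires holds nothing but an expiry timestamp. It runs offline on constructed values; the function names and sample values are the example's own.

```powershell
# Added example, not from the original thread. Runs offline; touches no DC.

# Flag values from ADS_USER_FLAG_ENUM (the enumeration joe's note [1] links to).
$AdsUserFlags = [ordered]@{
    SCRIPT                                 = 0x0000001
    ACCOUNTDISABLE                         = 0x0000002
    HOMEDIR_REQUIRED                       = 0x0000008
    LOCKOUT                                = 0x0000010
    PASSWD_NOTREQD                         = 0x0000020
    PASSWD_CANT_CHANGE                     = 0x0000040
    ENCRYPTED_TEXT_PASSWORD_ALLOWED        = 0x0000080
    TEMP_DUPLICATE_ACCOUNT                 = 0x0000100
    NORMAL_ACCOUNT                         = 0x0000200
    INTERDOMAIN_TRUST_ACCOUNT              = 0x0000800
    WORKSTATION_TRUST_ACCOUNT              = 0x0001000
    SERVER_TRUST_ACCOUNT                   = 0x0002000
    DONT_EXPIRE_PASSWD                     = 0x0010000
    MNS_LOGON_ACCOUNT                      = 0x0020000
    SMARTCARD_REQUIRED                     = 0x0040000
    TRUSTED_FOR_DELEGATION                 = 0x0080000
    NOT_DELEGATED                          = 0x0100000
    USE_DES_KEY_ONLY                       = 0x0200000
    DONT_REQUIRE_PREAUTH                   = 0x0400000
    PASSWORD_EXPIRED                       = 0x0800000
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UserAccountControl {
    # Return the names of every flag set in $Value.
    param([Parameter(Mandatory)][int]$Value)
    $AdsUserFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Set-UacFlag {
    # Compute the attribute value a holder of "WP userAccountControl" would write
    # to turn one flag on or off. Every other flag rides along in the same write.
    param([int]$Value, [string]$Flag, [bool]$On)
    if ($On) { $Value -bor $AdsUserFlags[$Flag] }
    else     { $Value -band (-bnot $AdsUserFlags[$Flag]) }
}

# accountExpires is a FILETIME (100 ns ticks since 1601-01-01 UTC).
# Both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires".
function ConvertFrom-AccountExpires {
    param([Parameter(Mandatory)][long]$FileTime)
    if ($FileTime -eq 0 -or $FileTime -eq [long]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc($FileTime)
}
function ConvertTo-AccountExpires {
    param([Parameter(Mandatory)][DateTime]$When)
    $When.ToUniversalTime().ToFileTimeUtc()
}

# --- worked run on constructed values ---
$uac = 0x200                                     # NORMAL_ACCOUNT, enabled

# The intended delegation: flip ACCOUNTDISABLE.
$disabled = Set-UacFlag -Value $uac -Flag ACCOUNTDISABLE -On $true
'0x{0:X} -> {1}' -f $disabled, ((ConvertFrom-UserAccountControl $disabled) -join ', ')

# Same attribute, same write permission, different flag: no password required.
$weakened = Set-UacFlag -Value $uac -Flag PASSWD_NOTREQD -On $true
'0x{0:X} -> {1}' -f $weakened, ((ConvertFrom-UserAccountControl $weakened) -join ', ')

# joe's alternative: "disable" by expiring the account. accountExpires carries
# only this one date, so WP on it delegates nothing else.
$expired = ConvertTo-AccountExpires -When (Get-Date).AddDays(-1)
'accountExpires={0} ({1:u})' -f $expired, (ConvertFrom-AccountExpires $expired)
```

In a live directory the delegate would write that computed date with Set-ADAccountExpiration or the Account tab in ADUC; both touch only accountExpires, which is the reason joe prefers it over write access to userAccountControl.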
RE: [ActiveDir] Strange problem
Thanks everyone for the inputs. I used the delegation wizard but it wasn't allowing me to "re-enable" a disabled account. So I decided to do that the hard way. Actually it's fixed, seems that I was just too much in a hurry.
This morning everything was working fine and I didn't change anything.
So it was like a "replication not done yet" issue.

Thanks!
RE: [ActiveDir] Strange problem
To add to what Joe just said, you might run

DSACLS /S /T

This command will reset the permissions on the OU *and* all objects beneath it to the default set by the schema. This might help prevent any "junk" other than the perms you're trying to set from causing problems...

This is what it sounds like -- a RESET TO DEFAULT -- so don't use it if you have other delegation attached to the OU that you want to preserve. However, the default DOES include "inherit", so any perms attached explicitly to OUs (or the domain) "above" this OU will be inherited.

Dan
RE: [ActiveDir] Strange problem
You should need

For changing passwords without knowing old password
CA Change Password

For unlocking locked accounts
WP lockoutTime

For expiring passwords (force password to be changed on next logon)
WP pwdLastSet

Here is a dsacls command that will do the delegation (all one line)

dsacls BASE_DN /I:S /G "dom\grp:CA;Reset Password;user" "dom\grp:WP;lockoutTime;user" "dom\grp:WP;pwdLastSet;user"

Ex:

dsacls cn=users,dc=joe,dc=com /I:S /G "joe\accounttechs:CA;Reset Password;user" "joe\accounttechs:WP;lockoutTime;user" "joe\accounttechs:WP;pwdLastSet;user"

I just tried this and it worked fine.

Things I would check if things aren't working fine.

1. Verify with dsacls dump the delegated permissions
2. Verify replication of the group to all DCs
3. Verify via whoami or sectok that the group is in the token of the user attempting to make changes. This simply helps verify replication to the DC that auth'ed the user.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, May 09, 2005 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange problem

Hi,

I delegated the password management to the technicians group.
There is a glitch though, they can't seem to be able to reset passwords even if I gave the permission to do so (on the OU). All they get is Access denied (and the check box to set the "change password at next logon" bit is grayed).
The permissions have been set in the security tab, using the Advanced view of ADUC.

Here are the security settings for the Technicians group:

reset password
change password
read pwdLastSet
write pwdLastSet
read LockoutTime
write LockoutTime
read accountrestrictions

What am I missing here?

Thanks
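The first of joe's checks (dump the delegated permissions and compare them with what the dsacls line was supposed to create) can be scripted. The following is an added example, not joe's own code or Microsoft's: it reads an OU's security descriptor through the ActiveDirectory module's AD: drive, confirms that the three ACEs from his dsacls line are present for a group and flow down to user objects, and then lists every trustee that can write userAccountControl on users under that OU, which is the over-delegation he warns about in his other reply. $OuDn and $Group are placeholders to replace with your own; the schema GUIDs are the well-known values for those rights, attributes and the user class, and the function name is the example's own.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# (RSAT) module and an account that can read the OU's security descriptor.
Import-Module ActiveDirectory

$OuDn  = 'OU=Staff,DC=example,DC=com'   # placeholder: your OU
$Group = 'EXAMPLE\accounttechs'         # placeholder: your group, DOMAIN\name form

# Well-known schema / rights GUIDs (the same in every forest).
$Guid = @{
    ResetPassword      = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
    lockoutTime        = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute
    pwdLastSet         = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
    userAccountControl = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'  # userAccountControl attribute
    UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
}

function Test-DelegationAce {
    # True when an Allow ACE for $Identity carries $Right on $ObjectType and
    # flows down to $InheritedObjectType objects. An all-zero ObjectType means
    # "all properties" / "all extended rights" and satisfies the check too.
    param($Acl, [string]$Identity, [string]$Right, [guid]$ObjectType, [guid]$InheritedObjectType)
    $wanted = [System.DirectoryServices.ActiveDirectoryRights]$Right
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($wanted)) { continue }
        $typeOk  = ($ace.ObjectType -eq $ObjectType) -or ($ace.ObjectType -eq [guid]::Empty)
        $classOk = ($ace.InheritedObjectType -eq $InheritedObjectType) -or ($ace.InheritedObjectType -eq [guid]::Empty)
        $flowsOk = $ace.InheritanceType -ne 'None'    # dsacls /I:S yields Descendents
        if ($typeOk -and $classOk -and $flowsOk) { return $true }
    }
    return $false
}

$acl = Get-Acl -Path "AD:\$OuDn"

# The three ACEs joe's dsacls line creates.
$required = @(
    @{ Name = 'CA Reset Password'; Right = 'ExtendedRight'; Type = $Guid.ResetPassword },
    @{ Name = 'WP lockoutTime';    Right = 'WriteProperty'; Type = $Guid.lockoutTime },
    @{ Name = 'WP pwdLastSet';     Right = 'WriteProperty'; Type = $Guid.pwdLastSet }
)
foreach ($r in $required) {
    $ok = Test-DelegationAce -Acl $acl -Identity $Group -Right $r.Right -ObjectType $r.Type -InheritedObjectType $Guid.UserClass
    '{0,-20} {1}' -f $r.Name, $(if ($ok) { 'present' } else { 'MISSING' })
}

# joe's warning turned into a check: every trustee that can write
# userAccountControl (explicitly, or via "all properties" / GenericAll) on users here.
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq $Guid.userAccountControl -or $_.ObjectType -eq [guid]::Empty) -and
        ($_.InheritedObjectType -eq $Guid.UserClass -or $_.InheritedObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

For joe's third check, have the technician run whoami /groups in their own session and look for the delegated group; if it is absent, the DC that authenticated them has not yet received the membership change, and the Access denied is a replication symptom rather than an ACL one.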
Re: [ActiveDir] Strange problem
hi michel,

> (and the check box to set the "change password at next logon" bit is grayed.

i think it's a feature! right click the user, select properties/account and you can force the user to change the password at next logon. the second way is to delegate access to the Account Options and the check box is not grayed. i think that is not the best way.

i have delegated the reset password per script. imo it works when you delegate pwdLastSet and Reset Password. try the delegation wizard.

hans

--- "Bruyere, Michel" <[EMAIL PROTECTED]> wrote:

> Hi,
> I delegated the password management to the technicians group.
> There is a glitch though, they can't seem to be able to reset passwords even if I gave the permission to do so (on the OU). All they get is Access denied (and the check box to set the "change password at next logon" bit is grayed).
> The permissions have been set in the security tab, using the Advanced view of ADUC.
>
> Here are the security settings for the Technicians group:
>
> reset password
> change password
> read pwdLastSet
> write pwdLastSet
> read LockoutTime
> write LockoutTime
> read accountrestrictions
>
> What am I missing here?
>
> Thanks
RE: [ActiveDir] Strange problem
Are those accounts members of some default MS admin groups? (e.g. domain admins, account operators, etc.)

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, May 9, 2005 22:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange problem

Hi,

I delegated the password management to the technicians group.
There is a glitch though, they can't seem to be able to reset passwords even if I gave the permission to do so (on the OU). All they get is Access denied (and the check box to set the "change password at next logon" bit is grayed).
The permissions have been set in the security tab, using the Advanced view of ADUC.

Here are the security settings for the Technicians group:

reset password
change password
read pwdLastSet
write pwdLastSet
read LockoutTime
write LockoutTime
read accountrestrictions

What am I missing here?

Thanks
RE: [ActiveDir] Strange problem
Wouldn't it have been easier to use the delegation wizard to do that for you so you don't miss something?

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, May 09, 2005 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange problem

Hi,

I delegated the password management to the technicians group.
There is a glitch though, they can't seem to be able to reset passwords even if I gave the permission to do so (on the OU). All they get is Access denied (and the check box to set the "change password at next logon" bit is grayed).
The permissions have been set in the security tab, using the Advanced view of ADUC.

Here are the security settings for the Technicians group:

reset password
change password
read pwdLastSet
write pwdLastSet
read LockoutTime
write LockoutTime
read accountrestrictions

What am I missing here?

Thanks
[ActiveDir] Strange problem
Hi,

I delegated the password management to the technicians group.
There is a glitch though, they can't seem to be able to reset passwords even if I gave the permission to do so (on the OU). All they get is Access denied (and the check box to set the "change password at next logon" bit is grayed).
The permissions have been set in the security tab, using the Advanced view of ADUC.

Here are the security settings for the Technicians group:

reset password
change password
read pwdLastSet
write pwdLastSet
read LockoutTime
write LockoutTime
read accountrestrictions

What am I missing here?

Thanks
RE: [ActiveDir] strange problem, possibly SP4 related?
Ken,

I can say that in all of the testing and in all of the systems that we have moved - I haven't seen this behavior. But, there is a first for almost everything.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 21, 2003 2:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange problem, possibly SP4 related?

We applied SP4 to all of our Windows 2000 servers yesterday, and this morning I noticed something very odd. DNS on all of our domain controllers for our main domain (a dozen or so servers) decided to convert a standard secondary zone that they were all hosting into an AD integrated zone! Other domains' DCs are hosting secondary DNS zones, and they did not change. I can't say for certain this was due to applying SP4, and I can't say this didn't happen before yesterday, but it certainly is suspicious. Anyone hear of anything like this?
[ActiveDir] strange problem, possibly SP4 related?
We applied SP4 to all of our Windows 2000 servers yesterday, and this morning I noticed something very odd. DNS on all of our domain controllers for our main domain (a dozen or so servers) decided to convert a standard secondary zone that they were all hosting into an AD integrated zone! Other domains' DCs are hosting secondary DNS zones, and they did not change. I can't say for certain this was due to applying SP4, and I can't say this didn't happen before yesterday, but it certainly is suspicious. Anyone hear of anything like this?