Re: OT: Made me chuckle

2010-03-19 Thread Angus Scott-Fleming
On 19 Mar 2010 at 10:38, Sherry Abercrombie  wrote:  

> What I find amazing is that the fired employee's account wasn't disabled
> immediately upon termination. Sheesh, talk about asking for trouble. 

RTFA.  It was, he used another employee's account.  I wonder if there should be 
a new company policy:

Upon termination of any employee, all existing passwords will immediately 
be expired.

That would be a LOT of fun to implement in a large company, although in a large 
company it could be tempered with "all existing passwords in the employee's 
department".

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~


Re: CMD line way to change CD Rom drive letter

2010-03-19 Thread Angus Scott-Fleming
On 19 Mar 2010 at 12:31, Steven M. Caesare  wrote:

> Perzactly.
> 
> Not to mention the drive-letter juggling that happens on the low end
> when you add drives, mount .ISO's, insert USB keys, etc...

--- Included Stuff Follows --- 

"USBDLM is a Windows service that gives control over Windows' drive letter 
assignment for USB drives. Running as service makes it independent of the 
logged on user's privileges, so there is no need to give the users the 
privilege to change drive letters.

"It automatically solves conflicts between USB drives and network or subst 
drives of the currently logged on user.

"Furthermore you can define new default letters for USB drives and much 
more."

- Included Stuff Ends -
More here with links: http://www.uwe-sieber.de/usbdlm_e.html

It looks like it has some really useful features:

--- Included Stuff Follows --- 

  Configuration
 
Running without a configuration USBDLM only prevents that a new drive 
gets the letter of a network share or a subst drive of the currently 
logged on user. It remounts then to the next letter that is really 
available.

USBDLM is configured thru a text file, the USBDLM.INI. The USBDLM.INI is 
read from the folder of the USBDLM.EXE.

If required, read at Wikipedia how INI files work.

  New default letters for new USB drives (flash or harddrive)

[DriveLetters]
Letter1=U
Letter2=Y
Letter3=Z

USBDLM can have up to 9 'LetterX' entries in each section. They don't have 
to be continuous.

You can also use the short notation:

[DriveLetters]
Letters=U,Y,Z

Have a look into the help file USBDLM_ENG.CHM for more details. If you get 
the 'cannot display the webpage' error then the help file has the NTFS 
file attribute 'downloaded from untrusted source' and Microsoft doesn't 
trust its own CHM file format. To fix this right click the USBDLM_E.CHM, 
select Properties and click Unblock.

The help file is available online as HTML version too.


  Card Readers

The typical 20-in-1 card reader eats one drive letter for each of its 
slots - if we have a card for or not. USBDLM can remove the reader's drive 
letter until a media is inserted.

[Settings]
NoMediaNoLetter=1


USBDLM assigns then a drive letter as configured. If you need different 
drive letters for a multislot cardreader, then use the criterion 
'DeviceType' in a DriveLetters section (MSCR is short for 
MultiSlotCardReader which can be used too):

[DriveLetters1]
DeviceType=MSCR
Letter1=R
Letter2=W
Letter3=


  Excluded drive letters

You can prevent Windows mounting to certain letters by putting them into 
section ExcludedLetters. This is especially useful for letters of network 
shares which Windows may assign to USB drives while booting. Do not 
configure other letters than network, subst and TrueCrypt drives here!

[ExcludedLetters]
Letter1=F
Letter2=
Letter3=

- Included Stuff Ends -

Anyone here have any experience with this?

A

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/







Re: dell rant

2010-03-19 Thread Kurt Buff
zfs is looking better all the time...

On Fri, Mar 19, 2010 at 17:42, Jonathan Link  wrote:
> I'm with ASB on this one.
> Although, I have a SAN, and my drives are even more expensive, so...
>
> On Fri, Mar 19, 2010 at 8:16 PM, Phil Brutsche  wrote:
>>
>> Not $300 RAID firmware, but $300 certifying the firmware to guarantee it
>> will work right with the RAID controller :(
>>
>> On 3/19/2010 7:03 PM, Erik Goldoff wrote:
>> > But $300 RAID Firmware : (
>>
>> --
>>
>> Phil Brutsche
>> p...@optimumdata.com
>>



Re: OTish: Web programming, AD, delegation and the double hop issue

2010-03-19 Thread Kurt Buff
I've set up NTLM stuff in FF - that's not a problem.

It's the Kerberos stuff that I think is biting us. I'm looking at
'network.negotiate-auth.delegation-uris' for some help, among other
things.

Kurt

On Fri, Mar 19, 2010 at 18:04, Richard Stovall  wrote:
> Regarding Firefox, you can allow it to do integrated auth with IIS if
> you want to.  Search for Firefox and NTLM.  There are two about:config
> entries to change, IIRC.  One to turn it on, the second to enumerate
> the trusted sites.  The Firefox gurus prolly know a way to push this
> out globally via GPO.  (Or disable it, if that's preferred.)
>
> On Fri, Mar 19, 2010 at 8:15 PM, Kurt Buff  wrote:
>> All,
>>
>> We've hired a new web guy (I am not a programmer/web developer), and
>> while he's pretty good, it's all been plain web stuff for him before
>> now - nothing like the AD stuff we're throwing at him.
>>
>> He's got nice web pages going with queries to AD, like phone lists and
>> such, where roles and accountability aren't an issue, but we're also
>> trying to get some pages up that are more workflow-ish, and require
>> approvals by specific users.
>>
>> Does anyone have a set of resources on how to work through this kind
>> of thing? We've got a few books, and I've helped him with a buncha
>> googling, but if you can point me at some good docs, I'd appreciate
>> it.
>>
>> If it matters, we're a Win2k3 shop, running at 2003 FFL/DFL.
>>
>> Also, I'm not up on all of the backend technicalities, so background
>> material for this for me wouldn't hurt either
>>
>> One other thing we're working on is to add Firefox to the mix - any
>> help there would be useful.
>>
>>
>> Thanks,
>>
>> Kurt
>>
>> PS - here are some of the web resources I've looked at, and fed the
>> web guy - I don't have the names of the books handy, as the web guy
>> took them home for the weekend, but I know that Joe Kaplan is
>> co-author on one of them:
>>
>> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
>>
>> http://blogs.technet.com/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx
>>
>> http://blogs.technet.com/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx
>>
>> http://support.microsoft.com/kb/907273
>>
>> http://grolmsnet.de/kerbtut/firefox.html
>>
>> https://developer.mozilla.org/en/Integrated_Authentication
>>



Re: OTish: Web programming, AD, delegation and the double hop issue

2010-03-19 Thread Kurt Buff
Excellent. That's a great link.

Thanks.

On Fri, Mar 19, 2010 at 17:49, Free, Bob  wrote:
>> I know that Joe Kaplan is co-author on one of them:
>
> Can't go wrong with Joe Kaplan (and Ryan Dunn) 
> http://directoryprogramming.net/
>
>
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Friday, March 19, 2010 5:16 PM
> To: NT System Admin Issues
> Subject: OTish: Web programming, AD, delegation and the double hop issue
>
> All,
>
> We've hired a new web guy (I am not a programmer/web developer), and
> while he's pretty good, it's all been plain web stuff for him before
> now - nothing like the AD stuff we're throwing at him.
>
> He's got nice web pages going with queries to AD, like phone lists and
> such, where roles and accountability aren't an issue, but we're also
> trying to get some pages up that are more workflow-ish, and require
> approvals by specific users.
>
> Does anyone have a set of resources on how to work through this kind
> of thing? We've got a few books, and I've helped him with a buncha
> googling, but if you can point me at some good docs, I'd appreciate
> it.
>
> If it matters, we're a Win2k3 shop, running at 2003 FFL/DFL.
>
> Also, I'm not up on all of the backend technicalities, so background
> material for this for me wouldn't hurt either
>
> One other thing we're working on is to add Firefox to the mix - any
> help there would be useful.
>
>
> Thanks,
>
> Kurt
>
> PS - here are some of the web resources I've looked at, and fed the
> web guy - I don't have the names of the books handy, as the web guy
> took them home for the weekend, but I know that Joe Kaplan is
> co-author on one of them:
>
> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
>
> http://blogs.technet.com/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx
>
> http://blogs.technet.com/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx
>
> http://support.microsoft.com/kb/907273
>
> http://grolmsnet.de/kerbtut/firefox.html
>
> https://developer.mozilla.org/en/Integrated_Authentication
>



RE: dell rant

2010-03-19 Thread Erik Goldoff
Don’t mistake my comment, I agree as well.  Running the Compaq/HP SMART
arrays using *only* the Compaq/HP drives with certified firmware I had very
little problem, and that which I did was supported and swiftly handled by
their warranty team.  That’s what I want, no, demand on enterprise storage …

 

Erik Goldoff

IT  Consultant

Systems, Networks, & Security 

'  Security is an ongoing process, not a one time event ! '

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Friday, March 19, 2010 8:42 PM
To: NT System Admin Issues
Subject: Re: dell rant

 

I'm with ASB on this one.

Although, I have a SAN, and my drives are even more expensive, so...

On Fri, Mar 19, 2010 at 8:16 PM, Phil Brutsche  wrote:

Not $300 RAID firmware, but $300 certifying the firmware to guarantee it
will work right with the RAID controller :(

On 3/19/2010 7:03 PM, Erik Goldoff wrote:
> But $300 RAID Firmware : (


--

Phil Brutsche
p...@optimumdata.com


Re: DFS setup with 300 gb data

2010-03-19 Thread Andrew Levicki
Other variables are the speed of the LAN and the available performance  
of the DFS servers.



===

Andrew Levicki MCSE MCITP CCNA

On 2010/03/20, at 9:30, "Charlie Kaiser"   
wrote:


New client, setting up a domain DFS implementation for them. The folder to be
replicated contains 300+ GB with about 70K folders. The root folder
structure is only a dozen or so, though.

Replication is going to be with one other server for failover redundancy.

Most of the files are small (under 10 MB)

The machines are on the same LAN.

I'm looking for some ideas of how long initial replication of these files
will take. Any rough ideas?

Thanks!

***
Charlie Kaiser
charl...@golden-eagle.org
Kingman, AZ
***




RE: Deploy xpmode updates av and such

2010-03-19 Thread Malcolm Reitz
We're gonna try like heck not to use it. Don't want to have to support 2
OSes on a single PC for the reasons you've mentioned and more.

-Malcolm

-Original Message-
From: jgarciaitl...@gmail.com [mailto:jgarciaitl...@gmail.com] 
Sent: Friday, March 19, 2010 19:44
To: NT System Admin Issues
Subject: Deploy xpmode updates av and such

Any ideas of deploying for xpmode in windows 7?
Sent via BlackBerry from T-Mobile



Re: OTish: Web programming, AD, delegation and the double hop issue

2010-03-19 Thread Richard Stovall
Regarding Firefox, you can allow it to do integrated auth with IIS if
you want to.  Search for Firefox and NTLM.  There are two about:config
entries to change, IIRC.  One to turn it on, the second to enumerate
the trusted sites.  The Firefox gurus prolly know a way to push this
out globally via GPO.  (Or disable it, if that's preferred.)

On Fri, Mar 19, 2010 at 8:15 PM, Kurt Buff  wrote:
> All,
>
> We've hired a new web guy (I am not a programmer/web developer), and
> while he's pretty good, it's all been plain web stuff for him before
> now - nothing like the AD stuff we're throwing at him.
>
> He's got nice web pages going with queries to AD, like phone lists and
> such, where roles and accountability aren't an issue, but we're also
> trying to get some pages up that are more workflow-ish, and require
> approvals by specific users.
>
> Does anyone have a set of resources on how to work through this kind
> of thing? We've got a few books, and I've helped him with a buncha
> googling, but if you can point me at some good docs, I'd appreciate
> it.
>
> If it matters, we're a Win2k3 shop, running at 2003 FFL/DFL.
>
> Also, I'm not up on all of the backend technicalities, so background
> material for this for me wouldn't hurt either
>
> One other thing we're working on is to add Firefox to the mix - any
> help there would be useful.
>
>
> Thanks,
>
> Kurt
>
> PS - here are some of the web resources I've looked at, and fed the
> web guy - I don't have the names of the books handy, as the web guy
> took them home for the weekend, but I know that Joe Kaplan is
> co-author on one of them:
>
> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
>
> http://blogs.technet.com/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx
>
> http://blogs.technet.com/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx
>
> http://support.microsoft.com/kb/907273
>
> http://grolmsnet.de/kerbtut/firefox.html
>
> https://developer.mozilla.org/en/Integrated_Authentication
>



Re: Deploy xpmode updates av and such

2010-03-19 Thread Richard Stovall
This is, IMHO, the Achilles heel of XP Mode.  I don't have any of the
fancy tools from MS for VM deployment, so what I've done for my
less-than-a-handful of XP Mode deployments is join them to the domain
and put them in their own OU for WSUS purposes, etc.  For my own XPM
VM, I changed the default credentials to be a domain user, but that
sort of stuff is dependent on the end user, I suppose.  Particularly
if you don't have a comprehensive management solution.

On Fri, Mar 19, 2010 at 8:44 PM,   wrote:
> Any ideas of deploying for xpmode in windows 7?
> Sent via BlackBerry from T-Mobile
>



RE: OTish: Web programming, AD, delegation and the double hop issue

2010-03-19 Thread Free, Bob
> I know that Joe Kaplan is co-author on one of them:

Can't go wrong with Joe Kaplan (and Ryan Dunn) http://directoryprogramming.net/



-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Friday, March 19, 2010 5:16 PM
To: NT System Admin Issues
Subject: OTish: Web programming, AD, delegation and the double hop issue

All,

We've hired a new web guy (I am not a programmer/web developer), and
while he's pretty good, it's all been plain web stuff for him before
now - nothing like the AD stuff we're throwing at him.

He's got nice web pages going with queries to AD, like phone lists and
such, where roles and accountability aren't an issue, but we're also
trying to get some pages up that are more workflow-ish, and require
approvals by specific users.

Does anyone have a set of resources on how to work through this kind
of thing? We've got a few books, and I've helped him with a buncha
googling, but if you can point me at some good docs, I'd appreciate
it.

If it matters, we're a Win2k3 shop, running at 2003 FFL/DFL.

Also, I'm not up on all of the backend technicalities, so background
material for this for me wouldn't hurt either

One other thing we're working on is to add Firefox to the mix - any
help there would be useful.


Thanks,

Kurt

PS - here are some of the web resources I've looked at, and fed the
web guy - I don't have the names of the books handy, as the web guy
took them home for the weekend, but I know that Joe Kaplan is
co-author on one of them:

http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx

http://blogs.technet.com/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx

http://blogs.technet.com/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx

http://support.microsoft.com/kb/907273

http://grolmsnet.de/kerbtut/firefox.html

https://developer.mozilla.org/en/Integrated_Authentication


Re: dell rant

2010-03-19 Thread Richard Stovall
Tis different, IMHO.  If I'm buying a low end server with SATA drives
I don't expect to have to pay Dell or HP for OEM drives with some
custom firmware, which is exactly what you're getting.  If you're
buying drives for a name brand SAN, then that's a different story.
I'm not at all happy that 1TB "FATA" drives for my EVA cost damn near
$1000 each, but I'll pay it for that application.  This is a different
beast altogether.

IMHO.

On Fri, Mar 19, 2010 at 8:42 PM, Jonathan Link  wrote:
> I'm with ASB on this one.
> Although, I have a SAN, and my drives are even more expensive, so...
>
> On Fri, Mar 19, 2010 at 8:16 PM, Phil Brutsche  wrote:
>>
>> Not $300 RAID firmware, but $300 certifying the firmware to guarantee it
>> will work right with the RAID controller :(
>>
>> On 3/19/2010 7:03 PM, Erik Goldoff wrote:
>> > But $300 RAID Firmware : (
>>
>> --
>>
>> Phil Brutsche
>> p...@optimumdata.com
>>



Deploy xpmode updates av and such

2010-03-19 Thread jgarciaitlist
Any ideas of deploying for xpmode in windows 7?
Sent via BlackBerry from T-Mobile



Re: dell rant

2010-03-19 Thread Jonathan Link
I'm with ASB on this one.
Although, I have a SAN, and my drives are even more expensive, so...

On Fri, Mar 19, 2010 at 8:16 PM, Phil Brutsche  wrote:

> Not $300 RAID firmware, but $300 certifying the firmware to guarantee it
> will work right with the RAID controller :(
>
> On 3/19/2010 7:03 PM, Erik Goldoff wrote:
> > But $300 RAID Firmware : (
>
> --
>
> Phil Brutsche
> p...@optimumdata.com
>

DFS setup with 300 gb data

2010-03-19 Thread Charlie Kaiser
New client, setting up a domain DFS implementation for them. The folder to be
replicated contains 300+ GB with about 70K folders. The root folder
structure is only a dozen or so, though.

Replication is going to be with one other server for failover redundancy.

Most of the files are small (under 10 MB)

The machines are on the same LAN.

I'm looking for some ideas of how long initial replication of these files
will take. Any rough ideas?

Thanks!

***
Charlie Kaiser
charl...@golden-eagle.org
Kingman, AZ
*** 




OTish: Web programming, AD, delegation and the double hop issue

2010-03-19 Thread Kurt Buff
All,

We've hired a new web guy (I am not a programmer/web developer), and
while he's pretty good, it's all been plain web stuff for him before
now - nothing like the AD stuff we're throwing at him.

He's got nice web pages going with queries to AD, like phone lists and
such, where roles and accountability aren't an issue, but we're also
trying to get some pages up that are more workflow-ish, and require
approvals by specific users.

Does anyone have a set of resources on how to work through this kind
of thing? We've got a few books, and I've helped him with a buncha
googling, but if you can point me at some good docs, I'd appreciate
it.

If it matters, we're a Win2k3 shop, running at 2003 FFL/DFL.

Also, I'm not up on all of the backend technicalities, so background
material for this for me wouldn't hurt either

One other thing we're working on is to add Firefox to the mix - any
help there would be useful.


Thanks,

Kurt

PS - here are some of the web resources I've looked at, and fed the
web guy - I don't have the names of the books handy, as the web guy
took them home for the weekend, but I know that Joe Kaplan is
co-author on one of them:

http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx

http://blogs.technet.com/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx

http://blogs.technet.com/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx

http://support.microsoft.com/kb/907273

http://grolmsnet.de/kerbtut/firefox.html

https://developer.mozilla.org/en/Integrated_Authentication



Re: dell rant

2010-03-19 Thread Phil Brutsche
Not $300 RAID firmware, but $300 certifying the firmware to guarantee it
will work right with the RAID controller :(

On 3/19/2010 7:03 PM, Erik Goldoff wrote:
> But $300 RAID Firmware : (

-- 

Phil Brutsche
p...@optimumdata.com



RE: dell rant [OT reply]

2010-03-19 Thread Free, Bob
Hey ...I used to make the 80 pound "motors" that drove the head
assembly on those washing machines :)

Actually I made the coils that were part of the bobbins inside the
motors. Less skilled workers made the heavy parts...LOL

 

The engineers called them linear actuators and hated when someone
referred to them as motors so of course that's what we all called them.

 



 

You going to TEC LA this year?

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Friday, March 19, 2010 10:02 AM
To: NT System Admin Issues
Subject: RE: dell rant [OT reply]

 



Shades of the mainframe!

 

WAY BACK when "Winchester" was the new SCSI disk technology, both IBM
and Unisys did this. Their "cheap SCSI" disk controllers were modified
so that you could only attach disk that the mainframe company provided.
Which they charged 10 times the going rate for.

 

Still, it was cheaper and faster than the old "washing machine"
removable disk drives.



 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Benjamin Zachary - Lists [mailto:li...@levelfive.us] 
Sent: Friday, March 19, 2010 12:57 PM
To: NT System Admin Issues
Subject: dell rant

 

I've been a solid dell guy for years but this is about as aggravating as
it comes.

We have a new server that cannot get the 2.5 15k rpm drives for several
weeks due to manufacturing problems. We went and got drives from hp and
the drive caddies so everything is great right?

 

NOT, if you have a new Dell 700 raid controller you can only use Dell
certified drives, the drives are 'blocked' on the controller

 

From the manual "troubleshooting" section:

Issue:

One or more physical disks is displayed as Blocked and can not be
configured.

 

Corrective Action

PERC H700 and PERC H800 cards support only Dell-certified SAS and SATA
hard drives and solid-state drives (SSD). If you are using a
Dell-certified drive but are still experiencing this problem, perform
the following actions:

 

1. Check the backplane for damage.

2. Check the SAS cables.

3. Reseat the physical disk.

4. Contact Dell Technical Support if the problem persists

 

 

 

 


RE: dell rant

2010-03-19 Thread Erik Goldoff
But $300 RAID Firmware : (

 

Erik Goldoff

IT  Consultant

Systems, Networks, & Security 

'  Security is an ongoing process, not a one time event ! '

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Friday, March 19, 2010 6:27 PM
To: NT System Admin Issues
Subject: Re: dell rant

 

Are they really $150 hard drives?

On Fri, Mar 19, 2010 at 6:25 PM, Phil Brutsche  wrote:

Sadly, Dell is merely the latest in a long line of vendors to do so.

It's getting to the point where you have to go "whitebox" (ie SuperMicro) if
you want to avoid tripling or quadrupling the cost of the machine with a
couple $150 hard drives :(

Benjamin Zachary - Lists  previously uttered: 

 

I've been a solid dell guy for years but this is about as aggravating as it
comes.

We have a new server that cannot get the 2.5 15k rpm drives for several
weeks due to manufacturing problems. We went and got drives from hp and the
drive caddies so everything is great right?

NOT, if you have a new Dell 700 raid controller you can only use Dell
certified drives, the drives are 'blocked' on the controller

 

-- 

Phil Brutsche
p...@optimumdata.com 





Re: dell rant

2010-03-19 Thread Phil Brutsche
Well, when you consider Dell is charging close to $500 for the
equivalent of a $150 Western Digital RE (Raid Edition) 1TB hard drive...

http://www.newegg.com/Product/Product.aspx?Item=N82E16822136313

On 3/19/2010 5:26 PM, Jonathan Link wrote:
> Are they really $150 hard drives?

-- 

Phil Brutsche
p...@optimumdata.com



Re: Computer account creation

2010-03-19 Thread Kurt Buff
Sorry - did a stupid copy/paste error...

Ignore the extraneous bits (the part that reads: '| findstr /i 5.0').
That should read:

 del yesterday.txt
 ren today.txt yesterday.txt
 adfind -b dc=mycompany,dc=com -f "objectcategory=computer" -csv -nodn sAMAccountName objectSid | sort > today.txt
 fc today.txt yesterday.txt > diff.txt
 blat diff.txt

You'll also have to put in the proper parameters to blat, but that's easy.

Run that once a day, and you should be golden.

Kurt

On Fri, Mar 19, 2010 at 13:30, Kurt Buff  wrote:
> Something like this?
>
>     ren today.txt yesterday.txt
>     adfind -b dc=mycompany,dc=com -f "objectcategory=computer" -csv
> -nodn sAMAccountName objectSid | findstr /i 5.0 | sort > today.txt
>     fc today.txt yesterday.txt > diff.txt
>     blat diff.txt
>
> Kurt
>
> On Fri, Mar 19, 2010 at 07:42, David Lum  wrote:
>> So…I’m trying to catch when a new user and computer is created. Event ID 645
>> tells me a new computer is created, but invariably it seems to show the
>> default machine name that’s created from fresh Sysprep images (on our case
>> it’s like NWEA-7646552 and similar). So, I decided to capture Event ID 646
>> (Computer account changed), but all I get is (I think) machine password
>> resets since it has SID S-1-5-21 in the description).
>>
>>
>>
>> Is there a way to capture when a domain PC gets renamed?
>>
>> David Lum // SYSTEMS ENGINEER
>> NORTHWEST EVALUATION ASSOCIATION
>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>
>>
>>
>>
>>
>>
>
>
>
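
The snapshot comparison from the message above, carried one step further as an added example (not code posted in the thread): keying each snapshot on objectSid reports a rename as a single record, because a renamed computer keeps its SID while its sAMAccountName changes. The function names, sample rows and SIDs are constructed for illustration, and the input is assumed to be the two-column CSV that the adfind command writes.

```powershell
# Added example: diff two computer-account snapshots by objectSid.
# Assumed input: one "sAMAccountName","objectSid" pair per line, as produced by
#   adfind ... -csv -nodn sAMAccountName objectSid | sort > today.txt

function ConvertTo-SidMap {
    param([string[]]$Lines)
    $map = @{}
    # sort moves the CSV header row to an arbitrary position, so name the
    # columns explicitly and keep only rows whose second field is a SID.
    $Lines |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Header 'sAMAccountName', 'objectSid' |
        Where-Object { $_.objectSid -like 'S-1-*' } |
        ForEach-Object { $map[$_.objectSid] = $_.sAMAccountName }
    return $map
}

function Compare-ComputerSnapshot {
    param([string[]]$Yesterday, [string[]]$Today)
    $old = ConvertTo-SidMap $Yesterday
    $new = ConvertTo-SidMap $Today

    foreach ($s in $new.Keys) {
        if (-not $old.ContainsKey($s)) {
            # SID not seen yesterday: a new computer account.
            [pscustomobject]@{ Change = 'Created'; OldName = ''; NewName = $new[$s]; Sid = $s }
        }
        elseif ($old[$s] -ne $new[$s]) {
            # Same SID, different name: the account was renamed.
            [pscustomobject]@{ Change = 'Renamed'; OldName = $old[$s]; NewName = $new[$s]; Sid = $s }
        }
    }
    foreach ($s in $old.Keys) {
        if (-not $new.ContainsKey($s)) {
            # SID present yesterday but gone today: the account was deleted.
            [pscustomobject]@{ Change = 'Deleted'; OldName = $old[$s]; NewName = ''; Sid = $s }
        }
    }
}

# Constructed sample snapshots (placeholder domain SID). With real data use:
#   $yesterday = Get-Content yesterday.txt ; $today = Get-Content today.txt
$yesterday = @'
"FILESRV01$","S-1-5-21-1111111111-2222222222-3333333333-1103"
"NWEA-7646552$","S-1-5-21-1111111111-2222222222-3333333333-1121"
"OLDLAPTOP$","S-1-5-21-1111111111-2222222222-3333333333-1110"
"sAMAccountName","objectSid"
'@ -split '\r?\n'

$today = @'
"FILESRV01$","S-1-5-21-1111111111-2222222222-3333333333-1103"
"LAB-PC-017$","S-1-5-21-1111111111-2222222222-3333333333-1121"
"NEWPC-01$","S-1-5-21-1111111111-2222222222-3333333333-1130"
"sAMAccountName","objectSid"
'@ -split '\r?\n'

Compare-ComputerSnapshot -Yesterday $yesterday -Today $today |
    Sort-Object Change, NewName |
    Format-Table -AutoSize
```

With the sample rows, the Sysprep-style name NWEA-7646552$ and LAB-PC-017$ share one SID, so the pair is reported as a rename rather than as an unrelated delete and create.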




RE: Determining Password Complexity Requirements (UNCLASSIFIED)

2010-03-19 Thread Free, Bob
Agreed. In this case, the additional point I was trying to make was that you 
also could have a 3rd party package enforcing _local_ account passwords (which 
John specified) that overrides the domain password policy for _local_ passwords 
only leaving the domain account password policy intact for domain account 
passwords..

That is why I asked the question about the GINA in the first place :-]



-Original Message-
From: Steven Peck [mailto:sep...@gmail.com] 
Sent: Friday, March 19, 2010 3:33 PM
To: NT System Admin Issues
Subject: Re: Determining Password Complexity Requirements (UNCLASSIFIED)

Some of the requirements for contracts that provide services for the
military require a custom ugina.   We have one.  It has its own
little domain.

On Fri, Mar 19, 2010 at 1:11 PM, Free, Bob  wrote:
>> every time she tries to set a local account's password
>
>
>
> Probably a custom GINA/password filter. (I think there's an echo in here :))
>
>
>
>  Those also come in local versions
>
>
>
> The Army couldn't enforce the settings Larry gave below natively, they have
> to use *something*
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Friday, March 19, 2010 12:47 PM
> To: NT System Admin Issues
> Subject: RE: Determining Password Complexity Requirements (UNCLASSIFIED)
>
>
>
> Yeah, that sounds about like what we had to put in to get the system to
> accept it.
>
>
>
> I just can't figure out how that policy is being enforced...
>
>
>
>
>
>
>
> From: Kent, Larry CTR US USA [mailto:larry.k...@us.army.mil]
> Sent: Friday, March 19, 2010 2:44 PM
> To: NT System Admin Issues
> Subject: RE: Determining Password Complexity Requirements (UNCLASSIFIED)
>
>
>
> Classification: UNCLASSIFIED
> Caveats: FOUO
>
> The Army's password requirements are:  minimum 14 chars, at least 2
> uppercase, 2 lowercase, 2 numeric and 2 special characters
>
>
>
>
>
> Larry Kent
>
> AD/Exchange 2003 OU Administrator
>
> Lockheed Martin
>
> Natick R&D Center
>
> Natick, MA 01760
>
> DSN: 312.256.4981  Comm: 508.233.4981
>
> mailto:larry.k...@us.army.mil
>
>
>
>
>
>
>
> From: Carol Fee [mailto:c...@massbar.org]
> Sent: Friday, March 19, 2010 1:38 PM
> To: NT System Admin Issues
> Subject: RE: Determining Password Complexity Requirements
>
>
>
> How about asking the Army folks who sent you the machine ?
>
>
>
> CFee
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Friday, March 19, 2010 11:26 AM
> To: NT System Admin Issues
> Subject: Determining Password Complexity Requirements
>
>
>
> We have a machine that the Army sent our ROTC folks, and it's giving us a
> hard time. It's not our standard machine, and came pre-configured from the
> Army. We joined it to our domain, and it seems to be picking up group policy
> from the domain-but a couple of things still aren't right.
>
>
>
> The biggest issue is that something on the machine seems to be requiring
> passwords of greater complexity than our domain policy requires. What I
> can't figure out is (A.) why that is and (B.) what those requirements are. I
> had my technician run gpedit.msc on the machine and look under Computer
> Configuration -> Windows Settings -> Security Settings -> Account Policies
> -> Password Policy. All of the settings there match our regular domain
> settings. And yet every time she tries to set a local account's password to
> one that we know meets those requirements (because it's one we use on
> multiple machines with no problems), Windows pops up a dialog saying it
> doesn't meet the requirements. But if we put in a (much) longer and more
> complex password, the system will take it.
>
>
>
> I ran through the fix from MSKB 313222, but to no avail (although that did
> fix several other settings the Army had imposed on the machine).
>
>
>
> So, what the heck? Where is this machine getting its ideas about password
> requirements from? And how can I determine what those requirements are?
>
>
>
>
>
>
>
> John Hornbuckle
>
> MIS Department
>
> Taylor County School District
>
> www.taylor.k12.fl.us
>
> NOTICE: Florida has a broad public records law. Most written communications
> to or from this entity are public records that will be disclosed to the
> public and the media upon request. E-mail communications may be subject to
> public disclosure.
>
> Classification: UNCLASSIFIED
> Caveats: FOUO
>

RE: Determining Password Complexity Requirements

2010-03-19 Thread Free, Bob
Local accounts can actually look at the password policy applied to the
container the computer object resides in. 

 

So if you think LDSOU for policy application it is the one time where
the "one password policy per domain" has a caveat.

 

You can apply a password policy on an OU that will affect the LOCAL
account on the computers in the OU.

 

Of course I am talking native stuff here (no customized code) and
pre-FGP policy now in 2K8.

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Friday, March 19, 2010 3:19 PM
To: NT System Admin Issues
Subject: Re: Determining Password Complexity Requirements

 

Either Bob is right about a custom GINA or local policies are
overriding domain policies.  Then again local accounts only look at the
local policy I believe.

 

Jon

On Fri, Mar 19, 2010 at 3:08 PM, John Cook  wrote:

Sounds to me like it has some malware (wink) I'd nuke it and rebuild!



From: Free, Bob 

To: NT System Admin Issues 

Sent: Fri Mar 19 15:01:25 2010 


Subject: RE: Determining Password Complexity Requirements 

Does it have a custom GINA?

 



From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 10:46 AM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements

Thanks-we'll check this out.

 

The other weird thing is that we can't access the machine via Remote
Desktop or Remote Assistance. We have group policies to enable these,
but either they're not accepting connections on this machine or there's
some other software blocking access. We checked Windows built-in
firewall, and it's configured to allow (our domain policies configure
this). Grrr

 

 

 

 

From: Joe Tinney [mailto:jtin...@lastar.com] 
Sent: Friday, March 19, 2010 1:39 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements

 

John,

Try running secpol.msc (Local Security Policy) and
looking at Account Policies > Password Policies and see if that differs
from the information you are seeing in gpedit.msc (Local Group Policy).
I can't recall if they are different or if they operate independently,
but it can't hurt. Also, from my experience, this is one of those
settings that doesn't revert itself once the policy is no longer applied
to the machine. I've had to go in and manually change this when we've
needed to take the machines off the domain and use them for other
purposes.

 

Best of luck,

Joe

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 11:26 AM
To: NT System Admin Issues
Subject: Determining Password Complexity Requirements

 

We have a machine that the Army sent our ROTC folks, and it's giving us
a hard time. It's not our standard machine, and came pre-configured from
the Army. We joined it to our domain, and it seems to be picking up
group policy from the domain-but a couple of things still aren't right.

 

The biggest issue is that something on the machine seems to be requiring
passwords of greater complexity than our domain policy requires. What I
can't figure out is (A.) why that is and (B.) what those requirements
are. I had my technician run gpedit.msc on the machine and look under
Computer Configuration -> Windows Settings -> Security Settings ->
Account Policies -> Password Policy. All of the settings there match our
regular domain settings. And yet every time she tries to set a local
account's password to one that we know meets those requirements (because
it's one we use on multiple machines with no problems), Windows pops up
a dialog saying it doesn't meet the requirements. But if we put in a
(much) longer and more complex password, the system will take it.

 

I ran through the fix from MSKB 313222, but to no avail (although that
did fix several other settings the Army had imposed on the machine).

 

So, what the heck? Where is this machine getting its ideas about
password requirements from? And how can I determine what those
requirements are?

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us  

 

 

 

 
 
 


CONFIDENTIALITY STATEMENT: The information transmitted, or contained or
attached to or with this Notice is intended only for the person or
entity to which it is addressed and may contain Protected Health
Information (PHI), confidential and/o

Re: Determining Password Complexity Requirements (UNCLASSIFIED)

2010-03-19 Thread Steven Peck
Some of the requirements for contracts that provide services for the
military require a custom ugina. We have one. It has its own
little domain.

On Fri, Mar 19, 2010 at 1:11 PM, Free, Bob  wrote:
>> every time she tries to set a local account’s password
>
>
>
> Probably a custom GINA/password filter. (I think there’s an echo in here :-) )
>
>
>
>  Those also come in local versions….
>
>
>
> The Army couldn’t enforce the settings Larry gave below natively, they have
> to use *something*
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Friday, March 19, 2010 12:47 PM
> To: NT System Admin Issues
> Subject: RE: Determining Password Complexity Requirements (UNCLASSIFIED)
>
>
>
> Yeah, that sounds about like what we had to put in to get the system to
> accept it.
>
>
>
> I just can’t figure out how that policy is being enforced…
>
>
>
>
>
>
>
> From: Kent, Larry CTR US USA [mailto:larry.k...@us.army.mil]
> Sent: Friday, March 19, 2010 2:44 PM
> To: NT System Admin Issues
> Subject: RE: Determining Password Complexity Requirements (UNCLASSIFIED)
>
>
>
> Classification: UNCLASSIFIED
> Caveats: FOUO
>
> The Army’s password requirements are:  minimum 14 chars, at least 2
> uppercase, 2 lowercase, 2 numeric and 2 special characters
>
>
>
>
>
> Larry Kent
>
> AD/Exchange 2003 OU Administrator
>
> Lockheed Martin
>
> Natick R&D Center
>
> Natick, MA 01760
>
> DSN: 312.256.4981  Comm: 508.233.4981
>
> mailto:larry.k...@us.army.mil
>
>
>
>
>
>
>
> From: Carol Fee [mailto:c...@massbar.org]
> Sent: Friday, March 19, 2010 1:38 PM
> To: NT System Admin Issues
> Subject: RE: Determining Password Complexity Requirements
>
>
>
> How about asking the Army folks who sent you the machine ?
>
>
>
> CFee
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Friday, March 19, 2010 11:26 AM
> To: NT System Admin Issues
> Subject: Determining Password Complexity Requirements
>
>
>
> We have a machine that the Army sent our ROTC folks, and it’s giving us a
> hard time. It’s not our standard machine, and came pre-configured from the
> Army. We joined it to our domain, and it seems to be picking up group policy
> from the domain—but a couple of things still aren’t right.
>
>
>
> The biggest issue is that something on the machine seems to be requiring
> passwords of greater complexity than our domain policy requires. What I
> can’t figure out is (A.) why that is and (B.) what those requirements are. I
> had my technician run gpedit.msc on the machine and look under Computer
> Configuration -> Windows Settings -> Security Settings -> Account Policies
> -> Password Policy. All of the settings there match our regular domain
> settings. And yet every time she tries to set a local account’s password to
> one that we know meets those requirements (because it’s one we use on
> multiple machines with no problems), Windows pops up a dialog saying it
> doesn’t meet the requirements. But if we put in a (much) longer and more
> complex password, the system will take it.
>
>
>
> I ran through the fix from MSKB 313222, but to no avail (although that did
> fix several other settings the Army had imposed on the machine).
>
>
>
> So, what the heck? Where is this machine getting its ideas about password
> requirements from? And how can I determine what those requirements are?
>
>
>
>
>
>
>
> John Hornbuckle
>
> MIS Department
>
> Taylor County School District
>
> www.taylor.k12.fl.us
>
> Classification: UNCLASSIFIED
> Caveats: FOUO




Re: dell rant

2010-03-19 Thread Jonathan Link
Are they really $150 hard drives?

On Fri, Mar 19, 2010 at 6:25 PM, Phil Brutsche  wrote:

> Sadly, Dell is merely the latest in a long line of vendors to do so.
>
> It's getting to the point where you have to go "whitebox" (ie SuperMicro)
> if you want to avoid tripling or quadrupling the cost of the machine with a
> couple $150 hard drives :(
>
> Benjamin Zachary - Lists  previously uttered:
>
>
> I've been a solid dell guy for years but this is about as aggravating as it
>> comes.
>>
>> We have a new server that cannot get the 2.5 15k rpm drives for several
>> weeks due to manufacturing problems. We went and got drives from hp and
>> the
>> drive caddies so everything is great right?
>>
>> NOT, if you have a new Dell 700 raid controller you can only use Dell
>> certified drives, the drives are 'blocked' on the controller
>>
>
> --
>
> Phil Brutsche
> p...@optimumdata.com
>

Re: dell rant

2010-03-19 Thread Phil Brutsche

Sadly, Dell is merely the latest in a long line of vendors to do so.

It's getting to the point where you have to go "whitebox" (ie  
SuperMicro) if you want to avoid tripling or quadrupling the cost of  
the machine with a couple $150 hard drives :(


Benjamin Zachary - Lists  previously uttered:


I've been a solid dell guy for years but this is about as aggravating as it
comes.

We have a new server that cannot get the 2.5 15k rpm drives for several
weeks due to manufacturing problems. We went and got drives from hp and the
drive caddies so everything is great right?

NOT, if you have a new Dell 700 raid controller you can only use Dell
certified drives, the drives are 'blocked' on the controller


--

Phil Brutsche
p...@optimumdata.com




Re: Determining Password Complexity Requirements

2010-03-19 Thread Jon Harris
Either Bob is right about a custom GINA or local policies are overriding
domain policies.  Then again local accounts only look at the local policy I
believe.

Jon

On Fri, Mar 19, 2010 at 3:08 PM, John Cook  wrote:

>  Sounds to me like it has some malware (wink) I'd nuke it and rebuild!
>
> --
> *From*: Free, Bob
> *To*: NT System Admin Issues
> *Sent*: Fri Mar 19 15:01:25 2010
>
> *Subject*: RE: Determining Password Complexity Requirements
>
> Does it have a custom GINA?
>
>  --
> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> *Sent:* Friday, March 19, 2010 10:46 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Determining Password Complexity Requirements
>
>  Thanks—we’ll check this out.
>
>
>
> The other weird thing is that we can’t access the machine via Remote
> Desktop or Remote Assistance. We have group policies to enable these, but
> either they’re not accepting connections on this machine or there’s some
> other software blocking access. We checked Windows built-in firewall, and
> it’s configured to allow (our domain policies configure this). Grrr….
>
>
>
>
>
>
>
>
>
> *From:* Joe Tinney [mailto:jtin...@lastar.com]
> *Sent:* Friday, March 19, 2010 1:39 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Determining Password Complexity Requirements
>
>
>
> John,
>
> Try running secpol.msc (Local Security Policy) and looking
> at Account Policies > Password Policies and see if that differs from the
> information you are seeing in gpedit.msc (Local Group Policy). I can’t
> recall if they are different or if they operate independently, but it can’t
> hurt. Also, from my experience, this is one of those settings that doesn’t
> revert itself once the policy is no longer applied to the machine. I’ve had
> to go in and manually change this when we’ve needed to take the machines off
> the domain and use them for other purposes.
>
>
>
> Best of luck,
>
> Joe
>
>
>
> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> *Sent:* Friday, March 19, 2010 11:26 AM
> *To:* NT System Admin Issues
> *Subject:* Determining Password Complexity Requirements
>
>
>
> We have a machine that the Army sent our ROTC folks, and it’s giving us a
> hard time. It’s not our standard machine, and came pre-configured from the
> Army. We joined it to our domain, and it seems to be picking up group policy
> from the domain—but a couple of things still aren’t right.
>
>
>
> The biggest issue is that something on the machine seems to be requiring
> passwords of greater complexity than our domain policy requires. What I
> can’t figure out is (A.) why that is and (B.) what those requirements are. I
> had my technician run gpedit.msc on the machine and look under Computer
> Configuration -> Windows Settings -> Security Settings -> Account Policies
> -> Password Policy. All of the settings there match our regular domain
> settings. And yet every time she tries to set a local account’s password to
> one that we know meets those requirements (because it’s one we use on
> multiple machines with no problems), Windows pops up a dialog saying it
> doesn’t meet the requirements. But if we put in a (much) longer and more
> complex password, the system will take it.
>
>
>
> I ran through the fix from MSKB 313222, but to no avail (although that did
> fix several other settings the Army had imposed on the machine).
>
>
>
> So, what the heck? Where is this machine getting its ideas about password
> requirements from? And how can I determine what those requirements are?
>
>
>
>
>
>
>
> John Hornbuckle
>
> MIS Department
>
> Taylor County School District
>
> www.taylor.k12.fl.us
>

RE: Determining Password Complexity Requirements

2010-03-19 Thread hg
They load the machines from a custom very heavily locked down image they call 
the “gold master”.  So all sorts of restrictions are “baked in”.

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 11:26 AM
To: NT System Admin Issues
Subject: Determining Password Complexity Requirements

 

We have a machine that the Army sent our ROTC folks, and it’s giving us a hard 
time. It’s not our standard machine, and came pre-configured from the Army. We 
joined it to our domain, and it seems to be picking up group policy from the 
domain—but a couple of things still aren’t right.

 

The biggest issue is that something on the machine seems to be requiring 
passwords of greater complexity than our domain policy requires. What I can’t 
figure out is (A.) why that is and (B.) what those requirements are. I had my 
technician run gpedit.msc on the machine and look under Computer Configuration 
-> Windows Settings -> Security Settings -> Account Policies -> Password 
Policy. All of the settings there match our regular domain settings. And yet 
every time she tries to set a local account’s password to one that we know 
meets those requirements (because it’s one we use on multiple machines with no 
problems), Windows pops up a dialog saying it doesn’t meet the requirements. 
But if we put in a (much) longer and more complex password, the system will 
take it.

 

I ran through the fix from MSKB 313222, but to no avail (although that did fix 
several other settings the Army had imposed on the machine).

 

So, what the heck? Where is this machine getting its ideas about password 
requirements from? And how can I determine what those requirements are?

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us

 

 

 

 
 
 Content & Policy Scan by M+ Guardian 
Millions of safe & clean messages delivered daily
 
 
 
 
 


---AV & Spam Filtering by M+Guardian - Risk Free Email (TM)---


Re: Made me chuckle

2010-03-19 Thread Jon Harris
Would that not depend on the EULA that each user signs at employment?
I know at one University if you share user IDs and passwords and a hack
event happens, only the user who owned the user ID is treated to the full
effect of brown flying stuff.

Jon

On Fri, Mar 19, 2010 at 11:40 AM, Wilhelm, Scott wrote:

>  In that case, would it be reasonable to reset everyone’s passwords
> whenever someone leaves the company to prevent something like this from
> happening, or does the coworker get in trouble as well?
>
>
>
> Would definitely be a sticky issue.
>
>
>
> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> *Sent:* Friday, March 19, 2010 11:34 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Made me chuckle
>
>
>
> Yeah, we’ve been discussing this one in an IT security class I’m taking in
> grad school. Lots of things went wrong here. Apparently the fired guy had a
> former coworker’s password.
>
>
>
> And in addition to screwing with the cars, he did other things like placing
> thousands of dollars in orders under the company’s name.
>
>
>
>
>
>
>
> John Hornbuckle
>
> MIS Department
>
> Taylor County School District
>
> www.taylor.k12.fl.us
>
>
>
>
>
>
>
> *From:* Mike French [mailto:mike.fre...@theequitybank.com]
> *Sent:* Friday, March 19, 2010 11:34 AM
> *To:* NT System Admin Issues
> *Subject:* OT: Made me chuckle
>
>
>
> 46. March 17, Wired – (Texas) Hacker disables more than 100 cars remotely.
> More than 100 drivers in Austin, Texas found their cars disabled or the
> horns honking out of control, after an intruder ran amok in a web-based
> vehicle-immobilization system normally used to get the attention of
> consumers delinquent in their auto payments. Police with Austin’s High Tech
> Crime Unit on March 17 arrested a 20-year-old who was a former Texas Auto
> Center employee who was laid off last month, and allegedly sought revenge by
> bricking the cars sold from the dealership’s four Austin-area lots. The
> dealership used a system called Webtech Plus as an alternative to
> repossessing vehicles that haven’t been paid for. Operated by
> Cleveland-based Pay Technologies, the system lets car dealers install a
> small black box under vehicle dashboards that responds to commands issued
> through a central website, and relayed over a wireless pager network. The
> dealer can disable a car’s ignition system, or trigger the horn to begin
> honking, as a reminder that a payment is due. The system will not stop a
> running vehicle. Texas Auto Center began fielding complaints from baffled
> customers the last week in February, many of whom wound up missing work,
> calling tow trucks or disconnecting their batteries to stop the honking. The
> troubles stopped five days later, when Texas Auto Center reset the Webtech
> Plus passwords for all its employee accounts, says the manager of Texas Auto
> Center. Then police obtained access logs from Pay Technologies, and traced
> the saboteur’s IP address to the suspect’s AT&T internet service, according
> to a police affidavit filed in the case. Source:
> http://www.wired.com/threatlevel/2010/03/hacker-brickscars/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))
>
>
>
>
>
>
> Mike French
> Network Engineer
> EQUITY BANK
> Office: 214.231.4565
> mike.fre...@theequitybank.com
>
> "Evidently excellence in security by some security-centric vendors is
> defined as being the head of the class in a room filled with children
> without a propensity to learn." - Anonymous
>

RE: dell rant

2010-03-19 Thread hg
Had two servers on order that were pretty vanilla and it took a month to get 
both of them.

 

The manufacturing problems are actually pretty interesting. It seems Hon Hai 
Precision Industry Co (commonly known as “Foxconn”) opened a giant plant just 
across the border in Mexico. Anything that was assembled in the US by Dell is 
now assembled in Mexico by Foxconn. Foxconn was using Walmart tactics 
making people work overtime for free by claiming that the buses used to 
transport workers were held at a roadblock on multiple occasions and that the 
workers just needed to continue to work.  After this happened a number of times 
workers set the plant on fire. Depending on what version you read the damage 
varies from trivial to 1/3 of the facility. 

 

From: Benjamin Zachary - Lists [mailto:li...@levelfive.us] 
Sent: Friday, March 19, 2010 12:57 PM
To: NT System Admin Issues
Subject: dell rant

 

I've been a solid dell guy for years but this is about as aggravating as it 
comes.

We have a new server that cannot get the 2.5 15k rpm drives for several weeks 
due to manufacturing problems. We went and got drives from hp and the drive 
caddies so everything is great right?

 

NOT, if you have a new Dell 700 raid controller you can only use Dell certified 
drives, the drives are ‘blocked’ on the controller

 

From the manual "troubleshooting" section:

Issue:

One or more physical disks is displayed as Blocked and can not be configured.

 

Corrective Action

PERC H700 and PERC H800 cards support only Dell-certified SAS and SATA hard 
drives and solid-state drives (SSD). If you are using a Dell-certified drive 
but are still experiencing this problem, perform the following actions:

 

1. Check the backplane for damage.

2. Check the SAS cables.

3. Reseat the physical disk.

4. Contact Dell Technical Support if the problem persists

 

 
 

Re: Remote user password expire

2010-03-19 Thread Jon Harris
LOL Sorry John but that was the first issue I had to fight several years ago
at my former office.  I did not plan/think of it either and lots of fun that
first morning all of them expired at the same time.

Jon

On Fri, Mar 19, 2010 at 10:24 AM, John Hornbuckle <
john.hornbuc...@taylor.k12.fl.us> wrote:

> Oh, crap. I didn't think about that. We just started using password
> expirations this school year. I didn't think about what would happen over
> the summer...
>
>
>
> John Hornbuckle
> MIS Department
> Taylor County School District
> www.taylor.k12.fl.us
>
>
>
>
>
>
> On Fri, Mar 19, 2010 at 9:04 AM, Kennedy, Jim
>  wrote:
> > Looking for advice. How do you handle remote users and passwords expiring.
> > Let me give you an example..I am in a school district so the Teachers are
> > gone all summer. They do use their email over the summer via OWA but they
> > don't log into any of our computers.
> >
> > Currently I just mod the policy so they don't expire for those staff members
> > over the summer. But that just creates a backlog at the beginning of the
> > school year, and it is not automated and requires effort on my part. Looking
> > for a better way.
>

RE: What are my options, Windows Server 2008 or Windows Server 2008 R2 or...

2010-03-19 Thread Raper, Jonathan - Eagle
How many servers do you have in your environment?


Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
jra...@eaglemds.com
www.eaglemds.com


From: Reimer, Mark [mailto:mark.rei...@prairie.edu]
Sent: Friday, March 19, 2010 4:44 PM
To: NT System Admin Issues
Subject: What are my options, Windows Server 2008 or Windows Server 2008 R2 
or...

Here's my upcoming problem.

We currently have a Windows 2003 domain. All servers, including DC's are 
Windows 2003 standard.

We will be replacing our Exchange server this summer, jumping from Exchange 
2003 to Exchange 2010. I'm planning on installing Windows 2008 R2 on it.

My current DC's are 32 bit, and almost 5 years old, and don't have 64 bit 
architecture. So ...

Should I upgrade my DC's to Windows 2008 32 bit?
Should I try to get upgraded hardware, and install Windows 2008 R2?
Should I not worry about it, put in the new Exchange server on my Windows 2003 
domain, and upgrade the DC's later?

I'm planning on using the standard version (vs. enterprise or datacenter), 
unless I can get some beefy server, then I'll virtualize one DC and some other 
physical servers on it.

I'm NOT going to put both DC's virtualized on one physical box.

My googling on this hasn't turned up any useful information. Maybe it's Friday 
afternoon...

Thanks for any advice.


Mark Reimer,  A+, MCSA
Windows Servers & Networking
Prairie Bible Institute
Box 4000
Three Hills, AB  T0M-2N0
Canada
Tel: 403-443-5511, Ext. 3476
Fax: 403-443-5540
Email: mark.rei...@prairie.edu
www.prairie.edu








Any medical information contained in this electronic message is CONFIDENTIAL 
and privileged. It is unlawful for unauthorized persons to view, copy, 
disclose, or disseminate CONFIDENTIAL information. This electronic message may 
contain information that is confidential and/or legally privileged. It is 
intended only for the use of the individual(s) and/or entity named as 
recipients in the message. If you are not an intended recipient of this 
message, please notify the sender immediately and delete this material from 
your computer. Do not deliver, distribute or copy this message, and do not 
disclose its contents or take any action in reliance on the information that it 
contains.


RE: What are my options, Windows Server 2008 or Windows Server 2008 R2 or...

2010-03-19 Thread Raper, Jonathan - Eagle
Hi Mark!

At 5 years, I would try to replace the hardware if you can, unless you can 
continue to get factory support. I know that Dell doesn't offer warranties past 
5 years. IBM seems to be willing to support hardware longer, as long as you're 
willing to pay the fees (we're a 99.9% IBM shop, with no complaints).

As for OS, I would consider moving to 2008 if you're doing a hardware refresh, 
but it isn't required. With Server 2008 Enterprise, you get up to 4 "free" 
installs in a virtual environment on the same physical host, regardless of 
whether you're using Hyper-V or VMware, and that's for any Microsoft Server OS 
that you can find an install disk for, as long as it will load in a virtual 
environment. With 2008 Data Center Edition, you get UNLIMITED installs, again, 
does not matter what version of OS, as long as it is 2008 or below. So, I would 
look at your environment and see if it makes sense to buy a couple of beefy 
systems to run a virtual environment, buy either Enterprise or Data Center 
licensing, and away you go. I prefer VMware, but it may not make sense in your 
environment. Also, don't forget about Citrix - they offer server virtualization 
as well.

We're running one physical DC and one virtual DC, and that is an approach I 
recommend, just to be safe.

As for requirements of E2k10, you do NOT have to upgrade your domain from 2003 
to 2008:

http://technet.microsoft.com/en-us/library/aa996719.aspx

Hope this helps,

Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
jra...@eaglemds.com
www.eaglemds.com


From: Reimer, Mark [mailto:mark.rei...@prairie.edu]
Sent: Friday, March 19, 2010 4:44 PM
To: NT System Admin Issues
Subject: What are my options, Windows Server 2008 or Windows Server 2008 R2 
or...

Here's my upcoming problem.

We currently have a Windows 2003 domain. All servers, including DC's are 
Windows 2003 standard.

We will be replacing our Exchange server this summer, jumping from Exchange 
2003 to Exchange 2010. I'm planning on installing Windows 2008 R2 on it.

My current DC's are 32 bit, and almost 5 years old, and don't have 64 bit 
architecture. So ...

Should I upgrade my DC's to Windows 2008 32 bit?
Should I try to get upgraded hardware, and install Windows 2008 R2?
Should I not worry about it, put in the new Exchange server on my Windows 2003 
domain, and upgrade the DC's later?

I'm planning on using the standard version (vs. enterprise or datacenter), 
unless I can get some beefy server, then I'll virtualize one DC and some other 
physical servers on it.

I'm NOT going to put both DC's virtualized on one physical box.

My googling on this hasn't turned up any useful information. Maybe it's Friday 
afternoon...

Thanks for any advice.


Mark Reimer,  A+, MCSA
Windows Servers & Networking
Prairie Bible Institute
Box 4000
Three Hills, AB  T0M-2N0
Canada
Tel: 403-443-5511, Ext. 3476
Fax: 403-443-5540
Email: mark.rei...@prairie.edu
www.prairie.edu








Any medical information contained in this electronic message is CONFIDENTIAL 
and privileged. It is unlawful for unauthorized persons to view, copy, 
disclose, or disseminate CONFIDENTIAL information. This electronic message may 
contain information that is confidential and/or legally privileged. It is 
intended only for the use of the individual(s) and/or entity named as 
recipients in the message. If you are not an intended recipient of this 
message, please notify the sender immediately and delete this material from 
your computer. Do not deliver, distribute or copy this message, and do not 
disclose its contents or take any action in reliance on the information that it 
contains.


RE: What are my options, Windows Server 2008 or Windows Server 2008 R2 or...

2010-03-19 Thread Michael B. Smith
Exchange 2010 requires you to be at a Windows 2003 DFL/FFL, and other than that 
it just doesn't care.

If you CAN upgrade your DCs, I would upgrade to 2008 R2 and never look back. 
But unless your DCs are already overburdened, there is no requirement to do so.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Reimer, Mark [mailto:mark.rei...@prairie.edu]
Sent: Friday, March 19, 2010 4:44 PM
To: NT System Admin Issues
Subject: What are my options, Windows Server 2008 or Windows Server 2008 R2 
or...

Here's my upcoming problem.

We currently have a Windows 2003 domain. All servers, including DC's are 
Windows 2003 standard.

We will be replacing our Exchange server this summer, jumping from Exchange 
2003 to Exchange 2010. I'm planning on installing Windows 2008 R2 on it.

My current DC's are 32 bit, and almost 5 years old, and don't have 64 bit 
architecture. So ...

Should I upgrade my DC's to Windows 2008 32 bit?
Should I try to get upgraded hardware, and install Windows 2008 R2?
Should I not worry about it, put in the new Exchange server on my Windows 2003 
domain, and upgrade the DC's later?

I'm planning on using the standard version (vs. enterprise or datacenter), 
unless I can get some beefy server, then I'll virtualize one DC and some other 
physical servers on it.

I'm NOT going to put both DC's virtualized on one physical box.

My googling on this hasn't turned up any useful information. Maybe it's Friday 
afternoon...

Thanks for any advice.


Mark Reimer,  A+, MCSA
Windows Servers & Networking
Prairie Bible Institute
Box 4000
Three Hills, AB  T0M-2N0
Canada
Tel: 403-443-5511, Ext. 3476
Fax: 403-443-5540
Email: mark.rei...@prairie.edu
www.prairie.edu


What are my options, Windows Server 2008 or Windows Server 2008 R2 or...

2010-03-19 Thread Reimer, Mark
Here's my upcoming problem.

We currently have a Windows 2003 domain. All servers, including DC's are
Windows 2003 standard.

We will be replacing our Exchange server this summer, jumping from
Exchange 2003 to Exchange 2010. I'm planning on installing Windows 2008
R2 on it.

My current DC's are 32 bit, and almost 5 years old, and don't have 64
bit architecture. So ...

Should I upgrade my DC's to Windows 2008 32 bit?
Should I try to get upgraded hardware, and install Windows 2008 R2?
Should I not worry about it, put in the new Exchange server on my
Windows 2003 domain, and upgrade the DC's later?

I'm planning on using the standard version (vs. enterprise or
datacenter), unless I can get some beefy server, then I'll virtualize
one DC and some other physical servers on it.

I'm NOT going to put both DC's virtualized on one physical box.

My googling on this hasn't turned up any useful information. Maybe it's
Friday afternoon...

Thanks for any advice.


Mark Reimer,  A+, MCSA
Windows Servers & Networking
Prairie Bible Institute
Box 4000
Three Hills, AB  T0M-2N0
Canada
Tel: 403-443-5511, Ext. 3476
Fax: 403-443-5540
Email: mark.rei...@prairie.edu
www.prairie.edu



Re: dell rant

2010-03-19 Thread Richard Stovall
Not entirely bogus, no.  Entirely helpful to the bottom line, yes.

500GB 7.2K RPM Near Line SAS $299
1TB 7.2K RPM Near Line SAS $629
250GB 7.2K RPM SATA $129
500GB 7.2K RPM SATA $259
750GB 7.2K RPM SATA $339
1TB 7.2K RPM SATA $479
2TB 7.2K RPM SATA $929

'Course these are retail prices, but still.

> On Fri, Mar 19, 2010 at 4:20 PM, Andrew S. Baker  wrote:
>> It's not entirely a bogus motive that they have, however.
>> It's all about keeping the hardware compatibility list as short as possible
>> so that everything can be tested and verified and certified.    Different
>> devices have different tolerances and for certain industries, these kinds of
>> nuances are vital.   Not every situation warrants it, of course, but many
>> do, and it cuts down on support calls/costs.
>> -ASB: http://XeeSM.com/AndrewBaker
>>
>>
>> On Fri, Mar 19, 2010 at 12:56 PM, Benjamin Zachary - Lists
>>  wrote:
>>>
>>> I've been a solid dell guy for years but this is about as aggravating as it
>>> comes.
>>>
>>>
>>>
>>> We have a new server that cannot get the 2.5 15k rpm drives for several
>>> weeks due to manufacturing problems. We went and got drives from hp and the
>>> drive caddies so everything is great right?
>>>
>>>
>>>
>>> NOT, if you have a new Dell 700 raid controller you can only use Dell
>>> certified drives, the drives are ‘blocked’ on the controller
>>>
>>>
>>>
>>> From the manual "troubleshooting" section:
>>>
>>> Issue:
>>>
>>> One or more physical disks is displayed as Blocked and can not be
>>> configured.
>>>
>>>
>>>
>>> Corrective Action
>>>
>>> PERC H700 and PERC H800 cards support only Dell-certified SAS and SATA
>>> hard drives and solid-state drives (SSD). If you are using a Dell-certified
>>> drive but are still experiencing this problem, perform the following
>>> actions:
>>>
>>>
>>>
>>> 1. Check the backplane for damage.
>>>
>>> 2. Check the SAS cables.
>>>
>>> 3. Reseat the physical disk.
>>>
>>> 4. Contact Dell Technical Support if the problem persists
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>




Re: Computer account creation

2010-03-19 Thread Kurt Buff
Something like this?

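 rem Rotate the previous snapshot (ren fails if yesterday.txt already exists)
 if exist yesterday.txt del yesterday.txt
 ren today.txt yesterday.txt
 rem Dump sAMAccountName and objectSid for every computer object
 adfind -b dc=mycompany,dc=com -f "objectcategory=computer" -csv -nodn sAMAccountName objectSid | findstr /i 5.0 | sort > today.txt
 rem Compare the two snapshots and mail the differences
 fc today.txt yesterday.txt > diff.txt
 blat diff.txt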

Kurt

On Fri, Mar 19, 2010 at 07:42, David Lum  wrote:
> So…I’m trying to catch when a new user and computer is created. Event ID 645
> tells me a new computer is created, but invariably it seems to show the
> default machine name that’s created from fresh Sysprep images (on our case
> it’s like NWEA-7646552 and similar). So, I decided to capture Event ID 646
> (Computer account changed), but all I get is (I think) machine password
> resets since it has SID S-1-5-21 in the description).
>
>
>
> Is there a way to capture when a domain PC gets renamed?
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
>
>
>
>
>
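
The snapshot approach above can answer the rename question directly if the two files are compared by objectSid, which stays the same when a computer account is renamed, instead of line by line. This is an added example, not code from the thread; the domain SID, the machine names other than NWEA-7646552 and the quoted "name","SID" row layout are constructed assumptions.

```python
import csv
import io

# Constructed sample data: a made-up domain SID and two daily snapshots in the
# assumed layout "sAMAccountName","objectSid". Because the pipeline sorts the
# file, the CSV header ends up somewhere in the middle or at the end.
SID_PREFIX = "S-1-5-21-1111111111-2222222222-3333333333"

YESTERDAY = f'''"DESKTOP-A$","{SID_PREFIX}-1104"
"NWEA-7646552$","{SID_PREFIX}-1105"
"OLDBOX$","{SID_PREFIX}-1101"
"sAMAccountName","objectSid"
'''

TODAY = f'''"DESKTOP-A$","{SID_PREFIX}-1104"
"FRONTDESK-01$","{SID_PREFIX}-1105"
"NWEA-8812345$","{SID_PREFIX}-1106"
"sAMAccountName","objectSid"
'''


def load_snapshot(text):
    """Return {objectSid: sAMAccountName} for one snapshot file's contents."""
    accounts = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue  # blank or damaged line
        name, sid = row[0].strip(), row[1].strip()
        # Skip the header (wherever sort put it) and anything that is not a SID.
        if not sid.upper().startswith("S-1-"):
            continue
        accounts[sid] = name
    return accounts


def compare_snapshots(yesterday_text, today_text):
    """Classify changes between two snapshots, keyed on the stable objectSid."""
    old = load_snapshot(yesterday_text)
    new = load_snapshot(today_text)
    created = sorted((new[s], s) for s in new.keys() - old.keys())
    deleted = sorted((old[s], s) for s in old.keys() - new.keys())
    # Same SID, different name: the account was renamed, not re-created.
    renamed = sorted(
        (old[s], new[s], s)
        for s in old.keys() & new.keys()
        if old[s].lower() != new[s].lower()
    )
    return {"created": created, "deleted": deleted, "renamed": renamed}


def format_report(result):
    """Render the comparison as text suitable for a mail body."""
    lines = []
    for old_name, new_name, sid in result["renamed"]:
        lines.append(f"RENAMED {old_name} -> {new_name} ({sid})")
    for name, sid in result["created"]:
        lines.append(f"CREATED {name} ({sid})")
    for name, sid in result["deleted"]:
        lines.append(f"DELETED {name} ({sid})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_snapshots(YESTERDAY, TODAY)))
```

In real use, pass in the contents of yesterday.txt and today.txt; a plain fc of the same files would show the rename as one removed and one added line, indistinguishable from a delete plus a create.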




Re: dell rant

2010-03-19 Thread Andrew S. Baker
It's not entirely a bogus motive that they have, however.

It's all about keeping the hardware compatibility list as short as possible
so that everything can be tested and verified and certified.    Different
devices have different tolerances and for certain industries, these kinds of
nuances are vital.   Not every situation warrants it, of course, but many
do, and it cuts down on support calls/costs.

-ASB: http://XeeSM.com/AndrewBaker


On Fri, Mar 19, 2010 at 12:56 PM, Benjamin Zachary - Lists <
li...@levelfive.us> wrote:

> I've been a solid dell guy for years but this is about as aggravating as it
> comes.
>
>
>
> We have a new server that cannot get the 2.5 15k rpm drives for several
> weeks due to manufacturing problems. We went and got drives from hp and the
> drive caddies so everything is great right?
>
>
>
> NOT, if you have a new Dell 700 raid controller you can only use Dell
> certified drives, the drives are ‘blocked’ on the controller
>
>
>
> From the manual "troubleshooting" section:
>
> Issue:
>
> One or more physical disks is displayed as Blocked and can not be
> configured.
>
>
>
> Corrective Action
>
> PERC H700 and PERC H800 cards support only Dell-certified SAS and SATA hard
> drives and solid-state drives (SSD). If you are using a Dell-certified drive
> but are still experiencing this problem, perform the following actions:
>
>
>
> 1. Check the backplane for damage.
>
> 2. Check the SAS cables.
>
> 3. Reseat the physical disk.
>
> 4. Contact Dell Technical Support if the problem persists
>
>
>
>
>
>


RE: Determining Password Complexity Requirements (UNCLASSIFIED)

2010-03-19 Thread Free, Bob
> every time she tries to set a local account's password

Probably a custom GINA/password filter. (I think there's an echo in here :-)

Those also come in local versions

The Army couldn't enforce the settings Larry gave below natively, they
have to use *something*


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 12:47 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements (UNCLASSIFIED)

 

Yeah, that sounds about like what we had to put in to get the system to
accept it.

 

I just can't figure out how that policy is being enforced...

 

 

 

From: Kent, Larry CTR US USA [mailto:larry.k...@us.army.mil] 
Sent: Friday, March 19, 2010 2:44 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements (UNCLASSIFIED)

 

Classification: UNCLASSIFIED
Caveats: FOUO

The Army's password requirements are:  minimum 14 chars, at least 2
uppercase, 2 lowercase, 2 numeric and 2 special characters

 

 

Larry Kent

AD/Exchange 2003 OU Administrator

Lockheed Martin

Natick R&D Center

Natick, MA 01760

DSN: 312.256.4981  Comm: 508.233.4981

mailto:larry.k...@us.army.mil

 

 

 

From: Carol Fee [mailto:c...@massbar.org] 
Sent: Friday, March 19, 2010 1:38 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements

 

How about asking the Army folks who sent you the machine ?

 

CFee

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 11:26 AM
To: NT System Admin Issues
Subject: Determining Password Complexity Requirements

 

We have a machine that the Army sent our ROTC folks, and it's giving us
a hard time. It's not our standard machine, and came pre-configured from
the Army. We joined it to our domain, and it seems to be picking up
group policy from the domain - but a couple of things still aren't right.

 

The biggest issue is that something on the machine seems to be requiring
passwords of greater complexity than our domain policy requires. What I
can't figure out is (A.) why that is and (B.) what those requirements
are. I had my technician run gpedit.msc on the machine and look under
Computer Configuration -> Windows Settings -> Security Settings ->
Account Policies -> Password Policy. All of the settings there match our
regular domain settings. And yet every time she tries to set a local
account's password to one that we know meets those requirements (because
it's one we use on multiple machines with no problems), Windows pops up
a dialog saying it doesn't meet the requirements. But if we put in a
(much) longer and more complex password, the system will take it.

 

I ran through the fix from MSKB 313222, but to no avail (although that
did fix several other settings the Army had imposed on the machine).

 

So, what the heck? Where is this machine getting its ideas about
password requirements from? And how can I determine what those
requirements are?

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us

 

 

 

 
 
 
NOTICE: Florida has a broad public records law. Most written
communications to or from this entity are public records that will be
disclosed to the public and the media upon request. E-mail
communications may be subject to public disclosure.
 
 

 

 

Classification: UNCLASSIFIED
Caveats: FOUO

 

 

 

 
 
 
NOTICE: Florida has a broad public records law. Most written
communications to or from this entity are public records that will be
disclosed to the public and the media upon request. E-mail
communications may be subject to public disclosure.


RE: Installing Win2K8 Server as DC Issue

2010-03-19 Thread John Bowles
Not yet, have a PSS call in right now.  This behavior happened before it became 
a DC.  It happened when the server was added to the domain.  As soon as I get 
the fix I will update this thread.  Thanks.

From: Jay Dale [mailto:jay.d...@3-gig.com]
Sent: Friday, March 19, 2010 3:55 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Have you tried demoting it and attempting RDP?

Jay Dale
I.T. Manager, 3GiG
Mobile: 713.299.2541
Email: jay.d...@3-gig.com

Confidentiality Notice: This e-mail, including any attached files, may contain 
confidential and/or privileged information for the sole use of the intended 
recipient. If you are not the intended recipient, you are hereby notified that 
any review, dissemination or copying of this e-mail and attachments, if any, or 
the information contained herein, is strictly prohibited. If you are not the 
intended recipient (or authorized to receive information for the intended 
recipient), please contact the sender by reply e-mail and delete all copies of 
this message.


From: HELP_PC [mailto:g...@enter.it]
Sent: Friday, March 19, 2010 12:19 PM
To: NT System Admin Issues
Subject: R: Installing Win2K8 Server as DC Issue

It is such a weird issue! I remember, some years ago, I started to have similar 
issues building an SBS2k3 box. (Permission issues when starting to create the 
domain.)
Found the RAID card driver was old and the sysvol couldn't be created properly.

GuidoElia
HELPPC



From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 17:29
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue
Still no joy!  Won't start!

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 12:23 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

I've added network service and local service to everywhere specified.. 
rebooting now

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 12:10 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

That's good to know, thanks!

Jeff

From: David Lum [mailto:david@nwea.org]
Sent: Friday, March 19, 2010 8:51 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

With Win2K8/Win7 in addition to disabling the firewall  you must also set the 
firewall service to DISABLED (manual might also work), otherwise Windows 
disables the NIC. If it sees firewall as AUTO but the firewall is off (even if 
you turn it off via GUI) it assumes malware has disabled the firewall so it 
nukes the NIC connection altogether.

Setting the service to DISABLED and THEN turning off the firewall will allow 
the NIC to remain active.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 7:54 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Hi Michael,

I'm probably beating a dead horse and shouldn't... But, on both my 2008 and 
2008 R2 servers, if I stop the windows firewall service, I can no longer 
connect to them via RDP, or access file shares, or even ping them for that 
matter. I agree, 2008 and 2008 R2 are very different beasts, but they do seem 
to have that behavior in common. At least that's my experience...

Of course, the important thing is why is this happening to John and how might 
he resolve it, and on that, I'm currently stumped.

Jeff

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, March 18, 2010 4:59 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Guys, y'all need to realize that y'all are comparing apples and oranges.

Server 2008 is NOT the same as Server 2008 R2.

Server 2008 R2 should've been called Server 2010. It's way different. It's not 
like 2003 R2 which was just a bunch of additional optional functionality.

Disabling or stopping the Windows Firewall service in Server 2008 R2 is not 
supported and will cause indeterminate behavior. If you want to not use the 
firewall, you need to open the Windows Firewall application and disable the 
appropriate profile.

This is a change in behavior between 2008 and 2008 R2.

Now, in 2008 R2, if the Windows Firewall won't start, then it WILL generate an 
error in one event log or another. You need to track that down and fix it! :-P

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 7:30 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

+1

Jeff, that's exactly the issue I'm having.  The Windows Firewall will not even 
start up or allow me to start it up to allow traffic to the DC.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Thursday, March 18, 2010 5:3

RE: Installing Win2K8 Server as DC Issue

2010-03-19 Thread Jay Dale
Have you tried demoting it and attempting RDP?

Jay Dale
I.T. Manager, 3GiG
Mobile: 713.299.2541
Email: jay.d...@3-gig.com

Confidentiality Notice: This e-mail, including any attached files, may contain 
confidential and/or privileged information for the sole use of the intended 
recipient. If you are not the intended recipient, you are hereby notified that 
any review, dissemination or copying of this e-mail and attachments, if any, or 
the information contained herein, is strictly prohibited. If you are not the 
intended recipient (or authorized to receive information for the intended 
recipient), please contact the sender by reply e-mail and delete all copies of 
this message.


From: HELP_PC [mailto:g...@enter.it]
Sent: Friday, March 19, 2010 12:19 PM
To: NT System Admin Issues
Subject: R: Installing Win2K8 Server as DC Issue

It is such a weird issue! I remember, some years ago, I started to have similar 
issues building an SBS2k3 box. (Permission issues when starting to create the 
domain.)
Found the RAID card driver was old and the sysvol couldn't be created properly.

GuidoElia
HELPPC



From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 17:29
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue
Still no joy!  Won't start!

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 12:23 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

I've added network service and local service to everywhere specified.. 
rebooting now

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 12:10 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

That's good to know, thanks!

Jeff

From: David Lum [mailto:david@nwea.org]
Sent: Friday, March 19, 2010 8:51 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

With Win2K8/Win7 in addition to disabling the firewall  you must also set the 
firewall service to DISABLED (manual might also work), otherwise Windows 
disables the NIC. If it sees firewall as AUTO but the firewall is off (even if 
you turn it off via GUI) it assumes malware has disabled the firewall so it 
nukes the NIC connection altogether.

Setting the service to DISABLED and THEN turning off the firewall will allow 
the NIC to remain active.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 7:54 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Hi Michael,

I'm probably beating a dead horse and shouldn't... But, on both my 2008 and 
2008 R2 servers, if I stop the windows firewall service, I can no longer 
connect to them via RDP, or access file shares, or even ping them for that 
matter. I agree, 2008 and 2008 R2 are very different beasts, but they do seem 
to have that behavior in common. At least that's my experience...

Of course, the important thing is why is this happening to John and how might 
he resolve it, and on that, I'm currently stumped.

Jeff

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, March 18, 2010 4:59 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Guys, y'all need to realize that y'all are comparing apples and oranges.

Server 2008 is NOT the same as Server 2008 R2.

Server 2008 R2 should've been called Server 2010. It's way different. It's not 
like 2003 R2 which was just a bunch of additional optional functionality.

Disabling or stopping the Windows Firewall service in Server 2008 R2 is not 
supported and will cause indeterminate behavior. If you want to not use the 
firewall, you need to open the Windows Firewall application and disable the 
appropriate profile.

This is a change in behavior between 2008 and 2008 R2.

Now, in 2008 R2, if the Windows Firewall won't start, then it WILL generate an 
error in one event log or another. You need to track that down and fix it! :-P

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 7:30 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

+1

Jeff, that's exactly the issue I'm having.  The Windows Firewall will not even 
start up or allow me to start it up to allow traffic to the DC.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Thursday, March 18, 2010 5:35 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

If I stop the Windows Firewall service on my 2008 servers, I can no longer RDP 
to it. So, what I meant by off is, the service is stopped, which is the case 
for John, whose firewall service won't start at all.

From: N Parr [mailto:npar...@mortonind.com]
Sent: Thursday, March 18

RE: Determining Password Complexity Requirements (UNCLASSIFIED)

2010-03-19 Thread Damien Solodow
Custom password filter most likely. I don't remember offhand how those
are installed/configured but it should be a good place to start
googling..

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 3:47 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements (UNCLASSIFIED)

 

Yeah, that sounds about like what we had to put in to get the system to
accept it.

 

I just can't figure out how that policy is being enforced...

 

 

 

From: Kent, Larry CTR US USA [mailto:larry.k...@us.army.mil] 
Sent: Friday, March 19, 2010 2:44 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements (UNCLASSIFIED)

 

Classification: UNCLASSIFIED
Caveats: FOUO

The Army's password requirements are:  minimum 14 chars, at least 2
uppercase, 2 lowercase, 2 numeric and 2 special characters

 

 

Larry Kent

AD/Exchange 2003 OU Administrator

Lockheed Martin

Natick R&D Center

Natick, MA 01760

DSN: 312.256.4981  Comm: 508.233.4981

mailto:larry.k...@us.army.mil

 

 

 

From: Carol Fee [mailto:c...@massbar.org] 
Sent: Friday, March 19, 2010 1:38 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements

 

How about asking the Army folks who sent you the machine ?

 

CFee

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 11:26 AM
To: NT System Admin Issues
Subject: Determining Password Complexity Requirements

 

We have a machine that the Army sent our ROTC folks, and it's giving us
a hard time. It's not our standard machine, and came pre-configured from
the Army. We joined it to our domain, and it seems to be picking up
group policy from the domain - but a couple of things still aren't right.

 

The biggest issue is that something on the machine seems to be requiring
passwords of greater complexity than our domain policy requires. What I
can't figure out is (A.) why that is and (B.) what those requirements
are. I had my technician run gpedit.msc on the machine and look under
Computer Configuration -> Windows Settings -> Security Settings ->
Account Policies -> Password Policy. All of the settings there match our
regular domain settings. And yet every time she tries to set a local
account's password to one that we know meets those requirements (because
it's one we use on multiple machines with no problems), Windows pops up
a dialog saying it doesn't meet the requirements. But if we put in a
(much) longer and more complex password, the system will take it.

 

I ran through the fix from MSKB 313222, but to no avail (although that
did fix several other settings the Army had imposed on the machine).

 

So, what the heck? Where is this machine getting its ideas about
password requirements from? And how can I determine what those
requirements are?

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us

 

 

 

 
 
 
NOTICE: Florida has a broad public records law. Most written
communications to or from this entity are public records that will be
disclosed to the public and the media upon request. E-mail
communications may be subject to public disclosure.
 
 

 

 

Classification: UNCLASSIFIED
Caveats: FOUO

 

 

 

 
 
 
NOTICE: Florida has a broad public records law. Most written
communications to or from this entity are public records that will be
disclosed to the public and the media upon request. E-mail
communications may be subject to public disclosure.
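
On the password filter suggestion above: Windows loads password filter DLLs named in the "Notification Packages" value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so comparing that value against a known-good build shows whether something extra is vetting local password changes. This is an added example, not code from the thread; the captured output, the filter name "examplepwfilt", the baseline set and the definition of "special" as any non-alphanumeric character are constructed assumptions.

```python
import re

# Constructed sample of what
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"
# prints; reg.exe separates REG_MULTI_SZ entries with a literal "\0".
# "examplepwfilt" is a made-up name standing in for a third-party filter.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0examplepwfilt
"""

# Assumption: packages present on your own standard build. Capture the real
# list from a known-good machine rather than trusting this set.
BASELINE_PACKAGES = {"scecli", "rassfm"}

# The rule quoted in the thread: minimum 14 characters, at least 2 uppercase,
# 2 lowercase, 2 numeric and 2 special characters.
STATED_RULE = {"length": 14, "upper": 2, "lower": 2, "digit": 2, "special": 2}


def parse_notification_packages(reg_output):
    """Extract the package names from captured `reg query` output."""
    pattern = re.compile(r"\s*Notification Packages\s+REG_MULTI_SZ\s+(.*)$", re.I)
    for line in reg_output.splitlines():
        match = pattern.match(line)
        if match:
            return [p.strip() for p in match.group(1).split("\\0") if p.strip()]
    return []  # value missing: no packages registered


def unexpected_packages(reg_output, baseline=BASELINE_PACKAGES):
    """Names registered on this machine that are not in the baseline."""
    known = {b.lower() for b in baseline}
    return [p for p in parse_notification_packages(reg_output)
            if p.lower() not in known]


def unmet_requirements(password, rule=STATED_RULE):
    """Return {requirement: (have, need)} for each part of the rule not met."""
    have = {
        "length": len(password),
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        # Assumption: "special" means anything that is not a letter or digit.
        "special": sum(not c.isalnum() for c in password),
    }
    return {k: (have[k], need) for k, need in rule.items() if have[k] < need}


if __name__ == "__main__":
    print("Packages outside baseline:", unexpected_packages(SAMPLE_REG_OUTPUT))
    for candidate in ("Summer2010!", "CorrectHorse#42!Battery"):  # constructed
        print(candidate, "->", unmet_requirements(candidate) or "meets stated rule")
```

Each name in the value corresponds to a DLL of the same name in %SystemRoot%\System32; any name outside the baseline is the file to inspect and ask the machine's supplier about.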


RE: Determining Password Complexity Requirements (UNCLASSIFIED)

2010-03-19 Thread John Hornbuckle
Yeah, that sounds about like what we had to put in to get the system to accept 
it.

I just can't figure out how that policy is being enforced...



From: Kent, Larry CTR US USA [mailto:larry.k...@us.army.mil]
Sent: Friday, March 19, 2010 2:44 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: FOUO
The Army's password requirements are:  minimum 14 chars, at least 2 uppercase, 
2 lowercase, 2 numeric and 2 special characters


Larry Kent
AD/Exchange 2003 OU Administrator
Lockheed Martin
Natick R&D Center
Natick, MA 01760
DSN: 312.256.4981  Comm: 508.233.4981
mailto:larry.k...@us.army.mil



From: Carol Fee [mailto:c...@massbar.org]
Sent: Friday, March 19, 2010 1:38 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements

How about asking the Army folks who sent you the machine ?

CFee
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Friday, March 19, 2010 11:26 AM
To: NT System Admin Issues
Subject: Determining Password Complexity Requirements

We have a machine that the Army sent our ROTC folks, and it's giving us a hard 
time. It's not our standard machine, and came pre-configured from the Army. We 
joined it to our domain, and it seems to be picking up group policy from the 
domain - but a couple of things still aren't right.

The biggest issue is that something on the machine seems to be requiring 
passwords of greater complexity than our domain policy requires. What I can't 
figure out is (A.) why that is and (B.) what those requirements are. I had my 
technician run gpedit.msc on the machine and look under Computer Configuration 
-> Windows Settings -> Security Settings -> Account Policies -> Password 
Policy. All of the settings there match our regular domain settings. And yet 
every time she tries to set a local account's password to one that we know 
meets those requirements (because it's one we use on multiple machines with no 
problems), Windows pops up a dialog saying it doesn't meet the requirements. 
But if we put in a (much) longer and more complex password, the system will 
take it.

I ran through the fix from MSKB 313222, but to no avail (although that did fix 
several other settings the Army had imposed on the machine).

So, what the heck? Where is this machine getting its ideas about password 
requirements from? And how can I determine what those requirements are?



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us











NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.








Classification: UNCLASSIFIED
Caveats: FOUO







NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.


RE: Determining Password Complexity Requirements (UNCLASSIFIED)

2010-03-19 Thread Kent, Larry CTR US USA
Classification: UNCLASSIFIED
Caveats: FOUO

The Army's password requirements are:  minimum 14 chars, at least 2
uppercase, 2 lowercase, 2 numeric and 2 special characters

 

 

Larry Kent

AD/Exchange 2003 OU Administrator

Lockheed Martin

Natick R&D Center

Natick, MA 01760

DSN: 312.256.4981  Comm: 508.233.4981

mailto:larry.k...@us.army.mil

 

 

 

From: Carol Fee [mailto:c...@massbar.org] 
Sent: Friday, March 19, 2010 1:38 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements

 

How about asking the Army folks who sent you the machine ?

 

CFee

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 11:26 AM
To: NT System Admin Issues
Subject: Determining Password Complexity Requirements

 

We have a machine that the Army sent our ROTC folks, and it's giving us
a hard time. It's not our standard machine, and came pre-configured from
the Army. We joined it to our domain, and it seems to be picking up
group policy from the domain-but a couple of things still aren't right.

 

The biggest issue is that something on the machine seems to be requiring
passwords of greater complexity than our domain policy requires. What I
can't figure out is (A.) why that is and (B.) what those requirements
are. I had my technician run gpedit.msc on the machine and look under
Computer Configuration -> Windows Settings -> Security Settings ->
Account Policies -> Password Policy. All of the settings there match our
regular domain settings. And yet every time she tries to set a local
account's password to one that we know meets those requirements (because
it's one we use on multiple machines with no problems), Windows pops up
a dialog saying it doesn't meet the requirements. But if we put in a
(much) longer and more complex password, the system will take it.

 

I ran through the fix from MSKB 313222, but to no avail (although that
did fix several other settings the Army had imposed on the machine).

 

So, what the heck? Where is this machine getting its ideas about
password requirements from? And how can I determine what those
requirements are?

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us

 

 

 

 
 
 
 
 

 

 

Classification: UNCLASSIFIED
Caveats: FOUO



TS 2008 and drive redirection

2010-03-19 Thread Richard Stovall
Got a couple of questions for all-a-y'alls on a Friday afternoon.

Environment is TS 2008 on Server 2008 (not R2) with a single NIC.

Can I disable drive redirection for TS Gateway and traditional TS
(remote desktop) users, but enable it for RemoteApp?  It seems to be a
global on/off setting on the underlying RDP-TCP connection.   Even if
you enable it on the RemoteApps, it doesn't work until you enable it
on the connection.  This opens an avenue to directly transfer data for
other types of clients that I would like to keep closed.

Many thanks,
RS



Re: Determining Password Complexity Requirements

2010-03-19 Thread John Cook
Sounds to me like it has some malware (wink) I'd nuke it and rebuild!


From: Free, Bob
To: NT System Admin Issues
Sent: Fri Mar 19 15:01:25 2010
Subject: RE: Determining Password Complexity Requirements

Does it have a custom GINA?


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Friday, March 19, 2010 10:46 AM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements

Thanks—we’ll check this out.

The other weird thing is that we can’t access the machine via Remote Desktop or 
Remote Assistance. We have group policies to enable these, but either they’re 
not accepting connections on this machine or there’s some other software 
blocking access. We checked Windows built-in firewall, and it’s configured to 
allow (our domain policies configure this). Grrr….




From: Joe Tinney [mailto:jtin...@lastar.com]
Sent: Friday, March 19, 2010 1:39 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements

John,
Try running secpol.msc (Local Security Policy) and looking at 
Account Policies > Password Policies and see if that differs from the 
information you are seeing in gpedit.msc (Local Group Policy). I can’t recall 
if they are different or if they operate independently, but it can’t hurt. 
Also, from my experience, this is one of those settings that doesn’t revert 
itself once the policy is no longer applied to the machine. I’ve had to go in 
and manually change this when we’ve needed to take the machines off the domain 
and use them for other purposes.

Best of luck,
Joe

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Friday, March 19, 2010 11:26 AM
To: NT System Admin Issues
Subject: Determining Password Complexity Requirements

We have a machine that the Army sent our ROTC folks, and it’s giving us a hard 
time. It’s not our standard machine, and came pre-configured from the Army. We 
joined it to our domain, and it seems to be picking up group policy from the 
domain—but a couple of things still aren’t right.

The biggest issue is that something on the machine seems to be requiring 
passwords of greater complexity than our domain policy requires. What I can’t 
figure out is (A.) why that is and (B.) what those requirements are. I had my 
technician run gpedit.msc on the machine and look under Computer Configuration 
-> Windows Settings -> Security Settings -> Account Policies -> Password 
Policy. All of the settings there match our regular domain settings. And yet 
every time she tries to set a local account’s password to one that we know 
meets those requirements (because it’s one we use on multiple machines with no 
problems), Windows pops up a dialog saying it doesn’t meet the requirements. 
But if we put in a (much) longer and more complex password, the system will 
take it.

I ran through the fix from MSKB 313222, but to no avail (although that did fix 
several other settings the Army had imposed on the machine).

So, what the heck? Where is this machine getting its ideas about password 
requirements from? And how can I determine what those requirements are?



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us












RE: Determining Password Complexity Requirements

2010-03-19 Thread Free, Bob
Does it have a custom GINA?



From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 10:46 AM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements



Thanks-we'll check this out.

 

The other weird thing is that we can't access the machine via Remote
Desktop or Remote Assistance. We have group policies to enable these,
but either they're not accepting connections on this machine or there's
some other software blocking access. We checked Windows built-in
firewall, and it's configured to allow (our domain policies configure
this). Grrr

 

 

 

 

From: Joe Tinney [mailto:jtin...@lastar.com] 
Sent: Friday, March 19, 2010 1:39 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements

 

John,

Try running secpol.msc (Local Security Policy) and
looking at Account Policies > Password Policies and see if that differs
from the information you are seeing in gpedit.msc (Local Group Policy).
I can't recall if they are different or if they operate independently,
but it can't hurt. Also, from my experience, this is one of those
settings that doesn't revert itself once the policy is no longer applied
to the machine. I've had to go in and manually change this when we've
needed to take the machines off the domain and use them for other
purposes.

 

Best of luck,

Joe

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 11:26 AM
To: NT System Admin Issues
Subject: Determining Password Complexity Requirements

 

We have a machine that the Army sent our ROTC folks, and it's giving us
a hard time. It's not our standard machine, and came pre-configured from
the Army. We joined it to our domain, and it seems to be picking up
group policy from the domain-but a couple of things still aren't right.

 

The biggest issue is that something on the machine seems to be requiring
passwords of greater complexity than our domain policy requires. What I
can't figure out is (A.) why that is and (B.) what those requirements
are. I had my technician run gpedit.msc on the machine and look under
Computer Configuration -> Windows Settings -> Security Settings ->
Account Policies -> Password Policy. All of the settings there match our
regular domain settings. And yet every time she tries to set a local
account's password to one that we know meets those requirements (because
it's one we use on multiple machines with no problems), Windows pops up
a dialog saying it doesn't meet the requirements. But if we put in a
(much) longer and more complex password, the system will take it.

 

I ran through the fix from MSKB 313222, but to no avail (although that
did fix several other settings the Army had imposed on the machine).

 

So, what the heck? Where is this machine getting its ideas about
password requirements from? And how can I determine what those
requirements are?

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us
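
The checks suggested in this thread (the effective local security policy, a replacement GINA) can be run together from an elevated PowerShell prompt; this is an added example, not code posted by anyone on the list. The `$Expected` values are placeholders for your own domain settings, and looking at the LSA "Notification Packages" list is an assumption added here: the built-in policy cannot express per-character-class counts, so a registered password filter DLL is one place such rules could come from.

```powershell
# Added example: run from an elevated PowerShell prompt on the affected machine.
# Placeholder values: replace with the password settings your domain GPO defines.
$Expected = @{ MinimumPasswordLength = 8; PasswordComplexity = 1; PasswordHistorySize = 5 }

function Get-EffectivePasswordPolicy {
    # secedit exports the settings currently in force (what secpol.msc displays).
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'secedit /export failed (is the prompt elevated?)' }

    $policy = @{}
    $inSystemAccess = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') {
            # Only the [System Access] section carries the password settings.
            $inSystemAccess = ($Matches[1] -eq 'System Access')
        } elseif ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    $policy
}

function Get-PasswordFilterPackage {
    # DLLs listed here are called by LSA on every password change and can reject
    # a password for reasons the policy editors never show.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    @($lsa.'Notification Packages') | Where-Object { $_ }
}

function Get-GinaOverride {
    # Windows XP / Server 2003 only: a GinaDLL value means a replacement GINA is
    # installed; when the value is absent the stock msgina.dll is used.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    (Get-ItemProperty -Path $key).GinaDLL
}

# 1. Effective policy versus what the domain is supposed to deliver.
$effective = Get-EffectivePasswordPolicy
foreach ($name in $Expected.Keys) {
    $actual = $effective[$name]
    $state  = if ([string]$actual -eq [string]$Expected[$name]) { 'matches' } else { 'DIFFERS' }
    '{0,-24} expected={1,-4} effective={2,-4} {3}' -f $name, $Expected[$name], $actual, $state
}

# 2. Password filters. The "stock" list is an assumption and varies by Windows version.
$stock = 'scecli', 'rassfm'
$extra = @(Get-PasswordFilterPackage | Where-Object { $stock -notcontains $_ })
if ($extra.Count -eq 0) {
    'No non-default LSA notification packages registered.'
} else {
    foreach ($name in $extra) {
        $dll = Join-Path $env:SystemRoot "System32\$name.dll"
        $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'file not found' }
        "Non-default notification package: $name ($dll, signature: $sig)"
    }
}

# 3. Replacement GINA, as asked in the thread.
$gina = Get-GinaOverride
if ($gina) {
    "Custom GINA registered: $gina"
} else {
    'No GinaDLL value set (stock logon UI).'
}
```

If step 1 matches the domain settings while passwords are still rejected, whatever steps 2 and 3 report is the next thing to investigate.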

 

 

 

 
 
 

Re: NTFS Permissions Questions

2010-03-19 Thread Kurt Buff
One file/directory resource, two groups. For instance, a share:
\\fileserver\share and a set of directories \\fileserver\share\dir1
and \\fileserver\share\dir2

I'll have 4 groups: FileserverShareDir1-RO, FileserverShareDir1-RW,
FileserverShareDir2-RO and FileserverShareDir2-RW

The share will have full permissions for Domain Users (not Everyone),
and the directory to which the share is applied (\\fileserver\share)
will have Read permissions, "This Folder Only", for Domain Users.

I then apply the permissions for the four groups above, with
appropriate permissions (Read for the RO group, and Modify for the RW
group) to the directories below, with "This Folder, Subfolders and
Files".

This assumes that you won't be applying permissions below the
\\fileserver\share\dir1 level. If that's not the case, then add groups
and adjust permissions as needed.

There's a bit more to it than that, but that's the gist of it.

Kurt

On Fri, Mar 19, 2010 at 06:57, Jason Morris  wrote:
> I’m looking at cleaning up some of our more ornery areas and want to know if
> anybody has some opinions/real world experience they’d be willing to share.
> From my perspective everything is working ok speed-wise but I want to know
> what other people are doing.
>
>
>
> We have a series of folders in one share that not all users with access to
> the share will be utilizing. Some will have “Folder A / Folder B / and
> Folder C” but not “Folder D / Folder E / and Folder F”. And others will be
> mixing and matching.
>
>
>
> I prefer to give groups permissions to the folders and put the users in the
> groups. But this might mean there will be 10 groups on Folder A. This might
> also mean User George will be a member of 20 groups. This is how I have it
> now and it’s working ok speed-wise. (it’s ornery because we’ve had requests
> here and there for individuals to access a folder and we’ve had to tweak
> security for the individual user)
>
>
>
> Is it better/faster to have groups checked in the ACL or have it some other
> way?
>
>
>
> Inquiring minds want to know.
>
> --
>
> Jason Morris
>
> MJMC, Inc.
>
> P: 708-225-2350
>
> F: 708-943-9015
>
>
>
>
>
>
>
>
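
The layout described at the top of this message, written out with icacls as an added example (not code from the thread). The domain name CONTOSO and the local path D:\Shares\share are assumptions, the four groups are assumed to exist already, and removing inherited ACEs from the share root is a step added here so that nothing broad flows down from the drive.

```powershell
# Added example. Assumed values (not from the thread): domain CONTOSO, and
# D:\Shares\share as the local folder published as \\fileserver\share.
$Domain = 'CONTOSO'
$Root   = 'D:\Shares\share'
$Dirs   = 'dir1', 'dir2'

function Invoke-Icacls {
    # Run icacls and stop on the first failure so a half-applied ACL is noticed.
    param([string[]]$Arguments)
    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($Arguments -join ' ')" }
}

# Share permission (Full Control for Domain Users, not Everyone) is set when the
# share is created, for example:
#   net share "share=D:\Shares\share" "/GRANT:CONTOSO\Domain Users,FULL"
# NTFS permissions below do the actual restriction.

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# 1. Share root: make administrative access explicit first, then drop inherited
#    ACEs (added step, see lead-in) so the folder only carries what is set here.
Invoke-Icacls @($Root, '/grant:r',
                'BUILTIN\Administrators:(OI)(CI)(F)',
                'NT AUTHORITY\SYSTEM:(OI)(CI)(F)')
Invoke-Icacls @($Root, '/inheritance:r')

# 2. Domain Users: Read on the share root, "This Folder Only". Leaving out the
#    (OI)/(CI) flags is what keeps the ACE from propagating to dir1 and dir2.
Invoke-Icacls @($Root, '/grant:r', "$Domain\Domain Users:(R)")

foreach ($dir in $Dirs) {
    $path  = Join-Path $Root $dir
    $label = $dir.Substring(0, 1).ToUpper() + $dir.Substring(1)   # dir1 -> Dir1
    $ro    = "$Domain\FileserverShare${label}-RO"
    $rw    = "$Domain\FileserverShare${label}-RW"

    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # 3. Read for the RO group, Modify for the RW group, applied to
    #    "This Folder, Subfolders and Files" = (OI)(CI).
    Invoke-Icacls @($path, '/grant:r', "${ro}:(OI)(CI)(R)", "${rw}:(OI)(CI)(M)")

    # 4. Verify that no broad principal ended up with rights on the subfolder.
    $broad = (Get-Acl -Path $path).Access | Where-Object {
        $_.IdentityReference.Value -match '(Domain Users|Everyone|Authenticated Users|BUILTIN\\Users)$'
    }
    if ($broad) {
        $names = ($broad | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        Write-Warning "$path still grants access to: $names"
    } else {
        "$path : only $ro, $rw and the administrative ACEs apply"
    }
}
```

After this, access changes are group membership changes only; the ACLs themselves are not touched again.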




Re: Watchguard is full of surprises around every corner.

2010-03-19 Thread James Kerr
Saw your other post. We are using the IPSEC client with XP. This concerns 
me, we are going to start adding some Win 7 machines soon.



- Original Message - 
From: "James Kerr" 

To: "NT System Admin Issues" 
Sent: Friday, March 19, 2010 2:31 PM
Subject: Re: Watchguard is full of surprises around every corner.


I been using the mobile user VPN client from watchguard for years for our 
notebooks in the field and it has never required admin rights to use it. 
You only need admin rights to install the software.


James

- Original Message - 
From: "Phillip Partipilo" 

To: "NT System Admin Issues" 
Sent: Friday, March 19, 2010 1:48 PM
Subject: Watchguard is full of surprises around every corner.


Let's put aside that our Firebox has not exactly been a walk in the park, 
nor has their support been very helpful.  Another company we do business 
with also has a Watchguard appliance, and some users need to VPN into 
their system.  Their VPN client software requires local admin privileges 
to work. A vendor... of a Security Product... requiring local admin... 
Requiring the entire system to be wide open to a regular user.  Are 
they trying to be a vendor of a security product?



Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107






Re: Watchguard is full of surprises around every corner.

2010-03-19 Thread James Kerr
I been using the mobile user VPN client from watchguard for years for our 
notebooks in the field and it has never required admin rights to use it. You 
only need admin rights to install the software.


James

- Original Message - 
From: "Phillip Partipilo" 

To: "NT System Admin Issues" 
Sent: Friday, March 19, 2010 1:48 PM
Subject: Watchguard is full of surprises around every corner.


Let's put aside that our Firebox has not exactly been a walk in the park, 
nor has their support been very helpful.  Another company we do business 
with also has a Watchguard appliance, and some users need to VPN into their 
system.  Their VPN client software requires local admin privileges to work. 
A vendor... of a Security Product... requiring local admin...  Requiring the 
entire system to be wide open to a regular user.  Are they trying to be 
a vendor of a security product?



Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107






Re: Watchguard is full of surprises around every corner.

2010-03-19 Thread Jonathan Link
Nice!

On Fri, Mar 19, 2010 at 2:02 PM, Phillip Partipilo  wrote:

> This particular company that we access via VPN uses their SSL Access
> Client.  The vendor even admits requiring admin rights... :
>
> http://watchguard.custhelp.com/cgi-bin/watchguard.cfg/php/enduser/std_adp.php?p_faqid=2404&p_created=1248804534
>
> /me facepalms
>
> Phillip Partipilo
> Parametric Solutions Inc.
> Jupiter, Florida
> (561) 747-6107
>
>
>
>
>
>
>
> -Original Message-
> From: greg.swe...@actsconsulting.net [mailto:greg.swe...@actsconsulting.net]
> Sent: Friday, March 19, 2010 1:51 PM
> To: NT System Admin Issues
> Subject: RE: Watchguard is full of surprises around every corner.
>
> Really..what version are they on?  We don't use the MUVPN very often,
> but on their latest version I don't remember having to grant admin
> rights after the install to make the software work.
>
> -Original Message-
> From: Phillip Partipilo [mailto:p...@psnet.com]
> Sent: Friday, March 19, 2010 1:49 PM
> To: NT System Admin Issues
> Subject: Watchguard is full of surprises around every corner.
>
> Let's put aside that our Firebox has not exactly been a walk in the
> park, nor has their support been very helpful.  Another company we do
> business with also has a Watchguard appliance, and some users need to
> VPN into their system.  Their VPN client software requires local admin
> privileges to work.  A vendor... of a Security Product... requiring
> local admin...  Requiring the entire system to be wide open to a regular
> user.  Are they trying to be a vendor of a security product?
>
> Phillip Partipilo
> Parametric Solutions Inc.
> Jupiter, Florida
> (561) 747-6107
>
>
>
>
>
>
>
>
>

Re: Made me chuckle

2010-03-19 Thread Michael Leone
On Fri, Mar 19, 2010 at 1:06 PM, Jacob  wrote:
> “The troubles stopped five days later, when Texas Auto Center reset the
> Webtech Plus passwords for all its employee accounts…”
>
>
>
> An employee is let go and he or she still has access???

I think the point was that the fired employee knew *another*
employee's password, hence he was able to wreak havoc, until they went
to the draconian step of changing *all* employee passwords.




Re: NTFS Permissions Questions

2010-03-19 Thread Steven Peck
What Charlie said.  We will create a group for every share.  Even if
it's one user.  In general, we will not drill down and create custom
file level permissions below the top level.  It has prevented ever so
many problems.  Also we can offload add/removes to the accounts admin
group.  Managers fill out a form requesting access, they grant it.

On Fri, Mar 19, 2010 at 9:39 AM, Charlie Kaiser
 wrote:
> Users into domain groups, folders permissioned with local groups, local
> groups have the domain groups added. Having a user be a member of 10-20
> groups is no big deal.
>
> So folder A will have two local groups permissioned on it; foldernameRW
> and foldernameRO. The required domain security groups are then added to one
> of those two local groups. That way you also only have two local groups
> permed on the folder.
>
> Doing it this way means you never have to reapply permissions to the file
> structure, just change group memberships.
>
> I've also used ABE (access-based enumeration) to limit what people can see
> in that folder structure.
>
> ***
> Charlie Kaiser
> charl...@golden-eagle.org
> Kingman, AZ
> ***
>
>> -Original Message-
>> From: Jason Morris [mailto:jmor...@mjmc.com]
>> Sent: Friday, March 19, 2010 6:57 AM
>> To: NT System Admin Issues
>> Subject: NTFS Permissions Questions
>>
>> I'm looking at cleaning up some of our more ornery areas and
>> want to know if anybody has some opinions/real world
>> experience they'd be willing to share. From my perspective
>> everything is working ok speed-wise but I want to know what
>> other people are doing.
>>
>>
>>
>> We have a series of folders in one share that not all users
>> with access to the share will be utilizing. Some will have
>> "Folder A / Folder B / and Folder C" but not "Folder D /
>> Folder E / and Folder F". And others will be mixing and matching.
>>
>>
>>
>> I prefer to give groups permissions to the folders and put
>> the users in the groups. But this might mean there will be 10
>> groups on Folder A. This might also mean User George will be
>> a member of 20 groups. This is how I have it now and it's
>> working ok speed-wise. (it's ornery because we've had
>> requests here and there for individuals to access a folder
>> and we've had to tweak security for the individual user)
>>
>>
>>
>> Is it better/faster to have groups checked in the ACL or have
>> it some other way?
>>
>>
>>
>> Inquiring minds want to know.
>>
>> --
>>
>> Jason Morris
>>
>> MJMC, Inc.
>>
>> P: 708-225-2350
>>
>> F: 708-943-9015
>>
>>
>>
>>
>>
>>
>>



RE: Watchguard is full of surprises around every corner.

2010-03-19 Thread Phillip Partipilo
This particular company that we access via VPN uses their SSL Access Client.
The vendor even admits requiring admin rights... :

http://watchguard.custhelp.com/cgi-bin/watchguard.cfg/php/enduser/std_adp.php?p_faqid=2404&p_created=1248804534

/me facepalms

Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107







-Original Message-
From: greg.swe...@actsconsulting.net [mailto:greg.swe...@actsconsulting.net]
Sent: Friday, March 19, 2010 1:51 PM
To: NT System Admin Issues
Subject: RE: Watchguard is full of surprises around every corner.

Really..what version are they on?  We don't use the MUVPN very often,
but on their latest version I don't remember having to grant admin
rights after the install to make the software work.

-Original Message-
From: Phillip Partipilo [mailto:p...@psnet.com]
Sent: Friday, March 19, 2010 1:49 PM
To: NT System Admin Issues
Subject: Watchguard is full of surprises around every corner.

Let's put aside that our Firebox has not exactly been a walk in the
park, nor has their support been very helpful.  Another company we do
business with also has a Watchguard appliance, and some users need to
VPN into their system.  Their VPN client software requires local admin
privileges to work.  A vendor... of a Security Product... requiring
local admin...  Requiring the entire system to be wide open to a regular
user.  Are they trying to be a vendor of a security product?

Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107










RE: Watchguard is full of surprises around every corner.

2010-03-19 Thread greg.sweers
Really..what version are they on?  We don't use the MUVPN very often,
but on their latest version I don't remember having to grant admin
rights after the install to make the software work.

-Original Message-
From: Phillip Partipilo [mailto:p...@psnet.com] 
Sent: Friday, March 19, 2010 1:49 PM
To: NT System Admin Issues
Subject: Watchguard is full of surprises around every corner.

Let's put aside that our Firebox has not exactly been a walk in the
park, nor has their support been very helpful.  Another company we do
business with also has a Watchguard appliance, and some users need to
VPN into their system.  Their VPN client software requires local admin
privileges to work.  A vendor... of a Security Product... requiring
local admin...  Requiring the entire system to be wide open to a regular
user.  Are they trying to be a vendor of a security product?


Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107






Watchguard is full of surprises around every corner.

2010-03-19 Thread Phillip Partipilo
Let's put aside that our Firebox has not exactly been a walk in the park, nor 
has their support been very helpful.  Another company we do business with also 
has a Watchguard appliance, and some users need to VPN into their system.  
Their VPN client software requires local admin privileges to work.  A vendor... 
of a Security Product... requiring local admin...  Requiring the entire system 
to be wide open to a regular user.  Are they trying to be a vendor of a 
security product?


Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107






RE: Determining Password Complexity Requirements

2010-03-19 Thread John Hornbuckle
Thanks—we’ll check this out.

The other weird thing is that we can’t access the machine via Remote Desktop or 
Remote Assistance. We have group policies to enable these, but either they’re 
not accepting connections on this machine or there’s some other software 
blocking access. We checked Windows built-in firewall, and it’s configured to 
allow (our domain policies configure this). Grrr….




From: Joe Tinney [mailto:jtin...@lastar.com]
Sent: Friday, March 19, 2010 1:39 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements

John,
Try running secpol.msc (Local Security Policy) and looking at 
Account Policies > Password Policies and see if that differs from the 
information you are seeing in gpedit.msc (Local Group Policy). I can’t recall 
if they are different or if they operate independently, but it can’t hurt. 
Also, from my experience, this is one of those settings that doesn’t revert 
itself once the policy is no longer applied to the machine. I’ve had to go in 
and manually change this when we’ve needed to take the machines off the domain 
and use them for other purposes.

Best of luck,
Joe

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Friday, March 19, 2010 11:26 AM
To: NT System Admin Issues
Subject: Determining Password Complexity Requirements

We have a machine that the Army sent our ROTC folks, and it’s giving us a hard 
time. It’s not our standard machine, and came pre-configured from the Army. We 
joined it to our domain, and it seems to be picking up group policy from the 
domain—but a couple of things still aren’t right.

The biggest issue is that something on the machine seems to be requiring 
passwords of greater complexity than our domain policy requires. What I can’t 
figure out is (A.) why that is and (B.) what those requirements are. I had my 
technician run gpedit.msc on the machine and look under Computer Configuration 
-> Windows Settings -> Security Settings -> Account Policies -> Password 
Policy. All of the settings there match our regular domain settings. And yet 
every time she tries to set a local account’s password to one that we know 
meets those requirements (because it’s one we use on multiple machines with no 
problems), Windows pops up a dialog saying it doesn’t meet the requirements. 
But if we put in a (much) longer and more complex password, the system will 
take it.

I ran through the fix from MSKB 313222, but to no avail (although that did fix 
several other settings the Army had imposed on the machine).

So, what the heck? Where is this machine getting its ideas about password 
requirements from? And how can I determine what those requirements are?



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us











NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.


RE: Determining Password Complexity Requirements

2010-03-19 Thread John Hornbuckle
We’ve tried working with Army’s tech support folks before. Not an easy task.




From: Carol Fee [mailto:c...@massbar.org]
Sent: Friday, March 19, 2010 1:38 PM
To: NT System Admin Issues
Subject: RE: Determining Password Complexity Requirements

How about asking the Army folks who sent you the machine?

CFee
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Friday, March 19, 2010 11:26 AM
To: NT System Admin Issues
Subject: Determining Password Complexity Requirements

We have a machine that the Army sent our ROTC folks, and it’s giving us a hard 
time. It’s not our standard machine, and came pre-configured from the Army. We 
joined it to our domain, and it seems to be picking up group policy from the 
domain—but a couple of things still aren’t right.

The biggest issue is that something on the machine seems to be requiring 
passwords of greater complexity than our domain policy requires. What I can’t 
figure out is (A.) why that is and (B.) what those requirements are. I had my 
technician run gpedit.msc on the machine and look under Computer Configuration 
-> Windows Settings -> Security Settings -> Account Policies -> Password 
Policy. All of the settings there match our regular domain settings. And yet 
every time she tries to set a local account’s password to one that we know 
meets those requirements (because it’s one we use on multiple machines with no 
problems), Windows pops up a dialog saying it doesn’t meet the requirements. 
But if we put in a (much) longer and more complex password, the system will 
take it.

I ran through the fix from MSKB 313222, but to no avail (although that did fix 
several other settings the Army had imposed on the machine).

So, what the heck? Where is this machine getting its ideas about password 
requirements from? And how can I determine what those requirements are?



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us













RE: Determining Password Complexity Requirements

2010-03-19 Thread Joe Tinney
John,

Try running secpol.msc (Local Security Policy) and looking at 
Account Policies > Password Policies and see if that differs from the 
information you are seeing in gpedit.msc (Local Group Policy). I can’t recall 
if they are different or if they operate independently, but it can’t hurt. 
Also, from my experience, this is one of those settings that doesn’t revert 
itself once the policy is no longer applied to the machine. I’ve had to go in 
and manually change this when we’ve needed to take the machines off the domain 
and use them for other purposes.

 

Best of luck,

Joe

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 11:26 AM
To: NT System Admin Issues
Subject: Determining Password Complexity Requirements

 

We have a machine that the Army sent our ROTC folks, and it’s giving us a hard 
time. It’s not our standard machine, and came pre-configured from the Army. We 
joined it to our domain, and it seems to be picking up group policy from the 
domain—but a couple of things still aren’t right.

 

The biggest issue is that something on the machine seems to be requiring 
passwords of greater complexity than our domain policy requires. What I can’t 
figure out is (A.) why that is and (B.) what those requirements are. I had my 
technician run gpedit.msc on the machine and look under Computer Configuration 
-> Windows Settings -> Security Settings -> Account Policies -> Password 
Policy. All of the settings there match our regular domain settings. And yet 
every time she tries to set a local account’s password to one that we know 
meets those requirements (because it’s one we use on multiple machines with no 
problems), Windows pops up a dialog saying it doesn’t meet the requirements. 
But if we put in a (much) longer and more complex password, the system will 
take it.

 

I ran through the fix from MSKB 313222, but to no avail (although that did fix 
several other settings the Army had imposed on the machine).

 

So, what the heck? Where is this machine getting its ideas about password 
requirements from? And how can I determine what those requirements are?

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us
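
One way to answer the question in this thread, where the machine's password requirements are really coming from, is to read back what the machine enforces instead of what the policy editors display. This is an added example, not code posted by anyone on the list; it assumes Windows PowerShell 3.0 or later run elevated on the affected machine, and the function names are hypothetical.

```powershell
# Added example: read back the password policy this machine is enforcing.
# Assumes an elevated Windows PowerShell 3.0+ prompt. Function names are hypothetical.

function Get-EffectivePasswordPolicy {
    # secedit exports the settings currently held in the machine's security
    # database, which is what the SAM checks new local passwords against.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit /export failed with exit code $LASTEXITCODE"
        }
        $wanted = 'MinimumPasswordLength', 'PasswordComplexity', 'PasswordHistorySize',
                  'MinimumPasswordAge', 'MaximumPasswordAge'
        $policy = [ordered]@{}
        $inSystemAccess = $false
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -match '^\[(.+)\]\s*$') {
                # Password settings live in the [System Access] section.
                $inSystemAccess = ($Matches[1] -eq 'System Access')
                continue
            }
            if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
                if ($wanted -contains $Matches[1]) { $policy[$Matches[1]] = $Matches[2] }
            }
        }
        [pscustomobject]$policy
    }
    finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

function Get-PasswordFilterPackage {
    # Packages listed under this value are loaded by LSA and can reject a new
    # password for reasons that never show up in gpedit.msc or secpol.msc.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($name in @($lsa.'Notification Packages')) {
        if (-not $name) { continue }
        $dll  = Join-Path $env:SystemRoot "System32\$name.dll"
        $info = if (Test-Path -LiteralPath $dll) { (Get-Item -LiteralPath $dll).VersionInfo }
        [pscustomobject]@{
            Package     = $name
            Path        = $dll
            Present     = [bool]$info
            Company     = if ($info) { $info.CompanyName }
            Description = if ($info) { $info.FileDescription }
        }
    }
}

# What the security database says about length, complexity, history and age.
Get-EffectivePasswordPolicy | Format-List

# Any package here that is not a stock Windows component is a candidate for
# the stricter rule that the policy editors do not show.
Get-PasswordFilterPackage | Format-Table -AutoSize

# The SAM's own summary, for comparison with the export above.
net.exe accounts
```

If the exported values match the domain policy but a registered package is unfamiliar, that package is the place to look for the extra requirements.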

 

 

 

 
 
 


RE: Determining Password Complexity Requirements

2010-03-19 Thread Carol Fee
How about asking the Army folks who sent you the machine?

CFee
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Friday, March 19, 2010 11:26 AM
To: NT System Admin Issues
Subject: Determining Password Complexity Requirements

We have a machine that the Army sent our ROTC folks, and it’s giving us a hard 
time. It’s not our standard machine, and came pre-configured from the Army. We 
joined it to our domain, and it seems to be picking up group policy from the 
domain—but a couple of things still aren’t right.

The biggest issue is that something on the machine seems to be requiring 
passwords of greater complexity than our domain policy requires. What I can’t 
figure out is (A.) why that is and (B.) what those requirements are. I had my 
technician run gpedit.msc on the machine and look under Computer Configuration 
-> Windows Settings -> Security Settings -> Account Policies -> Password 
Policy. All of the settings there match our regular domain settings. And yet 
every time she tries to set a local account’s password to one that we know 
meets those requirements (because it’s one we use on multiple machines with no 
problems), Windows pops up a dialog saying it doesn’t meet the requirements. 
But if we put in a (much) longer and more complex password, the system will 
take it.

I ran through the fix from MSKB 313222, but to no avail (although that did fix 
several other settings the Army had imposed on the machine).

So, what the heck? Where is this machine getting its ideas about password 
requirements from? And how can I determine what those requirements are?



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us













RE: Made me chuckle

2010-03-19 Thread David Mazzaccaro
How do you guys handle online (website) username/passwords for the
various websites an employee uses?
 
 



From: Jacob [mailto:ja...@excaliburfilms.com] 
Sent: Friday, March 19, 2010 1:07 PM
To: NT System Admin Issues
Subject: RE: Made me chuckle



"The troubles stopped five days later, when Texas Auto Center reset the
Webtech Plus passwords for all its employee accounts..."

 

An employee is let go and he or she still has access???

 

From: Mike French [mailto:mike.fre...@theequitybank.com] 
Sent: Friday, March 19, 2010 8:34 AM
To: NT System Admin Issues
Subject: OT: Made me chuckle

 

46. March 17, Wired - (Texas) Hacker disables more than 100 cars
remotely. More than 100 drivers in Austin, Texas found their cars
disabled or the horns honking out of control, after an intruder ran amok
in a web-based vehicle-immobilization system normally used to get the
attention of consumers delinquent in their auto payments. Police with
Austin's High Tech Crime Unit on March 17 arrested a 20-year-old who was
a former Texas Auto Center employee who was laid off last month, and
allegedly sought revenge by bricking the cars sold from the dealership's
four Austin-area lots. The dealership used a system called Webtech Plus
as an alternative to repossessing vehicles that haven't been paid for.
Operated by Cleveland-based Pay Technologies, the system lets car
dealers install a small black box under vehicle dashboards that responds
to commands issued through a central website, and relayed over a
wireless pager network. The dealer can disable a car's ignition system,
or trigger the horn to begin honking, as a reminder that a payment is
due. The system will not stop a running vehicle. Texas Auto Center began
fielding complaints from baffled customers the last week in February,
many of whom wound up missing work, calling tow trucks or disconnecting
their batteries to stop the honking. The troubles stopped five days
later, when Texas Auto Center reset the Webtech Plus passwords for all
its employee accounts, says the manager of Texas Auto Center. Then
police obtained access logs from Pay Technologies, and traced the
saboteur's IP address to the suspect's AT&T internet service, according
to a police affidavit filed in the case. Source:
http://www.wired.com/threatlevel/2010/03/hacker-brickscars/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))

 

 

Mike French
Network Engineer
~EQUITY BANK  
Office: 214.231.4565
mike.fre...@theequitybank.com

"Evidently excellence in security by some 
security-centric vendors is defined as being the head of the class in a 
room filled with children without a propensity to learn." - Anonymous

 

 

 

 

 



RE: dell rant

2010-03-19 Thread Erik Goldoff
The major players’ RAID cards are looking for certified matching drive
firmware … I know the Compaq/HP SMART array controller was unsupported
for anything but their drives.  That one, although frustrating, has been an
industry standard for a while now.

 

The shipping constraint that Dell has been going through the last half year
*is* a problem

 

Erik Goldoff

IT  Consultant

Systems, Networks, & Security 

'  Security is an ongoing process, not a one time event ! '

From: Benjamin Zachary - Lists [mailto:li...@levelfive.us] 
Sent: Friday, March 19, 2010 12:57 PM
To: NT System Admin Issues
Subject: dell rant

 

I've been a solid Dell guy for years but this is about as aggravating as it
comes.

We have a new server that cannot get the 2.5 15k rpm drives for several
weeks due to manufacturing problems. We went and got drives from HP and the
drive caddies so everything is great, right?

NOT, if you have a new Dell 700 RAID controller you can only use Dell
certified drives, the drives are ‘blocked’ on the controller

From the manual "troubleshooting" section:

Issue:

One or more physical disks is displayed as Blocked and can not be
configured.

 

Corrective Action

PERC H700 and PERC H800 cards support only Dell-certified SAS and SATA hard
drives and solid-state drives (SSD). If you are using a Dell-certified drive
but are still experiencing this problem, perform the following actions:

 

1. Check the backplane for damage.

2. Check the SAS cables.

3. Reseat the physical disk.

4. Contact Dell Technical Support if the problem persists

 

 


RE: Installing Win2K8 Server as DC Issue

2010-03-19 Thread HELP_PC
It is such a weird issue! I remember, some years ago, I started to have similar 
issues building an SBS2k3 box (permission issues when starting to create the 
domain).
Found the RAID card driver was old and the sysvol couldn't be created properly.
 
GuidoElia
HELPPC
 

From: John Bowles [mailto:john.bow...@wlkmmas.org] 
Sent: Friday, March 19, 2010 5:29 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue



Still no joy!  Won't start! 

 

From: John Bowles [mailto:john.bow...@wlkmmas.org] 
Sent: Friday, March 19, 2010 12:23 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

 

I've added network service and local service to everywhere specified.. 
rebooting now

 

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com] 
Sent: Friday, March 19, 2010 12:10 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

 

That's good to know, thanks!

 

Jeff

 

From: David Lum [mailto:david@nwea.org] 
Sent: Friday, March 19, 2010 8:51 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

 

With Win2K8/Win7, in addition to disabling the firewall, you must also set the 
firewall service to DISABLED (manual might also work), otherwise Windows 
disables the NIC. If it sees firewall as AUTO but the firewall is off (even if 
you turn it off via GUI) it assumes malware has disabled the firewall so it 
nukes the NIC connection altogether. 

 

Setting the service to DISABLED and THEN turning off the firewall will allow 
the NIC to remain active.

 

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

 

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com] 
Sent: Friday, March 19, 2010 7:54 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

 

Hi Michael,

 

I'm probably beating a dead horse and shouldn't... But, on both my 2008 and 
2008 R2 servers, if I stop the windows firewall service, I can no longer 
connect to them via RDP, or access file shares, or even ping them for that 
matter. I agree, 2008 and 2008 R2 are very different beasts, but they do seem 
to have that behavior in common. At least that's my experience...

 

Of course, the important thing is why is this happening to John and how might 
he resolve it, and on that, I'm currently stumped.

 

Jeff

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Thursday, March 18, 2010 4:59 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

 

Guys, y'all need to realize that y'all are comparing apples and oranges.

 

Server 2008 is NOT the same as Server 2008 R2.

 

Server 2008 R2 should've been called Server 2010. It's way different. It's not 
like 2003 R2 which was just a bunch of additional optional functionality.

 

Disabling or stopping the Windows Firewall service in Server 2008 R2 is not 
supported and will cause indeterminate behavior. If you want to not use the 
firewall, you need to open the Windows Firewall application and disable the 
appropriate profile.

 

This is a change in behavior between 2008 and 2008 R2.

 

Now, in 2008 R2, if the Windows Firewall won't start, then it WILL generate an 
error in one event log or another. You need to track that down and fix it! :-P

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: John Bowles [mailto:john.bow...@wlkmmas.org] 
Sent: Thursday, March 18, 2010 7:30 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

 

+1 

 

Jeff, that's exactly the issue I'm having.  The Windows Firewall will not even 
start up or allow me to start it up to allow traffic to the DC.

 

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com] 
Sent: Thursday, March 18, 2010 5:35 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

 

If I stop the Windows Firewall service on my 2008 servers, I can no longer RDP 
to it. So, what I meant by off is, the service is stopped, which is the case 
for John, whose firewall service won't start at all.

 

From: N Parr [mailto:npar...@mortonind.com] 
Sent: Thursday, March 18, 2010 2:22 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

 

What?  Firewall Off = Traffic Allowed

I have the firewalls off on my 2008 server and RDP to them just fine.

 


From: Jackson, Jeff [mailto:jeff.jack...@rbza.com] 
Sent: Thursday, March 18, 2010 4:17 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

The 2008 firewall is conservative. In my experience, if it's turned off, no 
traffic is allowed inbound. So, you can't RDP into because your firewall won't 
start up to allow traffic in.

 

Jeff

 

From: John Bowles [mailto:john.bow...@wlkmmas.org] 
Sent: Thursday, March 18, 2010 1:29 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

 

Outside of enabling RDP o

Re: dell rant

2010-03-19 Thread Richard Stovall
Sorry you're having trouble, but thanks for the tip.  I've been
considering a machine with that controller and that puts a severe
damper on it for me.

On Fri, Mar 19, 2010 at 12:56 PM, Benjamin Zachary - Lists
 wrote:
> I've been a solid Dell guy for years but this is about as aggravating as it
> comes.
>
> We have a new server that cannot get the 2.5 15k rpm drives for several
> weeks due to manufacturing problems. We went and got drives from HP and the
> drive caddies so everything is great, right?
>
> NOT, if you have a new Dell 700 RAID controller you can only use Dell
> certified drives, the drives are ‘blocked’ on the controller
>
> From the manual "troubleshooting" section:
>
> Issue:
>
> One or more physical disks is displayed as Blocked and can not be
> configured.
>
>
>
> Corrective Action
>
> PERC H700 and PERC H800 cards support only Dell-certified SAS and SATA hard
> drives and solid-state drives (SSD). If you are using a Dell-certified drive
> but are still experiencing this problem, perform the following actions:
>
>
>
> 1. Check the backplane for damage.
>
> 2. Check the SAS cables.
>
> 3. Reseat the physical disk.
>
> 4. Contact Dell Technical Support if the problem persists
>
>
>
>




RE: Made me chuckle

2010-03-19 Thread Jacob
"The troubles stopped five days later, when Texas Auto Center reset the
Webtech Plus passwords for all its employee accounts."

 

An employee is let go and he or she still has access???

 

From: Mike French [mailto:mike.fre...@theequitybank.com] 
Sent: Friday, March 19, 2010 8:34 AM
To: NT System Admin Issues
Subject: OT: Made me chuckle

 

46. March 17, Wired - (Texas) Hacker disables more than 100 cars remotely.
More than 100 drivers in Austin, Texas found their cars disabled or the
horns honking out of control, after an intruder ran amok in a web-based
vehicle-immobilization system normally used to get the attention of
consumers delinquent in their auto payments. Police with Austin's High Tech
Crime Unit on March 17 arrested a 20-year-old who was a former Texas Auto
Center employee who was laid off last month, and allegedly sought revenge by
bricking the cars sold from the dealership's four Austin-area lots. The
dealership used a system called Webtech Plus as an alternative to
repossessing vehicles that haven't been paid for. Operated by
Cleveland-based Pay Technologies, the system lets car dealers install a
small black box under vehicle dashboards that responds to commands issued
through a central website, and relayed over a wireless pager network. The
dealer can disable a car's ignition system, or trigger the horn to begin
honking, as a reminder that a payment is due. The system will not stop a
running vehicle. Texas Auto Center began fielding complaints from baffled
customers the last week in February, many of whom wound up missing work,
calling tow trucks or disconnecting their batteries to stop the honking. The
troubles stopped five days later, when Texas Auto Center reset the Webtech
Plus passwords for all its employee accounts, says the manager of Texas Auto
Center. Then police obtained access logs from Pay Technologies, and traced
the saboteur's IP address to the suspect's AT&T internet service, according
to a police affidavit filed in the case. Source:
http://www.wired.com/threatlevel/2010/03/hacker-brickscars/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))

 

 

Mike French
Network Engineer
~EQUITY BANK  
Office: 214.231.4565
mike.fre...@theequitybank.com

"Evidently excellence in security by some 
security-centric vendors is defined as being the head of the class in a 
room filled with children without a propensity to learn." - Anonymous

 

 

 


RE: Installing Win2K8 Server as DC Issue

2010-03-19 Thread Charlie Kaiser
Look at the dependencies for the firewall service. Are they all running?

Also, I assume you've seen these two?
http://support.microsoft.com/kb/943996/en-us

http://social.technet.microsoft.com/Forums/en-US/itprovistadeployment/thread/23351e06-dcbd-40ff-95da-368d0af5868c

***
Charlie Kaiser
charl...@golden-eagle.org
Kingman, AZ
***  

> -Original Message-
> From: John Bowles [mailto:john.bow...@wlkmmas.org] 
> Sent: Friday, March 19, 2010 9:29 AM
> To: NT System Admin Issues
> Subject: RE: Installing Win2K8 Server as DC Issue
> 
> Still no joy!  Won't start! 
> 
>  
> 
> From: John Bowles [mailto:john.bow...@wlkmmas.org]
> Sent: Friday, March 19, 2010 12:23 PM
> To: NT System Admin Issues
> Subject: RE: Installing Win2K8 Server as DC Issue
> 
>  
> 
> I've added network service and local service to everywhere 
> specified.. rebooting now
> 
>  
> 
> From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
> Sent: Friday, March 19, 2010 12:10 PM
> To: NT System Admin Issues
> Subject: RE: Installing Win2K8 Server as DC Issue
> 
>  
> 
> That's good to know, thanks!
> 
>  
> 
> Jeff
> 
>  
> 
> From: David Lum [mailto:david@nwea.org]
> Sent: Friday, March 19, 2010 8:51 AM
> To: NT System Admin Issues
> Subject: RE: Installing Win2K8 Server as DC Issue
> 
>  
> 
> With Win2K8/Win7, in addition to disabling the firewall, you 
> must also set the firewall service to DISABLED (manual might 
> also work), otherwise Windows disables the NIC. If it sees 
> firewall as AUTO but the firewall is off (even if you turn it 
> off via GUI) it assumes malware has disabled the firewall so 
> it nukes the NIC connection altogether. 
> 
>  
> 
> Setting the service to DISABLED and THEN turning off the 
> firewall will allow the NIC to remain active.
> 
>  
> 
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
> 
>  
> 
>  
> 
> From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
> Sent: Friday, March 19, 2010 7:54 AM
> To: NT System Admin Issues
> Subject: RE: Installing Win2K8 Server as DC Issue
> 
>  
> 
> Hi Michael,
> 
>  
> 
> I'm probably beating a dead horse and shouldn't. But, on both 
> my 2008 and 2008 R2 servers, if I stop the windows firewall 
> service, I can no longer connect to them via RDP, or access 
> file shares, or even ping them for that matter. I agree, 2008 
> and 2008 R2 are very different beasts, but they do seem to 
> have that behavior in common. At least that's my experience.
> 
>  
> 
> Of course, the important thing is why is this happening to 
> John and how might he resolve it, and on that, I'm currently stumped.
> 
>  
> 
> Jeff
> 
>  
> 
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Thursday, March 18, 2010 4:59 PM
> To: NT System Admin Issues
> Subject: RE: Installing Win2K8 Server as DC Issue
> 
>  
> 
> Guys, y'all need to realize that y'all are comparing apples 
> and oranges.
> 
>  
> 
> Server 2008 is NOT the same as Server 2008 R2.
> 
>  
> 
> Server 2008 R2 should've been called Server 2010. It's way 
> different. It's not like 2003 R2 which was just a bunch of 
> additional optional functionality.
> 
>  
> 
> Disabling or stopping the Windows Firewall service in Server 
> 2008 R2 is not supported and will cause indeterminate 
> behavior. If you want to not use the firewall, you need to 
> open the Windows Firewall application and disable the 
> appropriate profile.
> 
>  
> 
> This is a change in behavior between 2008 and 2008 R2.
> 
>  
> 
> Now, in 2008 R2, if the Windows Firewall won't start, then it 
> WILL generate an error in one event log or another. You need 
> to track that down and fix it! :-P
> 
>  
> 
> Regards,
> 
>  
> 
> Michael B. Smith
> 
> Consultant and Exchange MVP
> 
> http://TheEssentialExchange.com
> 
>  
> 
> From: John Bowles [mailto:john.bow...@wlkmmas.org]
> Sent: Thursday, March 18, 2010 7:30 PM
> To: NT System Admin Issues
> Subject: RE: Installing Win2K8 Server as DC Issue
> 
>  
> 
> +1
> 
>  
> 
> Jeff, that's exactly the issue I'm having.  The Windows 
> Firewall will not even start up or allow me to start it up to 
> allow traffic to the DC.
> 
>  
> 
> From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
> Sent: Thursday, March 18, 2010 5:35 PM
> To: NT System Admin Issues
> Subject: RE: Installing Win2K8 Server as DC Issue
> 
>  
> 
> If I stop the Windows Firewall service on my 2008 servers, I 
> can no longer RDP to it. So, what I meant by off is, the 
> service is stopped, which is the case for John, whose 
> firewall service won't start at all.
> 
>  
> 
> From: N Parr [mailto:npar...@mortonind.com]
> Sent: Thursday, March 18, 2010 2:22 PM
> To: NT System Admin Issues
> Subject: RE: Installing Win2K8 Server as DC Issue
> 
>  
> 
> What?  Firewall Off = Traffic Allowed
> 
> I have the firewalls off on my 2008 server and RDP to them just fine.
> 
>  
> 
> 
> 
> From: Jackson, Jeff [mailto:jeff.
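
The checks suggested in this thread (the firewall service's dependencies, the error it logs when it fails to start, and the per-profile state as distinct from the service state) can be gathered in one pass. This is an added example, not code posted by anyone on the list; it assumes Windows PowerShell 3.0 or later run elevated on the affected server, and the function names are hypothetical.

```powershell
# Added example: triage a Windows Firewall service (MpsSvc) that will not start.
# Assumes an elevated Windows PowerShell 3.0+ prompt. Function names are hypothetical.

function Get-FirewallServiceState {
    $svc  = Get-Service -Name MpsSvc
    $conf = Get-CimInstance -ClassName Win32_Service -Filter "Name='MpsSvc'"
    [pscustomobject]@{
        Status    = $svc.Status
        StartMode = $conf.StartMode     # Auto / Manual / Disabled
        RunsAs    = $conf.StartName     # account the service logs on as
        # Every service listed here must be running before MpsSvc can start.
        DependsOn = @($svc.ServicesDependedOn | ForEach-Object {
                        '{0} ({1})' -f $_.Name, $_.Status })
    }
}

function Get-FirewallStartFailure {
    param([int]$Days = 2)
    # The Service Control Manager writes service start failures to the System log.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Level        = 2                         # Error
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Windows Firewall|MpsSvc|Base Filtering Engine' } |
        Select-Object TimeCreated, Id, Message
}

Get-FirewallServiceState | Format-List
Get-FirewallStartFailure | Format-List

# Per-profile on/off state. This is the setting the Windows Firewall
# application changes, and it is independent of whether the service runs.
netsh.exe advfirewall show allprofiles state
```

A stopped dependency or a logon failure for the RunsAs account in the event text narrows the problem faster than toggling the service again.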

RE: dell rant [OT reply]

2010-03-19 Thread Michael B. Smith

Shades of the mainframe!

WAY BACK when "Winchester" was the new SCSI disk technology, both IBM and 
Unisys did this. Their "cheap SCSI" disk controllers were modified so that you 
could only attach disk that the mainframe company provided. Which they charged 
10 times the going rate for.

Still, it was cheaper and faster than the old "washing machine" removable disk 
drives.


Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Benjamin Zachary - Lists [mailto:li...@levelfive.us]
Sent: Friday, March 19, 2010 12:57 PM
To: NT System Admin Issues
Subject: dell rant

I've been a solid Dell guy for years but this is about as aggravating as it 
comes.

We have a new server that cannot get the 2.5 15k rpm drives for several weeks 
due to manufacturing problems. We went and got drives from HP and the drive 
caddies so everything is great, right?

NOT, if you have a new Dell 700 RAID controller you can only use Dell certified 
drives, the drives are 'blocked' on the controller

From the manual "troubleshooting" section:
Issue:
One or more physical disks is displayed as Blocked and can not be configured.

Corrective Action
PERC H700 and PERC H800 cards support only Dell-certified SAS and SATA hard 
drives and solid-state drives (SSD). If you are using a Dell-certified drive 
but are still experiencing this problem, perform the following actions:

1. Check the backplane for damage.
2. Check the SAS cables.
3. Reseat the physical disk.
4. Contact Dell Technical Support if the problem persists






dell rant

2010-03-19 Thread Benjamin Zachary - Lists
I've been a solid Dell guy for years but this is about as aggravating as it
comes.

We have a new server that cannot get the 2.5 15k rpm drives for several
weeks due to manufacturing problems. We went and got drives from HP and the
drive caddies so everything is great, right?

NOT, if you have a new Dell 700 RAID controller you can only use Dell
certified drives, the drives are 'blocked' on the controller

From the manual "troubleshooting" section:

Issue:

One or more physical disks is displayed as Blocked and can not be
configured.

 

Corrective Action

PERC H700 and PERC H800 cards support only Dell-certified SAS and SATA hard
drives and solid-state drives (SSD). If you are using a Dell-certified drive
but are still experiencing this problem, perform the following actions:

 

1. Check the backplane for damage.

2. Check the SAS cables.

3. Reseat the physical disk.

4. Contact Dell Technical Support if the problem persists



RE: NTFS Permissions Questions

2010-03-19 Thread Charlie Kaiser
Users into domain groups, folders permissioned with local groups, local
groups have the domain groups added. Having a user be a member of 10-20
groups is no big deal.

So folder A will have two local groups permissioned on it; foldernameRW
and foldernameRO. The required domain security groups are then added to one
of those two local groups. That way you also only have two local groups
permed on the folder.

Doing it this way means you never have to reapply permissions to the file
structure, just change group memberships.

I've also used ABE (access-based enumeration) to limit what people can see
in that folder structure.

***
Charlie Kaiser
charl...@golden-eagle.org
Kingman, AZ
***  

> -Original Message-
> From: Jason Morris [mailto:jmor...@mjmc.com] 
> Sent: Friday, March 19, 2010 6:57 AM
> To: NT System Admin Issues
> Subject: NTFS Permissions Questions
> 
> I'm looking at cleaning up some of our more ornery areas and 
> want to know if anybody has some opinions/real world 
> experience they'd be willing to share. From my perspective 
> everything is working ok speed-wise but I want to know what 
> other people are doing.
> 
>  
> 
> We have a series of folders in one share that not all users 
> with access to the share will be utilizing. Some will have 
> "Folder A / Folder B / and Folder C" but not "Folder D / 
> Folder E / and Folder F". And others will be mixing and matching.
> 
>  
> 
> I prefer to give groups permissions to the folders and put 
> the users in the groups. But this might mean there will be 10 
> groups on Folder A. This might also mean User George will be 
> a member of 20 groups. This is how I have it now and it's 
> working ok speed-wise. (it's ornery because we've had 
> requests here and there for individuals to access a folder 
> and we've had to tweak security for the individual user)
> 
>  
> 
> Is it better/faster to have groups checked in the ACL or have 
> it some other way?
> 
>  
> 
> Inquiring minds want to know.
> 
> --
> 
> Jason Morris
> 
> MJMC, Inc.
> 
> P: 708-225-2350
> 
> F: 708-943-9015
> 
> 
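
The layout Charlie Kaiser describes above (two per-folder local groups on the ACL, with domain groups nested inside them), as an added PowerShell example that is not part of the original thread. The function name, folder path and CONTOSO group names are hypothetical; it assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets), run elevated on the file server.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example. All folder paths and group names are hypothetical placeholders.

function Set-FolderGroupModel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FolderPath,
        [string[]]$ReadWriteDomainGroups = @(),
        [string[]]$ReadOnlyDomainGroups  = @()
    )

    if (-not (Test-Path -LiteralPath $FolderPath -PathType Container)) {
        throw "Folder not found: $FolderPath"
    }
    $leaf = Split-Path -Path $FolderPath -Leaf

    # Exactly two local groups per folder: <folder>RW and <folder>RO.
    $model = @(
        @{ Name = "${leaf}RW"; Rights = 'Modify';         Members = $ReadWriteDomainGroups },
        @{ Name = "${leaf}RO"; Rights = 'ReadAndExecute'; Members = $ReadOnlyDomainGroups }
    )

    # The ACEs apply to the folder itself, its subfolders and its files.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -LiteralPath $FolderPath

    foreach ($g in $model) {
        # 1. Create the local group only if it does not exist yet.
        if (-not (Get-LocalGroup -Name $g.Name -ErrorAction SilentlyContinue)) {
            New-LocalGroup -Name $g.Name | Out-Null
        }

        # 2. Nest the domain groups in the local group, skipping existing members
        #    so the function can be re-run safely.
        $current = @(Get-LocalGroupMember -Group $g.Name | ForEach-Object { $_.Name })
        foreach ($member in $g.Members) {
            if ($current -notcontains $member) {
                Add-LocalGroupMember -Group $g.Name -Member $member
            }
        }

        # 3. One ACE per local group. SetAccessRule replaces any earlier Allow
        #    rule for the same identity, so repeated runs do not stack ACEs.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$env:COMPUTERNAME\$($g.Name)",
            [System.Security.AccessControl.FileSystemRights]$g.Rights,
            $inherit, $propagate, $allow)
        $acl.SetAccessRule($rule)
    }

    Set-Acl -LiteralPath $FolderPath -AclObject $acl

    # Return the explicit (non-inherited) entries now on the folder for review.
    (Get-Acl -LiteralPath $FolderPath).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Example call (constructed names):
# Set-FolderGroupModel -FolderPath 'D:\Shares\Projects\FolderA' `
#     -ReadWriteDomainGroups 'CONTOSO\Engineering' `
#     -ReadOnlyDomainGroups  'CONTOSO\Audit'
```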




RE: DPM help

2010-03-19 Thread Brian Desmond
It's been OK on the box I have. I did use diskpart to do all the carving though 
as it would have taken forever just by virtue of countless clicks to do it by 
hand.

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132

From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Friday, March 19, 2010 11:01 AM
To: NT System Admin Issues
Subject: RE: DPM help

One other question for DPM folks.
Do you find that the disk management console is horribly slow?
I see three disks, 0, 1 and 2.
0 is the C drive.
2 is the DVD rom drive.
1 is the iscsi drive, and it has all the DPM volumes.   So many, in the 
partition map, it looks like a bar code.
Any action takes over a minute to complete.
Just curious if others see the same thing.


From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Friday, March 19, 2010 11:01 AM
To: NT System Admin Issues
Subject: RE: DPM help

Ok, new error.
When I try to cd to First Storage Group from Microsoft Exchange Writer, I get 
error, "The device is not ready".
I'm guessing my only recourse here is to disable protection of the exchange 
store and remove the on disk dpm images, and then re-enable.
That is, unless you have any suggestions for this error.
Thanks again.
Glen.


From: Tobie Fysh [mailto:tobie.f...@freebridge.org.uk]
Sent: Friday, March 19, 2010 10:47 AM
To: NT System Admin Issues
Subject: RE: DPM help

The mount point is in the Replica folder so go into the Command Prompt
CD to
"DPMINSTALLLOCATION\Volumes\Replica\exchange.vhcc.edu\Microsoft Exchange 
Writer\First Storage Group"
And then run chkdsk.exe, does it complete successfully?

You WILL have to do a full consistency check after this to fix the DPM error.

Tobie



From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: 19 March 2010 12:48
To: NT System Admin Issues
Subject: RE: DPM help

Tobie.
Thanks for the link.
I tried that, but no matter where I run chkdsk from, it always runs against the 
C drive, which is the only drive letter assigned on this system.
I CD'd as far into the Junctions as possible, but when I run chkdsk, the info 
it returns is the same info I get if I run chkdsk c:.

Here is the path I went to.
C:\Program Files\Microsoft DPM\Volumes\DiffArea\exchange.vhcc.edu\Microsoft 
Exchange Writer\First Storage Group
Can't go any deeper.
From the directory Microsoft Exchange Writer, dir lists
First Storage Group {\??\Volume\{87e268c-... which matches the volume name 
listed in the DPM error, so I think I'm in the correct location.
Any other suggestions appreciated.
Glen.


From: Tobie Fysh [mailto:tobie.f...@freebridge.org.uk]
Sent: Friday, March 19, 2010 4:36 AM
To: NT System Admin Issues
Subject: RE: DPM help

Have a look at this:

http://blogs.technet.com/askcore/archive/2008/05/29/data-protection-manager-what-is-a-consistency-check-and-what-could-cause-it-to-fail.aspx

It's how to get into the mountpoint and run a checkdisk.

Tobie

From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: 18 March 2010 13:27
To: NT System Admin Issues
Subject: DPM help

Running DPM 2007 here backing up to a Drobo PRO iscsi box.
So far it has worked well.
Last weekend we had a power outage and things didn't shut down properly.
I've got a DC and Exchange backups that won't run now.
I get VSS error on the DPM server that says to clear the VSS error and run 
chkdsk.
When I try to clear the VSS error or re-run the job, I get the same error.
Chkdsk /x \\?\Volume{89e268c7-..}
Gives error, cannot open volume for direct access.  Does this mean my syntax 
for the volume name is incorrect or what?
Chkdsk /x is supposed to dismount the volume and run, but it doesn't.
I've stopped all DPM services and still can't get chkdsk to run.

Also, disk management MMC, find volume in the sea of volumes, tools, chkdsk 
doesn't do anything.
Any suggestions?







RE: Office updates

2010-03-19 Thread Sean Rector
With WSUS, you select the Office products you have installed and it does
it for you.

Sean Rector, MCSE


-Original Message-
From: Angus Scott-Fleming [mailto:angu...@geoapps.com] 
Sent: Friday, March 19, 2010 12:16 PM
To: NT System Admin Issues
Subject: Re: Office updates

On 17 Mar 2010 at 12:19, Damien Solodow  wrote:  

> Are you using the WindowsUpdate site or the MicrosoftUpdate site? 
> The latter is the one that will show Office updates..

+1 ... you must "upgrade" from Windows Update to Microsoft Update manually
first.  Once you do that, Automagic Updates will start to grab Office
updates.

Not sure how to do this with WSUS, if that's what you're using

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/








RE: CMD line way to change CD Rom drive letter

2010-03-19 Thread Steven M. Caesare
Perzactly.

Not to mention the drive-letter juggling that happens on the low end
when you add drives, mount .ISO's, insert USB keys, etc...

-sc

> -Original Message-
> From: Angus Scott-Fleming [mailto:angu...@geoapps.com]
> Sent: Friday, March 19, 2010 12:16 PM
> To: NT System Admin Issues
> Subject: Re: CMD line way to change CD Rom drive letter
> 
> On 18 Mar 2010 at 8:59, Steven M. Caesare  wrote:
> 
> > +1.
> >
> > Mine goes to "R:"
> 
> for cd-Rom ... that's what I use, too.  Too much history with Netware
> grabbing drive letters starting backwards from Z: here ;-)
> 
> 
> --
> Angus Scott-Fleming
> GeoApps, Tucson, Arizona
> 1-520-290-5038
> Security Blog: http://geoapps.com/
> 
> 
> 
> 
> 



RE: Computer account creation

2010-03-19 Thread Brian Desmond
What version of Windows are your DCs?

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132

From: David Lum [mailto:david@nwea.org]
Sent: Friday, March 19, 2010 9:43 AM
To: NT System Admin Issues
Subject: Computer account creation

So...I'm trying to catch when a new user and computer is created. Event ID 645 
tells me a new computer is created, but invariably it seems to show the default 
machine name that's created from fresh Sysprep images (in our case it's like 
NWEA-7646552 and similar). So, I decided to capture Event ID 646 (Computer 
account changed), but all I get is (I think) machine password resets since it 
has SID S-1-5-21 in the description.

Is there a way to capture when a domain PC gets renamed?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764







RE: Installing Win2K8 Server as DC Issue

2010-03-19 Thread John Bowles
Still no joy!  Won't start!

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 12:23 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

I've added network service and local service to everywhere specified.. 
rebooting now

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 12:10 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

That's good to know, thanks!

Jeff

From: David Lum [mailto:david@nwea.org]
Sent: Friday, March 19, 2010 8:51 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

With Win2K8/Win7 in addition to disabling the firewall  you must also set the 
firewall service to DISABLED (manual might also work), otherwise Windows 
disables the NIC. If it sees firewall as AUTO but the firewall is off (even if 
you turn it off via GUI) it assumes malware has disabled the firewall so it 
nukes the NIC connection altogether.

Setting the service to DISABLED and THEN turning off the firewall will allow 
the NIC to remain active.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 7:54 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Hi Michael,

I'm probably beating a dead horse and shouldn't... But, on both my 2008 and 
2008 R2 servers, if I stop the windows firewall service, I can no longer 
connect to them via RDP, or access file shares, or even ping them for that 
matter. I agree, 2008 and 2008 R2 are very different beasts, but they do seem 
to have that behavior in common. At least that's my experience...

Of course, the important thing is why is this happening to John and how might 
he resolve it, and on that, I'm currently stumped.

Jeff

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, March 18, 2010 4:59 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Guys, y'all need to realize that y'all are comparing apples and oranges.

Server 2008 is NOT the same as Server 2008 R2.

Server 2008 R2 should've been called Server 2010. It's way different. It's not 
like 2003 R2 which was just a bunch of additional optional functionality.

Disabling or stopping the Windows Firewall service in Server 2008 R2 is not 
supported and will cause indeterminate behavior. If you want to not use the 
firewall, you need to open the Windows Firewall application and disable the 
appropriate profile.

This is a change in behavior between 2008 and 2008 R2.

Now, in 2008 R2, if the Windows Firewall won't start, then it WILL generate an 
error in one event log or another. You need to track that down and fix it! :-P

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 7:30 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

+1

Jeff, that's exactly the issue I'm having.  The Windows Firewall will not even 
start up or allow me to start it up to allow traffic to the DC.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Thursday, March 18, 2010 5:35 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

If I stop the Windows Firewall service on my 2008 servers, I can no longer RDP 
to it. So, what I meant by off is, the service is stopped, which is the case 
for John, whose firewall service won't start at all.

From: N Parr [mailto:npar...@mortonind.com]
Sent: Thursday, March 18, 2010 2:22 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

What?  Firewall Off = Traffic Allowed
I have the firewalls off on my 2008 server and RDP to them just fine.


From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Thursday, March 18, 2010 4:17 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue
The 2008 firewall is conservative. In my experience, if it's turned off, no 
traffic is allowed inbound. So, you can't RDP into because your firewall won't 
start up to allow traffic in.

Jeff

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 1:29 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Outside of enabling RDP on the DC, what can be preventing me from RDP'ing into 
the server?  I have this issue with my Exchange 2K7 server as well as DC.   I 
keep getting access is denied when trying to turn on Windows Firewall on the DC.


From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 2:46 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue



From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, March 18, 2010 2:43 PM
To: NT System Admin Issues
Subject: Re: Installing Win2K8 Server as D

RE: Installing Win2K8 Server as DC Issue

2010-03-19 Thread John Bowles
I've added network service and local service to everywhere specified.. 
rebooting now

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 12:10 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

That's good to know, thanks!

Jeff

From: David Lum [mailto:david@nwea.org]
Sent: Friday, March 19, 2010 8:51 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

With Win2K8/Win7 in addition to disabling the firewall  you must also set the 
firewall service to DISABLED (manual might also work), otherwise Windows 
disables the NIC. If it sees firewall as AUTO but the firewall is off (even if 
you turn it off via GUI) it assumes malware has disabled the firewall so it 
nukes the NIC connection altogether.

Setting the service to DISABLED and THEN turning off the firewall will allow 
the NIC to remain active.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 7:54 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Hi Michael,

I'm probably beating a dead horse and shouldn't... But, on both my 2008 and 
2008 R2 servers, if I stop the windows firewall service, I can no longer 
connect to them via RDP, or access file shares, or even ping them for that 
matter. I agree, 2008 and 2008 R2 are very different beasts, but they do seem 
to have that behavior in common. At least that's my experience...

Of course, the important thing is why is this happening to John and how might 
he resolve it, and on that, I'm currently stumped.

Jeff

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, March 18, 2010 4:59 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Guys, y'all need to realize that y'all are comparing apples and oranges.

Server 2008 is NOT the same as Server 2008 R2.

Server 2008 R2 should've been called Server 2010. It's way different. It's not 
like 2003 R2 which was just a bunch of additional optional functionality.

Disabling or stopping the Windows Firewall service in Server 2008 R2 is not 
supported and will cause indeterminate behavior. If you want to not use the 
firewall, you need to open the Windows Firewall application and disable the 
appropriate profile.

This is a change in behavior between 2008 and 2008 R2.

Now, in 2008 R2, if the Windows Firewall won't start, then it WILL generate an 
error in one event log or another. You need to track that down and fix it! :-P

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 7:30 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

+1

Jeff, that's exactly the issue I'm having.  The Windows Firewall will not even 
start up or allow me to start it up to allow traffic to the DC.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Thursday, March 18, 2010 5:35 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

If I stop the Windows Firewall service on my 2008 servers, I can no longer RDP 
to it. So, what I meant by off is, the service is stopped, which is the case 
for John, whose firewall service won't start at all.

From: N Parr [mailto:npar...@mortonind.com]
Sent: Thursday, March 18, 2010 2:22 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

What?  Firewall Off = Traffic Allowed
I have the firewalls off on my 2008 server and RDP to them just fine.


From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Thursday, March 18, 2010 4:17 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue
The 2008 firewall is conservative. In my experience, if it's turned off, no 
traffic is allowed inbound. So, you can't RDP into because your firewall won't 
start up to allow traffic in.

Jeff

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 1:29 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Outside of enabling RDP on the DC, what can be preventing me from RDP'ing into 
the server?  I have this issue with my Exchange 2K7 server as well as DC.   I 
keep getting access is denied when trying to turn on Windows Firewall on the DC.


From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 2:46 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue



From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, March 18, 2010 2:43 PM
To: NT System Admin Issues
Subject: Re: Installing Win2K8 Server as DC Issue

>>I cannot access the server remotely

Error message? No error message, after running DS role I am no longer able to 
connect to server via RDP



>> the windows firewall service won't st

Re: Powershell Book

2010-03-19 Thread Richard Stovall
From a thread long ago...

Just a heads up that the powershell book MBS referenced here a while
back is now available for free download from the publisher.  It
doesn't cover Powershell 2.0, but the updated edition is supposed to
be available soon (in print) from what I can gather.

Registration required.

http://www.primaltools.com/downloads/communitytools/signup.asp?tool=poshv1



Re: CMD line way to change CD Rom drive letter

2010-03-19 Thread John Cook
I like to set the one on my Exchange server to M...

- Original Message -
From: Angus Scott-Fleming 
To: NT System Admin Issues 
Sent: Fri Mar 19 12:15:51 2010
Subject: Re: CMD line way to change CD Rom drive letter

On 18 Mar 2010 at 8:59, Steven M. Caesare  wrote:

> +1.
>
> Mine goes to "R:"

for cd-Rom ... that's what I use, too.  Too much history with Netware grabbing
drive letters starting backwards from Z: here ;-)


--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/






Re: Icon to show process running

2010-03-19 Thread Angus Scott-Fleming
On 18 Mar 2010 at 13:17, Oliver Marshall  wrote:

> Does anyone know of a small util that will show an icon in the systray if
> a process is running? We have a process running on our end user machines and
> we want the user to have some visible indication. The app itself doesn't show
> an icon so we need some little util that will check to see if it's running
> and then show an icon in the systray if it is. Olly 

A little googling turned up this:

   traymon.pl - Easily add a System Tray icon to an existing program
   Category:Win32 Stuff

"Monitors another process, showing an icon in the system tray while the 
other process is running. This process can be an already active process 
(specified by PID), or can be a command to be launched by this program. 
Programs launched by traymon.pl do not have a console window, so it can be 
used to monitor them as background processes."

   http://www.perlmonks.org/?node_id=342422

No idea if this will work.  You'll need to load a perl interpreter on the 
system, so it's not that lightweight.

Here are some more, don't know if you could adapt it to your needs.  Most are 
pretty old but claim to run on NT/2k/XP:

   Trayconizer 1.1.1 - WhitSoft Development
"Trayconizer allows you to minimize virtually any application to the 
system tray rather than having it take up valuable space in your taskbar. 
The screen shot to the left shows Trayconizer minimizing Notepad to the 
system tray."
   http://www.whitsoftdev.com/trayconizer/

   sw4you - SwSystemTray
"A utility that create a Icon from any program in the SystemTray. "
   http://www.sw4you.com/swsystemtray.php3

And yet another:
   freewarehits.de - ToolsPackage
"TrayMan: Adds the icon of any file into the system tray"
   http://www.freewarehits.de/ToolsPackage.htm

HTH

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/







Re: Interesting article on Microsoft anti-virus free not being free..

2010-03-19 Thread Angus Scott-Fleming
On 17 Mar 2010 at 12:50, David Lum  wrote:

> Sunbelt will be interested in this, and maybe you too:

Something else interesting about MS AV products: the free-for-home-and-small-
business version of MSE was just used to roll out a new-and-improved version of 
WGA/WAT.  

--- Included Stuff Follows --- 
MSE Users: Check for Updates, Piracy - Krebs on Security
http://www.krebsonsecurity.com/2010/03/mse-users-check-for-updates/

   It took a little digging, but here's Microsoft's account of 
   what's new in this updated version of MSE:

The latest version of Microsoft Security Essentials includes improved 
messaging on the Update tab, improved scan reports on the Home tab, 
performance improvements, and enforcement of runtime Windows Activation 
Technology (WAT) in Microsoft Security Essentials.

   More here. 

- Included Stuff Ends -

I was very upset to see this, as I have been recommending MSE to my home and 
very-small-business clients.

I have been keeping WGA/WAT off all the machines I could because when it has 
problems, the users have a problem.  MSE is no longer on my list of recommended 
applications for anyone.

IMHO, YMMV, of course.

Angus

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/








Re: Office updates

2010-03-19 Thread Angus Scott-Fleming
On 17 Mar 2010 at 12:19, Damien Solodow  wrote:  

> Are you using the WindowsUpdate site or the MicrosoftUpdate site? The
> latter is the one that will show Office updates.. 

+1 ... you must "upgrade" from Windows Update to Microsoft Update manually 
first.  Once you do that, Automagic Updates will start to grab Office updates.

Not sure how to do this with WSUS, if that's what you're using

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/







Re: CMD line way to change CD Rom drive letter

2010-03-19 Thread Angus Scott-Fleming
On 18 Mar 2010 at 8:59, Steven M. Caesare  wrote:

> +1.
> 
> Mine goes to "R:"

for cd-Rom ... that's what I use, too.  Too much history with Netware grabbing 
drive letters starting backwards from Z: here ;-)


--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/








Re: National broadband

2010-03-19 Thread Angus Scott-Fleming
On 16 Mar 2010 at 11:39, David Lum  wrote:

> Thoughts, comments?

Is this really system-admin related, or is this a troll for political rants 
about the "proper role of government"?

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/







RE: Made me chuckle

2010-03-19 Thread John Hornbuckle
We may be a small Podunk school district, but we stress to every member of our 
organization - at EVERY level of the hierarchy - that passwords aren't to be shared 
under any circumstances. Not no way, not no how.

And my adamance about the importance of this has only grown stronger as a 
result of my coursework in security this semester.



John



From: Kim Longenbaugh [mailto:k...@colonialsavings.com]
Sent: Friday, March 19, 2010 11:53 AM
To: NT System Admin Issues
Subject: RE: Made me chuckle

Based on those criteria, we would have to fire our board of directors


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Friday, March 19, 2010 10:42 AM
To: NT System Admin Issues
Subject: RE: Made me chuckle

The coworker gets in trouble. He either voluntarily gave out his password, or 
left it written down somewhere that the guy who left could find, or picked one 
that was easy to guess.



John

From: Wilhelm, Scott [mailto:swilh...@mcs.k12.ny.us]
Sent: Friday, March 19, 2010 11:41 AM
To: NT System Admin Issues
Subject: RE: Made me chuckle

In that case, would it be reasonable to reset everyone's passwords whenever 
someone leaves the company to prevent something like this from happening, or 
does the coworker get in trouble as well?

Would definitely be a sticky issue.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Friday, March 19, 2010 11:34 AM
To: NT System Admin Issues
Subject: RE: Made me chuckle

Yeah, we've been discussing this one in an IT security class I'm taking in grad 
school. Lots of things went wrong here. Apparently the fired guy had a former 
coworker's password.

And in addition to screwing with the cars, he did other things like placing 
thousands of dollars in orders under the company's name.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us



From: Mike French [mailto:mike.fre...@theequitybank.com]
Sent: Friday, March 19, 2010 11:34 AM
To: NT System Admin Issues
Subject: OT: Made me chuckle

46. March 17, Wired - (Texas) Hacker disables more than 100 cars remotely. More 
than 100 drivers in Austin, Texas found their cars disabled or the horns 
honking out of control, after an intruder ran amok in a web-based 
vehicle-immobilization system normally used to get the attention of consumers 
delinquent in their auto payments. Police with Austin's High Tech Crime Unit on 
March 17 arrested a 20-year-old who was a former Texas Auto Center employee who 
was laid off last month, and allegedly sought revenge by bricking the cars sold 
from the dealership's four Austin-area lots. The dealership used a system 
called Webtech Plus as an alternative to repossessing vehicles that haven't 
been paid for. Operated by Cleveland-based Pay Technologies, the system lets 
car dealers install a small black box under vehicle dashboards that responds to 
commands issued through a central website, and relayed over a wireless pager 
network. The dealer can disable a car's ignition system, or trigger the horn to 
begin honking, as a reminder that a payment is due. The system will not stop a 
running vehicle. Texas Auto Center began fielding complaints from baffled 
customers the last week in February, many of whom wound up missing work, 
calling tow trucks or disconnecting their batteries to stop the honking. The 
troubles stopped five days later, when Texas Auto Center reset the Webtech Plus 
passwords for all its employee accounts, says the manager of Texas Auto Center. 
Then police obtained access logs from Pay Technologies, and traced the 
saboteur's IP address to the suspect's AT&T internet service, according to a 
police affidavit filed in the case. Source: 
http://www.wired.com/threatlevel/2010/03/hacker-brickscars/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))


Mike French
Network Engineer
~EQUITY BANK
Office: 214.231.4565
mike.fre...@theequitybank.com
"Evidently excellence in security by some
security-centric vendors is defined as being the head of the class in a
room filled with children without a propensity to learn." - Anonymous














NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.


















RE: Installing Win2K8 Server as DC Issue

2010-03-19 Thread Jackson, Jeff
That's good to know, thanks!

Jeff

From: David Lum [mailto:david@nwea.org]
Sent: Friday, March 19, 2010 8:51 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

With Win2K8/Win7 in addition to disabling the firewall  you must also set the 
firewall service to DISABLED (manual might also work), otherwise Windows 
disables the NIC. If it sees firewall as AUTO but the firewall is off (even if 
you turn it off via GUI) it assumes malware has disabled the firewall so it 
nukes the NIC connection altogether.

Setting the service to DISABLED and THEN turning off the firewall will allow 
the NIC to remain active.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 7:54 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Hi Michael,

I'm probably beating a dead horse and shouldn't... But, on both my 2008 and 
2008 R2 servers, if I stop the windows firewall service, I can no longer 
connect to them via RDP, or access file shares, or even ping them for that 
matter. I agree, 2008 and 2008 R2 are very different beasts, but they do seem 
to have that behavior in common. At least that's my experience...

Of course, the important thing is why is this happening to John and how might 
he resolve it, and on that, I'm currently stumped.

Jeff

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, March 18, 2010 4:59 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Guys, y'all need to realize that y'all are comparing apples and oranges.

Server 2008 is NOT the same as Server 2008 R2.

Server 2008 R2 should've been called Server 2010. It's way different. It's not 
like 2003 R2 which was just a bunch of additional optional functionality.

Disabling or stopping the Windows Firewall service in Server 2008 R2 is not 
supported and will cause indeterminate behavior. If you want to not use the 
firewall, you need to open the Windows Firewall application and disable the 
appropriate profile.

This is a change in behavior between 2008 and 2008 R2.

Now, in 2008 R2, if the Windows Firewall won't start, then it WILL generate an 
error in one event log or another. You need to track that down and fix it! :-P

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 7:30 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

+1

Jeff, that's exactly the issue I'm having.  The Windows Firewall will not even 
start up or allow me to start it up to allow traffic to the DC.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Thursday, March 18, 2010 5:35 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

If I stop the Windows Firewall service on my 2008 servers, I can no longer RDP 
to it. So, what I meant by off is, the service is stopped, which is the case 
for John, whose firewall service won't start at all.

From: N Parr [mailto:npar...@mortonind.com]
Sent: Thursday, March 18, 2010 2:22 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

What?  Firewall Off = Traffic Allowed
I have the firewalls off on my 2008 server and RDP to them just fine.


From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Thursday, March 18, 2010 4:17 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue
The 2008 firewall is conservative. In my experience, if it's turned off, no 
traffic is allowed inbound. So, you can't RDP into because your firewall won't 
start up to allow traffic in.

Jeff

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 1:29 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Outside of enabling RDP on the DC, what can be preventing me from RDP'ing into 
the server?  I have this issue with my Exchange 2K7 server as well as DC.   I 
keep getting access is denied when trying to turn on Windows Firewall on the DC.


From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 2:46 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue



From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, March 18, 2010 2:43 PM
To: NT System Admin Issues
Subject: Re: Installing Win2K8 Server as DC Issue

>>I cannot access the server remotely

Error message? No error message, after running DS role I am no longer able to 
connect to server via RDP



>> the windows firewall service won't start

How are you determining this? This is determined by the service on the server 
set to automatic but doesn't show's not started

What does the eventlog say?   Etc and so on.  Event log is throwing MS DTC 
errors saying service cannot start.


>>The W

RE: Installing Win2K8 Server as DC Issue

2010-03-19 Thread Jackson, Jeff
Does adding them in allow you to start the windows firewall service? Well, 
actually, I think you'll have to add LOCAL SERVICE to the server's local group 
policy since I don't think it's going to be able to update the GP without 
network connectivity...

But, I do think that's your problem...

Jeff

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 8:40 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Jeff-  the local and network service wasn't in the list.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 11:36 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

John,

On your "Default Domain Controllers Policy", can you take a look at Computer 
Configuration -> Policies -> Windows Settings -> Local Policies -> User Rights 
Assignments and take a look at the two keys I mentioned before: "Adjust Memory 
quotas for a process" and "Replace a process Level token". Since you said you 
were at 2000 on the forest level, I'm really thinking LOCAL SERVICE isn't in 
the list for at least one of those two policies...

Jeff



From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 8:28 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

That is something that is in the process of being purchased.  I'm assuming 
you're wanting to import a cert to all Windows 2008 DC's correct?

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:24 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Do you have a CA on the same side of the firewall as this new DC?

I think I'd demote this server, remove it from the domain, re-add it, and then 
repromote. Assuming you do have an available CA. Otherwise - you are going to 
need access to a CA!

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 11:13 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Here are some of the Event Log errors I'm receiving. As you can see I'm not 
getting a whole lot of anything in the Event Viewer..just access denied.

Log Name:  Application
Source:VSS
Date:  3/18/2010 1:23:47 PM
Event ID:  8193
Task Category: None
Level: Error
Keywords:  Classic
User:  N/A
Computer:  computer.domain.com
Description:
Volume Shadow Copy Service error: Unexpected error calling routine 
RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr 
= 0x80070005, Access is denied.
.

Log Name:  Application
Source:Microsoft-Windows-MSDTC
Date:  3/18/2010 1:25:48 PM
Event ID:  4112
Task Category: SVC
Level: Error
Keywords:  Classic
User:  N/A
Computer:  computer.domain.com
Description:
Could not start the MS DTC Transaction Manager.


Volume Shadow Copy Service error: Unexpected error calling routine 
RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 
0x80070005, Access is denied.

.

Certificate enrollment for Local system failed to enroll for a DomainController 
certificate with request ID N/A from exchsrv01.teambi.com\mail.evolvent.com 
(The RPC server is unavailable. 0x800706ba (WIN32: 1722)).


John Bowles | 301.473.2260


From: Michael B. Smith [mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:03 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue
No, shouldn't be a consideration.

Have you verified your event log is clean? I truly expect you should be getting 
information about a service startup failure.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 10:58 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Just to throw this out there.. The client's domain functional level shouldn't 
have a bearing on this type of behavior correct?  The forest level is Windows 
2000 and the domain is Windows 2003.

Thank you.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 10:54 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Hi Michael,

I'm probably beating a dead horse and shouldn't... But, on both my 2008 and 
2008 R2 servers, if I stop the windows firewall service, I can no longer 
connect to them via RDP, or access file shares, or even ping them for that 
matter. I agree, 2008 and 2008 R2 are very different beasts, but they do seem 
to have that behavior in common. At least that's my experience...

Of course, the important thing is why is this happening to John and how might 
he resolve it, and on that, I'm currently stumped.

Jeff

From: Michael B. Smith [mailto:mich...@smithcons.com]
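
The user-rights check Jeff asks John to make in the message above, as an added PowerShell example (not code posted by anyone on the list): it exports the machine's user-rights assignments with `secedit`, reports whether LOCAL SERVICE and NETWORK SERVICE hold the two rights he names, and shows the state of the Windows Firewall service (`MpsSvc`). The privilege constants and SIDs are the standard identifiers for those policies and accounts; the export file name is an assumption.

```powershell
# Added example, not from the thread. Run in an elevated session on the server.
# Written for PowerShell 2.0 so it also runs on Server 2008 / 2008 R2.

# The two policies named in the thread, keyed by their privilege constants.
$rights = @{
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

# Well-known SIDs of the built-in service accounts.
$required = @{
    'S-1-5-19' = 'LOCAL SERVICE'
    'S-1-5-20' = 'NETWORK SERVICE'
}

function ConvertTo-Sid([string]$entry) {
    # secedit writes SIDs as "*S-1-5-19"; some accounts appear by name instead.
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) { return $entry.Substring(1) }
    try {
        $acct = New-Object System.Security.Principal.NTAccount($entry)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $entry   # leave names that cannot be resolved as they are
    }
}

# Export only the user-rights area to a temporary INF file (assumed name).
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
    throw "secedit export failed (exit code $LASTEXITCODE); is the session elevated?"
}
$lines = Get-Content $cfg
Remove-Item $cfg

# One row per (policy, account) pair: is the account listed for that right?
$report = foreach ($right in $rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } |
        Select-Object -First 1
    $sids = @()
    if ($line) {
        $sids = @(($line -split '=', 2)[1].Split(',') |
            Where-Object { $_.Trim() } |
            ForEach-Object { ConvertTo-Sid $_ })
    }
    foreach ($sid in $required.Keys) {
        New-Object PSObject -Property @{
            Policy  = $rights[$right]
            Account = $required[$sid]
            Granted = ($sids -contains $sid)
        }
    }
}
$report | Sort-Object Policy, Account |
    Format-Table Policy, Account, Granted -AutoSize

# State, start mode and logon account of the Windows Firewall service.
Get-WmiObject Win32_Service -Filter "Name='MpsSvc'" |
    Format-List Name, State, StartMode, StartName
```

A `False` in the Granted column is the condition Jeff suspects; the fix he proposes is made in the policy itself, not by this script.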

Re: OT: Made me chuckle

2010-03-19 Thread Eric Wittersheim
I read that he used credentials from an ex-coworker who still worked there.

On Fri, Mar 19, 2010 at 10:38 AM, Sherry Abercrombie wrote:

> What I find amazing is that the fired employee's account wasn't disabled
> immediately upon termination.  Sheesh, talk about asking for trouble.
>
>
> On Fri, Mar 19, 2010 at 10:33 AM, Mike French <
> mike.fre...@theequitybank.com> wrote:
>
>>  46. March 17, Wired – (Texas) Hacker disables more than 100 cars
>> remotely. More than 100 drivers in Austin, Texas found their cars disabled
>> or the horns honking out of control, after an intruder ran amok in a
>> web-based vehicle-immobilization system normally used to get the attention
>> of consumers delinquent in their auto payments. Police with Austin’s High
>> Tech Crime Unit on March 17 arrested a 20-year-old who was a former Texas
>> Auto Center employee who was laid off last month, and allegedly sought
>> revenge by bricking the cars sold from the dealership’s four Austin-area
>> lots. The dealership used a system called Webtech Plus as an alternative to
>> repossessing vehicles that haven’t been paid for. Operated by
>> Cleveland-based Pay Technologies, the system lets car dealers install a
>> small black box under vehicle dashboards that responds to commands issued
>> through a central website, and relayed over a wireless pager network. The
>> dealer can disable a car’s ignition system, or trigger the horn to begin
>> honking, as a reminder that a payment is due. The system will not stop a
>> running vehicle. Texas Auto Center began fielding complaints from baffled
>> customers the last week in February, many of whom wound up missing work,
>> calling tow trucks or disconnecting their batteries to stop the honking. The
>> troubles stopped five days later, when Texas Auto Center reset the Webtech
>> Plus passwords for all its employee accounts, says the manager of Texas Auto
>> Center. Then police obtained access logs from Pay Technologies, and traced
>> the saboteur’s IP address to the suspect’s AT&T internet service, according
>> to a police affidavit filed in the case. Source: 
>> http://www.wired.com/threatlevel/2010/03/hacker-brickscars/?
>> utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index
>> +(Wired:+Index+3+(Top+Stories+2))
>>
>>
>>
>>
>>
>>
>> *Mike French
>> **Network Engineer
>> **~**EQUITY BANK *
>> Office: 214.231.4565
>> mike.fre...@theequitybank.com
>>
>> *"Evidently excellence in security by some **
>> security-centric vendors is defined as being the head of the class in a
>> room filled with children without a propensity to learn." - Anonymous*
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> Sherry Abercrombie
>
> "Any sufficiently advanced technology is indistinguishable from magic."
> Arthur C. Clarke
>
>
>
>
>
>


RE: RANT: ISP on-line orders

2010-03-19 Thread John Aldrich
Bummer. :(

 

John-AldrichTile-Tools

 

From: Steven Peck [mailto:sep...@gmail.com] 
Sent: Friday, March 19, 2010 11:52 AM
To: NT System Admin Issues
Subject: Re: RANT: ISP on-line orders

 

http://www.surewest.com/



On Fri, Mar 19, 2010 at 5:49 AM, John Aldrich 
wrote:

Ok, I gotta know, who's  your ISP? Doubt they're anywhere in my area. :(

 

John-AldrichTile-Tools

 

From: Steven Peck [mailto:sep...@gmail.com] 
Sent: Thursday, March 18, 2010 6:30 PM


To: NT System Admin Issues

Subject: Re: RANT: ISP on-line orders

 

My provider gave me fiber to the house and a network port (it was 10mb, but
they raised it to 20mb just cause).  They said after verifying it worked I
had to give them a MAC address and it was my problem.  Servers on the
network?  Sure.  Static IP Address?  $3 provisioning cost and then $3/month
(recently raised to $5/month).  When my firewall system finally died, it was
a 15 minute call to get them to change the MAC address.

I love my ISP.  If I ever move, it will be to an area with the same ISP and
power company.

Steven

On Thu, Mar 18, 2010 at 2:29 PM, Steve Ens  wrote:

I was supplied with a 3Wire unit.  Works quite well, decent GUI as well.  

 

On Thu, Mar 18, 2010 at 4:16 PM, John Aldrich 
wrote:

ISP is Windstream. They were offering a combo DSL Modem/Router (3Wire.) I
prefer Linksys as I know how to set them up and can flash the WRT-54GL with
an aftermarket ROM. I wasn't sure what brand/model router they were
offering, but I was pretty sure it wasn't a WRT54GL.

 

Windstream is our only real option for phone service other than Charter, and
Charter's internet sucks where I live. I ordered their service on a trial
before I cancelled Windstream's DSL awhile back and decided to abort the
Charter trial instead and give 'em back their modem. It was supposed to be
like 5 Mbit/sec, and it just didn't match up with the Windstream, so I kept
Windstream.

 

Overall, Windstream is pretty decent as far as service goes - they don't do
port 25 blocking and they don't seem to care that I'm running an SSH server,
and accessing my machine at home. :)

 


 

From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Thursday, March 18, 2010 4:48 PM 


To: NT System Admin Issues

Subject: RE: RANT: ISP on-line orders 

 

How is $50 - $50 rebate = $0 not way better than $55 to Newegg?  Afraid of
rebates?  I've hardly ever lost one.  Companies who renege on rebates get
dragged through the mud online and they know it, so it rarely happens.

 

And what is the name of this exceedingly brilliant ISP?   Always drop names,
it gets their attention (sometimes).

 

Carl

 


From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Thursday, March 18, 2010 4:02 PM
To: NT System Admin Issues
Subject: RANT: ISP on-line orders

Ok, so this morning I ordered an upgrade to my DSL to 6 Mbit and I logged in
as an existing user, but it still required me to select either a DSL modem
or a wireless router and I had to call customer service to ask that they NOT
send me a "free" (after $50 rebate) modem. I wouldn't have minded a wireless
router as I would like wireless at home, but I'm not prepared to pay $50 to
my ISP when for $5 more I can buy it direct from NewEgg and get free
shipping. :)

 

Still...what idiot makes you order a new modem when you already have
service??? Someone needs to fix the website so that when you log in as an
existing DSL customer they don't make you choose like that!

 


Re: Made me chuckle

2010-03-19 Thread Sean Martin
Several years ago, we had a young man working in our Network Operations
Center. He had previously been employed by one of our local ISPs. Apparently
he had spent months accessing the ISPs online application which provided him
the ability to clear billing and adjust bandwidth for cable modem customers.
He had been clearing billing statements and increasing cable modem speeds
for his friends and family for months. It was kind of an embarrassing
situation when they traced the access back to our company, especially since
we're one of the ISPs largest business customers.

On Fri, Mar 19, 2010 at 7:53 AM, Kim Longenbaugh
wrote:

>  Based on those criteria, we would have to fire our board of directors….
>
>
>  --
>
> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> *Sent:* Friday, March 19, 2010 10:42 AM
>
> *To:* NT System Admin Issues
> *Subject:* RE: Made me chuckle
>
>
>
> The coworker gets in trouble. He either voluntarily gave out his password,
> or left it written down somewhere that the guy who left could find, or
> picked one that was easy to guess.
>
>
>
>
>
>
>
> John
>
>
>
> *From:* Wilhelm, Scott [mailto:swilh...@mcs.k12.ny.us]
> *Sent:* Friday, March 19, 2010 11:41 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Made me chuckle
>
>
>
> In that case, would it be reasonable to reset everyone’s passwords whenever
> someone leaves the company to prevent something like this from happening, or
> does the coworker get in trouble as well?
>
>
>
> Would definitely be a sticky issue.
>
>
>
> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> *Sent:* Friday, March 19, 2010 11:34 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Made me chuckle
>
>
>
> Yeah, we’ve been discussing this one in an IT security class I’m taking in
> grad school. Lots of things went wrong here. Apparently the fired guy had a
> former coworker’s password.
>
>
>
> And in addition to screwing with the cars, he did other things like placing
> thousands of dollars in orders under the company’s name.
>
>
>
>
>
>
>
> John Hornbuckle
>
> MIS Department
>
> Taylor County School District
>
> www.taylor.k12.fl.us
>
>
>
>
>
>
>
> *From:* Mike French [mailto:mike.fre...@theequitybank.com]
> *Sent:* Friday, March 19, 2010 11:34 AM
> *To:* NT System Admin Issues
> *Subject:* OT: Made me chuckle
>
>
>
> 46. March 17, Wired – (Texas) Hacker disables more than 100 cars remotely.
> More than 100 drivers in Austin, Texas found their cars disabled or the
> horns honking out of control, after an intruder ran amok in a web-based
> vehicle-immobilization system normally used to get the attention of
> consumers delinquent in their auto payments. Police with Austin’s High Tech
> Crime Unit on March 17 arrested a 20-year-old who was a former Texas Auto
> Center employee who was laid off last month, and allegedly sought revenge by
> bricking the cars sold from the dealership’s four Austin-area lots. The
> dealership used a system called Webtech Plus as an alternative to
> repossessing vehicles that haven’t been paid for. Operated by
> Cleveland-based Pay Technologies, the system lets car dealers install a
> small black box under vehicle dashboards that responds to commands issued
> through a central website, and relayed over a wireless pager network. The
> dealer can disable a car’s ignition system, or trigger the horn to begin
> honking, as a reminder that a payment is due. The system will not stop a
> running vehicle. Texas Auto Center began fielding complaints from baffled
> customers the last week in February, many of whom wound up missing work,
> calling tow trucks or disconnecting their batteries to stop the honking. The
> troubles stopped five days later, when Texas Auto Center reset the Webtech
> Plus passwords for all its employee accounts, says the manager of Texas Auto
> Center. Then police obtained access logs from Pay Technologies, and traced
> the saboteur’s IP address to the suspect’s AT&T internet service, according
> to a police affidavit filed in the case. Source:
> http://www.wired.com/threatlevel/2010/03/hacker-brickscars/?
> utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index
> +(Wired:+Index+3+(Top+Stories+2))
>
>
>
>
>
> *Mike French
> **Network Engineer
> **~**EQUITY BANK *
> Office: 214.231.4565
> mike.fre...@theequitybank.com
>
> *"Evidently excellence in security by some **
> security-centric vendors is defined as being the head of the class in a
> room filled with children without a propensity to learn." - Anonymous*

RE: DPM help

2010-03-19 Thread Glen Johnson
One other question for DPM folks.

Do you find that the disk management console is horribly slow?

I see three disks, 0, 1 and 2.

0 is the C drive.

2 is the DVD rom drive.

1 is the iscsi drive, and it has all the DPM volumes.   So many, in the
partition map, it looks like a bar code.

Any action takes over a minute to complete.

Just curious if others see the same thing.

 

 

From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Friday, March 19, 2010 11:01 AM
To: NT System Admin Issues
Subject: RE: DPM help

 

Ok, new error.

When I try to cd to First Storage Group from Microsoft Exchange Writer,
I get error, "The device is not ready".

I'm guessing my only recourse here is to disable protection of the
exchange store and remove the on disk dpm images, and then re-enable.

That is, unless you have any suggestions for this error.

Thanks again.

Glen.

 

 

From: Tobie Fysh [mailto:tobie.f...@freebridge.org.uk] 
Sent: Friday, March 19, 2010 10:47 AM
To: NT System Admin Issues
Subject: RE: DPM help

 

The mount point is in the Replica folder so go into the Command Prompt

CD to 

"DPMINSTALLLOCATION\Volumes\Replica\exchange.vhcc.edu\Microsoft Exchange
Writer\First Storage Group"

And then run chkdsk.exe, does it complete successfully? 

 

You WILL have to do a full consistency check after this to fix the DPM
error.

 

Tobie

 

 

 

From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: 19 March 2010 12:48
To: NT System Admin Issues
Subject: RE: DPM help

 

Tobie.

Thanks for the link.

I tried that, but no matter where I run chkdsk from, it always runs
against the C drive, which is the only drive letter assigned on this
system.

I CD'd as far into the Junctions as possible, but when I run chkdsk, the
info it returns is the same info I get if I run chkdsk c:.

 

Here is the path I went to.

C:\Program Files\Microsoft
DPM\Volumes\DiffArea\exchange.vhcc.edu\Microsoft Exchange Writer\First
Storage Group

Can't go any deeper.

From the directory Microsoft Exchange Writer, dir lists

First Storage Group {\??\Volume\{87e268c-... which matches the volume
name listed in the DPM error, so I think I'm in the correct location.

Any other suggestions appreciated.

Glen.

 

 

From: Tobie Fysh [mailto:tobie.f...@freebridge.org.uk] 
Sent: Friday, March 19, 2010 4:36 AM
To: NT System Admin Issues
Subject: RE: DPM help

 

Have a look at this:

 

http://blogs.technet.com/askcore/archive/2008/05/29/data-protection-manager-what-is-a-consistency-check-and-what-could-cause-it-to-fail.aspx

 

It's how to get into the mountpoint and run a checkdisk.

 

Tobie

 

From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: 18 March 2010 13:27
To: NT System Admin Issues
Subject: DPM help

 

Running DPM 2007 here backing up to a Drobo PRO iscsi box.

So far it has worked well.

Last weekend we had a power outage and things didn't shutdown properly.

I've got a DC and Exchange backups that won't run now.

I get VSS error on the DPM server that says to clear the VSS error and
run chkdsk.

When I try to clear the VSS error or re-run the job, I get the same
error.

Chkdsk /x  \\?\Volume{89e268c7-..}
 

Gives error, cannot open volume for direct access.  Does this mean my
syntax for the volume name is incorrect or what?

Chkdsk /x is supposed to dismount the volume and run, but it doesn't.

I've stopped all DPM services and still can't get chkdsk to run.

 

Also, disk management MMC, find volume in the sea of volumes, tools,
chkdsk doesn't do anything.

Any suggestions?

 

 

 




Re: OT: Made me chuckle

2010-03-19 Thread Sean Martin
It's possible they just failed to reset service account or other
administrative account passwords, rather than leaving his account active
(which if he had access to, should've been part of their procedures). What I
found funny is the fact they labeled him a "hacker" when he was so easily
tracked down.

- Sean

On Fri, Mar 19, 2010 at 7:38 AM, Sherry Abercrombie wrote:

> What I find amazing is that the fired employee's account wasn't disabled
> immediately upon termination.  Sheesh, talk about asking for trouble.
>
>
> On Fri, Mar 19, 2010 at 10:33 AM, Mike French <
> mike.fre...@theequitybank.com> wrote:
>
>>  46. March 17, Wired – (Texas) Hacker disables more than 100 cars
>> remotely. More than 100 drivers in Austin, Texas found their cars disabled
>> or the horns honking out of control, after an intruder ran amok in a
>> web-based vehicle-immobilization system normally used to get the attention
>> of consumers delinquent in their auto payments. Police with Austin’s High
>> Tech Crime Unit on March 17 arrested a 20-year-old who was a former Texas
>> Auto Center employee who was laid off last month, and allegedly sought
>> revenge by bricking the cars sold from the dealership’s four Austin-area
>> lots. The dealership used a system called Webtech Plus as an alternative to
>> repossessing vehicles that haven’t been paid for. Operated by
>> Cleveland-based Pay Technologies, the system lets car dealers install a
>> small black box under vehicle dashboards that responds to commands issued
>> through a central website, and relayed over a wireless pager network. The
>> dealer can disable a car’s ignition system, or trigger the horn to begin
>> honking, as a reminder that a payment is due. The system will not stop a
>> running vehicle. Texas Auto Center began fielding complaints from baffled
>> customers the last week in February, many of whom wound up missing work,
>> calling tow trucks or disconnecting their batteries to stop the honking. The
>> troubles stopped five days later, when Texas Auto Center reset the Webtech
>> Plus passwords for all its employee accounts, says the manager of Texas Auto
>> Center. Then police obtained access logs from Pay Technologies, and traced
>> the saboteur’s IP address to the suspect’s AT&T internet service, according
>> to a police affidavit filed in the case. Source: 
>> http://www.wired.com/threatlevel/2010/03/hacker-brickscars/?
>> utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index
>> +(Wired:+Index+3+(Top+Stories+2))
>>
>>
>>
>>
>>
>>
>> *Mike French
>> **Network Engineer
>> **~**EQUITY BANK *
>> Office: 214.231.4565
>> mike.fre...@theequitybank.com
>>
>> *"Evidently excellence in security by some **
>> security-centric vendors is defined as being the head of the class in a
>> room filled with children without a propensity to learn." - Anonymous*
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> Sherry Abercrombie
>
> "Any sufficiently advanced technology is indistinguishable from magic."
> Arthur C. Clarke
>
>
>
>
>
>


RE: Made me chuckle

2010-03-19 Thread Kim Longenbaugh
Based on those criteria, we would have to fire our board of
directors

 



From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 10:42 AM
To: NT System Admin Issues
Subject: RE: Made me chuckle

 

The coworker gets in trouble. He either voluntarily gave out his
password, or left it written down somewhere that the guy who left could
find, or picked one that was easy to guess.

 

 

 

John

 

From: Wilhelm, Scott [mailto:swilh...@mcs.k12.ny.us] 
Sent: Friday, March 19, 2010 11:41 AM
To: NT System Admin Issues
Subject: RE: Made me chuckle

 

In that case, would it be reasonable to reset everyone's passwords
whenever someone leaves the company to prevent something like this from
happening, or does the coworker get in trouble as well?

 

Would definitely be a sticky issue.

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 11:34 AM
To: NT System Admin Issues
Subject: RE: Made me chuckle

 

Yeah, we've been discussing this one in an IT security class I'm taking
in grad school. Lots of things went wrong here. Apparently the fired guy
had a former coworker's password.

 

And in addition to screwing with the cars, he did other things like
placing thousands of dollars in orders under the company's name.

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us

 

 

 

From: Mike French [mailto:mike.fre...@theequitybank.com] 
Sent: Friday, March 19, 2010 11:34 AM
To: NT System Admin Issues
Subject: OT: Made me chuckle

 

46. March 17, Wired - (Texas) Hacker disables more than 100 cars
remotely. More than 100 drivers in Austin, Texas found their cars
disabled or the horns honking out of control, after an intruder ran amok
in a web-based vehicle-immobilization system normally used to get the
attention of consumers delinquent in their auto payments. Police with
Austin's High Tech Crime Unit on March 17 arrested a 20-year-old who was
a former Texas Auto Center employee who was laid off last month, and
allegedly sought revenge by bricking the cars sold from the dealership's
four Austin-area lots. The dealership used a system called Webtech Plus
as an alternative to repossessing vehicles that haven't been paid for.
Operated by Cleveland-based Pay Technologies, the system lets car
dealers install a small black box under vehicle dashboards that responds
to commands issued through a central website, and relayed over a
wireless pager network. The dealer can disable a car's ignition system,
or trigger the horn to begin honking, as a reminder that a payment is
due. The system will not stop a running vehicle. Texas Auto Center began
fielding complaints from baffled customers the last week in February,
many of whom wound up missing work, calling tow trucks or disconnecting
their batteries to stop the honking. The troubles stopped five days
later, when Texas Auto Center reset the Webtech Plus passwords for all
its employee accounts, says the manager of Texas Auto Center. Then
police obtained access logs from Pay Technologies, and traced the
saboteur's IP address to the suspect's AT&T internet service, according
to a police affidavit filed in the case. Source:
http://www.wired.com/threatlevel/2010/03/hacker-brickscars/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))

 

 

Mike French
Network Engineer
~EQUITY BANK  
Office: 214.231.4565
mike.fre...@theequitybank.com

"Evidently excellence in security by some 
security-centric vendors is defined as being the head of the class in a 
room filled with children without a propensity to learn." - Anonymous

NOTICE: Florida has a broad public records law. Most written
communications to or from this entity are public records that will be
disclosed to the public and the media upon request. E-mail
communications may be subject to public disclosure.

RE: Made me chuckle

2010-03-19 Thread Erik Goldoff
 

1)  NEVER share individual user password/credentials

2)  Immediately disable accounts for employees terminating employment
(voluntary or otherwise)

3)  Immediately change shared administration credential passwords upon
participating employees terminating employment

4)  DUH !

 

Erik Goldoff

IT  Consultant

Systems, Networks, & Security 

'  Security is an ongoing process, not a one time event ! '

From: Wilhelm, Scott [mailto:swilh...@mcs.k12.ny.us] 
Sent: Friday, March 19, 2010 11:41 AM
To: NT System Admin Issues
Subject: RE: Made me chuckle

 

In that case, would it be reasonable to reset everyone’s passwords whenever
someone leaves the company to prevent something like this from happening, or
does the coworker get in trouble as well?

 

Would definitely be a sticky issue.

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, March 19, 2010 11:34 AM
To: NT System Admin Issues
Subject: RE: Made me chuckle

 

Yeah, we’ve been discussing this one in an IT security class I’m taking in
grad school. Lots of things went wrong here. Apparently the fired guy had a
former coworker’s password.

 

And in addition to screwing with the cars, he did other things like placing
thousands of dollars in orders under the company’s name.

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us
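
Added example, not part of any message in this thread: the article quoted above says the intruder used a coworker's password and was traced through the vendor's access logs, so this sketch shows a log review that surfaces that pattern (a working account logging in from an address that, before the termination, only the departed employee used). The log layout, account names, addresses and termination date are constructed for illustration; the real Webtech Plus log format is not known here.

```python
import csv
import io
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "time account ip result")
Finding = namedtuple("Finding", "time account ip reason former_user")

# Constructed sample: timestamp, account, source IP, result.
# 198.51.100.10 stands for the office address, 203.0.113.77 for a home line.
SAMPLE_LOG = """\
2010-02-01T09:02:11,asmith,198.51.100.10,success
2010-02-01T09:05:40,exemp,198.51.100.10,success
2010-02-03T21:14:05,exemp,203.0.113.77,success
2010-02-10T20:41:19,exemp,203.0.113.77,success
2010-02-12T08:58:02,bjones,198.51.100.10,success
2010-02-16T09:01:44,asmith,198.51.100.10,success
2010-02-20T22:17:30,exemp,203.0.113.77,failure
2010-02-20T22:19:02,bjones,203.0.113.77,success
2010-02-21T23:05:51,bjones,203.0.113.77,success
2010-02-22T08:59:10,bjones,198.51.100.10,success
"""

# Constructed: account name -> moment the account was disabled.
TERMINATIONS = {"exemp": datetime(2010, 2, 15, 17, 0, 0)}


def parse_log(text):
    """Turn the CSV text into a time-ordered list of Event tuples."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        when, account, ip, result = (field.strip() for field in row)
        stamp = datetime.strptime(when, "%Y-%m-%dT%H:%M:%S")
        events.append(Event(stamp, account, ip, result))
    return sorted(events)


def find_suspicious(events, terminations):
    """Return findings for each terminated user.

    disabled-account-attempt: any use of the disabled account after the
        termination, successful or not.
    borrowed-credential: a successful login by a different account from an
        address that, up to the termination, only the departed user had used.
        Shared addresses (office NAT) are excluded because other accounts
        also appear on them before the termination.
    """
    findings = []
    for former_user, left_at in terminations.items():
        users_by_ip = defaultdict(set)
        for e in events:
            if e.time <= left_at and e.result == "success":
                users_by_ip[e.ip].add(e.account)
        personal_ips = {
            ip for ip, users in users_by_ip.items() if users == {former_user}
        }
        for e in events:
            if e.time <= left_at:
                continue
            if e.account == former_user:
                findings.append(Finding(
                    e.time, e.account, e.ip,
                    "disabled-account-attempt", former_user))
            elif e.ip in personal_ips and e.result == "success":
                findings.append(Finding(
                    e.time, e.account, e.ip,
                    "borrowed-credential", former_user))
    return sorted(findings)


if __name__ == "__main__":
    for f in find_suspicious(parse_log(SAMPLE_LOG), TERMINATIONS):
        print(f.time.isoformat(), f.account, f.ip, f.reason,
              "(former user: %s)" % f.former_user)
```

A borrowed-credential hit names the account whose password needs resetting, which narrows the "reset everyone" question raised in the thread to the accounts actually seen on the departed user's addresses.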



RE: Installing Win2K8 Server as DC Issue

2010-03-19 Thread David Lum
With Win2K8/Win7 in addition to disabling the firewall you must also set the 
firewall service to DISABLED (manual might also work), otherwise Windows 
disables the NIC. If it sees firewall as AUTO but the firewall is off (even if 
you turn it off via GUI) it assumes malware has disabled the firewall so it 
nukes the NIC connection altogether.

Setting the service to DISABLED and THEN turning off the firewall will allow 
the NIC to remain active.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 7:54 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Hi Michael,

I'm probably beating a dead horse and shouldn't... But, on both my 2008 and 
2008 R2 servers, if I stop the windows firewall service, I can no longer 
connect to them via RDP, or access file shares, or even ping them for that 
matter. I agree, 2008 and 2008 R2 are very different beasts, but they do seem 
to have that behavior in common. At least that's my experience...

Of course, the important thing is why is this happening to John and how might 
he resolve it, and on that, I'm currently stumped.

Jeff

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, March 18, 2010 4:59 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Guys, y'all need to realize that y'all are comparing apples and oranges.

Server 2008 is NOT the same as Server 2008 R2.

Server 2008 R2 should've been called Server 2010. It's way different. It's not 
like 2003 R2 which was just a bunch of additional optional functionality.

Disabling or stopping the Windows Firewall service in Server 2008 R2 is not 
supported and will cause indeterminate behavior. If you want to not use the 
firewall, you need to open the Windows Firewall application and disable the 
appropriate profile.

This is a change in behavior between 2008 and 2008 R2.

Now, in 2008 R2, if the Windows Firewall won't start, then it WILL generate an 
error in one event log or another. You need to track that down and fix it! :-P

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 7:30 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

+1

Jeff, that's exactly the issue I'm having.  The Windows Firewall will not even 
start up or allow me to start it up to allow traffic to the DC.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Thursday, March 18, 2010 5:35 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

If I stop the Windows Firewall service on my 2008 servers, I can no longer RDP 
to it. So, what I meant by off is, the service is stopped, which is the case 
for John, whose firewall service won't start at all.

From: N Parr [mailto:npar...@mortonind.com]
Sent: Thursday, March 18, 2010 2:22 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

What?  Firewall Off = Traffic Allowed
I have the firewalls off on my 2008 server and RDP to them just fine.


From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Thursday, March 18, 2010 4:17 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue
The 2008 firewall is conservative. In my experience, if it's turned off, no 
traffic is allowed inbound. So, you can't RDP into because your firewall won't 
start up to allow traffic in.

Jeff

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 1:29 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Outside of enabling RDP on the DC, what can be preventing me from RDP'ing into 
the server?  I have this issue with my Exchange 2K7 server as well as DC.   I 
keep getting access is denied when trying to turn on Windows Firewall on the DC.


From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 2:46 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue



From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, March 18, 2010 2:43 PM
To: NT System Admin Issues
Subject: Re: Installing Win2K8 Server as DC Issue

>>I cannot access the server remotely

Error message? No error message, after running DS role I am no longer able to 
connect to server via RDP



>> the windows firewall service won't start

How are you determining this? This is determined by the service on the server 
set to automatic but doesn't show's not started

What does the eventlog say?   Etc and so on.  Event log is throwing MS DTC 
errors saying service cannot start.


>>The Windows Firewall is a pain in the arse if you ask me.

Because? Because it's always been a pain in the arss.  :)


-ASB: http://XeeSM.com/AndrewBaker
On Thu, Mar 18, 2010 at 2:29 PM, John Bowles 

Re: RANT: ISP on-line orders

2010-03-19 Thread Steven Peck
http://www.surewest.com/


On Fri, Mar 19, 2010 at 5:49 AM, John Aldrich
wrote:

> Ok, I gotta know, who’s your ISP? Doubt they’re anywhere in my area. :(
>
>
>
>
>
>
> *From:* Steven Peck [mailto:sep...@gmail.com]
> *Sent:* Thursday, March 18, 2010 6:30 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: RANT: ISP on-line orders
>
>
>
> My provider gave me fiber to the house and a network port (it was 10mb, but
> they raised it to 20mb just cause).  They said after verifying it worked I
> had to give them a MAC address and it was my problem.  Servers on the
> network?  Sure.  Static IP Address?  $3 provisioning cost and then $3/month
> (recently raised to $5/month).  When my firewall system finally died, it was
> a 15 minute call to get them to change the MAC address.
>
> I love my ISP.  If I ever move, it will be to an area with the same ISP and
> power company.
>
> Steven
>
> On Thu, Mar 18, 2010 at 2:29 PM, Steve Ens  wrote:
>
> I was supplied with a 3Wire unit.  Works quite well, decent GUI as well.
>
>
>
> On Thu, Mar 18, 2010 at 4:16 PM, John Aldrich <
> jaldr...@blueridgecarpet.com> wrote:
>
> ISP is Windstream. They were offering a combo DSL Modem/Router (3Wire.) I
> prefer Linksys as I know how to set them up and can flash the WRT-54GL with
> an aftermarket ROM. I wasn’t sure what brand/model router they were
> offering, but I was pretty sure it wasn’t a WRT54GL.
>
>
>
> Windstream is our only real option for phone service other than Charter,
> and Charter’s internet sucks where I live. I ordered their service on a
> trial before I cancelled Windstream’s DSL awhile back and decided to abort
> the Charter trial instead and give ‘em back their modem. It was supposed to
> be like 5 Mbit/sec, and it just didn’t match up with the Windstream, so I
> kept Windstream.
>
>
>
> Overall, Windstream is pretty decent as far as service goes – they don’t do
> port 25 blocking and they don’t seem to care that I’m running an SSH server,
> and accessing my machine at home. :)
>
>
>
>
>
>
> *From:* Carl Houseman [mailto:c.house...@gmail.com]
> *Sent:* Thursday, March 18, 2010 4:48 PM
>
>
> *To:* NT System Admin Issues
>
> *Subject:* RE: RANT: ISP on-line orders
>
>
>
> How is $50 - $50 rebate = $0 not way better than $55 to Newegg?  Afraid of
> rebates?  I've hardly ever lost one.  Companies who renege on rebates get
> dragged through the mud online and they know it, so it rarely happens.
>
>
>
> And what is the name of this exceedingly brilliant ISP?   Always drop
> names, it gets their attention (sometimes).
>
>
>
> Carl
>
>
>  --
>
> *From:* John Aldrich [mailto:jaldr...@blueridgecarpet.com]
> *Sent:* Thursday, March 18, 2010 4:02 PM
> *To:* NT System Admin Issues
> *Subject:* RANT: ISP on-line orders
>
> Ok, so this morning I ordered an upgrade to my DSL to 6 Mbit and I logged
> in as an existing user, but it *still* required me to select either a DSL
> modem or a wireless router and I had to call customer service to ask that
> they NOT send me a “free” (after $50 rebate) modem. I wouldn’t have minded a
> wireless router as I would like wireless at home, but I’m not prepared to
> pay $50 to my ISP when for $5 more I can buy it direct from NewEgg and get
> free shipping. :)
>
>
>
> Still…what idiot makes you order a new modem when you already have
> service??? Someone needs to fix the website so that when you log in as an
> existing DSL customer they don’t make you choose like that!
>
>
>

RE: Installing Win2K8 Server as DC Issue

2010-03-19 Thread John Bowles
LOL that thought has crossed my mind several times.  But the box was operating 
just fine before we joined it to the domain.. and all this behavior started 
taking place.  As soon as it came off a reboot from joining the domain, the 
Windows Firewall stopped, couldn't ping the server etc.

This client also installed a Windows 2K8 standalone server with E2K7 ready to 
deploy and they were running across the same issues.  Cannot RDP, can't ping, 
etc.  I'm not sold it's a build issue just yet.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:44 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

I think you should rebuild this box. IMHO.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 11:42 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Oh I'm sorry Michael, I'm assuming it cannot get out because RPC is blocked 
incoming/outgoing on the server.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:31 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

No. This error "Certificate enrollment for Local system failed to enroll for 
a DomainController certificate with request ID N/A from 
exchsrv01.teambi.com\mail.evolvent.com (The RPC server is unavailable. 
0x800706ba (WIN32: 1722))" means that you have a policy requiring the DC to 
get a certificate and it couldn't access the CA when it tried to get it.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 11:28 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

That is something that is in the process of being purchased.  I'm assuming 
you're wanting to import a cert to all Windows 2008 DC's correct?

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:24 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Do you have a CA on the same side of the firewall as this new DC?

I think I'd demote this server, remove it from the domain, re-add it, and then 
repromote. Assuming you do have an available CA. Otherwise - you are going to 
need access to a CA!

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 11:13 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Here are some of the Event Log errors I'm receiving. As you can see I'm not 
getting a whole lot of anything in the Event Viewer..just access denied.

Log Name:  Application
Source:VSS
Date:  3/18/2010 1:23:47 PM
Event ID:  8193
Task Category: None
Level: Error
Keywords:  Classic
User:  N/A
Computer:  computer.domain.com
Description:
Volume Shadow Copy Service error: Unexpected error calling routine 
RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr 
= 0x80070005, Access is denied.
.

Log Name:  Application
Source:Microsoft-Windows-MSDTC
Date:  3/18/2010 1:25:48 PM
Event ID:  4112
Task Category: SVC
Level: Error
Keywords:  Classic
User:  N/A
Computer:  computer.domain.com
Description:
Could not start the MS DTC Transaction Manager.


Volume Shadow Copy Service error: Unexpected error calling routine 
RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 
0x80070005, Access is denied.

.

Certificate enrollment for Local system failed to enroll for a DomainController 
certificate with request ID N/A from exchsrv01.teambi.com\mail.evolvent.com 
(The RPC server is unavailable. 0x800706ba (WIN32: 1722)).


John Bowles | 301.473.2260


From: Michael B. Smith [mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:03 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue
No, shouldn't be a consideration.

Have you verified your event log is clean? I truly expect you should be getting 
information about a service startup failure.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 10:58 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Just to throw this out there.. The client's domain functional level shouldn't 
have a bearing on this type of behavior correct?  The forest level is Windows 
2000 and the domain is Windows 2003.

Thank you.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 10:54 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Hi Michael,

I'm probably beatin

RE: Made me chuckle

2010-03-19 Thread John Hornbuckle
The coworker gets in trouble. He either voluntarily gave out his password, or 
left it written down somewhere that the guy who left could find, or picked one 
that was easy to guess.



John

From: Wilhelm, Scott [mailto:swilh...@mcs.k12.ny.us]
Sent: Friday, March 19, 2010 11:41 AM
To: NT System Admin Issues
Subject: RE: Made me chuckle

In that case, would it be reasonable to reset everyone's passwords whenever 
someone leaves the company to prevent something like this from happening, or 
does the coworker get in trouble as well?

Would definitely be a sticky issue.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Friday, March 19, 2010 11:34 AM
To: NT System Admin Issues
Subject: RE: Made me chuckle

Yeah, we've been discussing this one in an IT security class I'm taking in grad 
school. Lots of things went wrong here. Apparently the fired guy had a former 
coworker's password.

And in addition to screwing with the cars, he did other things like placing 
thousands of dollars in orders under the company's name.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us



From: Mike French [mailto:mike.fre...@theequitybank.com]
Sent: Friday, March 19, 2010 11:34 AM
To: NT System Admin Issues
Subject: OT: Made me chuckle

46. March 17, Wired - (Texas) Hacker disables more than 100 cars remotely. More 
than 100 drivers in Austin, Texas found their cars disabled or the horns 
honking out of control, after an intruder ran amok in a web-based 
vehicle-immobilization system normally used to get the attention of consumers 
delinquent in their auto payments. Police with Austin's High Tech Crime Unit on 
March 17 arrested a 20-year-old who was a former Texas Auto Center employee who 
was laid off last month, and allegedly sought revenge by bricking the cars sold 
from the dealership's four Austin-area lots. The dealership used a system 
called Webtech Plus as an alternative to repossessing vehicles that haven't 
been paid for. Operated by Cleveland-based Pay Technologies, the system lets 
car dealers install a small black box under vehicle dashboards that responds to 
commands issued through a central website, and relayed over a wireless pager 
network. The dealer can disable a car's ignition system, or trigger the horn to 
begin honking, as a reminder that a payment is due. The system will not stop a 
running vehicle. Texas Auto Center began fielding complaints from baffled 
customers the last week in February, many of whom wound up missing work, 
calling tow trucks or disconnecting their batteries to stop the honking. The 
troubles stopped five days later, when Texas Auto Center reset the Webtech Plus 
passwords for all its employee accounts, says the manager of Texas Auto Center. 
Then police obtained access logs from Pay Technologies, and traced the 
saboteur's IP address to the suspect's AT&T internet service, according to a 
police affidavit filed in the case. Source: 
http://www.wired.com/threatlevel/2010/03/hacker-brickscars/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))


Mike French
Network Engineer
~EQUITY BANK
Office: 214.231.4565
mike.fre...@theequitybank.com
"Evidently excellence in security by some
security-centric vendors is defined as being the head of the class in a
room filled with children without a propensity to learn." - Anonymous

RE: Installing Win2K8 Server as DC Issue

2010-03-19 Thread John Bowles
Oh I'm sorry Michael, I'm assuming it cannot get out because RPC is blocked 
incoming/outgoing on the server.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:31 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

No. This error "Certificate enrollment for Local system failed to enroll for 
a DomainController certificate with request ID N/A from 
exchsrv01.teambi.com\mail.evolvent.com (The RPC server is unavailable. 
0x800706ba (WIN32: 1722))" means that you have a policy requiring the DC to 
get a certificate and it couldn't access the CA when it tried to get it.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 11:28 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

That is something that is in the process of being purchased.  I'm assuming 
you're wanting to import a cert to all Windows 2008 DC's correct?

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:24 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Do you have a CA on the same side of the firewall as this new DC?

I think I'd demote this server, remove it from the domain, re-add it, and then 
repromote. Assuming you do have an available CA. Otherwise - you are going to 
need access to a CA!

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 11:13 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Here are some of the Event Log errors I'm receiving. As you can see I'm not 
getting a whole lot of anything in the Event Viewer..just access denied.

Log Name:  Application
Source:VSS
Date:  3/18/2010 1:23:47 PM
Event ID:  8193
Task Category: None
Level: Error
Keywords:  Classic
User:  N/A
Computer:  computer.domain.com
Description:
Volume Shadow Copy Service error: Unexpected error calling routine 
RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr 
= 0x80070005, Access is denied.
.

Log Name:  Application
Source:Microsoft-Windows-MSDTC
Date:  3/18/2010 1:25:48 PM
Event ID:  4112
Task Category: SVC
Level: Error
Keywords:  Classic
User:  N/A
Computer:  computer.domain.com
Description:
Could not start the MS DTC Transaction Manager.


Volume Shadow Copy Service error: Unexpected error calling routine 
RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 
0x80070005, Access is denied.

.

Certificate enrollment for Local system failed to enroll for a DomainController 
certificate with request ID N/A from exchsrv01.teambi.com\mail.evolvent.com 
(The RPC server is unavailable. 0x800706ba (WIN32: 1722)).


John Bowles | 301.473.2260


From: Michael B. Smith [mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:03 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue
No, shouldn't be a consideration.

Have you verified your event log is clean? I truly expect you should be getting 
information about a service startup failure.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 10:58 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Just to throw this out there.. The client's domain functional level shouldn't 
have a bearing on this type of behavior correct?  The forest level is Windows 
2000 and the domain is Windows 2003.

Thank you.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 10:54 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Hi Michael,

I'm probably beating a dead horse and shouldn't... But, on both my 2008 and 
2008 R2 servers, if I stop the windows firewall service, I can no longer 
connect to them via RDP, or access file shares, or even ping them for that 
matter. I agree, 2008 and 2008 R2 are very different beasts, but they do seem 
to have that behavior in common. At least that's my experience...

Of course, the important thing is why is this happening to John and how might 
he resolve it, and on that, I'm currently stumped.

Jeff

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, March 18, 2010 4:59 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Guys, y'all need to realize that y'all are comparing apples and oranges.

Server 2008 is NOT the same as Server 2008 R2.

Server 2008 R2 should've been called Server 2010. It's way different. It's not 
like 2003 R2 which was just a bunch of additional optional functionality.

Disabling or stopping the Wi

RE: Installing Win2K8 Server as DC Issue

2010-03-19 Thread John Bowles
Jeff-  the local and network service wasn't in the list.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 11:36 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

John,

On your "Default Domain Controllers Policy", can you take a look at Computer 
Configuration -> Policies -> Windows Settings -> Local Policies -> User Rights 
Assignments and take a look at the two keys I mentioned before: "Adjust Memory 
quotas for a process" and "Replace a process Level token". Since you said you 
were at 2000 on the forest level, I'm really thinking LOCAL SERVICE isn't in 
the list for at least one of those two policies...

Jeff



From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 8:28 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

That is something that is in the process of being purchased.  I'm assuming 
you're wanting to import a cert to all Windows 2008 DC's correct?

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:24 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Do you have a CA on the same side of the firewall as this new DC?

I think I'd demote this server, remove it from the domain, re-add it, and then 
repromote. Assuming you do have an available CA. Otherwise - you are going to 
need access to a CA!

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 11:13 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Here are some of the Event Log errors I'm receiving. As you can see I'm not 
getting a whole lot of anything in the Event Viewer..just access denied.

Log Name:  Application
Source:VSS
Date:  3/18/2010 1:23:47 PM
Event ID:  8193
Task Category: None
Level: Error
Keywords:  Classic
User:  N/A
Computer:  computer.domain.com
Description:
Volume Shadow Copy Service error: Unexpected error calling routine 
RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr 
= 0x80070005, Access is denied.
.

Log Name:  Application
Source:Microsoft-Windows-MSDTC
Date:  3/18/2010 1:25:48 PM
Event ID:  4112
Task Category: SVC
Level: Error
Keywords:  Classic
User:  N/A
Computer:  computer.domain.com
Description:
Could not start the MS DTC Transaction Manager.


Volume Shadow Copy Service error: Unexpected error calling routine 
RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 
0x80070005, Access is denied.

.

Certificate enrollment for Local system failed to enroll for a DomainController 
certificate with request ID N/A from exchsrv01.teambi.com\mail.evolvent.com 
(The RPC server is unavailable. 0x800706ba (WIN32: 1722)).


John Bowles | 301.473.2260


From: Michael B. Smith [mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:03 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue
No, shouldn't be a consideration.

Have you verified your event log is clean? I truly expect you should be getting 
information about a service startup failure.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 10:58 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Just to throw this out there.. The client's domain functional level shouldn't 
have a bearing on this type of behavior correct?  The forest level is Windows 
2000 and the domain is Windows 2003.

Thank you.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 10:54 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Hi Michael,

I'm probably beating a dead horse and shouldn't... But, on both my 2008 and 
2008 R2 servers, if I stop the windows firewall service, I can no longer 
connect to them via RDP, or access file shares, or even ping them for that 
matter. I agree, 2008 and 2008 R2 are very different beasts, but they do seem 
to have that behavior in common. At least that's my experience...

Of course, the important thing is why is this happening to John and how might 
he resolve it, and on that, I'm currently stumped.

Jeff

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, March 18, 2010 4:59 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Guys, y'all need to realize that y'all are comparing apples and oranges.

Server 2008 is NOT the same as Server 2008 R2.

Server 2008 R2 should've been called Server 2010. It's way different. It's not 
like 2003 R2 which was just a bunch of additional optional functionality.

Disabling or stopping the Windows Firewall service in Server 2008 R2 is n
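
Added example, not part of any message in this thread: one way to script the check Jeff describes, reading the [Privilege Rights] section of a security template and reporting whether LOCAL SERVICE and NETWORK SERVICE are absent from "Adjust memory quotas for a process" (SeIncreaseQuotaPrivilege) and "Replace a process level token" (SeAssignPrimaryTokenPrivilege). It assumes the input is the text of a `secedit /export /areas USER_RIGHTS` file or of the policy's GptTmpl.inf, already decoded to a string; both sample templates are constructed.

```python
import re

# User rights named in the thread, keyed by their Windows constant names.
REQUIRED_RIGHTS = {
    "SeIncreaseQuotaPrivilege": "Adjust memory quotas for a process",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}

# Well-known SIDs of the two built-in service accounts.
SERVICE_SIDS = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}

# Templates may carry account names instead of *SID entries.
NAME_TO_SID = {
    "local service": "S-1-5-19",
    "nt authority\\local service": "S-1-5-19",
    "network service": "S-1-5-20",
    "nt authority\\network service": "S-1-5-20",
}

# Constructed sample: both service accounts missing from the first right,
# LOCAL SERVICE missing from the second.
BROKEN_POLICY = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-20
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the same template with the accounts present.
FIXED_POLICY = """\
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = LOCAL SERVICE,*S-1-5-20
"""


def normalise(entry):
    """Map one assignee to a bare SID where possible (*SID or known name)."""
    entry = entry.strip().strip('"')
    if entry.startswith("*"):
        return entry[1:].upper()
    return NAME_TO_SID.get(entry.lower(), entry)


def parse_privilege_rights(inf_text):
    """Return {right: set of assignees} from the [Privilege Rights] section."""
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {
            normalise(v) for v in value.split(",") if v.strip()
        }
    return rights


def missing_service_accounts(inf_text):
    """Return {right label: [service accounts absent from that right]}.

    A right that does not appear in the template is "Not Defined" there, so
    the template does not override it and it is not reported. A right that
    appears with an empty value is defined with nobody assigned, so both
    service accounts are reported as missing.
    """
    rights = parse_privilege_rights(inf_text)
    report = {}
    for constant, label in REQUIRED_RIGHTS.items():
        if constant not in rights:
            continue
        absent = [name for sid, name in SERVICE_SIDS.items()
                  if sid not in rights[constant]]
        if absent:
            report[label] = absent
    return report


if __name__ == "__main__":
    for label, absent in missing_service_accounts(BROKEN_POLICY).items():
        print("%s: missing %s" % (label, ", ".join(absent)))
```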

RE: Made me chuckle

2010-03-19 Thread Wilhelm, Scott
In that case, would it be reasonable to reset everyone's passwords whenever 
someone leaves the company to prevent something like this from happening, or 
does the coworker get in trouble as well?

Would definitely be a sticky issue.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Friday, March 19, 2010 11:34 AM
To: NT System Admin Issues
Subject: RE: Made me chuckle

Yeah, we've been discussing this one in an IT security class I'm taking in grad 
school. Lots of things went wrong here. Apparently the fired guy had a former 
coworker's password.

And in addition to screwing with the cars, he did other things like placing 
thousands of dollars in orders under the company's name.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us



From: Mike French [mailto:mike.fre...@theequitybank.com]
Sent: Friday, March 19, 2010 11:34 AM
To: NT System Admin Issues
Subject: OT: Made me chuckle

46. March 17, Wired - (Texas) Hacker disables more than 100 cars remotely. More 
than 100 drivers in Austin, Texas found their cars disabled or the horns 
honking out of control, after an intruder ran amok in a web-based 
vehicle-immobilization system normally used to get the attention of consumers 
delinquent in their auto payments. Police with Austin's High Tech Crime Unit on 
March 17 arrested a 20-year-old who was a former Texas Auto Center employee who 
was laid off last month, and allegedly sought revenge by bricking the cars sold 
from the dealership's four Austin-area lots. The dealership used a system 
called Webtech Plus as an alternative to repossessing vehicles that haven't 
been paid for. Operated by Cleveland-based Pay Technologies, the system lets 
car dealers install a small black box under vehicle dashboards that responds to 
commands issued through a central website, and relayed over a wireless pager 
network. The dealer can disable a car's ignition system, or trigger the horn to 
begin honking, as a reminder that a payment is due. The system will not stop a 
running vehicle. Texas Auto Center began fielding complaints from baffled 
customers the last week in February, many of whom wound up missing work, 
calling tow trucks or disconnecting their batteries to stop the honking. The 
troubles stopped five days later, when Texas Auto Center reset the Webtech Plus 
passwords for all its employee accounts, says the manager of Texas Auto Center. 
Then police obtained access logs from Pay Technologies, and traced the 
saboteur's IP address to the suspect's AT&T internet service, according to a 
police affidavit filed in the case. Source: 
http://www.wired.com/threatlevel/2010/03/hacker-brickscars/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))


Mike French
Network Engineer
~EQUITY BANK
Office: 214.231.4565
mike.fre...@theequitybank.com
"Evidently excellence in security by some
security-centric vendors is defined as being the head of the class in a
room filled with children without a propensity to learn." - Anonymous

Re: OT: Made me chuckle

2010-03-19 Thread Sherry Abercrombie
What I find amazing is that the fired employee's account wasn't disabled
immediately upon termination.  Sheesh, talk about asking for trouble.

On Fri, Mar 19, 2010 at 10:33 AM, Mike French  wrote:

>  46. March 17, Wired – (Texas) Hacker disables more than 100 cars
> remotely. More than 100 drivers in Austin, Texas found their cars disabled
> or the horns honking out of control, after an intruder ran amok in a
> web-based vehicle-immobilization system normally used to get the attention
> of consumers delinquent in their auto payments. Police with Austin’s High
> Tech Crime Unit on March 17 arrested a 20-year-old who was a former Texas
> Auto Center employee who was laid off last month, and allegedly sought
> revenge by bricking the cars sold from the dealership’s four Austin-area
> lots. The dealership used a system called Webtech Plus as an alternative to
> repossessing vehicles that haven’t been paid for. Operated by
> Cleveland-based Pay Technologies, the system lets car dealers install a
> small black box under vehicle dashboards that responds to commands issued
> through a central website, and relayed over a wireless pager network. The
> dealer can disable a car’s ignition system, or trigger the horn to begin
> honking, as a reminder that a payment is due. The system will not stop a
> running vehicle. Texas Auto Center began fielding complaints from baffled
> customers the last week in February, many of whom wound up missing work,
> calling tow trucks or disconnecting their batteries to stop the honking. The
> troubles stopped five days later, when Texas Auto Center reset the Webtech
> Plus passwords for all its employee accounts, says the manager of Texas Auto
> Center. Then police obtained access logs from Pay Technologies, and traced
> the saboteur’s IP address to the suspect’s AT&T internet service, according
> to a police affidavit filed in the case. Source: 
> http://www.wired.com/threatlevel/2010/03/hacker-brickscars/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))
>
> Mike French
> Network Engineer
> ~EQUITY BANK
> Office: 214.231.4565
> mike.fre...@theequitybank.com
>
> "Evidently excellence in security by some
> security-centric vendors is defined as being the head of the class in a
> room filled with children without a propensity to learn." - Anonymous


-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke
