See FAQ 15 at http://www.activedir.org/FAQ.htm
See also Table 8 at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp
Microsoft lists the following possible reasons for an empty forest root.
Fewer administrators
Graham, Diane
The PES is required if you want to migrate passwords from NT4 to W2K. It can be
installed on NT4 BDCs or PDCs, although the PDC is generally preferable as ADMT talks
to it anyway. The controller running the PES must have the high encryption pack
installed.
Tony
--
You should also not think too much of the security benefits you get with a
dedicated root - they slightly enhance operational security (i.e. not
letting other domain admins easily fool around with forest-config and schema
changes etc.), but do not enhance system security (i.e. they don't hinder a
Graham,
Microsoft is working on an updated version of the migration cookbook you're
referring to. It contains very useful information about using ADMT v2
(probably everything you're looking for).
I'm unable to send it to you while we received a beta of the documentation
under NDA. Maybe you
And in the meantime, some useful generic information about ADMT 2 can be found here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/WindowsNetServer/Evaluate/CPP/Reskit/ADSec/Part1/rkpdsbfo.asp
Tony
-- Original Message --
I am trying to delegate the permission of "Account
Unlock" to a related group.
I can under the ACL find "Reset Password" and
all the other finer stuff.
But can't seem to find the one mentioned above.
I have used ADSI Edit to locate "lockoutDuration"
but also not sure what I should
Hi Yusuf,
You need to make the property visible first.
Open the file c:\winnt\system32\dssec.dat, search for [User], then scroll down till
you find the line lockoutTime=7, and change this to lockoutTime=0. This makes
lockoutTime visible in ACLs.
You should then be able to
See FAQ # 20 at http://www.activedir.org/FAQ.htm
Tony
-- Original Message --
From: Thornley, Dave H [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 19 Feb 2003 11:42:32 -
Hi Yusuf,
You need to make the property visible first.
Open the
Here we go check these out:
'---
' Usr_CheckAccountDisabled.vbs
'
' Developer: Charles
' Developed: 2000-08-23
' Modified: 2000-08-23
' Version: 1.0
'
' Description: Checks if the user account is disabled
I'm not sure about others, but at our location 3rd party vendors often
will request rights "beyond what they require" to install their
applications within our domain. The most they usually
may need is a local admin account on the member server(s), -
but many times we've been asked by vendors for use
It has become common practice, from what I've seen. In fact, I'm currently
administering the second forest that I've built in that exact configuration.
The main rationale has always been to protect the keys to the kingdom -
specifically the schema (via the schema admins group) and the forest
I'd have to disagree on two of your four points.
-Enhanced Security: it is indeed more secure to keep the schema and
enterprise admins group in a different domain. The cross-domain security
hole is relatively difficult to exploit, and does require physical (or at
least interactive) access to a
The point about the domain security issue is that, while it would be very difficult to
exploit the first time, it would be much easier for others to do subsequently were the
details to be made public.
Tony
-- Original Message --
From: Roger Seielstad
Hmm... We just did a test and migrated accounts w/ passwords without
configuring the PES servers for the source NT 4.0 domain. We verified that
the accounts were migrated w/ passwords intact.
Diane
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Tony
Diane
I'm surprised. I thought the whole point of the PES was that it necessary to allow
passwords to be migrated?
Anyone else with experience of this?
Tony
-- Original Message --
From: Ayers, Diane [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:
Even knowing the skeleton process for it, it's not an easy exploit, and
certainly not something that a script kiddie is going to pull off - it takes
more knowledge than that to perform.
Still, it is an additional layer of security, one which IMO is still a
benefit to all but the smallest shops.
I can't find the 'user cannot change password' box. Where is that
located in the policy?
-Original Message-
From: Charles Carerros [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 11:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Policy on password
Do you have a
Are there any known issues installing a Windows .net rc2 member server into
a windows 2000 sp3 domain?
I know it's a vague question, but I would like to experiment with TS
features in a complex environment.
Thanks,
Ken
List info : http://www.activedir.org/mail_list.htm
List FAQ:
Hi Roger, Tony
It's all an issue of how high can you raise the bar... Having an empty root
raises it above the heads of script kiddies, which I agree is better than
nothing.
The question then is from where do you perceive the greater threat? Most IT
attacks are engineered from people in the IT
I'll interject but one point here - there is belief in some camps that
the knowledge, technology, and perhaps the code already exists to
implement such an attack.
As it was put to me, How else could a given vendor offer a migration
tool that allows migrations without Native Mode requirement?
None that I've experienced to date. I have a few RC2 servers installed
with no problems.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
-Original Message-
From: [EMAIL PROTECTED]
Hi Gil,
I work with a company called CPS Systems - and we offer an Enterprise
Directory Synchronization product called SimpleSync. We developed
SimpleSync after selling and supporting Zoomit VIA MetaDirectory, the
precursor to Microsoft's MMS. Our current installed base is over 130
customers,