I would suggest the Windows 2003 (and 2000
and XP) SAM is more secure than NT as it is encrypted with a locally stored key
by default. The Syskey process allows you to store that key on a separate floppy
disk, thus adding an extra layer of security. In the NT SAM, the encryption is
not on b
Our Win2k DNS servers are on our internal network. I have a rule allowing
53 tcp and 53 udp outbound to the Internet. I don't have any other rules
for DNS. Why do I need to create an inbound rule? Aren't the DNS servers
doing all the lookups outbound? What would initiate a connection inbound
What settings are recommended for 2003 AD integrated DNS?
Automatic scavenging? If so, how frequently?
Is there a way to automatically clear the cache on the server
every night, or do you just have to add a task to task scheduler to do
it? Would there be anything wrong with clearin
Hi,
Is there a way to (securely) set an AD account password through a web
page on a linux or unix machine running apache? Assume that we can
already verify the user's identity.
Thanks!
- Robbie
--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
Yes, it requires LDAP and a 128 bit SSL connection to the Domain Controller.
http://support.microsoft.com/?kbid=269190
You also might be able to find something in the Samba package which uses the
NT Lan Man functionality. Though many would question just how secure that
really is.
joe
--
For some reason my initial post didn't reach
everyone; I myself didn't get it back and I know several others didn't get it
either. Though I heard from some people who said they saw
it...
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday,
Your current employer? That makes it sound like you are ready to jump to
some other employer Rog.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, November 17, 2004 12:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [Act
Thanks Joe! That's exactly what I needed. :-)
- Robbie
joe wrote:
Yes, it requires LDAP and a 128 bit SSL connection to the Domain Controller.
http://support.microsoft.com/?kbid=269190
You also might be able to find something in the Samba package which uses the
NT Lan Man functionality. Though many
...or use ldap_opt_encrypt, but I don't know if your client side LDAP
api supports that.
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 17, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] set AD password f
That will work for setting a password on AD (2K and K3)? I was under the
impression you needed the 128 bit SSL if doing over straight LDAP.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, November 17, 2004 10:50 AM
Even with SYSKEY enabled on an NT DC the
SAM can still be cracked with l0phtcrack or the other tools. Just making a
recovery disk with the /r (I believe) option would export a readable copy of
the SAM. We would have to do it for our security folks to test password
strength every so often.
H
Not to conflict with what you're saying, but if you were un-DCPROMOing the
box, it is still a member of the domain - it just isn't a DC anymore.
Unless it was the last DC in the domain?
So when you click the drop-down, it's trying to populate a list. Does it
have access to a DC?
On 11/16/04 11:
Believe Joe is right here...
A little more outside of the box are the Kerberos set-password protocols
outlined in RFC 3244 - if I recall, MS even had some nice sample code already
written for *nix applications.
my .02
-steve
- Original Message -
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAI
Try it and let me know. I thought so, but now you are making me second
guess myself.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 17, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] set AD password from linux?
Ah hah! Yes it does work. I just tried it. But there is a trick.
Trick: when doing this on XP, you must specify the creds explicitly, not
pass null to use currently logged on user.
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
(should have noted I repro'd this on ADAM, not AD, perhaps diff?)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, November 17, 2004 10:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] set AD password from linux?
Ah
It was the last DC.
Thanks.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Rick Boza
> Sent: Wednesday, November 17, 2004 10:00
Dear ActiveDir colleagues:
I am connected to the network hosting the org.company.com domain.
org.domain.com is the root of a Windows 2000 forest. There is a
one-way trust from org.domain.com to domain.com.
I have a workstation in the company.com domain and am logged in as a
user in the company.
Joe-
Are you sure data like that is stored in AD? I thought, actually, that
security policy like this was still stored in the security hive of the
registry (i.e. the SAM) for each machine and thus not replicated.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Beh
Just FYI for anyone interested, my other option may be to do password
resets on an IIS 6 box, but authenticate the user to the mit kerberos
realm using Shibboleth. (http://shibboleth.internet2.edu/) - We already
have a Shibboleth infrastructure in place so it wouldn't be that hard to do.
- Rob
Yep,
The domain NC has attributes that correspond to the settings in the password
policy and the account lockout policy (just checked it with ADSIedit).
Regards,
Jorge
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday 17 Nove
We have an empty
root domain that is just a placeholder (and we forward our child DNS domain
queries to) and a child domain that we all log into.
What should the DNS
properties be on the Root domain controllers network adapter properties?
We currently have the Root DCs pointed at our prim
Title: RE: [ActiveDir] DNS Issues
I saw something similar with checkpoint firewalls. In
particular the NG Versions
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kim Kruse Hansen
Sent: Wednesday, November 17, 2004 1:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS
Does your ISP know how to get back to you?
-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 17, 2004
2:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Empty root
DNS vs Child DNS
We have an empty
This is the only abnormal thing I'm seeing in the eventlogs:
The DNS server has encountered numerous run-time events. To determine the
initial cause of these run-time events, examine the DNS server event log
entries that precede this event. To prevent the DNS server from filling the
event log too
Don't know. Our root DC/DNS servers are on our
internal private network. I guess I'd have to set them up a NATted address
or something?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, November 17, 2004 2:20 PM
To: [EMAIL PROTECTED]
Subjec
If your ISP doesn’t know where to
find you then that will not work. Why not just stick with the root hints,
wouldn’t that work best for you?
-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 17, 2004
3:2
Also, you should have your child domains
forwarding all traffic to your root DNS Servers and then configure your DNS
servers at the root to have delegated zones for those in the child domains.
Point your Root DNS servers to each other and not the child domains. All will
work better.
I have all my zones in the child domain DNS servers and on
those Child DCs I have a forward lookup zone for the root domain
(company.com) with a delegation for the child domain (abc). I also have
another forward lookup zone for the child domain (abc.company.com). Then
the root domain control
Darren - if I understand Joe correctly, he doesn't mean that the policy
values are replicated. It's the fact that DCs may have different
thresholds for acct. lockout (due to the described setup) that the bad
logon count which is passed on from one DC to another would trigger a
lockout at a differen
Can the user connect to a non-Samba resource in org.company.com?
If so, I'd focus on analysing the network traffic between the
Samba server and the client and go from there. Likely something missing
on the Samba side.
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTE
that's only valid when the machine is running (and thus the
SAM is decrypted) and you already have admin access to it. In the case of
"only" having physical access but no account, you'd not have this option and
thus you'd reboot the machine to startup another OS or do something similar to
one way of clearing the cache is to restart the DNS service - not sure
if that's really your problem though. Shouldn't really have to remove
records from the cache unless the target ip-address has changed.
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Beh
Greetings,
I'm currently having an issue with my Exchange Server (5.5SP4) running on
Win2kSP4.
I can create new user accounts just fine but when I attempt to create their
mailbox, the Exchange information isn't being applied to the AD. Any ideas?
Heck, I don't even know where to start, I've nev
Hi
I presume it worked before?
On what type of server is E55 running? W2K DC or member server? Can you
recall what changed between the time it worked and the time it didn't work?
What are the errors you receive directly or through the event log?
regards,
Jorge
-Original Message-
From: [EM
Sorry, but except for a backup during a
migration or the like, of what use is a DC if it's not running? ;)
I had an NT4.0 domain with SYSKEY enabled. When our network security
folks needed to test accounts for password strength using l0phtcrack, we had to use
rdisk to provide them a copy
Is the W2K DC with E55 also a GC? Do you have other DCs in your
environment? If you answer YES to both then check the following:
http://support.microsoft.com/kb/q275127/
Regards,
Jorge
-Original Message-
From: vex
To: Jorge de Almeida Pinto
Sent: 11/18/2004 1:12 AM
Subject: Re: [ActiveDir
All you need to do is boot up in a disk to reset a password
with admin rights and then boot the machine and dump the hashes out of memory
with pwdump3. If you have configured it so you have to enter the password on
boot then this specific attack is defeated. However it isn't feasible in a
la
I remember there's a way (hotfix and/or reg key) to
make clients use the SYSVOL of the authenticating DC
instead of possibly getting a different SYSVOL due to
the behavior of DFS. I can't find how to do this on
MS's site. Can anyone point me at the information?
This is for 2003.
TTIA
That is the same thing I thought, but I decided to clear the cache before
restarting the DNS server service just for kicks, and it remedied the problem.
Why would a DNS request time out for cnn.com when it was working on other DNS
servers? I could understand if it was just returning the wrong addr
You know, I think you *could* get that job with Microsoft. Until I saw this
response, I doubted it - but you've proven me wrong once again, joe.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 16, 2004 11:12 AM
To: [EMAIL PROT
Yeah, it seems that the current cycle that they're on is either 15 minutes
or 6 months. In fact, I'm surprised that you've even heard of Longhorn,
Roger
-rtk
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, November 16,
By default, DNS queries are done over UDP. UDP is stateless - and therefore
there is no automatic reverse allow created by firewalls. So what's
happening is that you're probably failing the UDP request because the
response can't come back in to the DNS server, at which point your DNS
servers fail o
I think they're dependent more on the existence of and the rate of change of
dynamic registrations. In my previous company, we were about 80% laptops, so
I ran short DHCP leases, short DNS TTLs and scavenged daily. In a more
static environment I'd lengthen those significantly.
Roger Seiel
As opposed to my previous employer. I'm done moving for a while. The last 5
months made me feel like I was in the witness protection program, minus the
mob.
Roger Seielstad
E-mail Geek & MS-MVP
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behal
I dunno; one more move and Allison might have put out a contract on
you...
:-)
**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Be
The next corporate relocation requires my employer to include payment for a
divorce attorney.
Roger Seielstad
E-mail Geek & MS-MVP
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Charlie Kaiser
> Sent: Wednesday, November 17, 2004 8:5
The attorney is usually the cheapest part of the deal... Spoken from
experience... :-)
Get them to pay the settlement instead.
**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
> -Original Message-
> From: [EM
fully agree
/Guido
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Thursday, November 18, 2004 1:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD
Sorry, but except for
a backup during a migration or the li