RE: [ActiveDir] Strange password issue

2006-09-07 Thread albertduro
>>If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts.<< Maybe I misunderstand what you're saying, but this is not my experience. More than once I've yanked a workstation from the domain and tried to apply a less restricted passw

Re: [ActiveDir] Moving Users Between Domains

2006-09-07 Thread HBooGz
Which version? What about the moveuser.exe app? On 9/7/06, Tony Murray <[EMAIL PROTECTED]> wrote: ADMT should be used for moving objects between domains. Movetree should now only be used for objects that cannot be moved using ADMT (e.g. Contacts) Tony -- Original Message

Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-07 Thread Ravi Dogra
Jolly, I was not sure abt how VPN Box was configured and as I had a word with Prashant boss, it is not configured for updating records to our DNS. I will talk to Prashant boss abt this. But the thing is I can see 2 DNS records for one host. One is for VPN and the other one is for Wireless IP Add

Re: [ActiveDir] Moving Users Between Domains

2006-09-07 Thread Tony Murray
ADMT should be used for moving objects between domains. Movetree should now only be used for objects that cannot be moved using ADMT (e.g. Contacts) Tony -- Original Message -- From: HBooGz <[EMAIL PROTECTED]> Reply-To: ActiveDir@mail.activedir.org Date: Th

[ActiveDir] Moving Users Between Domains

2006-09-07 Thread HBooGz
I'd like to move an object from the parent domain to the child domain in a pure Windows 2003 R2 AD environment. I've done this with the Movetree command back when AD was 2000 - do I still use the same command or is there a different method/possibility? For informational purposes, I'd like to know h

RE : Re: [ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139

2006-09-07 Thread Yann
Hello Tony, Yes, I saw it and I mailed Scott Anderson, who is the author. He advised me to check that my CAs are well configured, which is what I did. Its pb was exactly the same as mine except that replication from AD -> Exch 5.5 does not work. I set diag logging on my ADC to maximum, added

RE: [ActiveDir] OT: admin account in Vista

2006-09-07 Thread Brian Desmond
My favorite was the user I had who stored them all under “P” in his cardfile.   Thanks, Brian Desmond [EMAIL PROTECTED]   c - 312.731.3132   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, September 07, 2006 5:51 PM To: Activ

RE: [ActiveDir] OT: admin account in Vista

2006-09-07 Thread Darren Mar-Elia
safe location == post-it note on the side of CPU From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Thursday, September 07, 2006 10:36 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: admin account in Vista "Write down your username and password

Re: [ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139

2006-09-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Latest hotfixes... does that mean you pay for NT4 patches or latest hotfixes when that OS was supported? As that could mean two different things Tony Murray wrote: Yann Did you see this?: http://www.mcse.ms/message568787.html Tony -- Original Message

Re: [ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139

2006-09-07 Thread Tony Murray
Yann Did you see this?: http://www.mcse.ms/message568787.html Tony -- Original Message -- From: Yann <[EMAIL PROTECTED]> Reply-To: ActiveDir@mail.activedir.org Date: Thu, 7 Sep 2006 20:25:02 +0200 (CEST) Hello all, I have 2 sites Exchange 5.5 Environ

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Tom Kern
Sorry, I was distracted by other stuff here.     We are in a migration state with 2 Forests. Source forest is win2k native and target forest is win2k3 FFL/DFL. Both Forests have same password policy   Using Quest AD Migration Manager.   The user was created in the source and then migrated about a m

RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Derek Harris
Print operators is a protected group in 2k3.  Robert Williams' post included a full list of the protected groups in 2k & 2k3.  The AdminSDHolder attribute is set to 1 for members of protected groups.  Another admin thought that several users needed to be in the print operators group to mana

[ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139

2006-09-07 Thread Yann
Hello all, I have 2 sites Exchange 5.5 Environment (2 5.5 Server Per Site On NT4.0 SP6a with latest hotfixes), Windows 2003 Native Mode AD (Forest/Domain Level at 2003 Functional Level). MSADC Installed on 1 DC Replicating Recipient Containers and Public Folders from both sites. I have Two-way r

Re: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Danny
No, but the user is part of a group that is part of a group that has Admin-type permissions on an OU for their site. On 9/7/06, Brian Desmond <[EMAIL PROTECTED]> wrote: This user isn't a domain admin or enterprise admin is he/she? Thanks, Brian Desmond [EMAIL PROTECTED] c - 31

Re: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Danny
You are right! Thanks! On 9/7/06, Williams, Robert <[EMAIL PROTECTED]> wrote: Maybe AdminSDHolder is biting you? Here's an article that talks about the Send-As specifically, but it's more than just that: http://support.microsoft.com/kb/907434/ If the user in question is a

RE: [ActiveDir] nslookup. AD beginer question

2006-09-07 Thread Passo, Larry
Using the version of DCDIAG that comes with the 2003 SP1 support tools:   Type: dcdiag /test:dns /e /v   That will tell you what shape your DNS system is in.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Monday, August 28, 2006 11:15 AM To

RE: [ActiveDir] Distribution list Maintenance. Policy dilemma

2006-09-07 Thread Passo, Larry
I would make the manager that wants the DL maintain it. First, make sure that there is a written policy (approved by a higher management level) that specifies that the manager is responsible for updates. Then after you create each DL, set the “Managed By” attribute to be the appropriate ma

Re: [ActiveDir] Separate Administrator password policy

2006-09-07 Thread Al Mulnick
What would be the difference between those solutions and smart cards as you see it? You make me think I missed something in the previous conversations. On 9/7/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote: Or use smartcards. Laura > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[E

Re: [ActiveDir] OT: admin account in Vista

2006-09-07 Thread Al Mulnick
"Write down your username and password and store it in a safe location."   That's an interesting departure from the usual recommendations. ;-)   On 9/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote: Windows Vista Security : Built-in Administrator Account Disabled: htt

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Al Mulnick
I saw it this morning. Not sure if it was last night, today, yesterday... curious thread though. I suppose if Tom misinterpreted the uac flag meaning, it is also possible that he type-o'd the actual value. Tom, how about some more details? What clued you into the user having a blank passw

RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Brian Desmond
This user isn’t a domain admin or enterprise admin is he/she?   Thanks, Brian Desmond [EMAIL PROTECTED]   c - 312.731.3132   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny Sent: Thursday, September 07, 2006 11:49 AM To: ActiveDir@mail.activedir.org Subjec

RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Laura A. Robinson
Can you elaborate? What do you mean by "protected groups", and how did modifying the membership of the Print Operators group cause you grief? Thanks! Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris Sent: Thursday, September 07, 2006 12:36 P

Re: [ActiveDir] Is a Global Security group being used?

2006-09-07 Thread Mark Parris
Artistic license on my part. M. -Original Message- From: "Laura A. Robinson" <[EMAIL PROTECTED]> Date: Thu, 07 Sep 2006 12:32:50 To: Subject: RE: [ActiveDir] Is a Global Security group being used? I didn't say you were insane, just that this might not be the best idea. :-) I won't comme

Re: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Paul Williams
If the permissions are being reset it is the result of DSPROP.  Google adminSDHolder or look at this:  -- http://www.msresource.net/content/view/38/46/     The reason this is happening is because these users are members (directly or indirectly) of groups considered protected, e.g. administrat

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams
Yeah, I think I saw your post last night.  Mail was taking 70 minutes to come through last night.   It's not really academic or obsolete, as this proves that it couldn't have been 544 and set back to 512.  Which means that it is more than likely the password, or lack of, was set when the pol

RE: [ActiveDir] OT: uptime.exe in a 2003/sp1 world - problem

2006-09-07 Thread Free, Bob
I've had some problems with the NT 4 RK version (1.x), are you using the 2000 RK version(2.0)? It was a fairly significant update IIRC. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Thursday, September 07, 2006 8:08 AM T

RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Williams, Robert
Maybe AdminSDHolder is biting you?   Here’s an article that talks about the Send-As specifically, but it’s more than just that: http://support.microsoft.com/kb/907434/   If the user in question is a member of any of the following groups, then you could be seeing this:   The following

RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Derek Harris
Did someone put that account into one of the protected groups? "Print operators" caused us a lot of grief a while ago. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny Sent: Thursday, September 07, 2006 9:49 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD obj

RE: [ActiveDir] Is a Global Security group being used?

2006-09-07 Thread Laura A. Robinson
I didn't say you were insane, just that this might not be the best idea. :-) I won't comment on what we say at TechEd. ;-) Laura > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris > Sent: Thursday, September 07, 2006 11:41 AM > To: Activ

RE: [ActiveDir] Strange password issue

2006-09-07 Thread WATSON, BEN
Yep, your e-mail definitely hit the list.   I'm confused as to why the 512 UAC flag is making anybody think that passwd_notreqd is set. A setting of 512 indicates a normal account. 544 would indicate a normal account with passwd_notreqd set.   Laura   If that is the e-mail you

RE: [ActiveDir] Is a Global Security group being used?

2006-09-07 Thread Patrick Parker
We met with the Microsoft Identity and Access Management product group recently and this was mentioned as the method used internally. Patrick Patrick Parker . The Dot Net Factory . (877) 996-4276 . [EMAIL PROTECTED] EmpowerID for Microsoft Active Directory & ADAM – Manage . Collaborate . Empowe

RE: [ActiveDir] Strange password issue

2006-09-07 Thread Laura A. Robinson
Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot.   BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)   Thanks,   Laura

RE: [ActiveDir] Separate Administrator password policy

2006-09-07 Thread Laura A. Robinson
Or use smartcards. Laura > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Thursday, September 07, 2006 6:35 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Separate Administrator password policy > > Wh

[ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Danny
Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server. Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissio

Re: [ActiveDir] Is a Global Security group being used?

2006-09-07 Thread Mark Parris
The question was "a way" - not "the best way". This method was actually suggested by MS at TechED one year, so I am not totally insane. -Original Message- From: "Laura A. Robinson" <[EMAIL PROTECTED]> Date: Wed, 06 Sep 2006 13:44:53 To: Subject: RE: [ActiveDir] Is a Global Security group

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams
Does it have a hash though?  There's no password.  It's null.   I don't know the answer to that.  It could, I suppose, pad it out but...who knows?     --Paul - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Cc: ActiveDir@mail.activedir.

Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-07 Thread Al Mulnick
1. I Didnt understand what exactly u r asking? 2. Yes DHCP Is configured properly. That's not what I asked. I asked if it's updating the records for the device or is it letting the devices update their own? Al On 9/6/06, Ravi Dogra <[EMAIL PROTECTED]> wrote: 1. I Didnt understand what exact

[ActiveDir] OT: uptime.exe in a 2003/sp1 world - problem

2006-09-07 Thread Thommes, Michael M.
Hi,    I have moved a job that employs uptime.exe (in a loop using the FOR command) from a Windows 2000/SP4 server to a Windows 2003/SP1 server.  Now part way through the job, I get:   Event Type:   Information Event Source:    Application Popup Event Category: None Event ID: 

Re: [ActiveDir] Strange password issue

2006-09-07 Thread AFidel
This brings up a very good point, HOW is it checking the password length? As we pointed out earlier once the hash is created there should not be a way to easily check the password length. Andrew Fidel "Paul Williams" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 09/07/2006 07:35 AM Plea

[ActiveDir] aexp.asp Changing user password via web

2006-09-07 Thread Ramon Linan
Hi, When you deploy MS Exchange it also installs a bunch of asp scripts in IIS. For instance MS iisadmpwd/aexp.asp, which allows users to change their password via browser!! I was wondering how secure it is to have these scripts accessible from the internet? Any suggestion? Rezuma

RE: [ActiveDir] NTFRS - Journal Wrap Errors

2006-09-07 Thread Scott, Anthony
Demote the second DC first, just concentrate on getting the first DC working problem. Then do the D4 on the first DC. Wait a while to verify it worked. Re-promote the second DC. Thanks, Anthony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron B

RE: [ActiveDir] NTFRS - Journal Wrap Errors

2006-09-07 Thread Aaron Burg
Ok... Can someone tell me what happens if I do the D2 and it doesn't work? Am I where I am right now, or will the current sysvol share be removed? What about the D4? How long do these take in a very small domain? Will a system state/AD restore get me back to where I am now? I am trying to giv

[ActiveDir] ADAM

2006-09-07 Thread James Carter
Hello - I know Microsoft ADAM supports LDAP referrals but I wanted to know if it's possible to create them and if so how. I'd like to create a container in the directory that returns contents based on a referral to another part of the directory. Thanks Jim

RE: [ActiveDir] Strange password issue

2006-09-07 Thread Almeida Pinto, Jorge de
Yes, there is. The password policy is checked as soon as the password entered (using characters) is written into the directory, whether it is a new password or a changed password. If a password hash is written into the directory the system cannot check if the password that generated the hash m

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams
But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy.  Try it.  The other half of my post shows the error.  I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compl

Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-07 Thread Jaspreet Singh
Hi Ravi, Are you talking about your own company or is it for someone else's scenario? If it is for your own company then: 1) VPN box is CISCO PIX 515e 2) Your VPN box forwards all DNS queries to your DC/Primary DNS server. 3) As far as I remember It does register machines (As the moment your machi

RE: [ActiveDir] NTFRS - Journal Wrap Errors

2006-09-07 Thread Kurt Falde
If you only have a single DC then you should utilize D4 for an authoritative restore as its own contents are the valid contents and there is nowhere else to pull from. You may need to restart FRS or possibly run a D2 on the new DC to get FRS replicating on that server as well. Check out

RE: [ActiveDir] Strange password issue

2006-09-07 Thread petter.borling
UAC bitmask is 32. A normal user then gets UAC = 544. Try doing a ldap query for (&(objectClass=user)(useraccountcontrol=544)) You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net. Note: if the option password not required i

RE: [ActiveDir] Separate Administrator password policy

2006-09-07 Thread petter.borling
Why not use certificates or rsa for admin accounts? IF you have a pki environment that would be my suggestion. Then only the default administrator account would be insecure. But that can be mitigated with very long password. Another option is to put admin accounts in a separate child or top doma