RE: [ActiveDir] DNS Inconsistency
So what if your DHCP is running on a DC? Should I move them into the group or not. If not what problems could this cause. I also use a RIS to do my 2000 and XP installs. This machine is not a DC. Should I put the RIS into the group? Thanks,jb -Original Message- From: Todd Povilaitis [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 7:56 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Inconsistency Agreed. In our case we have separate domain member servers who's only task is to provide DHCP services. They are not domain controllers. -Original Message- From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 11:17 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Inconsistency Warning rgd. the DnsUpdateProxy group: ...by placing the computer objects of the DHCP servers as members in this group, the servers won't become record owners... = that's exactly why you don't simply want to add the DHCP server's computer account to this group, if this happens to be a DC. Otherwise all records registerd by the DC (incl. his own host record and especially all the service records) would be subject to name hijacking. = best practise is still to keep DHCP off of a DC, especially if you want it to register the client's IP addresses in DNS /Guido -Original Message- From: Todd Povilaitis [mailto:[EMAIL PROTECTED]] Sent: Montag, 17. Februar 2003 18:29 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Inconsistency This is straight out of an excellent book on AD. Inside Active Directory A System Administrators Guide ISBN 0-201-61621-1 [DnsUpdateProxy] ...DHCP servers may dynamically register DNS resource records on behalf of DHCP clients. In this case, the DHCP servers become the owners of those records. This is a problem if the client or some other DHCP server later wants to start maintaining those records. By placing the computer objects of the DHCP servers as members in this group, the servers won't become record owners, so the problem described here is resolved... - Todd -Original Message- From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 09:14 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Inconsistency Thanks Todd, But why do I need to add my DHCP Server to the DnsUpdateProxy group? -Original Message- From: Todd Povilaitis [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 5:57 PM To: [EMAIL PROTECTED] Subject:RE: [ActiveDir] DNS Inconsistency I had the very same problem. It was affecting my scripts because I wasn't connecting to the machines I thought I was. * You need to enable DNS scavenging. Don't set anything below 48 hours. * If you are using DHCP, add your DHCP servers to the DnsUpdateProxy group. -Todd -Original Message- From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 05:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] DNS Inconsistency Hi Guys, I am having a major problem in my organization over here. I have set up active directory for about 800 users and about 500 workstations. But for some reasons or the other my DNS seems to be misbehaving. When I ping a host I get a reply from a particular IP address, but when I do a ping -a of the same IP address I get an entirely different host. For some reason or the other the record I have in my forward lookup zones and my reverse lookup zones are not synchronized. Is there any way I can resolve this inconsistency because it gets worse and worse everyday. Is there any tool I can use to correct this. Thanks Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DNS Inconsistency
You don't have scavenging set up for your reverse DNS zones. Set the scavenging up (I think its called Delete Stale Records) to match your DHCP lease duration. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 8:28 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] DNS Inconsistency Hi Guys, I am having a major problem in my organization over here. I have set up active directory for about 800 users and about 500 workstations. But for some reasons or the other my DNS seems to be misbehaving. When I ping a host I get a reply from a particular IP address, but when I do a ping -a of the same IP address I get an entirely different host. For some reason or the other the record I have in my forward lookup zones and my reverse lookup zones are not synchronized. Is there any way I can resolve this inconsistency because it gets worse and worse everyday. Is there any tool I can use to correct this. Thanks Seyi -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]] Sent: Friday, February 14, 2003 5:22 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] DNS Records Bonjour Frederic, The NETLOGON process on each DC republishes the DNS records periodically. You have to set a reg entry on the DC to modify the priority. Set the LdapSrvPriority reg value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\ Parameters on the DC to the priority value you want. FWIW, I wrote an article for Windows .NET magazine about controlling SRV rec publication that should be out in the April edition. It discusses this and the other twenty or so reg settings you can fiddle with to control the way clients locate DCs. -gil Gil Kirkpatrick CTO, NetPro Author of Active Directory Programming from MacMillan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Friday, February 14, 2003 6:46 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] DNS Records Bonjour, My AD Domain is managed with 6 domain controllers. For design reasons, I have some sites without DCs attached. When users in these sites are logging on, they are attached to one of the DCs. I would like to attach them, in priority, to one specific DC. So I modified the DNS record and I put a higher priority to it. It worked a time, but recently, all the DNS records were modified and the default priority were restored. It would like to fix the priority for a long time. How can I do that ? Cordialement, F.AGNES [EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DNS Inconsistency
And it conveniently leaves out the part about how the DHCP client on Win2k and later machines automagically handles it without that setting. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Todd Povilaitis [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Inconsistency This is straight out of an excellent book on AD. Inside Active Directory A System Administrators Guide ISBN 0-201-61621-1 [DnsUpdateProxy] ...DHCP servers may dynamically register DNS resource records on behalf of DHCP clients. In this case, the DHCP servers become the owners of those records. This is a problem if the client or some other DHCP server later wants to start maintaining those records. By placing the computer objects of the DHCP servers as members in this group, the servers won't become record owners, so the problem described here is resolved... - Todd -Original Message- From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 09:14 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Inconsistency Thanks Todd, But why do I need to add my DHCP Server to the DnsUpdateProxy group? -Original Message- From: Todd Povilaitis [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 5:57 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Inconsistency I had the very same problem. It was affecting my scripts because I wasn't connecting to the machines I thought I was. * You need to enable DNS scavenging. Don't set anything below 48 hours. * If you are using DHCP, add your DHCP servers to the DnsUpdateProxy group. -Todd -Original Message- From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 05:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] DNS Inconsistency Hi Guys, I am having a major problem in my organization over here. I have set up active directory for about 800 users and about 500 workstations. But for some reasons or the other my DNS seems to be misbehaving. When I ping a host I get a reply from a particular IP address, but when I do a ping -a of the same IP address I get an entirely different host. For some reason or the other the record I have in my forward lookup zones and my reverse lookup zones are not synchronized. Is there any way I can resolve this inconsistency because it gets worse and worse everyday. Is there any tool I can use to correct this. Thanks Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DNS Inconsistency
Your second statement, about the DNS proxy group, is only true for supporting downlevel clients. In addition, it opens up some new and interesting security issues, because now your DHCP servers can injecy ANY record they want into DNS, including bogus DC and GC records. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Todd Povilaitis [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 11:57 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Inconsistency I had the very same problem. It was affecting my scripts because I wasn't connecting to the machines I thought I was. * You need to enable DNS scavenging. Don't set anything below 48 hours. * If you are using DHCP, add your DHCP servers to the DnsUpdateProxy group. -Todd -Original Message- From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 05:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] DNS Inconsistency Hi Guys, I am having a major problem in my organization over here. I have set up active directory for about 800 users and about 500 workstations. But for some reasons or the other my DNS seems to be misbehaving. When I ping a host I get a reply from a particular IP address, but when I do a ping -a of the same IP address I get an entirely different host. For some reason or the other the record I have in my forward lookup zones and my reverse lookup zones are not synchronized. Is there any way I can resolve this inconsistency because it gets worse and worse everyday. Is there any tool I can use to correct this. Thanks Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DNS Inconsistency
Which isn't strictly necessary, unless you plan on disabling all client based updates. Personally, we don't use that setting here, with a mix of Win9x on through XP and have no issues with the DNS updates happening correctly. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 6:53 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Inconsistency The reason for adding the server to the group is so that the DHCP Server has the appropriate permission to update DNS. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Oluwaseyi Owoeye Sent: Monday, February 17, 2003 11:14 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Inconsistency Thanks Todd, But why do I need to add my DHCP Server to the DnsUpdateProxy group? -Original Message- From: Todd Povilaitis [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 5:57 PM To: [EMAIL PROTECTED] Subject:RE: [ActiveDir] DNS Inconsistency I had the very same problem. It was affecting my scripts because I wasn't connecting to the machines I thought I was. * You need to enable DNS scavenging. Don't set anything below 48 hours. * If you are using DHCP, add your DHCP servers to the DnsUpdateProxy group. -Todd -Original Message- From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 05:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] DNS Inconsistency Hi Guys, I am having a major problem in my organization over here. I have set up active directory for about 800 users and about 500 workstations. But for some reasons or the other my DNS seems to be misbehaving. When I ping a host I get a reply from a particular IP address, but when I do a ping -a of the same IP address I get an entirely different host. For some reason or the other the record I have in my forward lookup zones and my reverse lookup zones are not synchronized. Is there any way I can resolve this inconsistency because it gets worse and worse everyday. Is there any tool I can use to correct this. Thanks Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Computers OU
Then you have zero reason to have any members of that group, and a few security reasons not to. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Todd Povilaitis [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 7:58 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Computers OU We only allow secure updates. No down-level clients here. -Original Message- From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 12:03 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Computers OU If you really want to see them in the same list in AD - simply for a reference - you could create bogus computer accounts for the 95/98/me machines manually (or via script). This won't buy you much other than using AD a little bit as an inventory DB for these machines, but it seams like this is what you want - at least you can use the description of the bogus-accounts to add other infos such as who is using this computer etc. You can even leverage the Managed By attribute to link the account to the responsible person for this machine, so as to know who to call if there's some trouble with the machine. I'm not really recommending this, but maybe you're happy with this solution. If you do do this, you should not forget to change the PW on the newly created pseude-computer accounts so that you don't open up a potential security hole (another nt/2000/xp machine could build a secure channel to these accounts, if you leave the default PW). /Guido -Original Message- From: Víctor Hugo Naranjo Borja [mailto:[EMAIL PROTECTED]] Sent: Montag, 17. Februar 2003 17:42 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Computers OU In Computers OU I could see only Windows nt/2000/xp computers but not windows 95/98/me. How can I list the windows 95/98/me computers in this OU? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rod Trent Sent: Thursday, February 13, 2003 19:15 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Computers OU Win9x computers don't actively participate in AD. You can load the AD client for Win9x computers, which gives you access to resources like printers, shares, etc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Cerino Sent: Thursday, February 13, 2003 4:48 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Computers OU Victor - maybe I am not understanding your question completely - but if the boxes are part of the domain -- they should be all set buddy. -Original Message- From: Víctor Hugo Naranjo Borja [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 13, 2003 5:33 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Computers OU Hi, How could I do add windows 95/98 computers to my Computers OU y my Active Directory Users and Computers? Víctor Hugo Naranjo Consultor SYNERGY Telf: 593-42280303 / 2290341 / 2290469 ext. 104 Fax: 593-42280412 Cel: 593-9-9284041 Correo Corporativo: [EMAIL PROTECTED] Correo Personal: [EMAIL PROTECTED] Visite nuestra página web: www.it-synergy.net -- -- Mail enviado desde PortalMail 1.4.2 Web based email system. PaloSanto Solutions, Sunnyvale CA. http://www.palosanto.com List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DNS Inconsistency
Is this also true where only secure updates are allowed for the server or zone? One of the immediate effects of allowing only secure updates (in addition to scavenging) was the removal of all non-member (9x, NT) machine's A records from the zone. This is what we wanted. -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 18, 2003 10:07 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] DNS Inconsistency Your second statement, about the DNS proxy group, is only true for supporting downlevel clients. In addition, it opens up some new and interesting security issues, because now your DHCP servers can injecy ANY record they want into DNS, including bogus DC and GC records. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Todd Povilaitis [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 11:57 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Inconsistency I had the very same problem. It was affecting my scripts because I wasn't connecting to the machines I thought I was. * You need to enable DNS scavenging. Don't set anything below 48 hours. * If you are using DHCP, add your DHCP servers to the DnsUpdateProxy group. -Todd -Original Message- From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]] Sent: Monday, February 17, 2003 05:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] DNS Inconsistency Hi Guys, I am having a major problem in my organization over here. I have set up active directory for about 800 users and about 500 workstations. But for some reasons or the other my DNS seems to be misbehaving. When I ping a host I get a reply from a particular IP address, but when I do a ping -a of the same IP address I get an entirely different host. For some reason or the other the record I have in my forward lookup zones and my reverse lookup zones are not synchronized. Is there any way I can resolve this inconsistency because it gets worse and worse everyday. Is there any tool I can use to correct this. Thanks Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Policy on password
I have a policy set for passwords; the passwords are set to expire every 90 days. When the passwords are about to expire, users are told that Your password will expire in 5 days. Do you want to change your password now? (The number changes, it does a countdown). However, if the user says yes to try and change the password, they get a message that tells them, you do not have permission to change your password. Does anyone have any idea what could be causing this? Thank you, John List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Policy on password
Do you have a minimum password age set? Or do you check the User cannot change password box checked? -Original Message- From: John Balos [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 18, 2003 12:42 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Policy on password I have a policy set for passwords; the passwords are set to expire every 90 days. When the passwords are about to expire, users are told that Your password will expire in 5 days. Do you want to change your password now? (The number changes, it does a countdown). However, if the user says yes to try and change the password, they get a message that tells them, you do not have permission to change your password. Does anyone have any idea what could be causing this? Thank you, John List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Policy on password
Answer: The NT Domain had the 'user must log in to change password' policy set. Since the user wasn't really logging in to access the web page, it was being denied. Best thing to do is impersonate the user , is annon acces for that folder switched off? Are you using a asp.net page if so check this link out on how to impersonate a user! http://support.microsoft.com/default.aspx?scid=kb;[LN];Q306158 Regards, Carlos Magalhaes Best ADSI and DirectoryServices advice : http://groups.yahoo.com/group/ADSIANDDirectoryServices Best WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING -Original Message- From: Tim Hines [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 18, 2003 10:02 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Policy on password Open the default DC policy, and view the right for access this computer from the network. Verify that authenticated users has this right. If authenticated users does not have that right, you will experience that error. Tim Hines, MCSA, MCSE (2000 NT4) MVP - Active Directory If you catch a man a fish, he eats for a day. If you teach a man to fish he eats for a lifetime - Original Message - From: John Balos [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 1:42 PM Subject: [ActiveDir] Policy on password I have a policy set for passwords; the passwords are set to expire every 90 days. When the passwords are about to expire, users are told that Your password will expire in 5 days. Do you want to change your password now? (The number changes, it does a countdown). However, if the user says yes to try and change the password, they get a message that tells them, you do not have permission to change your password. Does anyone have any idea what could be causing this? Thank you, John List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ - This email and any files transmitted are confidential and intended solely for the use of the individual or entity to which they are addressed, whose privacy should be respected. Any views or opinions are solely those of the author and do not necessarily represent those of the Trencor Group, or any of its representatives, unless specifically stated. Email transmission cannot be guaranteed to be secure, error free or without virus contamination. The sender therefore accepts no liability for any errors or omissions in the contents of this message, nor for any virus infection that might result from opening this message. Trencor is not responsible in the event of any third party interception of this email. If you have received this email in error please notify [EMAIL PROTECTED] For more information about Trencor, visit www.trencor.net http://www.trencor.net
RES: [ActiveDir] Policy on password
Probaly the everyone group dont have permission on all users to change password. See http://support.microsoft.com/?kbid=242795. regards, Marcio Schneider -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Em nome de John Balos Enviada em: terca-feira, 18 de fevereiro de 2003 15:42 Para: [EMAIL PROTECTED] Assunto: [ActiveDir] Policy on password I have a policy set for passwords; the passwords are set to expire every 90 days. When the passwords are about to expire, users are told that Your password will expire in 5 days. Do you want to change your password now? (The number changes, it does a countdown). However, if the user says yes to try and change the password, they get a message that tells them, you do not have permission to change your password. Does anyone have any idea what could be causing this? Thank you, John List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Policy on password
The everyone group had access to this however, the authenticated users didn't. I went ahead and added this group. What's the difference between authenticated and everyone? Shouldn't it of worked even if you have the everyone group on there? Thank you. John -Original Message- From: Tim Hines [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 18, 2003 12:02 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Policy on password Open the default DC policy, and view the right for access this computer from the network. Verify that authenticated users has this right. If authenticated users does not have that right, you will experience that error. Tim Hines, MCSA, MCSE (2000 NT4) MVP - Active Directory If you catch a man a fish, he eats for a day. If you teach a man to fish he eats for a lifetime - Original Message - From: John Balos [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 1:42 PM Subject: [ActiveDir] Policy on password I have a policy set for passwords; the passwords are set to expire every 90 days. When the passwords are about to expire, users are told that Your password will expire in 5 days. Do you want to change your password now? (The number changes, it does a countdown). However, if the user says yes to try and change the password, they get a message that tells them, you do not have permission to change your password. Does anyone have any idea what could be causing this? Thank you, John List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] admt v2.0
Graham: The password export server is only required for migration of accounts from Win2K to Win2K. It is not required for NT 4.0 to Win2K migrations. Diane -Original Message- From: Graham Turner [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 18, 2003 10:40 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] admt v2.0 Dear All, have picked up many useful pointers towards a version of ADMT v2.0 that is shipped with .NET RC1 (i think). keen to research the use of password export server and the processes of password migration which is new to v2.0 on the basis of planned migration from a source NT4 domain to Win2k, have reviewed the Technet document Chapter 9: migration of Windows NT4.0 account domain to AD presumably this documents ADMT v1.0 and as such does not indicate any configuration relating to pwd migration at what at the moment is an educated guess any options (???) for pwd migration would be available from the password options dialog ?? any info on the operation of the password export server would be well received - Technet seems a bit thin on searches for this, and the readme.doc with ADMT2 is a bit brief - NO real specific questions here sorry ! it does also document issues with the migration of local user profiles - any further confirmed instances of this List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] security templates
Graham, Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner Sent: Tuesday, February 18, 2003 3:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] security templates very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg Automatic updates Background Intelligent transfer service would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!! GT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] security templates
Funny, I was just looking at those :-] http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 18, 2003 3:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Graham, Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner Sent: Tuesday, February 18, 2003 3:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] security templates very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg Automatic updates Background Intelligent transfer service would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!! GT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] security templates
Thanks, Bob! ;-) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob Sent: Tuesday, February 18, 2003 5:26 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Funny, I was just looking at those :-] http://www.microsoft.com/technet/treeview/default.asp?url=/tec hnet/security/issues/W2kCCSCG/W2kSCGcf.asp -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 18, 2003 3:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Graham, Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner Sent: Tuesday, February 18, 2003 3:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] security templates very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg Automatic updates Background Intelligent transfer service would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!! GT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Empty root domain benefits?
Hello Everyone, The simplest domain model is the Single Forest / Single Domain. I was thinking of using this model with an empty root domain? Does anyone have any experience with empty root domain? Is it really beneficial? We are only a small company with a few hundred users and have 4 domains in a multimaster NT domain model. What are the pros and cons? Thanks, Cliff Airhart Answer Financial Inc. Senior Systems Administrator - Server Support / eBusiness [EMAIL PROTECTED] 818.644.4225 We answer to you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Empty root domain benefits?
Hi Cliff, There are two pros that I am aware of... 1. In the case of radical naming hierarchy surgery, e.g., acquisition of another company, it provides a convenient place to merge in the new domains. 2. Enhanced security for the Enterprise Admins and Schema Admins groups is often claimed, but in practice an empty root buys you little with respect to security. Cons: 1. Its not a single domain forest, which is the best of all possible worlds when you can do it. 2. It makes names longer than the need to; a minor annoyance. Unless you have some overriding reason for multiple domains (multiple sites and slow WAN links can be an issue), I would stick with a single domain forest. It makes life much simpler. -gil -Original Message- From: Clifford Airhart [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 18, 2003 6:01 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Empty root domain benefits? Hello Everyone, The simplest domain model is the Single Forest / Single Domain. I was thinking of using this model with an empty root domain? Does anyone have any experience with empty root domain? Is it really beneficial? We are only a small company with a few hundred users and have 4 domains in a multimaster NT domain model. What are the pros and cons? Thanks, Cliff Airhart Answer Financial Inc. Senior Systems Administrator - Server Support / eBusiness [EMAIL PROTECTED] 818.644.4225 We answer to you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Empty root domain benefits?
In my opinion, the benefit to going with a dedicated forest root is recoverability. You will have a domain that you are doing most of your management. All of your user accounts, groups, computers and everything will be in that domain. If something goes wrong, you don't have to worry about blowing the entire forest away and starting from scratch. In addition, you can keep the FSMO roles, and the Schema Admins and Enterprise Admins separate from the influence of standard domain administrators. In some of the environments I've been involved in, the domain admins tend to be renegade cowboys and don't think about what they do. They just do it. This allows you to keep control over those groups and roles away from them. The main reason smaller companies don't go with the dedicated forest root is budget. It requires its own domain controllers and of course, you need to provide redundancy. I recommend going with the dedicated forest root whenever possible, but the almighty dollar that the clients have to answer to often prevents it. Hope this helps. Marc Zukerman Senior Network Engineer Greenwich Technology Partners - Original Message - From: Clifford Airhart [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 8:00 PM Subject: [ActiveDir] Empty root domain benefits? Hello Everyone, The simplest domain model is the Single Forest / Single Domain. I was thinking of using this model with an empty root domain? Does anyone have any experience with empty root domain? Is it really beneficial? We are only a small company with a few hundred users and have 4 domains in a multimaster NT domain model. What are the pros and cons? Thanks, Cliff Airhart Answer Financial Inc. Senior Systems Administrator - Server Support / eBusiness [EMAIL PROTECTED] 818.644.4225 We answer to you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/