[ActiveDir] Admt 2.0 roaming profile migration
I'm migrating users (ADMT 2.0) with the 'translation of roaming profile' option and get the error message below. On the user's profile directory, Domain Admins have full control from both domains. Does anybody have any experience with it?

2003-03-21 11:21:29 Processing \\servername\userprofilepath
2003-03-21 11:21:29 ERR2:7207 Skipping \\servername\userprofilepath, rc=5 Access is denied.
2003-03-21 11:21:29 Operation completed.

A.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Admt 2.0 roaming profile migration
Not worked on ADMT, but it seems that the target profile path is denying the access. Check the permissions on the target folder for user profiles.

milind

-----Original Message-----
From: Kugler, Andras [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 2:25 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Admt 2.0 roaming profile migration

**Disclaimer
Information contained in this E-MAIL being proprietary to Wipro Limited is 'privileged' and 'confidential' and intended for use only by the individual or entity to which it is addressed. You are notified that any use, copying or dissemination of the information contained in the E-MAIL in any manner whatsoever is strictly prohibited.
***
RE: [ActiveDir] Admt 2.0 roaming profile migration
The strange thing is that even on the profiles directory, domain admins have full control from the old and the new domain, too. Same thing with the share itself. It will be something else.

A

-----Original Message-----
From: Milind Patil [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 10:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Admt 2.0 roaming profile migration
RE: [ActiveDir] Admt 2.0 roaming profile migration
Andras,

Given that the entire profile is parsed first, it may be a denial of access to the specific Security Principal that you are using. It's likely only a directory or file in the profile, but it will fail with an Error 5 nonetheless. We saw this on occasion and had to either take ownership of the profile, or manually join it to the new domain without migrating it.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kugler, Andras
Sent: Monday, March 24, 2003 7:40 AM
To: '[EMAIL PROTECTED]'
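The check Rick's reply calls for, written as an added example that is not part of the thread: walk the profile tree and list every file or folder the migrating account cannot read the ACL of, or whose ACL explicitly denies the chosen principal or lacks an Allow Full Control entry for it. The profile path and the principal name are placeholders, and the script assumes it runs under the same account ADMT uses.

```powershell
# Added example (not from the thread): walk a roaming profile and report the
# items that would make ADMT's profile translation stop with rc=5.
# One unreadable file or subfolder is enough to fail the whole profile, so
# the script reports every item whose ACL the running account cannot read,
# plus items whose ACL explicitly denies $Principal or carries no Allow
# Full Control entry for it.
# Assumptions (placeholders, adjust to your environment):
#   - run it as the account ADMT runs under
#   - $ProfilePath is the profile's UNC path, $Principal the group that
#     account relies on for access to the profile
param(
    [string]$ProfilePath = '\\servername\userprofilepath',
    [string]$Principal   = 'TARGETDOMAIN\Domain Admins'
)

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-ProfileItemAccess {
    param([string]$Path, [string]$Principal)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # READ_CONTROL on the item is denied: the same condition ADMT hits
        return [pscustomobject]@{
            Path = $Path; Owner = '(unreadable)'
            Problem = "ACL not readable: $($_.Exception.Message)"
        }
    }

    # Only explicit entries for $Principal are evaluated; access that comes
    # through nested group membership or generic-rights ACEs is not resolved.
    $rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq $Principal })
    $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
    $full  = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $FullControl) -eq $FullControl)
    })

    if ($deny.Count -gt 0) {
        return [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; Problem = "explicit Deny for $Principal" }
    }
    if ($full.Count -eq 0) {
        return [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; Problem = "no Allow Full Control for $Principal" }
    }
    return $null
}

# Folders that cannot even be enumerated land in $listErrors; without
# -ErrorVariable they would be skipped silently and never show up below.
$items = Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force `
             -ErrorAction SilentlyContinue -ErrorVariable listErrors

$findings = @()
foreach ($err in $listErrors) {
    $findings += [pscustomobject]@{
        Path = "$($err.TargetObject)"; Owner = '(unreadable)'
        Problem = 'cannot enumerate folder (access denied)'
    }
}

# The profile root itself is checked as well as everything below it
$paths = @($ProfilePath) + @($items | ForEach-Object { $_.FullName })
foreach ($p in $paths) {
    $f = Test-ProfileItemAccess -Path $p -Principal $Principal
    if ($f) { $findings += $f }
}

if ($findings.Count -eq 0) {
    "No access problems found under $ProfilePath for $Principal"
} else {
    $findings | Sort-Object Path | Format-Table -AutoSize Path, Owner, Problem
}
```

The report is read-only; the Owner column tells you which items need the take-ownership step Rick mentions before the profile is migrated again.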
[ActiveDir] Different password policy
I need to implement a stronger password policy for a large group of users in my AD, and run into the infamous domain-wide security policy problem. What is the best way to do this, and still be able to let these users have access to the file/print, Ex2K mailboxes and other resources they use today?

Regards,
Ole Thomsen
RE: [ActiveDir] Different password policy
How much stronger would the policy be compared to the current one? Also, when you say a large group of users, what proportion of your total user base are we talking? If it's like 75%, then it's probably worth applying the policy to everyone, and save the hassle. If not, then I suppose the way to go is a new domain with a trust to the existing one.

Regards,
Rob Ellis
Network Manager
Profectus IT
Tel 023 9224 7979
Mob 07974 111867

-----Original Message-----
From: Ole Thomsen [mailto:[EMAIL PROTECTED]]
Sent: 24 March 2003 14:43
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Different password policy
Re: [ActiveDir] Different password policy
Changing the policy won't affect existing passwords that don't meet the new criteria. The next time users change their password the policy will be enforced. Try this in your test environment first to check that it works the way you expect it to with your applications.

Tony

-- Original Message --
From: Ole Thomsen [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 24 Mar 2003 15:43:15 +0100
[ActiveDir] Port Numbers
What port numbers do Windows 2000 Terminal Server and Windows 2000 VPN services use?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 primary office
914.681.8117 secondary office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] Port Numbers
A useful link: http://www.keir.net/portlist.html

Jochen

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Monday, 24 March 2003 16:07
To: ActiveDir (E-mail)
Subject: [ActiveDir] Port Numbers
RE: [ActiveDir] Port Numbers
Plus I don't see Terminal Services on that list.

-----Original Message-----
From: Salandra, Justin A.
Sent: Monday, March 24, 2003 10:30 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Port Numbers

Someone told me that for a Win 2K Server to be a VPN I need port TCP 1723 open with protocol GRE, is this true?

-----Original Message-----
From: Jochen Andries [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Port Numbers
Re: [ActiveDir] Port Numbers
Terminal Services: port 3389
VPN: Port 1723 for PPTP, 46 for GRE, 1701 for L2TP

Salandra, Justin A. [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/24/2003 10:07 AM
Please respond to [EMAIL PROTECTED]
To: ActiveDir (E-mail) [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Port Numbers
RE: [ActiveDir] Port Numbers
Terminal services is 3389/tcp, and VPN depends on the VPN transport used. PPTP uses 1723 and protocol 50 (GRE). Other transports use other ports.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 10:07 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Port Numbers
RE: [ActiveDir] OT: Identifying laptops on domain
In case you want to know the possible numbers and definition, here is the info from the Platform SDK on Win32_SystemEnclosure:

ChassisTypes
Data type: uint16 array
Access type: Read-only
Array of chassis types. This property is inherited from CIM_Chassis.

Value  Meaning
1      Other
2      Unknown
3      Desktop
4      Low Profile Desktop
5      Pizza Box
6      Mini Tower
7      Tower
8      Portable
9      Laptop
10     Notebook
11     Hand Held
12     Docking Station
13     All in One
14     Sub Notebook
15     Space-Saving
16     Lunch Box
17     Main System Chassis
18     Expansion Chassis
19     SubChassis
20     Bus Expansion Chassis
21     Peripheral Chassis
22     Storage Chassis
23     Rack Mount Chassis
24     Sealed-Case PC

And here is the modified script as well: CheckComputer_ChassisType2.v-b-s

Rick J. Jones

-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 21, 2003 4:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

Looks like you really found the best solution to the problem - I've just tested this in a script myself and it works very well! I suspect this not to help much on NT4 machines, but for Win2k and XP this really is your best bet (I tested against an XP notebook and Win2k3 Server on a Desktop enclosure - both reported back the correct value). I've added a simple select statement to get the appropriate text feedback - see attached script (remove dashes...).

Be good to hear from others, if this also works well on their machines.

/Guido

-----Original Message-----
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Friday, 7 March 2003 16:51
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

Folks, I just found this:
http://www.microsoft.com/technet/treeview/default.asp?url= ter/scrguide/sas_cpm_btnz.asp (watch the word wrap)

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colChassis = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_SystemEnclosure")
For Each objChassis in colChassis
    For Each intType in objChassis.ChassisTypes
        Wscript.Echo intType
    Next
Next

Where chassis type is one of 24 possible values. Seems like this might be the magic bullet, but I definitely need to test. Thanks for the suggestion!

Regards,
John A. Bjelke

-----Original Message-----
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 07, 2003 8:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

Bill, we are moving to that already, and if I can figure out how to differentiate the chassis type I can write scripts to automate the process instead of relying on attrition or a massive helpdesk effort to rename every PC and laptop. Catch-22.

-----Original Message-----
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 07, 2003 8:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

We employ a standardized machine naming convention whereby a laptop is given the name User-LT and this makes it a very simple process to break them out.

R/Bill

-----Original Message-----
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 07, 2003 10:32 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

Existing IP scheme is static, and that's not viable to change at this time.

-----Original Message-----
From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 07, 2003 8:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

You can do this with segmentation on a DHCP network.

Martial

-----Original Message-----
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Date: Friday, 7 March 2003 16:04
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Identifying laptops on domain

Perhaps someone here might know: Is there any machine attribute or registry value that can be queried to differentiate workstations and laptops on a domain? We have a circumstance that requires laptops to be addressed differently from workstations, and we have been unable to find any consistent variable to poll for this determination. Any suggestions or assistance is most appreciated.

John A. Bjelke
Systems administrator
505.853.6774
mailto:[EMAIL PROTECTED]
[EMAIL PROTECTED]

The contents of this Email communication are confidential to the addressee. If you are not the intended recipient you may not disclose or distribute this communication in any form but should immediately contact the Sender. The information, images, documents and views expressed in this Email are personal to the Sender and do not expressly or implicitly represent official positions and policies of Unisys Federal
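The classification Guido added to the script as a Select statement, written out as an added example that is not part of the thread nor the attached script: it queries Win32_SystemEnclosure, maps every ChassisTypes value through the SDK table Rick posted, and decides Laptop, Desktop or Unknown. It assumes Get-CimInstance is available (Windows PowerShell 3.0 or later); the era's Win2k/XP boxes would need Get-WmiObject instead.

```powershell
# Added example (not from the thread): classify a machine from the
# Win32_SystemEnclosure.ChassisTypes values quoted by Rick above.
# ChassisTypes is an array: a docked notebook can return e.g. 10 and 12,
# and some vendors return only 1 (Other) or 2 (Unknown), so the decision
# looks at every value and reports Unknown rather than guessing.
# Assumption: Get-CimInstance is available (Windows PowerShell 3.0 or later).

# Value -> Meaning, from the Platform SDK table in Rick's message
$ChassisName = @{
     1 = 'Other';  2 = 'Unknown';  3 = 'Desktop';  4 = 'Low Profile Desktop'
     5 = 'Pizza Box';  6 = 'Mini Tower';  7 = 'Tower';  8 = 'Portable'
     9 = 'Laptop';  10 = 'Notebook';  11 = 'Hand Held';  12 = 'Docking Station'
    13 = 'All in One';  14 = 'Sub Notebook';  15 = 'Space-Saving';  16 = 'Lunch Box'
    17 = 'Main System Chassis';  18 = 'Expansion Chassis';  19 = 'SubChassis'
    20 = 'Bus Expansion Chassis';  21 = 'Peripheral Chassis';  22 = 'Storage Chassis'
    23 = 'Rack Mount Chassis';  24 = 'Sealed-Case PC'
}

# Values that mean "mobile machine" for the purpose of the thread
$PortableCodes = 8, 9, 10, 11, 14   # Portable, Laptop, Notebook, Hand Held, Sub Notebook

function Get-ChassisClass {
    # Decide Laptop / Desktop / Unknown from one machine's ChassisTypes array
    param([int[]]$Codes)
    # 1 and 2 carry no information; anything outside the table is ignored too
    $known = @($Codes | Where-Object { $_ -ge 3 -and $ChassisName.ContainsKey($_) })
    if ($known.Count -eq 0) { return 'Unknown' }
    if (@($known | Where-Object { $PortableCodes -contains $_ }).Count -gt 0) { return 'Laptop' }
    return 'Desktop'
}

function Get-ComputerChassis {
    # Query one machine (local by default) and return codes, names and class.
    # A remote -ComputerName goes over WS-Man, so the target needs WinRM.
    param([string]$ComputerName)
    $query = @{ ClassName = 'Win32_SystemEnclosure'; ErrorAction = 'Stop' }
    if ($ComputerName) { $query.ComputerName = $ComputerName }
    # Cast to [int] so the hashtable lookup matches the Int32 keys above
    $codes = @(Get-CimInstance @query | ForEach-Object { [int[]]$_.ChassisTypes })
    [pscustomobject]@{
        ComputerName = $(if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME })
        Codes        = $codes -join ','
        Names        = @($codes | ForEach-Object { $ChassisName[$_] }) -join ','
        Class        = Get-ChassisClass -Codes $codes
    }
}

# Local machine; for the whole domain feed computer names in, for example
#   Get-ADComputer -Filter * | ForEach-Object { Get-ComputerChassis $_.Name }
# (Get-ADComputer comes from the ActiveDirectory RSAT module)
Get-ComputerChassis
```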
[ActiveDir] changing the Pre-Windows 2000 computer name
Dear All,

I know it can be done (because I have read it in the Microsoft documentation) but I can find where to do it. Please could someone let me know how I can change the pre-Windows 2000 name for a computer!

Many thanks,
Mark Abbiss
EADS Headquarters
81663 Muenchen
Deutschland
Phone : +49 (0)89 607-34776
Email: [EMAIL PROTECTED]
RE: [ActiveDir] Port Numbers
Look closer :-)

Terminal services 3389
Windows 2000 VPN with IPSec/L2TP: UDP 500 1701

Andries

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 4:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Port Numbers

ATTENTION: No legal consequences can be derived from the content of this e-mail and/or its attachments. Neither is sender committed to these. The content of this e-mail is exclusively intended for addressee(s) and information purposes. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Sender accepts no liability for any damage resulting from the use and/or acceptation of the content of this e-mail. Always scan attachments for viruses before opening them.
RE: [ActiveDir] Port Numbers
It is listed towards the middle of the page, 3389

Salandra, Justin A. [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/24/2003 10:35 AM
Please respond to [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] Port Numbers
RE: [ActiveDir] Port Numbers
Terminal Services is 3389

Steven Duuude Comeau
Sr. LAN Administrator
Radio Frequency Systems
200 Pondview Drive
Meriden, CT 06450

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 10:35 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Port Numbers
RE: [ActiveDir] changing the Pre-Windows 2000 computer name
ADSI..

--
Kevinm
WLKMMAS, Exchange MVP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Abbiss, Mark
Sent: Monday, March 24, 2003 7:49 AM
To: '[EMAIL PROTECTED]'
RE: [ActiveDir] Port Numbers
RDP uses port 3389.

Regards,
/Jimmy

--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
www.qadvice.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Monday, March 24, 2003 4:35 PM
To: '[EMAIL PROTECTED]'
RE: [ActiveDir] OT: Identifying laptops on domain
Here's another one. Haven't made this live on the site yet:
http://www.myitforum.com/inc/upload/7839islaptop-wsh-msica.vbs

Here's the description: Detects if a computer is a laptop using up to 5 different WMI classes. Runs as WSH and MSI Custom Action without modification, supports verbose mode, allows "Model Override" when all other detection methods fail.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jones, Rick J.(Desktop Engineering)
Sent: Monday, March 24, 2003 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Identifying laptops on domain
[ActiveDir] Account Lockout after password reset
Hello,

I have had a few users where I work reset their password; they didn't reboot the computer, and it locks them out after a while. I look at their account and see 5 bad passwords (our GPO is set for 5). The strange thing is I can unlock their account and they can get in to their mail, network drive and other network resources and not show any bad passwords, but after a few hours, and sometimes not until the next day, it will lock them out again. I watch their authenticating domain controller for bad passwords after I unlock them and I don't see any bad passwords; sometimes a few bad passwords will show up after a few hours, but I talk to the user and they haven't done anything on the computer. And when they come in the next day, they will be locked out with 5 bad passwords.

It's not specific to the company, because I've had it happen to me on my home Win2K domain. I finally solved my problem by resetting the password on the computer, not through the MMC, and rebooting. The problem at work is if the user resets their password they can't reset it for 5 days.

Any ideas, or has anyone else encountered this? I've searched Microsoft high and low and can't find anything specific.

Regards,
Chuck
RE: [ActiveDir] Account Lockout after password reset
Check and see if they have any mapped drives using their old credentials.

Todd

-----Original Message-----
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset
RE: [ActiveDir] Account Lockout after password reset
Are they using Windows 98 or 95? If so, do they have any drives mapped?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck
Sent: Monday, March 24, 2003 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset
RE: [ActiveDir] Account Lockout after password reset
I've thought about that, but it's only their network drive, which maps through the profile script. But it would seem using the network drive would cause it to show a bad password, and I don't see any bad passwords when they access their share drive.

Regards,
Chuck

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 11:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Account Lockout after password reset

Check and see if they have any mapped drives using their old credentials.

Todd

-----Original Message-----
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset
RE: [ActiveDir] Account Lockout after password reset
Check Security Event logs on your domain controllers for locked out accounts. You may find username credentials are being used on other boxes or resources.

    dumpel -f filename.txt -s \\domaincontroller -l security -t -d 1

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 9:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Account Lockout after password reset

Check and see if they have any mapped drives using their old credentials.

Todd

-----Original Message-----
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset
RE: [ActiveDir] Account Lockout after password reset
All Windows 2000, and the only mapped drive is their H drive (share drive), which is loaded through the profile, not mapped as another user.

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Account Lockout after password reset

Are they using Windows 98 or 95? If so, do they have any drives mapped?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck
Sent: Monday, March 24, 2003 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset
RE: [ActiveDir] changing the Pre-Windows 2000 computer name
Mark,

With all due respect, the Pre-Windows 2000 (or NetBIOS) name is the ONLY one that cannot be changed - regardless of whatever level of mess you want to go through. You can change the domain name (the FQDN) of a domain - provided it is still in mixed mode - by using NT 4.0 DCs to back out Windows 2000 completely (see Q292541). This is not a supported solution, but it can be done. There are other ways (a VBS script was posted here a few weeks to a month ago), but this seems to be the most straightforward and least complex (IMHO, they are all messy, and generally suck).

As to changing the NetBIOS name - that's another story altogether. I've never seen that done, and would be interested in seeing detail from someone who has successfully done it.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Abbiss, Mark
Sent: Monday, March 24, 2003 9:49 AM
To: '[EMAIL PROTECTED]'

Dear All,

I know it can be done (because I have read it in the Microsoft documentation) but I can't find where to do it. Please could someone let me know how I can change the pre-Windows 2000 name for a computer!

Many thanks,

Mark Abbiss
EADS Headquarters
81663 Muenchen
Deutschland
Phone : +49 (0)89 607-34776
Email: [EMAIL PROTECTED]
RE: [ActiveDir] Account Lockout after password reset
You won't be happy until you increase the limit on the number of bad password attempts. There are multiple reasons for password lockouts, a lot of them related to replication latency in AD. Next to mapped drives, disconnected Terminal Services sessions are also good caveats. Some of this is fixed with SP3, but what really fixed it for us was to increase from 5 to 10 bad password attempts in the Domain policy. This won't really increase your risk for attacks, as many more attempts are needed to crack the passwords. It will, however, decrease your problems to a VERY large extent (i.e. for a specific location with 5000 users, where we had 90-150 helpdesk calls per day due to password lockouts after resetting the password, it went down to 10 calls after we increased the bad password attempts to 10 tries). MS generally recommends allowing 10-15 bad passwords.

/Guido

-----Original Message-----
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Monday, 24 March 2003 19:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Account Lockout after password reset

All Windows 2000, and the only mapped drive is their H drive (share drive), which is loaded through the profile, not mapped as another user.

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Account Lockout after password reset

Are they using Windows 98 or 95? If so, do they have any drives mapped?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck
Sent: Monday, March 24, 2003 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset
RE: [ActiveDir] Different password policy
You mention a new domain, does this mean that a child or sub-domain cannot have its own security policy?

Nope - a child domain DOES have a separate security policy. Look at it like this. I have a company that does technical research and then sells it. The marketing folks are in one domain that requires password changes every 45 days with 5-character passwords and locks out their machine for 15 min. after 5 unsuccessful login attempts. BUT! The really sensitive stuff (the intellectual property) of the company is managed and created by the researchers. We need to make sure that the research information is very secure. Given that I can only have one account / password / lockout policy per domain, I create a child of the first domain and call it research.company.com. I move all of the researchers into the research domain and apply the strong password requirements (14 chars, complexity required, changes every 10 days, retain 24-password history, etc.), and the lockout duration might be infinite, requiring interaction from administration.

So, yes - the password policy is at the domain level, and if you have differing requirements for a class of user, you are going to need a new domain for that new class of user.

Hope this helps

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ole Thomsen
Sent: Monday, March 24, 2003 12:30 PM
To: [EMAIL PROTECTED]

Thousands of students and teachers will not accept a password policy forcing them to change every 60 days, and I have no valid argument to make them :-) Then there is a part of the staff working with administrative applications, for whom I have to implement a strong policy in the AD as these apps are migrated from Unix to Windows.

You mention a new domain, does this mean that a child or sub-domain cannot have its own security policy?

Ole

-----Original Message-----
From: Rob Ellis [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Different password policy

How much stronger would the policy be compared to the current one? Also, when you say a large group of users, what proportion of your total user base are we talking? If it's like 75%, then it's probably worth applying the policy to everyone and saving the hassle. If not, then I suppose the way to go is a new domain with a trust to the existing one.

Regards,
Rob Ellis
Network Manager
Profectus IT
Tel 023 9224 7979
Mob 07974 111867

-----Original Message-----
From: Ole Thomsen [mailto:[EMAIL PROTECTED]]
Sent: 24 March 2003 14:43
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Different password policy

I need to implement a stronger password policy for a large group of users in my AD, and run into the infamous domain-wide security policy problem. What is the best way to do this, and still be able to let these users have access to the file/print, Ex2K mailboxes and other resources they use today?

Regards,
Ole Thomsen
RE: [ActiveDir] OT: Identifying laptops on domain
FYI - a Tablet-PC is identified as type 14, which according to the SystemEnclosure documentation is a Sub Notebook. This is the same for Tablet-PCs with and without the keyboard attached.

/Guido

-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Friday, 21 March 2003 22:32
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

I'll have the script executed on a Tablet-PC and will let you know.

Cheers,
Guido

-----Original Message-----
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Friday, 21 March 2003 16:58
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

Worked for us just fine in our initial testing. We are planning on moving all the laptops to their own sub-OU to make change management a little easier for us. Thanks for all of the fine suggestions, folks! Depending on the level of accuracy we see in further testing we may use some of the other suggestions, such as battery, PCMCIA services, etc., as a further check... like when WMI returns Other for the chassis type value.

Anyone know what the new tablet PCs return as chassis type, or care to hazard a guess? We don't have any on the wire yet that I am aware of, but it is just a matter of time!

Regards,
John A. Bjelke

-----Original Message-----
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Date: Friday, 7 March 2003 16:04
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Identifying laptops on domain

Perhaps someone here might know: Is there any machine attribute or registry value that can be queried to differentiate workstations and laptops on a domain? We have a circumstance that requires laptops to be addressed differently from workstations, and we have been unable to find any consistent variable to poll for this determination. Any suggestions or assistance is
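A present-day form of the chassis-type check this thread settled on (Bjelke's WMI script and Rick's Win32_SystemEnclosure value table), written here as an added example that is not part of the thread or any poster's script: it reads ChassisTypes with PowerShell, maps each value to its SDK name, classes the machine as laptop or desktop, and falls back to the presence of a Win32_Battery instance when the firmware reports Other or Unknown, which is the secondary check Bjelke mentions. It assumes Windows PowerShell 3.0 or later (Get-CimInstance). The values 30-32 (Tablet, Convertible, Detachable) come from later SMBIOS revisions and are not in the 2003 table; the $MobileTypes/$DesktopTypes groupings and the sample inputs at the end are my own choices for the example.

```powershell
# Added example, not from the thread. Classifies a machine from
# Win32_SystemEnclosure.ChassisTypes, with a battery fallback for the
# "Other"/"Unknown" values the thread was unsure about.

# Value -> name, from the Platform SDK table posted in the thread.
# 30-32 are later SMBIOS additions (assumption: reported by modern firmware).
$ChassisNames = @{
     1 = 'Other';  2 = 'Unknown';  3 = 'Desktop';  4 = 'Low Profile Desktop'
     5 = 'Pizza Box';  6 = 'Mini Tower';  7 = 'Tower';  8 = 'Portable'
     9 = 'Laptop';  10 = 'Notebook';  11 = 'Hand Held';  12 = 'Docking Station'
    13 = 'All in One';  14 = 'Sub Notebook';  15 = 'Space-Saving';  16 = 'Lunch Box'
    17 = 'Main System Chassis';  18 = 'Expansion Chassis';  19 = 'SubChassis'
    20 = 'Bus Expansion Chassis';  21 = 'Peripheral Chassis';  22 = 'Storage Chassis'
    23 = 'Rack Mount Chassis';  24 = 'Sealed-Case PC'
    30 = 'Tablet';  31 = 'Convertible';  32 = 'Detachable'
}

# Grouping chosen for this example: which values count as a mobile machine.
# 14 (Sub Notebook) is included because the thread saw Tablet-PCs report it.
$MobileTypes  = 8, 9, 10, 11, 14, 30, 31, 32
$DesktopTypes = 3, 4, 5, 6, 7, 13, 15, 16, 17, 24

function Get-ChassisClass {
    param(
        [Parameter(Mandatory)] [int[]] $ChassisTypes,  # raw ChassisTypes array
        [bool] $HasBattery = $false                    # Win32_Battery present?
    )
    $names = foreach ($t in $ChassisTypes) {
        if ($ChassisNames.ContainsKey($t)) { $ChassisNames[$t] } else { "Unmapped($t)" }
    }
    $isMobile  = [bool]($ChassisTypes | Where-Object { $MobileTypes  -contains $_ })
    $isDesktop = [bool]($ChassisTypes | Where-Object { $DesktopTypes -contains $_ })

    # Chassis evidence wins; the battery only decides the ambiguous values
    # (1 Other, 2 Unknown, 12 Docking Station on its own, anything unmapped).
    if     ($isMobile)   { $class = 'Laptop';       $evidence = 'chassis' }
    elseif ($isDesktop)  { $class = 'Desktop';      $evidence = 'chassis' }
    elseif ($HasBattery) { $class = 'Laptop';       $evidence = 'battery' }
    else                 { $class = 'Undetermined'; $evidence = 'none'    }

    [pscustomobject]@{
        ChassisTypes = ($ChassisTypes -join ',')
        ChassisNames = ($names -join ',')
        Class        = $class
        Evidence     = $evidence
    }
}

# Query the local machine; both classes are readable without elevation.
function Get-LocalChassisClass {
    $enclosure = Get-CimInstance -ClassName Win32_SystemEnclosure
    $battery   = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue
    Get-ChassisClass -ChassisTypes ([int[]]$enclosure.ChassisTypes) -HasBattery ([bool]$battery)
}

# Constructed inputs (not real machines), so the logic can be checked without the hardware:
Get-ChassisClass -ChassisTypes 10                   # Notebook
Get-ChassisClass -ChassisTypes 14                   # Sub Notebook, what the thread saw for a Tablet-PC
Get-ChassisClass -ChassisTypes 3                    # Desktop
Get-ChassisClass -ChassisTypes 1 -HasBattery $true  # "Other" with a battery: exercises the fallback
Get-ChassisClass -ChassisTypes 2                    # Unknown with no battery: nothing to decide on
Get-ChassisClass -ChassisTypes 10, 12               # docked notebook reports two values

# On a real Windows host, uncomment:
# Get-LocalChassisClass
```

When run across a fleet (for example through a remote session or as a logon script writing to a share), the Evidence column is the field to audit: machines classed only by battery are the ones whose firmware gives an unhelpful chassis value and are worth a second look before they are moved into the laptop OU.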
RE: [ActiveDir] changing the Pre-Windows 2000 computer name
Pardons to all! I re-read the original message from Mark, and I may have read WAAAY too much into this. If you're only looking to change the name of a member server, it's a bit easier - DCs, however, are pretty tough to change.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Monday, March 24, 2003 1:00 PM
To: [EMAIL PROTECTED]
RE: [ActiveDir] Account Lockout after password reset
Better yet, get EventCombMT and search all the DCs at once with the canned account lockout routine.

-----Original Message-----
From: Schick, Mary L - CNF [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 10:30 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Account Lockout after password reset

Check Security Event logs on your domain controllers for locked out accounts. You may find username credentials are being used on other boxes or resources.

    dumpel -f filename.txt -s \\domaincontroller -l security -t -d 1

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 9:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Account Lockout after password reset

Check and see if they have any mapped drives using their old credentials.

Todd

-----Original Message-----
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset
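The log check Mary and the EventCombMT follow-up describe, done with the tooling a Windows administrator has today; this is an added example of mine, not anything a poster ran. Modern Windows records a lockout as Security event 4740 ("A user account was locked out"; the Windows 2000/2003 equivalent was 644), and its message names the workstation that sent the final bad password as "Caller Computer Name". Because bad-password attempts are forwarded to the PDC emulator, querying that DC (or all of them) covers the whole domain. The parser is kept separate from the live query so it can be exercised on the constructed sample messages at the end; it assumes PowerShell 3.0 or later (Get-WinEvent) and read access to the Security log on the DCs (for instance membership of Event Log Readers). The DC, account and computer names in the samples are made up.

```powershell
# Added example, not from the thread. Finds the machine behind a repeating
# lockout from the DCs' Security logs (the dumpel / EventCombMT advice above,
# in present-day form). Assumes Get-WinEvent and read rights on the DC logs.

# Parse one 4740 message body. "Account Name:" appears twice (the Subject
# block holds the DC's own account), so anchor on the locked-out block.
function ConvertFrom-LockoutEvent {
    param([string]$Message, [string]$Dc, [datetime]$Time)
    $account = '?'; $caller = '?'
    if ($Message -match 'Account That Was Locked Out:[\s\S]*?Account Name:[ \t]+(\S+)') { $account = $Matches[1] }
    if ($Message -match 'Caller Computer Name:[ \t]+(\S+)') { $caller = $Matches[1] }
    [pscustomobject]@{ Time = $Time; DC = $Dc; Account = $account; Caller = $caller }
}

# Live query: every 4740 in the window from each DC, optionally for one account.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)] [string[]] $DomainController,  # PDC emulator is usually enough
        [string] $UserName,                                   # sAMAccountName; omit for all
        [int] $Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LockoutEvent -Message $_.Message -Dc $dc -Time $_.TimeCreated } |
            Where-Object { -not $UserName -or $_.Account -eq $UserName }
    }
}

# Constructed text in the 4740 layout (not a captured event) for offline runs.
function New-SampleLockoutMessage([string]$Account, [string]$Caller) {
@"
A user account was locked out.

Subject:
    Security ID:        SYSTEM
    Account Name:       DC01`$
    Account Domain:     CONTOSO

Account That Was Locked Out:
    Security ID:        S-1-5-21-1000-2000-3000-1105
    Account Name:       $Account

Additional Information:
    Caller Computer Name:   $Caller
"@
}

$samples = @(
    (New-SampleLockoutMessage -Account 'chuck' -Caller 'WKS-CHUCK-OLD'),
    (New-SampleLockoutMessage -Account 'chuck' -Caller 'WKS-CHUCK-OLD'),
    (New-SampleLockoutMessage -Account 'chuck' -Caller 'TS01'),
    (New-SampleLockoutMessage -Account 'alice' -Caller '')   # blank caller is possible; parser reports '?'
)
$parsed = foreach ($m in $samples) { ConvertFrom-LockoutEvent -Message $m -Dc 'DC01' -Time (Get-Date) }
$parsed | Format-Table Time, DC, Account, Caller

# Roll-up: the caller that keeps appearing still holds the old password
# (cached logon, mapped drive, service, or a disconnected Terminal Services session).
$parsed | Group-Object Account, Caller | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

For a live run, `Get-LockoutSource -DomainController (Get-ADDomain).PDCEmulator -UserName chuck | Group-Object Caller` (Get-ADDomain is from the ActiveDirectory module) gives the same roll-up over real events. A caller that is a terminal server or the user's previous machine matches the pattern in this thread: an old session or mapping retries the stale password until the threshold trips, which is why the lockout recurs hours after the account is unlocked.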
[ActiveDir] Active Directory vs. SunONE directory
Hello,

I would like to get opinions on Active Directory as compared to SunONE directory from this forum. If you could use the following format for your feedback, I would really appreciate it.

Dimensions:
1) Discovery Features
2) Security Features
3) Scalability Features
4) Management Features

Please reply directly to me.

Thanks
Vikas Deolaliker
Sun Microsystems, Inc.
(650) 786-7734
RE: [ActiveDir] Active Directory vs. SunONE directory
I think there's only one question that needs to be posed. Why would anyone need another directory technology? Go back and innovate instead of duplicate.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vikas Deolaliker
Sent: Monday, March 24, 2003 3:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory vs. SunONE directory

Hello, I would like to get opinions on ActiveDirectory as compared to SunONE directory from this forum. If you could use the following format for your feedback, I would really appreciate it. Dimensions : 1) Discovery Features 2) Security Features 3) Scalability Features 4) Management Features Please reply directly to me.

Thanks
Vikas Deolaliker
Sun Microsystems, Inc.
(650) 786-7734

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Different password policy
I'm interested to see you say this. Thousands of students and teachers accept this where I work because the security of their data and accounts is important.

-Original Message-
From: Ole Thomsen [mailto:[EMAIL PROTECTED]
Sent: Mon 24/03/2003 18:30
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Different password policy

Thousands of students and teachers will not accept a password policy forcing them to change every 60 days, and I have no valid argument to make them :-) Then there is a part of the staff working with administrative applications, for whom I have to implement a strong policy in the AD as these apps are migrated from Unix to Windows. You mention a new domain; does this mean that a child or sub-domain cannot have its own security policy?

Ole

-Original Message-
From: Rob Ellis [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Different password policy

How much stronger would the policy be compared to the current one? Also, when you say a large group of users, what proportion of your total user base are we talking? If it's like 75%, then it's probably worth applying the policy to everyone and saving the hassle. If not, then I suppose the way to go is a new domain with a trust to the existing one.

Regards,
Rob Ellis
Network Manager
Profectus IT
Tel 023 9224 7979
Mob 07974 111867

-Original Message-
From: Ole Thomsen [mailto:[EMAIL PROTECTED]
Sent: 24 March 2003 14:43
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Different password policy

I need to implement a stronger password policy for a large group of users in my AD, and run into the infamous domain-wide security policy problem. What is the best way to do this, and still be able to let these users have access to the file/print, Ex2K mailboxes and other resources they use today?

Regards,
Ole Thomsen

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Different password policy
If you need to make it super-secure, they really should have their own forest. There aren't a lot of details on this available, but the domain isn't a complete security boundary. - Original Message - From: Rick Kingslan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, March 24, 2003 2:08 PM Subject: RE: [ActiveDir] Different password policy snip Nope - a child domain DOES have a separate security policy. snip BUT! The really sensitive stuff (the intellectual property) of the company is managed and created by the researchers. We need to make sure that the research information is very secure. snip List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] What Services/Server's can be combined with Active Directory.
Glenn,

I'd want to keep DHCP off my DC's to avoid name hijacking. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q255134

Hope all is well with you!

Missy Koslosky

- Original Message -
From: Glenn Corbett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 22, 2003 5:33 PM
Subject: Re: [ActiveDir] What Services/Server's can be combined with Active Directory.

John,

The reason why you haven't really been able to find a source is that the answer is "it depends". Depending on the size of your sites, the amount of data, number of clients, other applications using DC services etc., you can really have a single server that does DC, GC, DNS, WINS, DHCP, FP.

I really wouldn't worry about putting DHCP on a server by itself; the load is so small. Out of all of the infrastructure services, DHCP is probably the smallest load. Client machines get a DHCP address when they start, and IIRC there are two requests during the lifetime of the IP address (one halfway through, and one at the end of the lease). So for a 2 week lease timeout, you have essentially 3 requests to a DHCP server, which is nothing to really worry about.

I recently did some AD design work where small sites (up to about 30 users) had a single server (Dual PIII 2+GHz) running all the functions listed previously, plus Exchange, with no real trouble.

For larger sites, my suggestion would be one infrastructure server (DC, GC, WINS, DHCP, DNS), and application server(s) (File Print, Exchange etc.). As long as you design your AD site topology correctly (so that replication is optimised, and GC placement is relevant for your clients), AD can pretty much co-exist with most things; it's a question of network bandwidth and load on the server. Other databases (like Exchange, SQL, Oracle) are really the main applications you need to be careful with when putting on the same server as AD, because they can cramp each other's style (Exchange and SQL on the same box, for example, is very touchy).

If you are thinking of layering other applications onto an AD DC, just have a read of the requirements. In a lot of cases MS force you down a particular path. For example, SUS (System Update Services) and MOM (Microsoft Ops Manager) won't run on DC's, so you are forced to put in an additional server to run these.

So, as for your original question *grin*, I would have one server that does the infrastructure stuff, and another server for FP.

Glenn

- Original Message -
From: John Strongosky [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 22, 2003 11:27 AM
Subject: [ActiveDir] What Services/Server's can be combined with Active Directory.

In our planning group we are having a discussion on what servers/services we need to combine or can combine for our AD deployment. I have looked through a lot of Technotes and there is not one definitive answer. Can anyone point me to a source or answer this for me? We are thinking of combining: DC, DNS and GCs on a server, file and print and DHCP on another in our sites; or DC, DNS, GC on a server, file and print on a server and DHCP by itself.

john

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Different password policy
Missy,

Well said - and quite true. But, given the difficulty of implementing the compromise, the obvious decision point is going to be based on a risk analysis. Given that we're talking about password policy, I'm not sure how this is germane. But, nonetheless - you're right. If you want to guarantee true security autonomy, the forest is the model to use.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Missy Koslosky
Sent: Monday, March 24, 2003 9:08 PM
To: [EMAIL PROTECTED]

If you need to make it super-secure, they really should have their own forest. There aren't a lot of details on this available, but the domain isn't a complete security boundary.

- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 2:08 PM
Subject: RE: [ActiveDir] Different password policy

snip
Nope - a child domain DOES have a separate security policy.
snip
BUT! The really sensitive stuff (the intellectual property) of the company is managed and created by the researchers. We need to make sure that the research information is very secure.
snip

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] OT Password Policy:
http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc022703/wcblurb022703.asp

The below is referenced from: http://winxp.bink.nu/ :

Interesting password points:

Password length and possible permutations
6 characters = 689,869,781,056
7 characters = 64,847,759,419,264
8 characters = 6,095,689,385,410,816
9 characters = 572,994,802,228,616,704
10 characters = 53,861,511,409,489,970,176

Given a 60 day password expiry date and a password of 7 characters, it would require about 7,407,407 logon attempts per second to find the password. Play the lottery, the odds are much better!

Password security recommendations:

Security   Account Lockout Settings**              Password Policy Settings                                                  Cost
Category   Threshold  Reset (min)  Duration (min)  History  Max Password Age  Min Password Age  Password Length  Complexity
Low        -          -            -               3        42                0                 0                disabled    Low
Medium     10         30           30              24       42                1                 7                enabled     Medium
High       10         30           Infinite/0      24       42                1                 8                enabled     High
RE: [ActiveDir] What Services/Server's can be combined with Active Directory.
Missy,

Doesn't this only apply when a DNS is also present on the DC? Combining the DNS and DHCP services can cause a security issue as you noted. But, if I combine DC services and DNS services, the compromise is not possible. Also, if I combine DHCP and DC functionality, I'm still secure - true?

Good to have you here!

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Missy Koslosky
Sent: Monday, March 24, 2003 9:18 PM
To: [EMAIL PROTECTED]

Glenn,

I'd want to keep DHCP off my DC's to avoid name hijacking. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q255134

Hope all is well with you!

Missy Koslosky

- Original Message -
From: Glenn Corbett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 22, 2003 5:33 PM
Subject: Re: [ActiveDir] What Services/Server's can be combined with Active Directory.

John,

The reason why you haven't really been able to find a source is that the answer is "it depends". Depending on the size of your sites, the amount of data, number of clients, other applications using DC services etc., you can really have a single server that does DC, GC, DNS, WINS, DHCP, FP.

I really wouldn't worry about putting DHCP on a server by itself; the load is so small. Out of all of the infrastructure services, DHCP is probably the smallest load. Client machines get a DHCP address when they start, and IIRC there are two requests during the lifetime of the IP address (one halfway through, and one at the end of the lease). So for a 2 week lease timeout, you have essentially 3 requests to a DHCP server, which is nothing to really worry about.

I recently did some AD design work where small sites (up to about 30 users) had a single server (Dual PIII 2+GHz) running all the functions listed previously, plus Exchange, with no real trouble.

For larger sites, my suggestion would be one infrastructure server (DC, GC, WINS, DHCP, DNS), and application server(s) (File Print, Exchange etc.). As long as you design your AD site topology correctly (so that replication is optimised, and GC placement is relevant for your clients), AD can pretty much co-exist with most things; it's a question of network bandwidth and load on the server. Other databases (like Exchange, SQL, Oracle) are really the main applications you need to be careful with when putting on the same server as AD, because they can cramp each other's style (Exchange and SQL on the same box, for example, is very touchy).

If you are thinking of layering other applications onto an AD DC, just have a read of the requirements. In a lot of cases MS force you down a particular path. For example, SUS (System Update Services) and MOM (Microsoft Ops Manager) won't run on DC's, so you are forced to put in an additional server to run these.

So, as for your original question *grin*, I would have one server that does the infrastructure stuff, and another server for FP.

Glenn

- Original Message -
From: John Strongosky [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 22, 2003 11:27 AM
Subject: [ActiveDir] What Services/Server's can be combined with Active Directory.

In our planning group we are having a discussion on what servers/services we need to combine or can combine for our AD deployment. I have looked through a lot of Technotes and there is not one definitive answer. Can anyone point me to a source or answer this for me? We are thinking of combining: DC, DNS and GCs on a server, file and print and DHCP on another in our sites; or DC, DNS, GC on a server, file and print on a server and DHCP by itself.

john

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Different password policy
There's always a risk, indeed. I've yet to design an AD infrastructure where there wasn't some sort of compromise involved!

M

- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 10:28 PM
Subject: RE: [ActiveDir] Different password policy

Missy,

Well said - and quite true. But, given the difficulty of implementing the compromise, the obvious decision point is going to be based on a risk analysis. Given that we're talking about password policy, I'm not sure how this is germane. But, nonetheless - you're right. If you want to guarantee true security autonomy, the forest is the model to use.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Missy Koslosky
Sent: Monday, March 24, 2003 9:08 PM
To: [EMAIL PROTECTED]

If you need to make it super-secure, they really should have their own forest. There aren't a lot of details on this available, but the domain isn't a complete security boundary.

- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 2:08 PM
Subject: RE: [ActiveDir] Different password policy

snip
Nope - a child domain DOES have a separate security policy.
snip
BUT! The really sensitive stuff (the intellectual property) of the company is managed and created by the researchers. We need to make sure that the research information is very secure.
snip

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT Password Policy:
James, The password problem is not one of brute force. Believe me, I use these figures frequently when discussing things with Executives, because Bink's chart (BTW not a name loved in the MVP Community - and shame on MS for caving) is very impressive. But, if I can grab some pertinent data (pwdump, etc.) and use tools such as John the Ripper or L0phTCrack, then these numbers are meaningless as the brute force element is no longer in play. The reason that it is important to change passwords on some relative frequency is not because Stephen Bink is right - because he is - if pure math is all that is at work. The reason to change passwords at some relative frequency is to ensure that you are lessening the risk of compromise due to a number of other factors that have nothing to do with brute force. Let's look at it from another perspective: Security is ALL ABOUT reducing the Attack Surface. We as the Defenders have a hard job - we are required to secure and strengthen each and every nook and cranny of our computers, OSs, networks, buildings, etc. The attackers have an advantage - they can attack that one small area that we missed or didn't bolster to a sufficient level. And, if they can't get it immediately, they can chip away a little bit at a time until they do in a very quiet and clandestine way. This is why we change passwords frequently - because you just don't know who is using your user's username and password. 
Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 9:33 PM
To: [EMAIL PROTECTED]

http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc022703/wcblurb022703.asp

The below is referenced from: http://winxp.bink.nu/ :

Interesting password points:

Password length and possible permutations
6 characters = 689,869,781,056
7 characters = 64,847,759,419,264
8 characters = 6,095,689,385,410,816
9 characters = 572,994,802,228,616,704
10 characters = 53,861,511,409,489,970,176

Given a 60 day password expiry date and a password of 7 characters, it would require about 7,407,407 logon attempts per second to find the password. Play the lottery, the odds are much better!

Password security recommendations:

Security   Account Lockout Settings**              Password Policy Settings                                                  Cost
Category   Threshold  Reset (min)  Duration (min)  History  Max Password Age  Min Password Age  Password Length  Complexity
Low        -          -            -               3        42                0                 0                disabled    Low
Medium     10         30           30              24       42                1                 7                enabled     Medium
High       10         30           Infinite/0      24       42                1                 8                enabled     High
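The arithmetic behind both the "OT Password Policy" figures and Rick's reply can be checked directly. The script below is an added example, not code from the list or from the webcast it cites. It regenerates the permutation counts from the 94 printable ASCII characters (the alphabet that reproduces the posted numbers), recomputes the guess rate a 60-day window would demand rather than reusing the post's figure, then shows what the posted Medium lockout settings (threshold 10, 30-minute reset, 42-day maximum age) leave an online guesser, and how an offline attack on a dumped hash ignores all of it. The offline hash rate and the 69-symbol LM alphabet are assumptions chosen for illustration, not measurements.

```python
"""Password keyspace versus what an attacker can actually try.

Added example; not code from the thread. The hash rate passed to
offline_days_to_exhaust and the LM alphabet size are illustrative assumptions.
"""

PRINTABLE_ASCII = 126 - 33 + 1   # 94 characters, '!' through '~'
LM_ALPHABET = 69                 # assumed: upper-case letters, digits, punctuation
SECONDS_PER_DAY = 24 * 60 * 60


def keyspace(length, alphabet=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def online_rate_to_exhaust(length, expiry_days):
    """Guesses per second needed to try every password before it expires."""
    return keyspace(length) // (expiry_days * SECONDS_PER_DAY)


def online_guesses_allowed(expiry_days, lockout_threshold, reset_minutes):
    """Guesses against one account that never trip lockout: threshold-1 per
    counter-reset window, for as long as the password is allowed to live."""
    windows = (expiry_days * 24 * 60) // reset_minutes
    return (lockout_threshold - 1) * windows


def online_coverage(length, expiry_days, lockout_threshold, reset_minutes):
    """Fraction of the keyspace an online guesser can cover under lockout."""
    allowed = online_guesses_allowed(expiry_days, lockout_threshold, reset_minutes)
    return allowed / keyspace(length)


def offline_days_to_exhaust(length, hashes_per_second, alphabet=PRINTABLE_ASCII):
    """Days to try every candidate against a dumped hash. Lockout and expiry
    play no part because the domain controller is never consulted."""
    return keyspace(length, alphabet) / hashes_per_second / SECONDS_PER_DAY


def lm_work(password_length):
    """LM upper-cases the password and hashes it as two independent 7-char
    halves, so a 14-char LM password costs 2 * 69^7 tries, not 94^14."""
    first = keyspace(min(password_length, 7), LM_ALPHABET)
    second = keyspace(min(password_length - 7, 7), LM_ALPHABET) if password_length > 7 else 0
    return first + second


if __name__ == "__main__":
    for n in range(6, 11):
        print(f"{n} characters = {keyspace(n):,}")
    print(f"rate to exhaust 7 chars in 60 days: {online_rate_to_exhaust(7, 60):,}/s")
    allowed = online_guesses_allowed(42, 10, 30)
    print(f"online guesses under Medium lockout over 42 days: {allowed:,} "
          f"({online_coverage(7, 42, 10, 30):.2e} of the 7-char keyspace)")
    rate = 1_000_000   # assumed offline NTLM hash rate, for illustration only
    print(f"offline, 7 chars at {rate:,} hashes/s: {offline_days_to_exhaust(7, rate):.0f} days")
    print(f"offline, 14-char LM: {lm_work(14):,} tries, fewer than 7 chars of full ASCII")
```

The two lines worth comparing are the online coverage, which the lockout policy pins below one part in a billion of the keyspace, and the LM figure: once an attacker has the hashes, the expiry window and lockout counters that the webcast's table is built around stop being the limiting factor, which is Rick's point.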