[ActiveDir] Admt 2.0 roaming profile migration

2003-03-24 Thread Kugler, Andras
I'm migrating users (ADMT 2.0) with the 'translation of roaming profile' option
and get the error message below. On the user's profile directory, Domain Admins
have full control from both domains. Does anybody have any experience with
this?

2003-03-21 11:21:29 Processing \\servername\userprofilepath
2003-03-21 11:21:29 ERR2:7207 Skipping \\servername\userprofilepath,
rc=5   Access is denied.
2003-03-21 11:21:29 Operation completed.

A.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Admt 2.0 roaming profile migration

2003-03-24 Thread Milind Patil


Not worked on ADMT, but it seems that the target profile path is denying the access.
Check the permissions on the target folder for user profiles.
milind



RE: [ActiveDir] Admt 2.0 roaming profile migration

2003-03-24 Thread Kugler, Andras
The strange thing is that even on the profiles directory, domain admins have
full control from the old and the new domain. Same thing with the
share itself. It will be something else.

A



RE: [ActiveDir] Admt 2.0 roaming profile migration

2003-03-24 Thread Rick Kingslan
Andras,

Given that the entire profile is parsed first, it may be a denial of access
to the specific Security Principal that you are using.  It's likely only a
directory or file in the profile, but it will fail with an Error 5
nonetheless.

We saw this on occasion and had to either take ownership of the profile, or
manually join it to the new domain without migrating it.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 


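The per-item denial Rick describes can be located before ADMT is run again. The following PowerShell script is an added example, not part of the thread and not ADMT's own tooling. Run it as the account the migration uses, against the profile root the log names (\\servername\userprofilepath is the thread's placeholder); the $ProfileRoot parameter and the output fields are this example's own choices. It reports every file or directory that cannot be enumerated or whose ACL cannot be read, plus any explicit Deny ACE or broken inheritance, so ownership is taken only on the items that actually block the profile rather than on the whole tree.

```powershell
# Added example: find the items inside a roaming profile that make ADMT's profile
# translation stop with rc=5 (Access is denied). Run it as the migration account; a
# Full Control ACE for Domain Admins at the top does not help when one child object
# carries a Deny ACE or has inheritance disabled with a different owner.
param(
    # Profile root from the ADMT log; \\servername\userprofilepath is the thread's placeholder.
    [Parameter(Mandatory = $true)]
    [string] $ProfileRoot
)

$findings = New-Object System.Collections.Generic.List[object]

# -Force includes hidden and system items such as NTUSER.DAT and the Application Data
# tree; enumeration failures are collected in $walkErrors instead of aborting the walk.
$items = Get-ChildItem -LiteralPath $ProfileRoot -Recurse -Force `
            -ErrorAction SilentlyContinue -ErrorVariable walkErrors

foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        # An explicit Deny ACE wins over any Allow, including Domain Admins' Full Control.
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($deny.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Path   = $item.FullName
                Owner  = $acl.Owner
                Reason = 'Deny ACE for ' + (($deny.IdentityReference | Select-Object -Unique) -join ', ')
            })
        }
        elseif ($acl.AreAccessRulesProtected) {
            # Inheritance disabled: the permissions granted on the parent do not reach here.
            $findings.Add([pscustomobject]@{
                Path   = $item.FullName
                Owner  = $acl.Owner
                Reason = 'Inheritance blocked; check the explicit ACL'
            })
        }
    }
    catch {
        # Reading the ACL itself failed: this is the condition ADMT reports as rc=5.
        $findings.Add([pscustomobject]@{
            Path   = $item.FullName
            Owner  = '?'
            Reason = 'Cannot read ACL: ' + $_.Exception.GetType().Name
        })
    }
}

# Directories that could not even be listed are only visible through the error records.
foreach ($err in $walkErrors) {
    $findings.Add([pscustomobject]@{
        Path   = $err.TargetObject
        Owner  = '?'
        Reason = 'Enumeration failed: ' + $err.Exception.Message
    })
}

if ($findings.Count -eq 0) {
    Write-Output "No blocked items found under $ProfileRoot"
}
else {
    # Each listed path is a candidate for taking ownership, as Rick suggests, before re-running ADMT.
    $findings | Sort-Object Path | Format-Table -AutoSize -Wrap
}
```

Because ADMT parses the whole profile first, a single entry in this report is enough to produce the ERR2:7207 line in the log; an empty report under the migration account means the denial is coming from the share or server side rather than from the NTFS tree.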


[ActiveDir] Different password policy

2003-03-24 Thread Ole Thomsen
I need to implement a stronger password policy for
a large group of users in my AD, and run into the
infamous domainwide security policy problem.

What is the best way to do this, and still be
able to let these users have access to the file/print,
Ex2K mailboxes and other resources they use today?

Regards,
Ole Thomsen


RE: [ActiveDir] Different password policy

2003-03-24 Thread Rob Ellis
How much stronger would the policy be compared to the current one?

Also, when you say a large group of users, what proportion of your total
user base are we talking?

If it's like 75%, then it's probably worth applying the policy to
everyone, and save the hassle.

If not, then I suppose the way to go is a new domain with a trust to the
existing one.


Regards,
Rob Ellis 
Network Manager 
Profectus IT 
Tel 023 9224 7979 
Mob 07974 111867





Re: [ActiveDir] Different password policy

2003-03-24 Thread Tony Murray
Changing the policy won't affect existing passwords that don't meet the new criteria.  
The next time users change their password the policy will be enforced.

Try this in your test environment first to check that it works the way you expect it 
to with your applications.

Tony
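Tony's point is that the stronger rules are only checked when a password is next set, so a policy change leaves a window during which the group still holds passwords that were accepted under the old rules. The following PowerShell script is an added example, not from the thread: it lists the members of a group whose password predates the date the policy took effect and, with -ForceChange, flags them to change it at next logon. It assumes the ActiveDirectory module (RSAT) on a domain-joined host; the group name and the cut-over date are placeholders.

```powershell
# Added example (not from the thread): after a stronger password policy has been applied,
# find the users in a group whose current password still predates it. Assumes the
# ActiveDirectory module; group name and cut-over date below are placeholders.
param(
    [string]   $GroupName     = 'Strong-Password-Users',   # placeholder group
    [datetime] $PolicyApplied = (Get-Date '2003-03-24'),   # placeholder: day the policy took effect
    [switch]   $ForceChange                                 # set "must change at next logon" when present
)

Import-Module ActiveDirectory -ErrorAction Stop

# Recursive membership so nested groups are covered; only user objects hold passwords.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

$stale = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties PasswordLastSet, PasswordNeverExpires, Enabled
    # PasswordLastSet is $null when the account is already flagged to change at next logon,
    # so those accounts are left out; disabled accounts are ignored as well.
    if ($u.Enabled -and $u.PasswordLastSet -and $u.PasswordLastSet -lt $PolicyApplied) {
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            PasswordLastSet      = $u.PasswordLastSet
            PasswordNeverExpires = $u.PasswordNeverExpires
        }
    }
}

$stale | Sort-Object PasswordLastSet | Format-Table -AutoSize

if ($ForceChange) {
    foreach ($s in $stale) {
        # "Must change at next logon" is not honoured while "password never expires" is set;
        # report those accounts instead of silently skipping them.
        if ($s.PasswordNeverExpires) {
            Write-Warning "$($s.SamAccountName) has PasswordNeverExpires set; clear it before forcing a change"
            continue
        }
        Set-ADUser -Identity $s.SamAccountName -ChangePasswordAtLogon $true
    }
}
```

Run it without -ForceChange first, as Tony advises for the policy itself, and compare the list against service or shared accounts in the group before forcing anything: an account that authenticates non-interactively never sees the "change at next logon" prompt and will simply start failing.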


[ActiveDir] Port Numbers

2003-03-24 Thread Salandra, Justin A.
What port numbers do Windows 2000 Terminal Server and Windows 2000 VPN
services use?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 primary office
914.681.8117 secondary office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 



RE: [ActiveDir] Port Numbers

2003-03-24 Thread Jochen Andries
A useful link:

http://www.keir.net/portlist.html


Jochen



RE: [ActiveDir] Port Numbers

2003-03-24 Thread Salandra, Justin A.
Plus I don't see Terminal Services on that list

 -Original Message-
From:   Salandra, Justin A.  
Sent:   Monday, March 24, 2003 10:30 AM
To: '[EMAIL PROTECTED]'
Subject:RE: [ActiveDir] Port Numbers

Someone told me that for a Win 2K Server to be a VPN I need port TCP 1723
open with protocol GRE, is this true?



Re: [ActiveDir] Port Numbers

2003-03-24 Thread John Hicks/MIS/HQ/KEMET/US

Terminal Services: port 3389

VPN: Port 1723 for PPTP, 46 for GRE,
1701 for L2TP









RE: [ActiveDir] Port Numbers

2003-03-24 Thread Roger Seielstad
Terminal services is 3389/tcp, and VPN depends on the VPN transport used.
PPTP uses 1723 and protocol 50 (GRE). Other transports use other ports.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.




RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-24 Thread Jones, Rick J.(Desktop Engineering)

In case you want to know the possible numbers and definition, here is the info from the Platform SDK on Win32_SystemEnclosure:

ChassisTypes 

Data type: uint16 array
Access type: Read-only 

Array of chassis types. This property is inherited from CIM_Chassis.

Value Meaning
1 Other
2 Unknown
3 Desktop
4 Low Profile Desktop
5 Pizza Box
6 Mini Tower
7 Tower
8 Portable
9 Laptop
10 Notebook
11 Hand Held
12 Docking Station
13 All in One
14 Sub Notebook
15 Space-Saving
16 Lunch Box
17 Main System Chassis
18 Expansion Chassis
19 SubChassis
20 Bus Expansion Chassis
21 Peripheral Chassis
22 Storage Chassis
23 Rack Mount Chassis
24 Sealed-Case PC


And here is the modified script as well;

 CheckComputer_ChassisType2.v-b-s 

Rick J. Jones



-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 21, 2003 4:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

looks like you really found the best solution to the problem - I've just
tested this in a script myself and it works very well! I suspect this not
to help much on NT4 machines, but for Win2k and XP this really is your best
bet (I tested against XP notebook and Win2k3 Server on a Desktop enclosure -
both reported back the correct value).

I've added a simple select statement to get the appropriate text-feedback -
see attached script (remove dashes...). Be good to hear from others, if this
also works well on their machines.

/Guido

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Friday, 7 March 2003 16:51
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

Folks,

I just found this:

http://www.microsoft.com/technet/treeview/default.asp?url="">
ter/scrguide/sas_cpm_btnz.asp (watch the word wrap)

    ' Query the local machine ("." is the local computer in WMI monikers)
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colChassis = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_SystemEnclosure")
    ' ChassisTypes is an array, so each enclosure can report several values
    For Each objChassis in colChassis
        For Each intType in objChassis.ChassisTypes
            Wscript.Echo intType
        Next
    Next

Where chassis type is one of 24 possible values. Seems like this might be
the magic bullet, but I definitely need to test. Thanks for the suggestion!

Regards,

John A. Bjelke

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 07, 2003 8:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

Bill,

we are moving to that already, and if I can figure out how to
differentiate the chassis type I can write scripts to automate the process
instead of relying on attrition or a massive helpdesk effort to rename every
pc and laptop. Catch-22.

-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 07, 2003 8:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

We employ a standardized machine naming convention whereby a laptop is given
the name User-LT and this makes it a very simple process to break them out.

R/Bill

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 07, 2003 10:32 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

Existing IP scheme is static, and that's not viable to change at this time.

-Original Message-
From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 07, 2003 8:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain

You can do this with segmentation on a DHCP network.

Martial

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Date: Friday, 7 March 2003 16:04
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Identifying laptops on domain

Perhaps someone here might know:

Is there any machine attribute or registry value that can be queried
to differentiate workstations and laptops on a domain? We have a
circumstance that requires laptops to be addressed differently from
workstations, and we have been unable to find any consistent variable to
poll for this determination. Any suggestions or assistance is most
appreciated.

John A. Bjelke
Systems administrator
505.853.6774
mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]

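The ChassisTypes table Rick quotes and the WMI query John found fit together into one classification step, which is what Guido's "select statement" does. The following PowerShell function is an added example, not the thread's attached script: it queries Win32_SystemEnclosure over CIM, maps every value in the array through the Platform SDK table above, and reports a Laptop / Workstation / Undetermined verdict per machine. Get-ChassisClass, the $PortableTypes set and the output fields are this example's own choices; the target must be reachable and the caller needs WMI rights on it. Firmware newer than the 24-value table reports additional codes (SMBIOS later added 30, 31 and 32 for tablets, convertibles and detachables), which the function prints as "Value N" rather than guessing.

```powershell
# Added example (not the thread's attached script): classify machines by the ChassisTypes
# array of Win32_SystemEnclosure, using the Platform SDK value table quoted above.
$ChassisName = @{
     1 = 'Other';               2 = 'Unknown';                3 = 'Desktop'
     4 = 'Low Profile Desktop'; 5 = 'Pizza Box';              6 = 'Mini Tower'
     7 = 'Tower';               8 = 'Portable';               9 = 'Laptop'
    10 = 'Notebook';           11 = 'Hand Held';             12 = 'Docking Station'
    13 = 'All in One';         14 = 'Sub Notebook';          15 = 'Space-Saving'
    16 = 'Lunch Box';          17 = 'Main System Chassis';   18 = 'Expansion Chassis'
    19 = 'SubChassis';         20 = 'Bus Expansion Chassis'; 21 = 'Peripheral Chassis'
    22 = 'Storage Chassis';    23 = 'Rack Mount Chassis';    24 = 'Sealed-Case PC'
}

# Values that describe a machine someone carries around: Portable, Laptop, Notebook, Sub Notebook.
$PortableTypes = 8, 9, 10, 14

function Get-ChassisClass {
    param([string] $ComputerName = $env:COMPUTERNAME)

    $cim = @{ ClassName = 'Win32_SystemEnclosure'; ErrorAction = 'Stop' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim['ComputerName'] = $ComputerName }
    try {
        $enclosures = Get-CimInstance @cim
    }
    catch {
        # Unreachable or no WMI rights: say so rather than silently treating it as a desktop.
        return [pscustomobject]@{ Computer = $ComputerName; Class = 'Unreachable'; Types = ''; Detail = $_.Exception.Message }
    }

    # A machine may report several enclosures (a notebook sitting in a docking station
    # gives 10 and 12), so gather every value before deciding.
    $types = @($enclosures | ForEach-Object { $_.ChassisTypes } | ForEach-Object { [int]$_ })
    $names = @($types | ForEach-Object {
        if ($ChassisName.ContainsKey($_)) { $ChassisName[$_] } else { "Value $_" }
    })

    $isPortable = @($types | Where-Object { $PortableTypes -contains $_ }).Count -gt 0
    if ($isPortable) {
        $class = 'Laptop'
    }
    elseif ($types.Count -eq 0 -or $types -contains 1 -or $types -contains 2) {
        # Other/Unknown (or nothing at all) is the case the thread warns about: no verdict.
        $class = 'Undetermined'
    }
    else {
        $class = 'Workstation'
    }

    [pscustomobject]@{
        Computer = $ComputerName
        Class    = $class
        Types    = ($types -join ',')
        Detail   = ($names -join ', ')
    }
}

# Local machine; for the whole domain feed computer names in from AD, e.g.
#   Get-ADComputer -Filter * | ForEach-Object { Get-ChassisClass -ComputerName $_.Name }
Get-ChassisClass | Format-Table -AutoSize
```

Only the Laptop verdict is safe to automate on (renaming, a different policy scope); Undetermined rows are where the firmware reports Other or Unknown and need a second signal such as the battery class Rod's script also checks.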

[ActiveDir] changing the Pre-Windows 2000 computer name

2003-03-24 Thread Abbiss, Mark



Dear All,

I know it can be done (because I have read it in the Microsoft documentation) but I can
find where to do it. Please could someone let me know how I can change the
pre-windows 2000 name for a computer !

Many thanks,
Mark Abbiss
EADS Headquarters 81663 Muenchen Deutschland
Phone : +49 (0)89 607-34776 Email:[EMAIL PROTECTED]


RE: [ActiveDir] Port Numbers

2003-03-24 Thread Andries Thijssen
Look closer :-)

Terminal services 3389
Windows 2000 VPN with IPSec/L2TP: UDP 500 & 1701

Andries

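The replies above between them list Terminal Services (3389/TCP), PPTP (1723/TCP plus GRE) and L2TP/IPsec (UDP 500 and 1701). The following PowerShell script is an added example, not from the thread: it turns those numbers into inbound Windows Firewall rules scoped to the networks that need them, with the open-to-any RDP rule shown only as the form to replace. It assumes a host with the NetSecurity module (Windows 8 / Server 2012 or later; Windows 2000 had no such cmdlets), and the two address ranges are placeholders. GRE is entered as IP protocol 47, the number RFC 2637 assigns to the PPTP tunnel, and carries no port.

```powershell
# Added example (not from the thread): inbound Windows Firewall rules for the services
# the thread discusses, scoped to the networks that need them. Requires the NetSecurity
# module (Windows 8 / Server 2012 and later). Address ranges below are placeholders.
$MgmtNet      = '10.10.0.0/24'     # placeholder: admin workstations allowed to use RDP
$VpnClientNet = '203.0.113.0/24'   # placeholder: where PPTP/L2TP clients connect from

# Weak form: RDP (3389/TCP) reachable from any address. Shown only as the rule to replace.
# New-NetFirewallRule -DisplayName 'RDP (any)' -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow

$rules = @(
    # Terminal Services / RDP
    @{ Name = 'RDP from management net'; Protocol = 'TCP'; LocalPort = 3389;  Remote = $MgmtNet }
    # PPTP: TCP 1723 for the control channel plus GRE, IP protocol 47 (RFC 2637), for the tunnel
    @{ Name = 'PPTP control';            Protocol = 'TCP'; LocalPort = 1723;  Remote = $VpnClientNet }
    @{ Name = 'PPTP GRE tunnel';         Protocol = '47';  LocalPort = $null; Remote = $VpnClientNet }
    # L2TP/IPsec: UDP 500 (IKE) and UDP 1701 (L2TP)
    @{ Name = 'L2TP/IPsec IKE';          Protocol = 'UDP'; LocalPort = 500;   Remote = $VpnClientNet }
    @{ Name = 'L2TP';                    Protocol = 'UDP'; LocalPort = 1701;  Remote = $VpnClientNet }
)

foreach ($r in $rules) {
    $params = @{
        DisplayName   = $r.Name
        Direction     = 'Inbound'
        Protocol      = $r.Protocol
        RemoteAddress = $r.Remote
        Action        = 'Allow'
        Profile       = 'Domain'
    }
    if ($r.LocalPort) { $params['LocalPort'] = $r.LocalPort }   # GRE has no port
    # Replace an existing rule of the same name so re-running the script is idempotent.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule @params | Out-Null
}

# Verify: any inbound Allow rule for 3389 whose remote scope is still 'Any' is the weak form.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ',') }
    }
```

Where the VPN client population cannot be bounded to a range, the PPTP and L2TP rules keep their default remote scope and the RDP rule is the one that must stay restricted; a 3389 listener reachable from arbitrary addresses is the exposure the verification step at the end is meant to catch.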


RE: [ActiveDir] Port Numbers

2003-03-24 Thread John Hicks/MIS/HQ/KEMET/US

It is listed towards the middle of the page, 3389









RE: [ActiveDir] Port Numbers

2003-03-24 Thread Comeau, Steven

Terminal Services is 3389


Steven Duuude Comeau
Sr. LAN Administrator
Radio Frequency Systems
200 Pondview Drive
Meriden, CT 06450








[ActiveDir]

2003-03-24 Thread Brad Mccrillis



RE: [ActiveDir] changing the Pre-Windows 2000 computer name

2003-03-24 Thread Kevin Miller








ADSI..

-- Kevinm WLKMMAS, Exchange MVP











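Kevin's one-word answer points at the attribute behind the "pre-Windows 2000" name: it is the computer object's sAMAccountName, the host name with a trailing dollar sign. The following PowerShell script is an added example, not from the thread: it reads that attribute through ADSI and, only when -Apply is given, writes it. The distinguished name and the new name are placeholders. A domain member authenticates with this account, so the directory-side name must keep matching the machine's own name; changing it in isolation breaks the secure channel, which is why renaming the host (Rename-Computer updates both sides) is the normal route and this script defaults to a dry run.

```powershell
# Added example (not from the thread): read and, with -Apply, change the sAMAccountName of
# a computer object through ADSI. The DN and the new name below are placeholders.
param(
    [string] $ComputerDN = 'CN=OLDNAME,OU=Workstations,DC=example,DC=com',  # placeholder
    [string] $NewName    = 'NEWNAME',                                        # host name, without the $
    [switch] $Apply
)

$obj = [ADSI]"LDAP://$ComputerDN"
$current = [string]$obj.sAMAccountName
Write-Output "Current sAMAccountName: $current"

# Computer accounts always carry the trailing $; a NetBIOS host name is at most 15
# characters, so the account name may be at most 16.
if (-not $NewName.EndsWith('$')) { $NewName = $NewName + '$' }
if ($NewName.Length -gt 16) {
    throw "sAMAccountName '$NewName' exceeds the 15-character NetBIOS name plus '$'"
}

# Caveat: the machine authenticates with this account. Change it only as part of renaming
# the host itself; done alone, the machine's secure channel fails until the names agree.
if ($Apply) {
    $obj.Put('sAMAccountName', $NewName)
    $obj.SetInfo()
    Write-Output "sAMAccountName set to $NewName"
}
else {
    Write-Output "Dry run: would set sAMAccountName to $NewName (re-run with -Apply)"
}
```

The dNSHostName attribute and the HOST/ service principal names on the object are not touched here and will still carry the old name; Rename-Computer takes care of those as well, which is another reason to prefer it over a direct attribute edit.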

RE: [ActiveDir] Port Numbers

2003-03-24 Thread Jimmy Andersson
RDP uses port 3389.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 






RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-24 Thread Rod Trent

Here's another one. Haven't made this live on the site 
yet:

http://www.myitforum.com/inc/upload/7839islaptop-wsh-msica.vbs

Here's the description:

Detects if a computer is a laptop using up to 5 different WMI 
classes. Runs as WSH and MSI Custom Action without modification, supports 
verbose mode, allows "Model Override" when all other detection methods 
fail.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jones, Rick J.(Desktop Engineering)
  Sent: Monday, March 24, 2003 10:42 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: Identifying laptops on domain

  In case you want to know the possible numbers and definition, here is the info
  from the Platform SDK on Win32_SystemEnclosure:

  ChassisTypes
  Data type: uint16 array
  Access type: Read-only
  Array of chassis types. This property is inherited from CIM_Chassis.

  Value  Meaning
  1      Other
  2      Unknown
  3      Desktop
  4      Low Profile Desktop
  5      Pizza Box
  6      Mini Tower
  7      Tower
  8      Portable
  9      Laptop
  10     Notebook
  11     Hand Held
  12     Docking Station
  13     All in One
  14     Sub Notebook
  15     Space-Saving
  16     Lunch Box
  17     Main System Chassis
  18     Expansion Chassis
  19     SubChassis
  20     Bus Expansion Chassis
  21     Peripheral Chassis
  22     Storage Chassis
  23     Rack Mount Chassis
  24     Sealed-Case PC

  And here is the modified script as well;
  CheckComputer_ChassisType2.v-b-s

  Rick J. Jones

  -Original Message-
  From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]]
  Sent: Friday, March 21, 2003 4:10 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT: Identifying laptops on domain

  looks like you really found the best solution to the problem - I've just
  tested this in a script myself and it works very well! I suspect this not
  to help much on NT4 machines, but for Win2k and XP this really is your best
  bet (I tested against XP notebook and Win2k3 Server on a Desktop enclosure -
  both reported back the correct value).

  I've added a simple select statement to get the appropriate text-feedback -
  see attached script (remove dashes...). Be good to hear from others, if this
  also works well on their machines.

  /Guido
  -Original Message-
  From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
  Sent: Friday, 7 March 2003 16:51
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT: Identifying laptops on domain

  Folks,

  I just found this:
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/scrguide/sas_cpm_btnz.asp
  (watch the word wrap)

  ' Query the local machine's enclosure type(s) through WMI
  strComputer = "."
  Set objWMIService = GetObject("winmgmts:" _
      & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colChassis = objWMIService.ExecQuery _
      ("SELECT * FROM Win32_SystemEnclosure")
  For Each objChassis in colChassis
      ' ChassisTypes is an array; a docked laptop can report more than one value
      For Each intType in objChassis.ChassisTypes
          Wscript.Echo intType
      Next
  Next

  Where chassis type is one of 24 possible values. Seems like this might be
  the magic bullet, but I definitely need to test. Thanks for the suggestion!

  Regards,

  John A. Bjelke
  -Original Message-
  From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
  Sent: Friday, March 07, 2003 8:41 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT: Identifying laptops on domain

  Bill,

  we are moving to that already, and if I can figure out how to
  differentiate the chassis type I can write scripts to automate the process
  instead of relying on attrition or a massive helpdesk effort to rename every
  pc and laptop. Catch-22.

  -Original Message-
  From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]]
  Sent: Friday, March 07, 2003 8:38 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT: Identifying laptops on domain

  We employ a standardized machine naming convention whereby a laptop is given
  the name User-LT and this makes it a very simple process to break them out.

  R/Bill

  -Original Message-
  From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
  Sent: Friday, March 07, 2003 10:32 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT: Identifying laptops on domain

  Existing IP scheme is static, and that's not viable to change at this time.

  -Original Message-
  From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED]]
  Sent: Friday, March 07, 2003 8:16 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT: Identifying laptops on domain

  You can do this with segmentation on a DHCP network.

  Martial

  -Original Message-
  From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
  Sent: Friday, 7 March 2003 16:04
  To: '[EMAIL PROTECTED]'
  Subject:

[ActiveDir] Account Lockout after password reset

2003-03-24 Thread Chuck
  Hello,
I have had a few users where I work reset their password and they didn't
reboot the computer and it locks them out after a while. I look at their
account and see 5 bad passwords (our GPO is set for 5). The strange thing
is I can unlock their account and they can get in to their mail, network
drive and other network resources and not show any bad passwords, but
after a few hours and sometimes not until the next day it will lock them
out again.
 
I watch their authenticating domain controller for bad passwords after I
unlock them and I don't see any bad passwords, sometimes a few bad
passwords will show up after a few hours but I talk to the user and they
haven't done anything on the computer. And when they come in the next
day, they will be locked out with 5 bad passwords. It's not specific
with the company because I've had it happen to me on my home Win2K
domain. I finally solved my problem by resetting the password on the
Computer, not through the MMC and rebooting. The problem at work is if
the user resets their password they can't reset it for 5 days.
 
Any ideas, or has anyone else encountered this? I've searched Microsoft
high and low and can't find anything specific.
 
Regards,
  Chuck
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Account Lockout after password reset

2003-03-24 Thread Myrick, Todd (NIH/CIT)
Check and see if they have any mapped drives using their old credentials.

Todd

-Original Message-
From: Chuck [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 24, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset


  Hello,
I have had a few users where I work reset their password and they didn't
reboot the computer and it locks them out after a while. I look at their
account and see 5 bad passwords (our GPO is set for 5). The strange thing is
I can unlock their account and they can get in to their mail, network drive
and other network resources and not show any bad passwords, but after a few
hours and sometimes not until the next day it will lock them out again.
 
I watch their authenticating domain controller for bad passwords after I
unlock them and I don't see any bad passwords, sometimes a few bad passwords
will show up after a few hours but I talk to the user and they haven't done
anything on the computer. And when they come in the next day, they will be
locked out with 5 bad passwords. It's not specific with the company because
I've had it happen to me on my home Win2K domain. I finally solved my
problem by resetting the password on the Computer, not through the MMC and
rebooting. The problem at work is if the user resets their password they
can't reset it for 5 days.
 
Any ideas or has anyone else encountered this, I've searched Microsoft high
and low and can't find anything specific.
 
Regards,
  Chuck
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Account Lockout after password reset

2003-03-24 Thread Christopher Hummert
Are they using Windows 98 or 95? If so do they have any drives mapped?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck
Sent: Monday, March 24, 2003 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset


  Hello,
I have had a few users where I work reset their password and they didn't
reboot the computer and it locks them out after a while. I look at their
account and see 5 bad passwords (our GPO is set for 5). The strange thing
is I can unlock their account and they can get in to their mail, network
drive and other network resources and not show any bad passwords, but
after a few hours and sometimes not until the next day it will lock them
out again.
 
I watch their authenticating domain controller for bad passwords after I
unlock them and I don't see any bad passwords, sometimes a few bad
passwords will show up after a few hours but I talk to the user and they
haven't done anything on the computer. And when they come in the next
day, they will be locked out with 5 bad passwords. It's not specific
with the company because I've had it happen to me on my home Win2K
domain. I finally solved my problem by resetting the password on the
Computer, not through the MMC and rebooting. The problem at work is if
the user resets their password they can't reset it for 5 days.
 
Any ideas or has anyone else encountered this, I've searched Microsoft
high and low and can't find anything specific.
 
Regards,
  Chuck
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Account Lockout after password reset

2003-03-24 Thread Chuck
  I've thought about that, but it's only their network drive which maps
through the Profile script.
But it would seem using the network drive would cause it to show a bad
password, and I don't see any bad passwords when they access their share
drive.

Regards,
  Chuck

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 24, 2003 11:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Account Lockout after password reset


Check and see if they have any mapped drives using their old
credentials.

Todd

-Original Message-
From: Chuck [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 24, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset


  Hello,
I have had a few users where I work reset their password and they didn't
reboot the computer and it locks them out after a while. I look at their
account and see 5 bad passwords (our GPO is set for 5). The strange thing
is I can unlock their account and they can get in to their mail, network
drive and other network resources and not show any bad passwords, but
after a few hours and sometimes not until the next day it will lock them
out again.
 
I watch their authenticating domain controller for bad passwords after I
unlock them and I don't see any bad passwords, sometimes a few bad
passwords will show up after a few hours but I talk to the user and they
haven't done anything on the computer. And when they come in the next
day, they will be locked out with 5 bad passwords. It's not specific
with the company because I've had it happen to me on my home Win2K
domain. I finally solved my problem by resetting the password on the
Computer, not through the MMC and rebooting. The problem at work is if
the user resets their password they can't reset it for 5 days.
 
Any ideas or has anyone else encountered this, I've searched Microsoft
high and low and can't find anything specific.
 
Regards,
  Chuck
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Account Lockout after password reset

2003-03-24 Thread Schick, Mary L - CNF
Check Security Event logs on your domain controllers for locked out
accounts. You may find username credentials are being used on other boxes or
resources.

dumpel -f filename.txt -s \\domaincontroller -l security -t -d 1

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 24, 2003 9:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Account Lockout after password reset


Check and see if they have any mapped drives using their old credentials.

Todd

-Original Message-
From: Chuck [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 24, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset


  Hello,
I have had a few users where I work reset their password and they didn't
reboot the computer and it locks them out after a while. I look at their
account and see 5 bad passwords (our GPO is set for 5). The strange thing is
I can unlock their account and they can get in to their mail, network drive
and other network resources and not show any bad passwords, but after a few
hours and sometimes not until the next day it will lock them out again.
 
I watch their authenticating domain controller for bad passwords after I
unlock them and I don't see any bad passwords, sometimes a few bad passwords
will show up after a few hours but I talk to the user and they haven't done
anything on the computer. And when they come in the next day, they will be
locked out with 5 bad passwords. It's not specific with the company because
I've had it happen to me on my home Win2K domain. I finally solved my
problem by resetting the password on the Computer, not through the MMC and
rebooting. The problem at work is if the user resets their password they
can't reset it for 5 days.
 
Any ideas or has anyone else encountered this, I've searched Microsoft high
and low and can't find anything specific.
 
Regards,
  Chuck
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
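
One way to act on this advice offline, as an added example and not code from anyone in this thread: the Python below reads a Security log exported with dumpel -t (tab-separated), correlates the Windows 2000 events 529 (logon failure, bad password) and 644 (user account locked out), and reports, for each locked-out account, which workstation sent the failures and which machine the lockout event names as caller. That is the machine still holding the old credentials. The sample export is constructed and embedded inline; the column order and the flattened event wording are assumptions modelled on dumpel output, so check the regex labels against a real export before relying on them.

```python
"""Find where the bad passwords that lock an account are coming from.

Added example, not code from this thread. It reads a Windows 2000 Security
log exported with "dumpel -t" (tab-separated) and correlates:
  529  Logon Failure: unknown user name or bad password  (failure audit)
  644  User Account Locked Out                            (success audit)
The sample below is constructed; the column order and event wording are
assumptions modelled on dumpel output and the Windows 2000 event text.
"""
import re
from collections import Counter, defaultdict

BAD_PASSWORD = 529
ACCOUNT_LOCKED = 644


def _row(time, etype, category, event_id, desc):
    # dumpel -t columns (assumed): date, time, type, category, event id,
    # source, user, computer, description strings; one event per line.
    return "\t".join(["3/24/2003", time, str(etype), str(category),
                      str(event_id), "Security", "NT AUTHORITY\\SYSTEM",
                      "DC1", desc])


def _bad_pw(time, user, workstation):
    return _row(time, 16, 2, BAD_PASSWORD,
                "Logon Failure: Reason: Unknown user name or bad password "
                f"User Name: {user} Domain: CORP Logon Type: 3 "
                f"Workstation Name: {workstation}")


# Constructed sample: four failures from a machine still holding the old
# password, one from the user's own PC, then the lockout itself.
SAMPLE_DUMPEL = "\n".join([
    _bad_pw("9:31:02 AM", "chuck", "WS-OLDLAPTOP"),
    _bad_pw("9:31:04 AM", "chuck", "WS-OLDLAPTOP"),
    _bad_pw("9:35:10 AM", "chuck", "WS-CHUCK"),
    _bad_pw("9:41:07 AM", "chuck", "WS-OLDLAPTOP"),
    _bad_pw("9:51:09 AM", "chuck", "WS-OLDLAPTOP"),
    _row("9:51:09 AM", 8, 7, ACCOUNT_LOCKED,
         "User Account Locked Out: Target Account Name: chuck "
         "Target Account ID: CORP\\chuck Caller Machine Name: WS-OLDLAPTOP "
         "Caller User Name: DC1$ Caller Domain: CORP"),
])


def parse_dumpel(text):
    """Split a dumpel -t export into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t", 8)
        if len(fields) < 9 or not fields[4].isdigit():
            continue
        date, time, _etype, _cat, eid, _src, _user, computer, desc = fields
        events.append({"when": f"{date} {time}", "event_id": int(eid),
                       "computer": computer, "desc": desc})
    return events


def _field(desc, label):
    # Each label is followed by one token in the flattened description; an
    # empty value makes the search fail instead of grabbing the next label.
    m = re.search(r"\b" + re.escape(label) + r": (\S+)", desc)
    return m.group(1) if m else None


def lockout_report(text):
    """Per locked-out account: the DC that logged the 644, the caller machine
    it names, and a count of the earlier 529 failures by workstation."""
    sources = defaultdict(Counter)
    report = {}
    for ev in parse_dumpel(text):
        if ev["event_id"] == BAD_PASSWORD:
            user = _field(ev["desc"], "User Name")
            ws = _field(ev["desc"], "Workstation Name")
            if user and ws:
                sources[user.lower()][ws] += 1
        elif ev["event_id"] == ACCOUNT_LOCKED:
            acct = _field(ev["desc"], "Target Account Name")
            if acct:
                acct = acct.lower()
                report[acct] = {
                    "locked_on_dc": ev["computer"],
                    "locked_at": ev["when"],
                    "caller_machine": _field(ev["desc"], "Caller Machine Name"),
                    "bad_password_sources": dict(sources[acct]),
                }
    return report


def likely_source(report, account):
    """The workstation with the most bad-password attempts for the account."""
    srcs = report.get(account.lower(), {}).get("bad_password_sources", {})
    return max(srcs, key=srcs.get) if srcs else None


if __name__ == "__main__":
    rep = lockout_report(SAMPLE_DUMPEL)
    for acct, info in rep.items():
        print(acct, info, "-> check", likely_source(rep, acct))
```

Run it over one export per domain controller, since the failures are recorded on whichever DC handled the logon; a machine that shows up only in the 529 counts and never as the user's own workstation is the first place to look for a stale mapped drive or a forgotten session.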


RE: [ActiveDir] Account Lockout after password reset

2003-03-24 Thread Chuck
  All Windows 2000, and the only mapped drives are their H drive (Share
Drive) which is loaded through the profile, not Mapped as another
user.

-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 24, 2003 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Account Lockout after password reset


Are they using Windows 98 or 95? If so do they have any drives mapped?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck
Sent: Monday, March 24, 2003 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset


  Hello,
I have had a few users where I work reset their password and they didn't
reboot the computer and it locks them out after a while. I look at their
account and see 5 bad passwords (our GPO is set for 5). The strange thing
is I can unlock their account and they can get in to their mail, network
drive and other network resources and not show any bad passwords, but
after a few hours and sometimes not until the next day it will lock them
out again.
 
I watch their authenticating domain controller for bad passwords after I
unlock them and I don't see any bad passwords, sometimes a few bad
passwords will show up after a few hours but I talk to the user and they
haven't done anything on the computer. And when they come in the next
day, they will be locked out with 5 bad passwords. It's not specific
with the company because I've had it happen to me on my home Win2K
domain. I finally solved my problem by resetting the password on the
Computer, not through the MMC and rebooting. The problem at work is if
the user resets their password they can't reset it for 5 days.
 
Any ideas or has anyone else encountered this, I've searched Microsoft
high and low and can't find anything specific.
 
Regards,
  Chuck
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] changing the Pre-Windows 2000 computer name

2003-03-24 Thread Rick Kingslan



Mark,

With all due respect, the Pre-Windows 2000 (or NetBIOS name) is the ONLY one that
cannot be changed - regardless of what ever level of mess you want to go
through.

You can change the domain name (the FQDN) of a domain - provided it is still in
mixed, by using NT 4.0 DCs to back out Windows 2000 completely (see
Q292541). This is not a supported solution, but it can be done.
There are other ways, (VBS script was posted here a few weeks to a month
ago) but this seems to be the most straight-forward and least complex
(IMHO, they all are messy, and generally suck).

As to changing the NetBIOS name - that's another story all together. I've never
seen that done, and would be interested in seeing detail from someone who has
successfully done it.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, March 24, 2003 9:49 AM
To: '[EMAIL PROTECTED]'

Dear All,

I know it can be done (because I have read it in the Microsoft documentation) but I can't
find where to do it. Please could someone let me know how I can change the
pre-windows 2000 name for a computer!

Many thanks,
Mark Abbiss
EADS Headquarters 81663 Muenchen Deutschland
Phone : +49 (0)89 607-34776 Email:[EMAIL PROTECTED]


RE: [ActiveDir] Account Lockout after password reset

2003-03-24 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
you won't be happy, until you increase the limit of the nr for bad pw
attempts.  There are multiple reasons for PW lockouts, a lot of them related
to replication latency in AD.  Next to mapped drives, disconnected Terminal
Services sessions are also good caveats.

Some of this is fixed with SP3 but what really fixed it for us was to
increase from 5 to 10 bad pw attempts on the Domain policy.  This won't
really increase your risk for attacks, as many more attempts are needed to
crack the passwords.  It will however, decrease your problems to a VERY
large extent (i.e. for a specific location with 5000 users, where we had
90-150 helpdesk calls per day due to pw lockouts after resetting the pw, it
went down to 10 calls, after we increased the bad pw attempts to 10 tries.)

MS generally recommends to allow 10-15 bad passwords.

/Guido

-Original Message-
From: Chuck [mailto:[EMAIL PROTECTED] 
Sent: Monday, 24 March 2003 19:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Account Lockout after password reset


  All Windows 2000, and the only mapped drives are their H drive (Share
Drive) which is loaded through the profile, not Mapped as another
user.

-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 24, 2003 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Account Lockout after password reset


Are they using Windows 98 or 95? If so do they have any drives mapped?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck
Sent: Monday, March 24, 2003 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset


  Hello,
I have had a few users where I work reset their password and they didn't
reboot the computer and it locks them out after a while. I look at their
account and see 5 bad passwords (our GPO is set for 5). The strange thing
is I can unlock their account and they can get in to their mail, network
drive and other network resources and not show any bad passwords, but
after a few hours and sometimes not until the next day it will lock them
out again.
 
I watch their authenticating domain controller for bad passwords after I
unlock them and I don't see any bad passwords, sometimes a few bad
passwords will show up after a few hours but I talk to the user and they
haven't done anything on the computer. And when they come in the next
day, they will be locked out with 5 bad passwords. It's not specific
with the company because I've had it happen to me on my home Win2K
domain. I finally solved my problem by resetting the password on the
Computer, not through the MMC and rebooting. The problem at work is if
the user resets their password they can't reset it for 5 days.
 
Any ideas or has anyone else encountered this, I've searched Microsoft
high and low and can't find anything specific.
 
Regards,
  Chuck
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Different password policy

2003-03-24 Thread Rick Kingslan
You mention a new domain, does this mean that a child or sub-domain cannot
have its own security policy?

Nope - a child domain DOES have a separate security policy.  Look at it like
this.  I have a company that does technical research and then sells it.  The
marketing folks are in one domain that requires password changes every 45
days with 5 character passwords and locks out their machine for 15 min.
after 5 unsuccessful login attempts.

BUT!  The really sensitive stuff (the intellectual property) of the company
is managed and created by the researchers.  We need to make sure that the
research information is very secure.

Given that I can only have one account / password / lockout policy per
domain, I create a child of the first domain and call it
research.company.com.  I move all of the researchers into the research
domain and apply the strong password requirements (14 chars, complex
required, changes every 10 days, retain 24 password history, etc) and
the lockout duration might be infinite, requiring interaction from
administration.

So, yes - the password policy is at the domain level and if you have
differing requirements for class of user, you are going to need a new domain
for that new class of user.

Hope this helps

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
Sent: Monday, March 24, 2003 12:30 PM
To: [EMAIL PROTECTED]

Thousands of students and teachers will not accept a password policy forcing
them to change every 60 days, and I have no valid argument to make them :-)

Then there is a part of the staff working with administrative applications,
for whom I have to implement a strong policy in the AD as these apps are
migrated from Unix to Windows.

You mention a new domain, does this mean that a child or sub-domain cannot
have its own security policy?

Ole

 -Original Message-
 From: Rob Ellis [mailto:[EMAIL PROTECTED]
 Sent: Monday, March 24, 2003 3:56 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Different password policy
 
 
 How much stronger would the policy be compared to the current one?
 
 Also, when you say a large group of users, what proportion of your 
 total user base are we talking?
 
 If it's like 75%, then it's probably worth applying the policy to 
 everyone, and save the hassle.
 
 If not, then I suppose the way to go is a new domain with a trust to 
 the existing one.
 
 
 Regards,
 Rob Ellis
 Network Manager
 Profectus IT
 Tel 023 9224 7979
 Mob 07974 111867
 
 
 
 -Original Message-
 From: Ole Thomsen [mailto:[EMAIL PROTECTED]
 Sent: 24 March 2003 14:43
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Different password policy
 

 I need to implement a stronger password policy for a large group of 
 users in my AD, and run into the infamous domainwide security policy 
 problem.
 
 What is the best way to do this, and still being able to let these 
 users have access to the file/print, Ex2K mailboxes and other 
 resources they use today?
 
 Regards,
 Ole Thomsen
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-24 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
FYI - a Tablet-PC is identified as type 14 which according to the
SystemEnclosure documentation is a Subnotebook.  This is the same for
Tablet-PCs with and without the keyboard attached.

/Guido

-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]

Sent: Friday, 21 March 2003 22:32
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


I'll have the script executed on a Tablet-PC and will let you know.

Cheers,
Guido

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Friday, 21 March 2003 16:58
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


Worked for us just fine in our initial testing. We are planning on moving
all the laptops to their own sub-OU to make change management a little
easier for us. Thanks for all of the fine suggestions, folks! Depending on
the level of accuracy we see in further testing we may use some of the other
suggestions, such as battery, pcmcia services, etc, as a further check...
like when WMI returns Other for the chassis type value. Anyone know what
the new tablet pc's return as chassis type, or care to hazard a guess? We
don't have any on the wire yet that I am aware of, but it is just a matter
of time! 
Regards, 
John A. Bjelke

-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]

Sent: Friday, March 21, 2003 5:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


looks like you really found the best solution to the problem - I've just
tested this in a script myself and it works very well!  I suspect this not
to help much on NT4 machines, but for Win2k and XP this really is your best
bet (I tested against XP notebook and Win2k3 Server on a Desktop enclosure -
both reported back the correct value).

I've added a simple select statement to get the appropriate text-feedback -
see attached script (remove dashes...). Be good to hear from others, if this
also works well on their machines.

/Guido

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Friday, 7 March 2003 16:51
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


Folks, 
I just found this:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/scrguide/sas_cpm_btnz.asp
(watch the word wrap)

' Query the local machine's enclosure type(s) through WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colChassis = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_SystemEnclosure")
For Each objChassis in colChassis
    ' ChassisTypes is an array; a docked laptop can report more than one value
    For Each intType in objChassis.ChassisTypes
        Wscript.Echo intType
    Next
Next

Where chassis type is one of 24 possible values. Seems like this might be
the magic bullet, but I definitely need to test. Thanks for the suggestion! 
Regards, 
John A. Bjelke

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2003 8:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


Bill, 
we are moving to that already, and if I can figure out how to
differentiate the chassis type I can write scripts to automate the process
instead of relying on attrition or a massive helpdesk effort to rename every
pc and laptop. Catch-22. 

-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2003 8:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


We employ a standardized machine naming convention whereby a laptop is given
the name User-LT and this makes it a very simple process to break them out.

R/Bill

 -Original Message-
From:   Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent:   Friday, March 07, 2003 10:32 AM
To: '[EMAIL PROTECTED]'
Subject:RE: [ActiveDir] OT: Identifying laptops on domain

Existing IP scheme is static, and that's not viable to change at this time. 

-Original Message-
From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2003 8:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


You can do this with segmentation on a DHCP network.
 
Martial

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]
Sent: Friday, 7 March 2003 16:04
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Identifying laptops on domain



Perhaps someone here might know: 

Is there any machine attribute or registry value that can be queried
to differentiate workstations and laptops on a domain? We have a
circumstance that requires laptops to be addressed differently from
workstations, and we have been unable to find any consistent variable to
poll for this determination. Any suggestions or assistance is 
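
Pulling the thread's pieces together, as an added example rather than code from any of the posters: the Python below encodes the Platform SDK ChassisTypes table quoted earlier in the thread, classifies a ChassisTypes array as laptop or desktop (a Tablet-PC reporting 14 counts as a laptop, per Guido's note, and a docked laptop reporting both 9 and 12 is still a laptop), and falls back to a battery hint when WMI returns Other or Unknown, which is the extra check the thread suggests for exactly that case. The host records are constructed; on a real domain the arrays would come from the posted Win32_SystemEnclosure script, and the battery hint from a separate Win32_Battery query that is assumed here, not made.

```python
"""Classify a machine as laptop or desktop from Win32_SystemEnclosure.ChassisTypes.

Added example, not code from any poster in this thread. CHASSIS_TYPES is the
Platform SDK table quoted earlier; the host records are constructed inputs
standing in for what the posted WMI script echoes, and the battery hint is
assumed to come from a separate Win32_Battery query that is not made here.
"""

CHASSIS_TYPES = {
    1: "Other", 2: "Unknown", 3: "Desktop", 4: "Low Profile Desktop",
    5: "Pizza Box", 6: "Mini Tower", 7: "Tower", 8: "Portable", 9: "Laptop",
    10: "Notebook", 11: "Hand Held", 12: "Docking Station", 13: "All in One",
    14: "Sub Notebook", 15: "Space-Saving", 16: "Lunch Box",
    17: "Main System Chassis", 18: "Expansion Chassis", 19: "SubChassis",
    20: "Bus Expansion Chassis", 21: "Peripheral Chassis",
    22: "Storage Chassis", 23: "Rack Mount Chassis", 24: "Sealed-Case PC",
}

# Portable form factors. 14 is included because Tablet-PCs report
# Sub Notebook with or without the keyboard attached (per the thread).
MOBILE_TYPES = {8, 9, 10, 11, 14}
# Values that carry no usable information about the form factor.
INDETERMINATE = {1, 2}


def describe(chassis_types):
    """Map a ChassisTypes array to SDK names; codes outside the table stay numeric."""
    return [CHASSIS_TYPES.get(t, f"Unlisted({t})") for t in chassis_types]


def classify(chassis_types, battery_present=None):
    """Return 'laptop', 'desktop' or 'unknown'.

    ChassisTypes is an array: a docked laptop reports both 9 and 12, so any
    mobile value wins. Any other concrete value is treated as stationary.
    When every value is Other/Unknown the decision falls back to the battery
    hint, and without one the machine is reported as unknown so it can be
    checked by other means rather than silently miscounted.
    """
    types = set(chassis_types)
    if types & MOBILE_TYPES:
        return "laptop"
    if types - INDETERMINATE:
        return "desktop"
    if battery_present is None:
        return "unknown"
    return "laptop" if battery_present else "desktop"


# Constructed inventory: (hostname, ChassisTypes array, battery hint or None).
SAMPLE_HOSTS = [
    ("WS-DESK01", [3], None),
    ("LT-DOCKED", [9, 12], None),
    ("TABLET-1", [14], None),
    ("SRV-RACK", [23], None),
    ("OEM-A", [1], True),
    ("OEM-B", [2], None),
]


def inventory(hosts):
    """Hostname -> classification, for feeding an OU move or a report."""
    return {name: classify(types, battery) for name, types, battery in hosts}


if __name__ == "__main__":
    for name, types, battery in SAMPLE_HOSTS:
        print(f"{name:10} {describe(types)!s:32} -> {classify(types, battery)}")
```

The "unknown" result is deliberate: machines whose BIOS reports Other or Unknown are the ones the thread expects to need the battery or PCMCIA fallback, and listing them separately is safer than guessing when the goal is to move laptops into their own OU.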

RE: [ActiveDir] changing the Pre-Windows 2000 computer name

2003-03-24 Thread Rick Kingslan



Pardons to all! I re-read the originalmessage from Mark, and 
I may have read WAAAY too much into this. If you're only looking to 
change the name of a member server, it's a bit easier - DCs however, are pretty 
touch to change.

Rick Kingslan MCSE, MCSA, MCTMicrosoft MVP - Active 
DirectoryAssociate ExpertExpert Zone - 
www.microsoft.com/windowsxp/expertzone 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rick 
KingslanSent: Monday, March 24, 2003 1:00 PMTo: 
[EMAIL PROTECTED]

Mark,

With all due respect, the Pre-Windows 2000 (or NetBIOS name) is the ONLY one that
cannot be changed - regardless of whatever level of mess you want to go
through.

You can change the domain name (the FQDN) of a domain - provided it is still in
mixed, by using NT 4.0 DCs to back out Windows 2000 completely (see
Q292541). This is not a supported solution, but it can be done.
There are other ways (a VBS script was posted here a few weeks to a month
ago) but this seems to be the most straight-forward and least complex
(IMHO, they all are messy, and generally suck).

As to changing the NetBIOS name - that's another story altogether. I've never
seen that done, and would be interested in seeing detail from someone who has
successfully done it.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, March 24, 2003 9:49 AM
To: '[EMAIL PROTECTED]'

Dear All,

I know it can be done (because I have read it in the Microsoft documentation) but I can't
find where to do it. Please could someone let me know how I can change the
pre-Windows 2000 name for a computer!

Many thanks,
Mark Abbiss
EADS Headquarters 81663 Muenchen Deutschland
Phone : +49 (0)89 607-34776 Email:[EMAIL PROTECTED]


RE: [ActiveDir] Account Lockout after password reset

2003-03-24 Thread Free, Bob
Better yet get eventcombMT and search all the DC's at once with the canned account 
lockout routine.


-Original Message-
From: Schick, Mary L - CNF [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 10:30 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Account Lockout after password reset


Check Security Event logs on your domain controllers for locked out
accounts. You may find username credentials are being used on other boxes or
resources.

dumpel -f filename.txt -s \\domaincontroller -l security -t -d 1

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 24, 2003 9:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Account Lockout after password reset


Check and see if they have any mapped drives using their old credentials.

Todd

-Original Message-
From: Chuck [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 24, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset


  Hello,
I have had a few users where I work reset their password and they didn't
reboot the computer and it locks them out after a while. I look at their
account and see 5 bad passwords (our GPO is set for 5). The strange thing is
I can unlock their account and they can get in to their mail, network drive
and other network resources and not show any bad passwords, but after a few
hours and sometimes not until the next day it will lock them out again.
 
I watch their authenticating domain controller for bad passwords after I
unlock them and I don't see any bad passwords, sometimes a few bad passwords
will show up after a few hours but I talk to the user and they haven't done
anything on the computer. And when they come in the next day, they will be
locked out with 5 bad passwords. It's not specific to the company because
I've had it happen to me on my home Win2K domain. I finally solved my
problem by resetting the password on the computer, not through the MMC, and
rebooting. The problem at work is if the user resets their password they
can't reset it for 5 days.
 
Any ideas or has anyone else encountered this, I've searched Microsoft high
and low and can't find anything specific.
 
Regards,
  Chuck
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
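
The search Mary and Bob describe (dumpel per DC, or EventCombMT's canned lockout routine across all of them), done with Get-WinEvent and reduced to the one thing Chuck needs: which machine keeps presenting the old password. This is an added example, not code from the thread or from Microsoft's tools. The event IDs are the Windows Server 2008 and later ones (4740 lockout, 4776 NTLM, 4771 Kerberos pre-authentication failure, 4625 logon failure); on the Windows 2000/2003 DCs the thread is about, the lockout event was 644. It assumes the RSAT ActiveDirectory module and rights to read the DCs' Security logs remotely.

```powershell
# Added example, not from the list thread. Queries every DC's Security log for
# lockout and failed-authentication events naming one account and reports the
# source machine/address of each, so the stale mapped drive, service or
# scheduled task can be found. Assumes RSAT ActiveDirectory and remote
# event-log read rights on the DCs.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$Hours = 24
)
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

# Flatten <EventData> into name/value pairs so the same code can read the
# differently laid-out 4740/4776/4771/4625 records.
function Convert-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

$hits = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4740, 4776, 4771, 4625; StartTime = $since
        }
    } catch {
        # "No events were found", RPC blocked, DC down: note it and move on
        Write-Warning "${dc}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        $d = Convert-EventData $e
        if ($d['TargetUserName'] -ne $SamAccountName) { continue }
        # Each event type records the origin of the attempt in a different field
        $source = switch ($e.Id) {
            4740 { $d['TargetDomainName'] }     # caller computer name in a lockout event
            4776 { $d['Workstation'] }
            4771 { $d['IpAddress'] }
            4625 { if ($d['WorkstationName']) { $d['WorkstationName'] } else { $d['IpAddress'] } }
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc
            EventId = $e.Id
            Source  = $source
            Status  = $d['Status']
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize

# The machine that keeps sending the old credentials floats to the top here
$hits | Where-Object EventId -ne 4740 | Group-Object Source |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Lockouts are processed on the PDC emulator, so the 4740 events cluster there, but the failed attempts (4776/4771/4625) land on whichever DC the client talked to, which is why the script walks all DCs rather than just the PDC emulator, exactly as EventCombMT does.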


[ActiveDir] Active Directory vs. SunONE directory

2003-03-24 Thread Vikas Deolaliker

Hello,

I would like to get opinions on ActiveDirectory as compared to SunONE
directory from this forum. 

If you could use the following format for your feedback, I would really
appreciate it. 

Dimensions : 

1) Discovery Features
2) Security Features
3) Scalability Features
4) Management Features

Please reply directly to me.

Thanks

Vikas Deolaliker
Sun Microsystems, Inc. 
(650) 786-7734




RE: [ActiveDir] Active Directory vs. SunONE directory

2003-03-24 Thread Rod Trent
I think there's only one question that needs to be posed.  Why would anyone
need another directory technology?

Go back and innovate instead of duplicate.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Vikas Deolaliker
Sent: Monday, March 24, 2003 3:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory vs. SunONE directory



Hello,

I would like to get opinions on ActiveDirectory as compared to SunONE
directory from this forum. 

If you could use the following format for your feedback, I would really
appreciate it. 

Dimensions : 

1) Discovery Features
2) Security Features
3) Scalability Features
4) Management Features

Please reply directly to me.

Thanks

Vikas Deolaliker
Sun Microsystems, Inc. 
(650) 786-7734




RE: [ActiveDir] Different password policy

2003-03-24 Thread Robert Moir
I'm interested to see you say this. Thousands of students and teachers accept this 
where I work because the security of their data and accounts is important. 

-Original Message- 
From: Ole Thomsen [mailto:[EMAIL PROTECTED] 
Sent: Mon 24/03/2003 18:30 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Different password policy



Thousands of students and teachers will not accept
a password policy forcing them to change every 60
days, and i have no valid argument to make them :-)

Then there is a part of the staff working with
administrative applications, for whom i have to
implement a strong policy in the AD as these apps
are migrated from Unix to Windows.

You mention a new domain, does this mean that a
child or sub-domain cannot have its own security
policy?

Ole

 -Original Message-
 From: Rob Ellis [mailto:[EMAIL PROTECTED]
 Sent: Monday, March 24, 2003 3:56 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Different password policy


 How much stronger would the policy be compared to the current one?

 Also, when you say a large group of users, what proportion of
 your total
 user base are we talking?

 If its like 75%, then its probably worth applying the policy to
 everyone, and save the hassle.

 If not, then I suppose the way to go is a new domain with a
 trust to the
 existing one.


 Regards,
 Rob Ellis
 Network Manager
 Profectus IT
 Tel 023 9224 7979
 Mob 07974 111867



 -Original Message-
 From: Ole Thomsen [mailto:[EMAIL PROTECTED]
 Sent: 24 March 2003 14:43
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Different password policy


 I need to implement a stronger password policy for
 a large group of users in my AD, and run into the
 infamous domainwide security policy problem.

 What is the best way to do this, and still being
 able to let these users have access to the file/print,
 Ex2K mailboxes and other resources they use today?

 Regards,
 Ole Thomsen


ŠËbú!¶Úÿ0iËb½çb®Šàþf¢–X¬¶f.+-!¶Úÿ0iËb½çb®ŠàþX¬µöª†ŠËZ­Èb½èm¶ŸÿÃ
j)Z­Èb½ç(›öœ¶+Þv*øÒf¢•§-Š+ƒ

Re: [ActiveDir] Different password policy

2003-03-24 Thread Missy Koslosky
If you need to make it super-secure, they really should have their own
forest.  There aren't a lot of details on this available, but the domain
isn't a complete security boundary.
- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 2:08 PM
Subject: RE: [ActiveDir] Different password policy


snip
Nope - a child domain DOES have a separate security policy.
snip

BUT!  The really sensitive stuff (the intellectual property) of the company
is managed and created by the researchers.  We need to make sure that the
research information is very secure.
snip



Re: [ActiveDir] What Services/Server's can be combined with Active Directory.

2003-03-24 Thread Missy Koslosky
Glenn,

I'd want to keep DHCP off my DC's to avoid name hijacking.  See
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q255134

Hope all is well with you!

Missy Koslosky
- Original Message -
From: Glenn Corbett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 22, 2003 5:33 PM
Subject: Re: [ActiveDir] What Services/Server's can be combined with Active
Directory.


John,

The reason why you haven't really been able to find a source is that the
answer is "it depends".

Depending on the size of your sites, the amount of data, number of clients,
other applications using DC services etc, you can really have a single
server that does DC, GC, DNS, WINS, DHCP, FP.  I really wouldn't worry about
putting DHCP on a server by itself, the load is so small. Out of all of the
infrastructure services, DHCP is probably the smallest load.  Client
machines get a DHCP address when they start, and IIRC there are two requests
during the lifetime of the IP address (one halfway through, and one at the
end of the lease).  So for a 2 week lease timeout, you have essentially 3
requests to a DHCP server which is nothing to really worry about.

I recently did some AD design work where small sites (up to about 30 users)
had a single server (Dual PIII 2+Ghz) running all the functions listed
previously, plus Exchange with no real trouble.  For larger sites, my
suggestion would be one infrastructure server (DC, GC, WINS, DHCP, DNS),
and application server(s) (File Print, Exchange etc).

As long as you design your AD site topology correctly (so that replication
is optimised, and GC placement is relevant for your clients), AD can pretty
much co-exist with most things, it's a question of network bandwidth and load
on the server.  Other databases (like Exchange, SQL, Oracle) are really the
main applications you need to be careful with when putting on the same
server as AD, because they can cramp each other's style (Exchange and SQL on
the same box for example is very touchy).

If you are thinking of layering other applications onto an AD DC, just have
a read of the requirements.  In a lot of cases MS force you down a
particular path. For example, SUS (System Update Services) and MOM
(Microsoft Ops Manager) won't run on DCs, so you are forced to put in an
additional server to run these.

So, as for your original question *grin*, I would have one server that does
the infrastructure stuff, and another server for FP.

Glenn


- Original Message -
From: John Strongosky [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 22, 2003 11:27 AM
Subject: [ActiveDir] What Services/Server's can be combined with Active
Directory.


 In our planning group we are having a discussion on what servers/services
 we need to combine or can combine for our AD deployment. I have looked
 through a lot of Technotes; there is not one definitive answer. Can anyone
 point me to a source or answer this for me.

 We are thinking of combining: DC, DNS and GCs on a server, file and print
 and DHCP on another in our sites; or DC, DNS, GC on a server, file and print
 on a server and DHCP by itself.


 john



RE: [ActiveDir] Different password policy

2003-03-24 Thread Rick Kingslan
Missy,

Well said - and quite true.  But, given the difficulty of implementing the
compromise, the obvious decision point is going to be based on a risk
analysis.

Given that we're talking about password policy, I'm not sure how this is
germane.

But, nonetheless - you're right.  If you want to guarantee true security
autonomy, the forest is the model to use.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Missy Koslosky
Sent: Monday, March 24, 2003 9:08 PM
To: [EMAIL PROTECTED]

If you need to make it super-secure, they really should have their own
forest.  There aren't a lot of details on this available, but the domain
isn't a complete security boundary.
- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 2:08 PM
Subject: RE: [ActiveDir] Different password policy


snip
Nope - a child domain DOES have a separate security policy.
snip

BUT!  The really sensitive stuff (the intellectual property) of the company
is managed and created by the researchers.  We need to make sure that the
research information is very secure.
snip



[ActiveDir] OT Password Policy:

2003-03-24 Thread james . blair

http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc022703/wcblurb022703.asp

The below is referenced from:

http://winxp.bink.nu/ :

Interesting password points: 

Password length and possible
permutations
6 characters = 689,869,781,056
7 characters = 64,847,759,419,264
8 characters = 6,095,689,385,410,816
9 characters = 572,994,802,228,616,704
10 characters = 53,861,511,409,489,970,176

Given a 60 day password expiry date and a
password of 7 characters, it would require about 7,407,407 logon attempts per
second to find the password
Play the lottery, the odds are much better!

Password security recommendations:

Security | Account Lockout Settings**          | Password Policy Settings                                  | Cost
Category | Threshold | Reset after | Duration  | History | Max age | Min age | Min length | Complexity |
         |           | (minutes)   | (minutes) |         | (days)  | (days)  |            |            |
---------+-----------+-------------+-----------+---------+---------+---------+------------+------------+-------
Low      | -         | -           | -         | 3       | 42      | 0       | 0          | disabled   | Low
Medium   | 10        | 30          | 30        | 24      | 42      | 1       | 7          | enabled    | Medium
High     | 10        | 30          | Infinite/0| 24      | 42      | 1       | 8          | enabled    | High

RE: [ActiveDir] What Services/Server's can be combined with Active Directory.

2003-03-24 Thread Rick Kingslan
Missy,

Doesn't this only apply when a DNS is also present on the DC?  Combining the
DNS and DHCP services can cause a security issue as you noted.  But, if I
combine DC services and DNS services, the compromise is not possible.  Also,
if I combine DHCP and DC functionality, I'm still secure - true?

Good to have you here!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Missy Koslosky
Sent: Monday, March 24, 2003 9:18 PM
To: [EMAIL PROTECTED]

Glenn,

I'd want to keep DHCP off my DC's to avoid name hijacking.  See
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q255134

Hope all is well with you!

Missy Koslosky
- Original Message -
From: Glenn Corbett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 22, 2003 5:33 PM
Subject: Re: [ActiveDir] What Services/Server's can be combined with Active
Directory.


John,

The reason why you haven't really been able to find a source is that the
answer is "it depends".

Depending on the size of your sites, the amount of data, number of clients,
other applications using DC services etc, you can really have a single
server that does DC, GC, DNS, WINS, DHCP, FP.  I really wouldn't worry about
putting DHCP on a server by itself, the load is so small. Out of all of the
infrastructure services, DHCP is probably the smallest load.  Client
machines get a DHCP address when they start, and IIRC there are two requests
during the lifetime of the IP address (one halfway through, and one at the
end of the lease).  So for a 2 week lease timeout, you have essentially 3
requests to a DHCP server which is nothing to really worry about.

I recently did some AD design work where small sites (up to about 30 users)
had a single server (Dual PIII 2+Ghz) running all the functions listed
previously, plus Exchange with no real trouble.  For larger sites, my
suggestion would be one infrastructure server (DC, GC, WINS, DHCP, DNS),
and application server(s) (File Print, Exchange etc).

As long as you design your AD site topology correctly (so that replication
is optimised, and GC placement is relevant for your clients), AD can pretty
much co-exist with most things, it's a question of network bandwidth and load
on the server.  Other databases (like Exchange, SQL, Oracle) are really the
main applications you need to be careful with when putting on the same
server as AD, because they can cramp each other's style (Exchange and SQL on
the same box for example is very touchy).

If you are thinking of layering other applications onto an AD DC, just have
a read of the requirements.  In a lot of cases MS force you down a
particular path. For example, SUS (System Update Services) and MOM
(Microsoft Ops Manager) won't run on DCs, so you are forced to put in an
additional server to run these.

So, as for your original question *grin*, I would have one server that does
the infrastructure stuff, and another server for FP.

Glenn


- Original Message -
From: John Strongosky [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 22, 2003 11:27 AM
Subject: [ActiveDir] What Services/Server's can be combined with Active
Directory.


 In our planning group we are having a discussion on what servers/services
 we need to combine or can combine for our AD deployment. I have looked
 through a lot of Technotes; there is not one definitive answer. Can anyone
 point me to a source or answer this for me.

 We are thinking of combining: DC, DNS and GCs on a server, file and print
 and DHCP on another in our sites; or DC, DNS, GC on a server, file and print
 on a server and DHCP by itself.


 john

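
The exposure Missy points at in Q255134 concerns the DNS records a DHCP server on a DC registers: if that DC's computer account is in DnsUpdateProxy, records it registers (including its own) are written without a secure owner, and if a zone accepts non-secure dynamic updates anyone on the wire can overwrite names. As an added example (mine, not from the thread or from Microsoft), here is a PowerShell audit that lists DCs running DHCP and shows those two settings for each, so the combination Rick asks about can be checked rather than guessed at. It assumes the RSAT ActiveDirectory and DnsServer modules and Windows PowerShell 5.1 (Get-Service -ComputerName was removed from PowerShell 7).

```powershell
# Added example, not from the list thread. For every DC that also runs the
# DHCP Server service, report whether its computer account is in
# DnsUpdateProxy and which of its zones accept non-secure dynamic updates,
# the two conditions behind the Q255134 name-hijacking scenario.
# Assumes RSAT ActiveDirectory + DnsServer modules and Windows PowerShell 5.1.
Import-Module ActiveDirectory
Import-Module DnsServer

$proxyMembers = @(Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
                  Select-Object -ExpandProperty distinguishedName)

foreach ($dc in Get-ADDomainController -Filter *) {
    $dhcp = Get-Service -ComputerName $dc.HostName -Name DHCPServer -ErrorAction SilentlyContinue
    if (-not $dhcp) { continue }                      # no DHCP role on this DC

    $computer = Get-ADComputer -Identity $dc.Name
    $inProxy  = $proxyMembers -contains $computer.DistinguishedName

    # Zones on this DC that will take an update from any client, not just the
    # authenticated owner of the record
    $openZones = @(Get-DnsServerZone -ComputerName $dc.HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object -ExpandProperty ZoneName)

    $risk = if ($inProxy -or $openZones.Count -gt 0) { 'review (Q255134)' } else { 'ok' }

    [pscustomobject]@{
        DomainController              = $dc.HostName
        DhcpService                   = $dhcp.Status
        InDnsUpdateProxy              = $inProxy
        ZonesAllowingNonsecureUpdates = ($openZones -join ', ')
        Risk                          = $risk
    }
}
```

A DC that runs DHCP but is not in DnsUpdateProxy and whose zones are set to secure-only updates does not show the problem the KB describes; a DC in DnsUpdateProxy does, whether or not it also hosts DNS, because the unsecured records live in whichever DNS server holds the zone.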


Re: [ActiveDir] Different password policy

2003-03-24 Thread Missy Koslosky
There's always a risk, indeed.  I've yet to design an AD infrastructure
where there wasn't some sort of compromise involved!

M
- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 10:28 PM
Subject: RE: [ActiveDir] Different password policy


Missy,

Well said - and quite true.  But, given the difficulty of implementing the
compromise, the obvious decision point is going to be based on a risk
analysis.

Given that we're talking about password policy, I'm not sure how this is
germane.

But, nonetheless - you're right.  If you want to guarantee true security
autonomy, the forest is the model to use.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Missy Koslosky
Sent: Monday, March 24, 2003 9:08 PM
To: [EMAIL PROTECTED]

If you need to make it super-secure, they really should have their own
forest.  There aren't a lot of details on this available, but the domain
isn't a complete security boundary.
- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 2:08 PM
Subject: RE: [ActiveDir] Different password policy


snip
Nope - a child domain DOES have a separate security policy.
snip

BUT!  The really sensitive stuff (the intellectual property) of the company
is managed and created by the researchers.  We need to make sure that the
research information is very secure.
snip



RE: [ActiveDir] OT Password Policy:

2003-03-24 Thread Rick Kingslan

James,

The password problem is not one of brute force. Believe me, I use these
figures frequently when discussing things with Executives, because Bink's chart
(BTW not a name loved in the MVP Community - and shame on MS for caving) is
very impressive. But, if I can grab some pertinent data (pwdump, etc.) and
use tools such as John the Ripper or L0phtCrack, then these numbers are
meaningless as the brute force element is no longer in play.

The reason that it is important to change passwords on some relative frequency is
not because Stephen Bink is right - because he is - if pure math is all that is
at work. The reason to change passwords at some relative frequency is to
ensure that you are lessening the risk of compromise due to a number of other
factors that have nothing to do with brute force.

Let's look at it from another perspective: Security is ALL ABOUT reducing the
Attack Surface. We as the Defenders have a hard job - we are required to
secure and strengthen each and every nook and cranny of our computers, OSs,
networks, buildings, etc. The attackers have an advantage - they can
attack that one small area that we missed or didn't bolster to a sufficient
level. And, if they can't get it immediately, they can chip away a little
bit at a time until they do in a very quiet and clandestine way.

This is why we change passwords frequently - because you just don't know who is using
your user's username and password.


Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 9:33 PM
To: [EMAIL PROTECTED]


http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc022703/wcblurb022703.asp

The below is referenced from:

http://winxp.bink.nu/ :

Interesting password points:

Password length and possible permutations
6 characters = 689,869,781,056
7 characters = 64,847,759,419,264
8 characters = 6,095,689,385,410,816
9 characters = 572,994,802,228,616,704
10 characters = 53,861,511,409,489,970,176

Given a 60 day password expiry date and a password of 7 characters, it would
require about 7,407,407 logon attempts per second to find the password
Play the lottery, the odds are much better!
Password security recommendations:

Security | Account Lockout Settings**          | Password Policy Settings                                  | Cost
Category | Threshold | Reset after | Duration  | History | Max age | Min age | Min length | Complexity |
         |           | (minutes)   | (minutes) |         | (days)  | (days)  |            |            |
---------+-----------+-------------+-----------+---------+---------+---------+------------+------------+-------
Low      | -         | -           | -         | 3       | 42      | 0       | 0          | disabled   | Low
Medium   | 10        | 30          | 30        | 24      | 42      | 1       | 7          | enabled    | Medium
High     | 10        | 30          | Infinite/0| 24      | 42      | 1       | 8          | enabled    | High
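
To put the chart and Rick's rebuttal on the same footing, here is an added example (mine, not from the thread, the webcast or bink.nu) that reads the live domain policy, lays it beside the chart's "High" row, and then works the brute-force arithmetic for the policy actually in force: the online case the chart's "logon attempts per second" figure assumes, capped by the lockout threshold, and the offline case Rick describes, where the hashes have been dumped and the lockout policy no longer applies. It assumes the RSAT ActiveDirectory module; the 94-character alphabet is the one the chart's permutation counts use, and the offline guess rate is a placeholder I picked, not a measurement of any cracker.

```powershell
# Added example, not from the list thread. Compares the live default domain
# password policy with the chart's "High" row, then estimates online and
# offline brute-force effort for the live policy. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

$live = Get-ADDefaultDomainPasswordPolicy

# The chart's "High" row. LockoutDuration 0 means "until an administrator unlocks".
$high = [ordered]@{
    LockoutThreshold         = 10
    LockoutObservationWindow = [timespan]::FromMinutes(30)
    LockoutDuration          = [timespan]::Zero
    PasswordHistoryCount     = 24
    MaxPasswordAge           = [timespan]::FromDays(42)
    MinPasswordAge           = [timespan]::FromDays(1)
    MinPasswordLength        = 8
    ComplexityEnabled        = $true
}
foreach ($name in $high.Keys) {
    $flag = if ($live.$name -eq $high[$name]) { '' } else { '<- differs from High' }
    '{0,-26} {1,-14} {2}' -f $name, $live.$name, $flag
}

function Get-BruteForceEstimate {
    param(
        [int]$Length,               # password length to attack
        [double]$ExpiryDays,        # how long a recovered password stays useful
        [int]$Threshold,            # lockout threshold (0 = no lockout)
        [double]$WindowSeconds,     # lockout observation window
        [double]$OfflineRate = 1e9  # ASSUMED guesses/s against dumped hashes (placeholder)
    )
    $space  = [bigint]::Pow(94, $Length)       # 94 printable ASCII characters, as in the chart
    $spaceD = [double]$space
    # Rate an online guesser would need to cover the whole space before the password expires
    $needed = $spaceD / ($ExpiryDays * 86400)
    # Rate lockout leaves an online guesser without tripping it: Threshold-1 per window
    $allowed = if ($Threshold -gt 0) { ($Threshold - 1) / $WindowSeconds } else { [double]::PositiveInfinity }
    $allowedText = if ($allowed -eq [double]::PositiveInfinity) { 'unlimited' } else { '{0:N3}/s' -f $allowed }

    [pscustomobject]@{
        Length               = $Length
        Keyspace             = $space.ToString('N0')
        OnlineRateNeeded     = '{0:N0}/s' -f $needed
        OnlineRateAllowed    = $allowedText
        OfflineDaysFullSpace = '{0:N2}' -f ($spaceD / $OfflineRate / 86400)
    }
}

# The chart assumes a 60 day expiry; use it when the live policy never expires passwords
$expiry = if ($live.MaxPasswordAge.TotalDays -gt 0) { $live.MaxPasswordAge.TotalDays } else { 60 }

6..10 | ForEach-Object {
    Get-BruteForceEstimate -Length $_ -ExpiryDays $expiry `
        -Threshold $live.LockoutThreshold `
        -WindowSeconds $live.LockoutObservationWindow.TotalSeconds
} | Format-Table -AutoSize
```

The gap between OnlineRateNeeded and OnlineRateAllowed is what the chart is celebrating: with any lockout threshold at all, online guessing cannot get near the rate the keyspace demands. OfflineDaysFullSpace is Rick's point: once the hashes are in hand, the only limits are the hash algorithm and the attacker's hardware, and neither the lockout policy nor the expiry interval is in play.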