RE: [ActiveDir] Password policy change

2005-08-29 Thread Peter Johnson
OWA doesn't have a built-in password change function, but you can activate the 
standard IIS password changing module called iisadmpwd, which is placed in the 
options section of the OWA interface. However, if the password has expired you'll 
be out of luck. 

One article that covers this is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your
password is expired (forced or otherwise) you aren't getting into OWA. I
also don't believe it has a password change function if you just want to go
and change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.

As for the OP's original issue, it all comes down to implementation. You told
the system to not allow people to change the password if the password age
was less than one day and then were confused when it did exactly that. The
reason for it is that there is one attribute for password age, pwdLastSet,
and it doesn't distinguish between a helpdesk set operation or a normal
password change; they are both password changes and you only want one day
between every change. The proper way to handle that case is to force the
users to change their password on next logon (which sets pwdLastSet to
0), but as you know, that will kill OWA users. So you either need another
process to follow for OWA-only users, install some third party or custom
in-house tool, or drop the minimum password aging. 

   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant!

I am not an outlook sort of person (we use Notes...), but the inferred
statement surprises me. It suggests that if the must change password is
set, you can't logon to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days
is also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your
password. If it did, it would surely allow you to logon, then require you to
change the password before you do anything.

This all seems unlikely, given Microsoft's recommended use of forcing
password changes on a regular basis and forcing users to change a password
when a new user is created.

If it is all true, maybe you have to provide some way that the users can go
to a Citrix portal and change their password there, then go back and use
Outlook Web Access.

 Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml




- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Nevermind OWA = Outlook Web Access


On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
wrote:


 I mean, if I use the check box to user must change password at next logon,
 our users whose only way into the domain is OWA will not be prompted to change
 their password... Unless I am missing something.

 Thanks

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
 Sent: Friday, August 26, 2005 3:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Password policy change

 Johnny,

 We do exactly what you suggest, change the password and set the user must
 change password at next logon and they are able to change it, even within the
 password cannot be changed period.

 What do you mean by that would effectively lock out the OWA only users?


  Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml



 - Original Message -
 From: Figueroa, Johnny [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, August 27, 2005 2:56 AM
 Subject: RE: [ActiveDir] Password policy change



 Help desk sets the password to something something, tells the user to
 change their password to whatever they want it to be and the user cannot. I
 thought about having the HD check the box that makes it so the user has to
 change the 
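An added example (written for this page, not code from the thread) of the pwdLastSet rule joe describes, in PowerShell with the ActiveDirectory module: it classifies each user as must-change-at-next-logon (pwdLastSet = 0), blocked by minimum password age because a helpdesk reset counts as a change, or free to change. The OU path is a placeholder and only the default domain policy is considered (fine-grained password policies are ignored).

```powershell
# Added example, not from the thread. Classifies the states joe describes:
#   pwdLastSet = 0        -> "user must change password at next logon" (interactive
#                            logon prompts for a change; OWA, per the thread, does not)
#   age < MinPasswordAge  -> a helpdesk reset counts as a password change, so the
#                            user cannot change it again until the minimum age passes
#   otherwise             -> the user can change it themselves
# Requires the ActiveDirectory module (RSAT) and a reachable DC.
# $SearchBase is a placeholder; replace it with the OU holding the OWA-only users.
Import-Module ActiveDirectory

function Get-PasswordChangeState {
    param(
        [Parameter(Mandatory)][int64]$PwdLastSet,        # raw attribute value: FILETIME or 0
        [Parameter(Mandatory)][timespan]$MinPasswordAge,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    if ($PwdLastSet -eq 0) {
        return [pscustomobject]@{
            State = 'MustChangeAtNextLogon'; PasswordAge = $null; CanChangeAfter = $null
        }
    }
    $setAt = [datetime]::FromFileTimeUtc($PwdLastSet)
    $age   = $Now - $setAt
    $state = if ($age -lt $MinPasswordAge) { 'BlockedByMinPasswordAge' } else { 'CanChange' }
    [pscustomobject]@{
        State = $state; PasswordAge = $age; CanChangeAfter = $setAt + $MinPasswordAge
    }
}

$SearchBase = 'OU=OWA-Users,DC=example,DC=com'                      # placeholder
# Default domain policy only; a fine-grained policy on a user would override this
$minAge = (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge         # e.g. 1.00:00:00 for one day

Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties pwdLastSet |
    ForEach-Object {
        $s = Get-PasswordChangeState -PwdLastSet ([int64]$_.pwdLastSet) -MinPasswordAge $minAge
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            State          = $s.State
            PasswordAge    = $s.PasswordAge
            CanChangeAfter = $s.CanChangeAfter     # when the min-age block lifts
        }
    } |
    Sort-Object State, SamAccountName |
    Format-Table -AutoSize
```

Users reported as BlockedByMinPasswordAge are the ones the helpdesk reset has locked out of a self-service change; the CanChangeAfter column tells the helpdesk when the block lifts.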

RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Hunter, Laura E.
Yep, that was him.  Drat, dunno why I had Luther in my head as being his
first name.  


- L

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Monday, August 29, 2005 12:32 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
 
 Heavy German accent?  I suspect that it was Andreas Luther (and looks nothing like Guido)
 
 And - it might have been DEC as Andreas was there for the Identity
 Management (read:MIIS) portion of the conference.
 
 Rick 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Hunter, Laura E.
 Sent: Sunday, August 28, 2005 7:02 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
 
 Oddly enough, this exact topic came up in a dinner conversation at Tech Ed
 this year.[1]  Luther...oh heck somebody remind me of his last name...had
 apparently quizzed people with this one at a previous conference (DEC?), only
 to ultimately reveal that the answer was "You know how people always ask you
 what the IM FSMO does? Well, now you can tell them that it's responsible for
 running /domainprep."
 
 
 
 [1] Please hold the jokes about having dinner conversations 
 about Active Directory internals until the end, please.  :-)
 
 
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of 
 Tony Murray
   Sent: Sunday, August 28, 2005 7:36 PM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
   
   Hi all

   Does anyone know why the documentation suggests that adprep 
   /domainprep be run on the DC holding the IM FSMO role?  I heard a 
   rumour to the effect that it was only because that DC is likely to be
   less busy than the other DCs, but I'd like to know for sure.

   Tony
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 


RE: [ActiveDir] Urgent:Access Denied to Password Resets

2005-08-29 Thread Aramide Adebanjo
Hi All,

Apologies for my silence on this issue. I have checked these support
pages and it involves installing a hotfix on the PDC to modify the
effects of the AdminSDHolder on protected groups. However, I don't
believe this solves my issue because the problem stated in the article
was the issue of users with delegated rights not being able to reset
some user accounts under protected groups. In addition, this hotfix is
still under testing. I need to know if there is anyone out there who is
experiencing my challenges as well.

BR

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, August 22, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent:Access Denied to Password Resets

Could be the AdminSDHolder:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q232199

..and some words on this from Ulf:

http://msmvps.com/ulfbsimonweidner/archive/2005/05/29/49659.aspx

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aramide
Adebanjo
Sent: Monday, 22 August 2005 8:37 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgent:Access Denied to Password Resets


Hi All,

We have a delegation model we just adopted and part of the
responsibilities handed over to our helpdesk support staff is password
reset of users' accounts. However, this delegated right goes off every 48
hrs and I had to redo the delegation again. We have a 2003 domain and I
have searched the TechNet site to no avail for problems similar to
this. In addition, helpdesk is not prompted to force password change at
next logon...
Any ideas guys?
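An added example (written for this page, not from the thread) that checks the AdminSDHolder cause Tony points to, in PowerShell with the ActiveDirectory module: it tests whether the AdminSDHolder template itself grants the helpdesk the Reset Password right, then lists every adminCount=1 user with whether inheritance has been blocked and whether the helpdesk ACE is still present. The helpdesk account name is a placeholder.

```powershell
# Added example, not from the thread. Members of protected groups get adminCount=1
# and, on the PDC emulator's periodic SDProp pass (every 60 minutes by default), have
# their security descriptor replaced with AdminSDHolder's and inheritance disabled.
# A reset-password delegation applied directly to (or inherited by) such a user is
# removed at that point, which is what makes delegated rights appear to "go off".
# Requires the ActiveDirectory module; $HelpdeskAccount is a placeholder.
Import-Module ActiveDirectory

$HelpdeskAccount    = 'EXAMPLE\Helpdesk'                             # placeholder
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right

function Test-ResetPasswordAce {
    # True when the DACL carries an Allow ACE granting the Reset Password right to $Identity
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [Parameter(Mandatory)][string]$Identity
    )
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    [bool]($Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.ActiveDirectoryRights -band $extRight) -and
        $_.ObjectType -eq $ResetPasswordRight
    })
}

$domainDN = (Get-ADDomain).DistinguishedName
$holder   = Get-ADObject "CN=AdminSDHolder,CN=System,$domainDN" -Properties nTSecurityDescriptor

# 1. Does the template grant the right? If not, SDProp will keep stripping it from protected users.
'AdminSDHolder grants {0} Reset Password: {1}' -f $HelpdeskAccount,
    (Test-ResetPasswordAce -Acl $holder.nTSecurityDescriptor -Identity $HelpdeskAccount)

# 2. Which users are protected right now, and have they already lost the delegated ACE?
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor, memberOf |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected   # set by SDProp
            HelpdeskCanReset   = Test-ResetPasswordAce -Acl $_.nTSecurityDescriptor -Identity $HelpdeskAccount
            # direct group membership only, so the protected group is visible at a glance
            DirectGroups       = ($_.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
        }
    } | Format-Table -AutoSize -Wrap
```

Note that adminCount stays at 1 after an account leaves a protected group, so a user can show InheritanceBlocked = True with no protected group listed; that is the same mechanism, not a separate problem.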


RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Grillenmeier, Guido
Andreas actually teased me with this at the second DEC in the US (must have
been 2003 in Scottsdale, Arizona), as I also wondered why the IFM would
be required for this role.  So after a good discussion about the IFM's
functions it was clear there was absolutely no technical requirement
that adprep /domainprep be performed on the IFM FSMO ;-) 

The only reason the IFM was chosen to perform this special task is:
they had to ensure that the domainprep will only be performed on a
single DC in a domain, and all the other FSMOs already had many more
special tasks than the IFM - this is why the domainprep was bound to be
executed on the IFM FSMO.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Montag, 29. August 2005 12:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

Yep, that was him.  Drat, dunno why I had Luther in my head as being his
first name.  


- L



RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Brett Shirley
IFM is an odd abbreviation of the Infrastructure Master role.  I think IM
is more typical.

-B

On Mon, 29 Aug 2005, Grillenmeier, Guido wrote:

 Andreas actually teased me with this at the second DEC in the US (must have
 been 2003 in Scottsdale, Arizona), as I also wondered why the IFM would
 be required for this role.  So after a good discussion about the IFM's
 functions it was clear there was absolutely no technical requirement
 that adprep /domainprep be performed on the IFM FSMO ;-) 
 
 The only reason the IFM was chosen to perform this special task is:
 they had to ensure that the domainprep will only be performed on a
 single DC in a domain, and all the other FSMOs already had many more
 special tasks than the IFM - this is why the domainprep was bound to be
 executed on the IFM FSMO.
 
 /Guido
 


RE: [ActiveDir] Password policy change

2005-08-29 Thread Cothern Jeff D. Team EITC
I have a possible solution for the OWA users.  I haven't used this particular 
software but we use one of their other products and it works well.  I'll let 
the website speak for itself.  But I believe this would provide a means via the 
web for your users to change their passwords.

http://www.anixis.com/products/ppeweb/default.htm 

Jeff Cothern


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, August 29, 2005 4:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

OWA doesn't have a built-in password change function, but you can activate the 
standard IIS password changing module called iisadmpwd, which is placed in the 
options section of the OWA interface. However, if the password has expired you'll 
be out of luck. 

One article that covers this is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson





RE: [ActiveDir] Permissions for a user to add users to a group

2005-08-29 Thread Cothern Jeff D. Team EITC
Ok, that is what I figured.  So if I install just ADUC from the adminpak
and create a custom taskpad for the manager, would that be the easiest
and best method to alleviate confusion etc.?

Jeff
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 27, 2005 2:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group

It means the manager can add or remove DNs to the member attribute of
the group. So they will be able to add or remove members of the group.
They won't actually be able to add/remove users from AD with just those
rights.

ADUC can be used, as can a script or anything else that modifies the
member attribute of the group in question.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Friday, August 26, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions for a user to add users to a group

If I set a group's managed by to a particular user and check the box
"Manager can update member list":

That means the Manager can add or delete users, correct?

Does he need ADUC or is there another way he can add those users?  


Thanks

Jeff
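An added example (written for this page, not from the thread) that shows concretely what joe describes: the "Manager can update membership list" checkbox is just an ACE on the group granting the managedBy principal WriteProperty on the member attribute. The PowerShell below, using the ActiveDirectory module and its AD: drive, reads that ACE back and reports anything else the manager holds on the group. The group name is a placeholder.

```powershell
# Added example, not from the thread. Verifies that the group's manager holds
# WriteProperty on 'member' (what the checkbox grants) and nothing more on the
# group object. It does not, and cannot, show rights to create or delete users,
# because the checkbox never grants those. $GroupName is a placeholder.
Import-Module ActiveDirectory

$GroupName = 'App-Users'                                            # placeholder
$group     = Get-ADGroup -Identity $GroupName -Properties managedBy
if (-not $group.managedBy) { throw "Group '$GroupName' has no managedBy set" }

$manager    = Get-ADObject -Identity $group.managedBy -Properties objectSid
$managerSid = if ($manager.objectSid -is [byte[]]) {
    New-Object System.Security.Principal.SecurityIdentifier($manager.objectSid, 0)
} else {
    [System.Security.Principal.SecurityIdentifier]$manager.objectSid
}

# Resolve the schemaIDGUID of the 'member' attribute from the schema instead of hard-coding it
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$memberAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
$memberGuid = [guid]$memberAttr.schemaIDGUID

$acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"

# ACEs on the group whose trustee is the manager
$managerAces = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $managerSid
}

$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$canUpdateMembers = [bool]($managerAces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $writeProp) -and
    $_.ObjectType -eq $memberGuid
})

[pscustomobject]@{
    Group            = $group.Name
    Manager          = $manager.Name
    CanUpdateMembers = $canUpdateMembers
    # Anything beyond the member attribute came from a separate delegation, not the checkbox
    OtherManagerAces = ($managerAces | Where-Object { $_.ObjectType -ne $memberGuid } |
                        ForEach-Object { "$($_.AccessControlType) $($_.ActiveDirectoryRights)" }) -join '; '
}
```

Because the grant is on the member attribute only, any tool that writes that attribute (ADUC, a script, an LDAP client) works for the manager, and OtherManagerAces should normally be empty.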




RE: [ActiveDir] GP setting for IE lockdown

2005-08-29 Thread Cothern Jeff D. Team EITC
If I read you right they will only be accessing the website thru this
Terminal Service.  If this is the case there are a few settings you
would need to set to lock down the system.  It is not just IE you have
to think about.  

User Configuration > Windows Components > Windows Explorer

 - Hide These Drives in My Computer: Enabled (restrict a, b, c, d drives only)
 - Remove Map Network Drive and Disconnect Network Drive: Enabled
 - Remove CD Burning Features: Enabled
 - Remove Hardware tab: Enabled

Start Menu and Taskbar

 - Remove Run menu from Start Menu: Enabled


Another area to look at is 

http://download.microsoft.com/download/d/8/b/d8b21533-a5bf-4d46-8878-ebbf834fc6f7/Win2003_Teminal_Server_Lockdown.doc

I found that document invaluable when I had to create a locked down TS
system.

One item to note.  You're gonna want to make the TS system part of the
domain definitely and use group policies to apply the settings, as it
makes it hard to change settings once you lock it down if you do it on
the local policy.

Jeff Cothern


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Friday, August 26, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GP setting for IE lockdown

I've been tasked with the following project...

Provide access for partner company personnel to a LOB app and our
intranet via a terminal server session [1]. The IE session should allow
access to the intranet site and nothing else, no internet, no local
machine, no customization.

Plan is to create a VM with the appropriate restricted desktop access
and the LOB app. That part's ok; however, I'm having trouble finding
good info on securing IE so that it can only get to our intranet. 
I can set a non-existent proxy and add our intranet to the proxy bypass
sites; that's easy enough.

What I can't remember is how to lock down IE so no one can type c:\ or
some other folder name and get to the local file system. I tried the
NoFileURL setting under
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, but
it's not restricting the test user.
Anyone remember a good way to prevent local file system access through
IE?

A good ADM file that chokes IE to the bone would be nice, too, but I
haven't found one of those lately either.

My Google Mojo isn't working today...

Thanks!

[1] I know; running IE on a server is bad juju. That's why it's going to
be in a snapshotted VM I can wipe daily. :-) You don't want to know how
ugly the other alternatives were...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
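An added example (written for this page, not from the thread) that builds the restricted-desktop GPO Jeff lists, plus the proxy approach Charlie describes, with the GroupPolicy module. The registry values are the ones the corresponding Windows Explorer, Start Menu and Internet Explorer policies write; the GPO name, OU and intranet host are placeholders. It does not address Charlie's open question about c:\ in the IE address bar.

```powershell
# Added example, not from the thread. Creates (or reuses) a GPO carrying the settings
# from Jeff's list and Charlie's proxy trick, links it to the OU holding the partner
# users, and reads the values back for review. Apply it via user policy (or loopback
# on the terminal server's OU). GPO name, OU and intranet host are placeholders.
Import-Module GroupPolicy

$GpoName      = 'TS Partner Lockdown'                  # placeholder
$IntranetHost = 'intranet.example.com'                 # placeholder
$TargetOU     = 'OU=TS-Partners,DC=example,DC=com'     # placeholder

$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$inetSet  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ieCpl    = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# User Configuration > Windows Components > Windows Explorer, as in Jeff's list.
# NoDrives is a bitmask: A=1, B=2, C=4, D=8, so 15 hides A, B, C and D.
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoDrives'                -Type DWord -Value 15 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoNetConnectDisconnect' -Type DWord -Value 1  | Out-Null  # Map/Disconnect Network Drive
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoCDBurning'            -Type DWord -Value 1  | Out-Null  # CD Burning features
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoHardwareTab'          -Type DWord -Value 1  | Out-Null  # Hardware tab
# Start Menu and Taskbar
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoRun'                  -Type DWord -Value 1  | Out-Null  # Run menu

# IE: proxy that can never resolve (.invalid is reserved), bypassed only for the
# intranet host, and the proxy settings page locked so the user cannot undo it.
Set-GPRegistryValue -Name $GpoName -Key $inetSet -ValueName 'ProxyEnable'   -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $inetSet -ValueName 'ProxyServer'   -Type String -Value 'proxy.invalid:8080' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $inetSet -ValueName 'ProxyOverride' -Type String -Value $IntranetHost | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ieCpl   -ValueName 'Proxy'         -Type DWord  -Value 1 | Out-Null  # Disable changing proxy settings

New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Read back what the GPO now carries before it reaches any user
Get-GPRegistryValue -Name $GpoName -Key $explorer | Select-Object ValueName, Type, Value
Get-GPRegistryValue -Name $GpoName -Key $inetSet  | Select-Object ValueName, Type, Value
```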


RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Rick Kingslan
I suppose it's much like my gaffe of a couple weeks ago with our good friend
Bernard Aric (sic) from HP.

(Cheers, Aric! )

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Monday, August 29, 2005 5:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

Yep, that was him.  Drat, dunno why I had Luther in my head as being his
first name.  


- L



RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Rick Kingslan
Guido is doing that for me, I'm quite sure.  Any time anyone mentions IM to
me, I want to add them to my contact list.  I'm much like a teenage little
girl in that regard (and scream like one too, when frightened! :-)

VBG

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, August 29, 2005 6:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

IFM is an odd abbreviation of the Infrastructure Master role.  I think IM is
more typical.

-B

On Mon, 29 Aug 2005, Grillenmeier, Guido wrote:

 Andreas actually teased me with this at the second DEC in US (must 
 have been 2003 in Scottsdale, Arizona), as I also wondered why the IFM 
 would be required for this role.  So after a good discussion about the 
 IFM's functions it was clear there was absolutely no technical 
 requirement that adprep /domainprep be performed on the IFM FMSO ;-)
 
 The only reason the IFM was chosen to perform this special task is:
 they had to ensure that the domainprep will only be performed on a 
 single DC in a domain and all the other FMSOs already had many more 
 special tasks than the IFM - this is why the domainprep was bound to 
 be executed on the IFM FSMO.
 
 /Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura 
 E.
 Sent: Montag, 29. August 2005 12:36
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Infrastructure Master and adprep /domainprep
 
 Yep, that was him.  Drat, dunno why I had Luther in my head as being 
 his first name.
 
 
 - L
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Rick 
  Kingslan
  Sent: Monday, August 29, 2005 12:32 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Infrastructure Master and adprep /domainprep
  
  Heavy German accent?  I suspect that it was Andreas Luther  (and 
  looks nothing like Guido)
  
  And - it might have been DEC as Andreas was there for the Identity 
  Management (read:MIIS) portion of the conference.
  
  Rick
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, 
  Laura E.
  Sent: Sunday, August 28, 2005 7:02 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Infrastructure Master and adprep /domainprep
  
  Oddly enough, this exact topic came up in a dinner conversation at 
  Tech Ed this year.[1]  Luther...oh heck somebody remind me of his 
  last name...had apparently quizzed people with this one at a 
  previous conference (DEC?), only to ultimately reveal that the answer 
  was "You know how people always ask you what the IM FSMO does? Well, 
  now you can tell them that it's responsible for running /domainprep."
  
  [1] Please hold the jokes about having dinner conversations about 
  Active Directory internals until the end, please.  :-)
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
   Sent: Sunday, August 28, 2005 7:36 PM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] Infrastructure Master and adprep /domainprep
   
   Hi all
   
   Does anyone know why the documentation suggests that adprep 
   /domainprep be run on the DC holding the IM FSMO role?  I heard 
   a rumour to the effect that it was only because that DC is likely to be 
   less busy than the other DCs, but I'd like to know for sure.
   
   Tony



[ActiveDir] determine number of users logged on last 60 days

2005-08-29 Thread Cothern Jeff D. Team EITC
Is there a query I could run that would tell me the number of users, minus
service accounts (I guess filter by OU), that have logged on in the last 60
days?

Jeff Cothern



RE: [ActiveDir] determine number of users logged on last 60 days

2005-08-29 Thread Al Mulnick
It's possible, but not absolute.  Are you trying to automate user
management?
Can you give some more details about what you want and what you want to
do with the data?  That might help to spur some better information.

Basically, you can use lastLogonTimestamp (dsquery makes it pretty easy
if you want to use that) to find out roughly when a user last logged on,
assuming they triggered an update to it.  Some actions don't trigger this
update, so a second data point is a useful thing to have to narrow it down
even more.  pwdLastSet is a useful data point IIRC. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, August 29, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] determine number of users logged on last 60 days

Is there a query I could run that would tell me the number of users, minus
service accounts (I guess filter by OU), that have logged on in the last 60
days?

Jeff Cothern

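A worked version of Al's suggestion, added here as an example and not taken from the thread: it builds the LDAP filter a tool like dsquery would need for a 60-day window, then classifies constructed sample records using lastLogonTimestamp with pwdLastSet as the second data point, allowing for the fact that lastLogonTimestamp is only rewritten about every 14 days and so can lag the real last logon. The OU name, the sample accounts and the thread date used as "now" are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Offset between the Windows FILETIME epoch (1601-01-01) and the Unix epoch, in 100 ns ticks.
EPOCH_DIFF_TICKS = 116444736000000000
TICKS_PER_SECOND = 10_000_000
# lastLogonTimestamp is only rewritten when the stored value is about 14 days old
# (msDS-LogonTimeSyncInterval default), so it can lag the real last logon by that much.
LOGON_SYNC_LAG_DAYS = 14

def to_filetime(dt):
    """Aware datetime -> FILETIME integer, the format of lastLogonTimestamp and pwdLastSet."""
    return int(dt.timestamp()) * TICKS_PER_SECOND + EPOCH_DIFF_TICKS

def from_filetime(ft):
    """FILETIME integer -> aware UTC datetime (a stored value of 0 means 'never set')."""
    return datetime.fromtimestamp((ft - EPOCH_DIFF_TICKS) // TICKS_PER_SECOND, tz=timezone.utc)

def build_ldap_filter(days, now):
    """LDAP filter for enabled user accounts with a logon or password change within `days`.
    An OU cannot be excluded inside the filter: use the search base, or post-filter by DN."""
    cutoff = to_filetime(now - timedelta(days=days))
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"  # bit-AND rule; 2 = ACCOUNTDISABLE
            f"(|(lastLogonTimestamp>={cutoff})(pwdLastSet>={cutoff})))")

def classify_logons(records, days, now, service_ou_dn):
    """Bucket users by whether they logged on within `days`, with pwdLastSet as the second
    data point and a grace band for lastLogonTimestamp lag. Accounts under service_ou_dn are skipped."""
    cutoff = to_filetime(now - timedelta(days=days))
    lag_cutoff = to_filetime(now - timedelta(days=days + LOGON_SYNC_LAG_DAYS))
    buckets = {"active": [], "uncertain": [], "stale": []}
    for rec in records:
        if rec["distinguishedName"].lower().endswith(service_ou_dn.lower()):
            continue  # service accounts live in their own OU, as the question assumes
        llts = rec.get("lastLogonTimestamp", 0)
        pwd_set = rec.get("pwdLastSet", 0)  # 0 = must change at next logon, not a real time
        if llts >= cutoff or pwd_set >= cutoff:
            buckets["active"].append(rec["sAMAccountName"])
        elif llts >= lag_cutoff:
            buckets["uncertain"].append(rec["sAMAccountName"])  # may have logged on after llts
        else:
            buckets["stale"].append(rec["sAMAccountName"])
    return buckets

NOW = datetime(2005, 8, 29, tzinfo=timezone.utc)        # date of the thread, used as "now"
SERVICE_OU = "OU=Service Accounts,DC=example,DC=com"   # hypothetical service-account OU

def days_ago(n):
    return to_filetime(NOW - timedelta(days=n))

# Constructed sample records standing in for what dsquery/ldifde would return.
SAMPLE_RECORDS = [
    {"sAMAccountName": "alice", "distinguishedName": "CN=alice,OU=Staff,DC=example,DC=com",
     "lastLogonTimestamp": days_ago(10), "pwdLastSet": days_ago(80)},
    {"sAMAccountName": "bob", "distinguishedName": "CN=bob,OU=Staff,DC=example,DC=com",
     "lastLogonTimestamp": days_ago(100), "pwdLastSet": days_ago(30)},   # active via pwdLastSet
    {"sAMAccountName": "carol", "distinguishedName": "CN=carol,OU=Staff,DC=example,DC=com",
     "lastLogonTimestamp": days_ago(65), "pwdLastSet": days_ago(200)},   # inside the lag band
    {"sAMAccountName": "dave", "distinguishedName": "CN=dave,OU=Staff,DC=example,DC=com",
     "lastLogonTimestamp": days_ago(120), "pwdLastSet": 0},
    {"sAMAccountName": "svc_backup", "distinguishedName": "CN=svc_backup," + SERVICE_OU,
     "lastLogonTimestamp": days_ago(1), "pwdLastSet": days_ago(1)},     # excluded by OU
]

if __name__ == "__main__":
    print(build_ldap_filter(60, NOW))
    print(classify_logons(SAMPLE_RECORDS, 60, NOW, SERVICE_OU))
```

The "uncertain" bucket is the count you cannot settle from these two attributes alone; a DC-by-DC lastLogon query or the security event log is needed to resolve those accounts.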


[ActiveDir] OT: Extend W2K3 Boot Partition

2005-08-29 Thread Harding, Devon
Is there a way to extend boot & system partitions on Windows 2003? Diskpart.exe only 
does data partitions and PowerQuest Volume Manager stops at Windows 2000.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

This message and any attachments are solely for the intended recipient and may contain 
confidential or privileged information.  If you are not the intended recipient, any 
disclosure, copying, use or distribution of the information included in the message and 
any attachments is prohibited.  If you have received this communication in error, please 
notify us by reply e-mail and immediately and permanently delete this message and any 
attachments.  Thank You.


RE: [ActiveDir] OT: Extend W2K3 Boot Partition

2005-08-29 Thread Michael B. Smith
Partition Manager (I'm a satisfied customer of the product.)

http://www.partition-manager.com/


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, August 29, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Extend W2K3 Boot Partition


Is there a way to extend boot & system partitions on Windows 2003? Diskpart.exe only 
does data partitions and PowerQuest Volume Manager stops at Windows 2000.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

This message and any attachments are solely for the intended recipient and may contain 
confidential or privileged information.  If you are not the intended recipient, any 
disclosure, copying, use or distribution of the information included in the message and 
any attachments is prohibited.  If you have received this communication in error, please 
notify us by reply e-mail and immediately and permanently delete this message and any 
attachments.  Thank You.


RE: [ActiveDir] Exchange 2k hotfix issue(OT)

2005-08-29 Thread Hunter, Laura E.
You might want to fire up regmon to see what is causing the setup to fail. I 
had a similar situation a few weeks ago and we figured out (*waves at Dean*) 
that there was a ServicePackBuild registry entry under 
HKLM\Software\Exchange\Setup that didn't get correctly re-populated during the 
recovery install.

- Laura

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
 Sent: Monday, August 29, 2005 12:20 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Exchange 2k hotfix issue(OT)
 
 I reinstalled Exchange 2k with the /disasterrecovery switch.
 Did the same with sp3 for exchange.
  
 however when i try to install the post sp3 rollup, it tells 
 me i'm not at sp 3.
  
 Also there is no M: drive created and when i try to do a db 
 restore, the store won't mount with eventid 619.
  
 Event id 619 suggests to me that exchange thinks its not at 
 sp3 but the restore is from a sp3 info store, thus creating 
 an inconsistency.
 However, sp3 installed with the dr switch without error and 
 in ESM, it says SP3 under the restored server.
  
 Any ideas would be great.
  
 thanks
 


RE: [ActiveDir] finding txt in a message

2005-08-29 Thread Al Mulnick
The anti-virus server application (Exchange aware) is a great way to do
that. 

Do you have one?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, August 29, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding txt in a message

Group,

Sorry for sending an Exchange question to an AD group, but I really need
an answer to this quick.

Does anyone know how to find a specific string or text in email?  I know
that exmerge can do subjects and system manager can track a message by
sender or receiver.. But, I need to know how to find specific text in an
email.

Thanks
S


RE: [ActiveDir] finding txt in a message

2005-08-29 Thread Steve Shaff
I have Antigen, but will do subject and domain filtering... :(

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 29, 2005 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding txt in a message

The anti-virus server application (Exchange aware) is a great way to do
that. 

Do you have one?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, August 29, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding txt in a message

Group,

Sorry for sending an Exchange question to an AD group, but I really need
an answer to this quick.

Does anyone know how to find a specific string or text in email?  I know
that exmerge can do subjects and system manager can track a message by
sender or receiver.. But, I need to know how to find specific text in an
email.

Thanks
S


Re: [ActiveDir] OT: Extend W2K3 Boot Partition

2005-08-29 Thread Arlo Clizer
I've been pretty pleased with BootItNG. It has gotten me out of some 
jams in the past.


http://www.terabyteunlimited.com/bootitng.html

I've been lurking here about a week or so. Great content!

Regards,

Arlo



RE: [ActiveDir] finding txt in a message

2005-08-29 Thread deji
If you are thinking of finding them as they arrive or as they are being sent,
eventsink is the way to go. I don't know how to write one that will go
through messages already in the store and look for the keyword. But, writing
one that looks for the keyword as the message is coming in or leaving should
do the trick.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Steve Shaff
Sent: Mon 8/29/2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding txt in a message



I have Antigen, but will do subject and domain filtering... :(

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 29, 2005 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding txt in a message

The anti-virus server application (Exchange aware) is a great way to do
that.

Do you have one?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, August 29, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding txt in a message

Group,

Sorry for sending an Exchange question to an AD group, but I really need
an answer to this quick.

Does anyone know how to find a specific string or text in email?  I know
that exmerge can do subjects and system manager can track a message by
sender or receiver.. But, I need to know how to find specific text in an
email.

Thanks
S


RE: [ActiveDir] Password policy change

2005-08-29 Thread lists

That should work.  :-)

There are actually many web-, phone- and login-prompt- accessible
password change/synchronization/reset applications out there, some of
which support password updates to multiple types of systems, rather than 
just AD.


PROMOTIONAL ALERT - CLOSE YOUR EYES TO AVOID ADVERTISING
  One such is http://psynch.com/
/PROMOTIONAL ALERT - COULDN'T HELP MYSELF

Linking one of these to OWA should be trivial.  With this product, and 
probably others, you should have no trouble detecting password expiry and 
bouncing the user to the 'change now' page either.


Good luck,

-- Idan

On Mon, 29 Aug 2005, Cothern Jeff D. Team EITC wrote:


I have a possible solution for the OWA users.  I haven't used this particular 
software but we use one of their other products and it works well.  I'll let 
the website speak for itself.  But I believe this would provide a means via the 
web for your users to change their passwords.

http://www.anixis.com/products/ppeweb/default.htm

Jeff Cothern


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, August 29, 2005 4:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

OWA doesn't have a built in password change function but you can activate the 
standard IIS password changing module called iisadmpwd, which is placed in the 
options section of the OWA interface. However, if the password has expired you'll 
be out of luck.

One article that covers this is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in 
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your 
password is expired (forced or otherwise) you aren't getting into OWA. I also 
don't believe it has a password change function if you just want to go and 
change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told 
the system to not allow people to change the password if the password age was 
less than one day and then were confused when it did exactly that. The reason 
for it is that there is one attribute for password age, pwdLastSet, and it 
doesn't distinguish between a helpdesk set operation or a normal password 
change; they are both password changes and you only want one day between every 
change. The proper way to handle that case is to force the users to change 
their password on next logon (which sets the pwdLastSet to 0), but as you know, 
that will kill OWA users. So you either need another process to follow for OWA-only 
users, install some third party or custom in-house tool, or drop the 
minimum password aging.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant!

I am not an outlook sort of person (we use Notes...), but the inferred statement 
surprises me. It suggests that if the must change password is set, you can't 
logon to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days is 
also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your 
password. If it did, it would surely allow you to logon, then require you to 
change the password before you do anything.

This all seems unlikely, given Microsoft's recommended use of forcing password 
changes on a regular basis and forcing users to change a password when a new 
user is created.

If it is all true, maybe you have to provide some way that the users can go to 
a Citrix portal and change their password there, then go back and use Outlook 
Web Access.

Alan Cuthbertson


Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free):-
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml




- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Nevermind OWA = Outlook Web Access


On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
wrote:

I mean, if I use the check box "user must change password at next logon",
our users whose only way into the domain is OWA will not be prompted to
change their password... Unless I am missing something.

Thanks

-Original