RE: [ActiveDir] Separate Administrator password policy

2006-09-07 Thread petter.borling
Why not use certificates or RSA for admin accounts?
If you have a PKI environment, that would be my suggestion. Then only
the default Administrator account would be insecure, but that can be
mitigated with a very long password.

Another option is to put admin accounts in a separate child or top
domain.

/petter borling

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: den 7 september 2006 05:54
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Separate Administrator password policy

Hi Al,

All good questions.  I'll answer here, but if it starts to get hairy,
lets take it offline (same as my post to Susan - I don't want this to
become a deep discussion of our product on the list).

> Not to pick, but it occurs to me that you're trying to complicate the
> problem. While I agree that changing the passwords every 24 hours
> (whatever freq works is likely going to be fine), is not a bad idea,
> it has the likely problem of being very problematic. This is similar
> to a push vs. pull paradigm and if looked at that way, you have
> similar issues such as connectivity and reliability. i.e. how do you
> ensure that the password change was successful if there's a network
> outage? Or just a network blip?
> Is it important that you do so is assumed from the previous
> information to date.

100% reliability is mandatory in this kind of app.  Funny that you raise
push vs. pull, as we have two modes of operations, called push and pull.
:-)  We push passwords to server-class target systems (e.g., AD,
mainframes, whatever), and pull password changes from workstations
(i.e., the workstations push to the server).  The handshake used ensures
that password changes are 100% reliable - we abort if there isn't a
connection, etc.; and password history is retained just in case
something went wrong anyways.

> A solution that scales up, down, or laterally is appropriate.
> Something that allows an account to traverse the different sites,
> possibly into the hundreds or even thousands, and allows almost
> instant revocation of the user account with administrative privileges
> should that become necessary during the course of normal business.

Scaling is easy enough - just arrange for different devices, of which
there may be tens of thousands, to contact a central server at somewhat
randomized times, and keep trying in case of powerdown, connection
failures, etc. etc.  This eliminates nasty traffic bursts.

Traversing sites is easy too - use HTTPS to connect to the central
server, and use whatever proxy settings are needed to get out.

Instant revocation is another matter.  Our approach provides for timed
revocation on workstations (due to limitations fundamental to pull
mode), and instant revocation on servers (since push allows for it).

> Now, if only we had such a technology...

We sell it, more or less as described.

> Some suggestions that come to mind would be everything from a
> toaster-like device placed at the client site to a certificate based
> credential system come to mind. Hybrid ideas also entertained. Plenty
> of pros and cons for each, such as the ability to have something
> tangible at the client site that can also be a multi-functional device
> and can work semi-autonomously to monitor even if the WAN link goes
> away (different issues can be monitored.) It can also provide the 8th
> layer with a sense of investment and partnership. Downside is that
> it's more to manage and monitor. But that can be mitigated by allowing
> it to be gasp sales person installable meaning that if something
> goes wrong with the device, then you roll a salesperson to replace it.
>
> That gives the salesperson reason to have more facetime with the
> client and gives a chance to sell more business.

A service on each client device is probably cheaper than yet another
machine at the client site, if you're managing lots of small-ish
clients...  Of course, you pointed to other, unrelated but quite useful
functionality above, such as WAN link monitoring.

> The conversation could be longer, but I'm sure that a solution is
> possible that fits many of the criteria defined. Because the original
> problem scope is to remove the administrative access, using a hybrid
> solution that relies on certificates and a toaster item would be more
> likely. The details and pricing would need to be hammered out in such
> a way that the final solution is reliable, inexpensive (drive
> adoption), and easy to use (dumb down the interface such that your
> salesforce or interns could deploy or you could even just drop ship
> one to the client and they could hook it up in 5 steps or less -
> similar to voip device installation in that sense.)

Personally, I'm not big on appliances (toasters) -- in the end they
are mostly just cheap Intel/AMD boxes, but without the hardware support
that Dell/HP/IBM offer.  Niche market vendors really can't offer the
kind of hardware support that these huge 

RE: [ActiveDir] Strange password issue

2006-09-07 Thread petter.borling



UAC bitmask is 32. A normal user then gets UAC = 544.

Try doing an LDAP query for
(&(objectClass=user)(userAccountControl=544))
You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.

Note: if the option "password not required" is set, then you can either have a blank password or comply with the password policy in the default domain GPO.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! : (

Following on from the last mail…

You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this?

If you test this, when you set the policy to zero it says no password required (in the Window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account.

To rehash-

The Default Domain Policy is set to min password length - 6 characters.
This was created 2 years ago and never changed.
User account is a domain account created a month ago.
It was brought to my attention that the user can log in with no password.
I confirmed.
The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks




On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the account was created a month ago..

Maybe the PC is not getting the Default Domain Policy?





On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm having this weird issue where I have a user account who is able to log in with a blank password.
The Default Domain Policy is set to a min password length of 6 characters.
The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks

2006-09-06, 11:32:05
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.

RE: [ActiveDir] NTFRS - Journal Wrap Errors

2006-09-07 Thread Kurt Falde

If you only have a single DC then you should utilize D4 for an authoritative restore as its own contents are the valid contents and there is nowhere else to pull from. You may need to restart FRS or possibly run a D2 on the new DC to get FRS replicating on that server as well. Check out downloading Sonar.exe for viewing FRS stats so that you can see if your backlogged files start replicating between the DCs once you do this. FRSdiag is also useful if you need to troubleshoot as well.

Sonar
http://www.microsoft.com/downloads/details.aspx?FamilyID=158cb0fb-fe09-477c-8148-25ae02cf15d8&DisplayLang=en

FRSdiag
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=43CB658E-8553-4DE7-811A-562563EB5EBF

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Burg
Sent: Thursday, September 07, 2006 1:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFRS - Journal Wrap Errors

Hi-

I am new to the list and was hoping someone could help with an ugly situation I was brought in to clean up:

I am working with a W2K native mode domain with only ONE active domain controller (W2K SP4). There is a second DC, but it was brought on-line after the journal wrap errors (Event 13568) began and has never replicated sysvol (doesn't even exist on the box). It appears AD and such are working with the new DC... just not NTFRS.

The original DC does have sysvol and appears to be working to authenticate clients as normal. I need to get the journal wrap errors resolved so I can bring the second DC on-line, transfer FSMO roles and get the old box rebuilt since it doesn't even have redundant drives - Yikes!

Everything I have read says to do a D2 non-authoritative restore, but since I only have the one DC, where would it restore from? I have run an NT backup of c:\ and system state to try and get some comfort, but still am afraid of making matters worse.

Any suggestions/recommendations would be very much appreciated... I would like to get this cleaned up this week!

Thanks so much,

Aaron

[EMAIL PROTECTED]

Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-07 Thread Jaspreet Singh
Hi Ravi,
Are you talking about your own company or is it for someone else's scenario?
If it is for your own company then:
1) VPN box is CISCO PIX 515e
2) Your VPN box forwards all DNS queries to your DC/primary DNS server.
3) As far as I remember it does register machines (as the moment your machine comes to the domain and gets an IP from the domain it would register with DNS)

Now I am a bit perplexed... what seems to be the problem here?

Regards,
Jaspreet Singh Jolly

On 9/6/06, Ravi Dogra [EMAIL PROTECTED] wrote:
> 1. I didn't understand what exactly u r asking?
> 2. Yes DHCP is configured properly.
> 3. Yes it is running on DC
> 4. No, not running any other credential.
> 5. VPN Machine is entirely a different BOX on other site.
> 6. It doesn't register in my DNS. (Will extract other information from Site B Admin) update you very soon...
> Thanks
> RD

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams



But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

> UAC bitmask is 32. A normal user then gets UAC = 544.
>
> Try doing an LDAP query for
> (&(objectClass=user)(userAccountControl=544))
> You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.
>
> Note: if the option "password not required" is set, then you can either have a blank password or comply with the password policy in the default domain GPO.
  
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Paul 
  WilliamsSent: den 6 september 2006 21:35To: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Strange 
  password issue
  
  
  Pressed send 
  before I finished typing! : (
  
  Following on from 
  the last mail…
  
  You can, however, 
  modify the policy so that you can have shorter passwords, create the user, and 
  then change the password policy back. Perhaps someone did 
  this?
  
  If you test this, 
  when you set the policy to zero it says no password required (in the 
  Window).
  
  
  --Paul
  
  
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Al 
  MulnickSent: 06 September 
  2006 19:28To: 
  ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Strange password 
  issue
  
  From what I recall, if the password 
  is not required, then there's no need to check the minimum length. Since 
  it would be overridden at the user object level, that does not affect the 
  domain. I don't recall the UAC bitmask, and I'm not going to figure it 
  out at the moment. I'll take your word that the password not required is 
  true for this user. If you remove that setting (i.e. require the user 
  to have a password) then that password would, by policy, have to be at least 6 
  chars in length. 
  
  On 9/6/06, Tom Kern [EMAIL PROTECTED] 
  wrote:
  
  
  This is a domain 
  account.
  
  
  
  To rehash-
  
  
  
  The Default Domain Policy is set to min password 
  length- 6 charcters.
  
  This was created 2 years ago and never 
  changed.
  
  User account is a domain account created a month 
  ago.
  
  It was bought to my attention that the user can log in 
  with no password.
  
  I confirmed.
  
  The userAccountControl attribute of the user object 
  was set to 512(not that i'm certain if setting the passwd_notreqd overrides 
  the DDP).
  
  The domain/forest is at w2k3 
  FL.
  
  
  
  Thanks
  
  
  
  
  On 9/6/06, Laura A. Robinson [EMAIL PROTECTED]  wrote: 
  
  
  
  
  Impossible/irrelevant.If 
  it's a domain account, the policy applies regardless, because the account is 
  stored in AD. If it's a local account, then the policy doesn't apply 
  regardless; domain account policies don't apply to local accounts. Is this a 
  local account or a domain account? 
  
  
  
  Laura
  





From: [EMAIL PROTECTED] [mailto: 
[EMAIL PROTECTED]] On Behalf Of Tom 
Kern

Sent: 
Wednesday, September 06, 2006 11:44 AMTo: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Strange 
password issue
  
  
  If you mean before the policy was set up, then, 
  no.
  
  This policy has been in effect for acouple 
  ofyears and the account was created a month 
  ago..
  
  
  
  Maybe the PC is not getting the Default Domain 
  Policy?
  
  
  
  
  
  On 9/6/06, Williams, Robert [EMAIL PROTECTED]  
  wrote: 
  
  
  
  Tom,
  
  This is just a stab 
  in the dark but is it possible that this user's password was set prior to the 
  Default Domain Policy being in effect? 
  
  Robert 
  Williams
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Wednesday, September 06, 2006 9:39 
  AMTo: 
  activedirectorySubject: 
  [ActiveDir] Strange password issue
  
  
  
  I'm having this weird issue where I have a user 
  account who is able to log in with a blank 
  password.
  
  The Default Domain Policy is set to a min password 
  length of 6 characters.
  
  The userAccountControl on the user is set to 
  512.
  
  
  
  The 

RE: [ActiveDir] Strange password issue

2006-09-07 Thread Almeida Pinto, Jorge de
Yes, there is.
 
The password policy is checked as soon as the password entered (using 
characters) is written into the directory, whether it is a new password or a 
changed password.
If a password hash is written into the directory the system cannot check if the 
password that generated the hash meets the password policy or not. Migration 
tools like ADMT and Quest DMW migrate passwords by migrating the hash and not 
the actual password. For those accounts that were migrated, the password policy 
comes into effect as soon as the user is forced to change the password, but 
until that time
 
You mention Quest's migration tool. Are you saying the user was migrated from 
another forest/domain outside the existing forest and where it was created 
using ADUC?
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 2006-09-06 16:38
To: activedirectory
Subject: [ActiveDir] Strange password issue


I'm having this weird  issue where I have a user account who is able to log in 
with a blank password.
The Default Domain Policy is set to a min password length of 6 characters.
The userAccountControl on the user is set to 512.
 
The Domain is at win2k3 DFL and FFL.
 
Is there any other way besides a migration tool like Quest that could 
circumvent this policy and allow blank passwords?
 
Thanks


This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
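
A worked version of the check and cleanup this thread circles around, added here as an example; it is not code from any of the posts. It assumes the ActiveDirectory PowerShell module (RSAT) and an account allowed to modify the users it finds; the search base is a placeholder. It uses Paul's filter (objectCategory=person plus the bitwise-AND matching rule OID 1.2.840.113556.1.4.803) rather than petter's equality test on 544, so the bit is found whatever other flags the account carries, and it follows Jorge's point that the domain password policy is only evaluated when a password is written: clearing PASSWD_NOTREQD does not retroactively validate a blank password, so the script also forces a change at next logon.

```powershell
# Added example (not from any post in this thread). Assumes the ActiveDirectory
# module (RSAT) and an account permitted to modify the users it finds.
Import-Module ActiveDirectory

# userAccountControl bits discussed in the thread: 512 (NORMAL_ACCOUNT) + 32 = 544
$PASSWD_NOTREQD = 0x0020   # 32

# Paul's filter: objectCategory=person keeps computer objects out, and the
# bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) matches whenever bit 32
# is set, whatever the other flags are, so 544, 66080, 66082 ... are all caught.
# An equality test on 544 would miss every one of those except the plain case.
$filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))'

$searchBase = 'DC=example,DC=com'   # placeholder, adjust to the domain or OU

$hits = Get-ADUser -LDAPFilter $filter -SearchBase $searchBase `
            -Properties userAccountControl, PasswordLastSet, Enabled

# Report. PasswordLastSet helps spot accounts whose hash arrived through a
# migration tool (Jorge's point): the policy was never evaluated for those.
$hits |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, Enabled,
        @{ n = 'UAC';             e = { [int]$_.userAccountControl } },
        @{ n = 'PwdNotReqd';      e = { ([int]$_.userAccountControl -band $PASSWD_NOTREQD) -ne 0 } },
        @{ n = 'PasswordLastSet'; e = { $_.PasswordLastSet } } -AutoSize

# Remediation. Clearing the bit does not re-check the existing (possibly blank)
# password: the policy is only applied when a new password is written. So also
# force a change at next logon, which is when a compliant password gets set.
# Remove -WhatIf once the list above has been reviewed.
foreach ($u in $hits) {
    Set-ADAccountControl -Identity $u -PasswordNotRequired $false -WhatIf
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf
}
```

Two caveats: Set-ADUser -ChangePasswordAtLogon is refused for accounts flagged PasswordNeverExpires, so clear that first where it applies; and an account whose blank password came in as a migrated hash will not show the bit at all, which is why the report lists PasswordLastSet rather than relying on userAccountControl alone.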

[ActiveDir] ADAM

2006-09-07 Thread James Carter
Hello - I know Microsoft ADAM supports LDAP referrals but I wanted to know if it's possible to create them and if so how. I'd like to create a container in the directory that returns contents based on a referral to another part of the directory.
Thanks
Jim

RE: [ActiveDir] NTFRS - Journal Wrap Errors

2006-09-07 Thread Aaron Burg
Ok... Can someone tell me what happens if I do the D2 and it doesn't work? Am I 
where I am right now, or will the current sysvol share be removed? What about 
the D4? 

How long do these take in a very small domain?

Will a system state/AD restore get me back to where I am now?

I am trying to give the business their options/risks since this problem has 
been going on long before I arrived on the scene...

Thanks
Aaron
-Original Message-
From: Kurt Falde [EMAIL PROTECTED]
Date: Thursday, Sep 7, 2006 3:51 am
Subject: RE: [ActiveDir] NTFRS - Journal Wrap Errors

   
> If you only have a single DC then you should utilize D4 for an authoritative restore as its own contents are the valid contents and there is nowhere else to pull from. You may need to restart FRS or possibly run a D2 on the new DC to get FRS replicating on that server as well. Check out downloading Sonar.exe for viewing FRS stats so that you can see if your backlogged files start replicating between the DCs once you do this. FRSdiag is also useful if you need to troubleshoot as well.
>
> Sonar
> http://www.microsoft.com/downloads/details.aspx?FamilyID=158cb0fb-fe09-477c-8148-25ae02cf15d8&DisplayLang=en
>
> FRSdiag
> http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=43CB658E-8553-4DE7-811A-562563EB5EBF
>
> Kurt Falde
   


RE: [ActiveDir] NTFRS - Journal Wrap Errors

2006-09-07 Thread Scott, Anthony
Demote the second DC first, just concentrate on getting the first DC
working. Then do the D4 on the first DC. Wait a while to verify
it worked. Re-promote the second DC.

 
Thanks,
Anthony 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Burg
Sent: Thursday, September 07, 2006 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTFRS - Journal Wrap Errors

Ok... Can someone tell me what happens if I do the D2 and it doesn't
work? Am I where I am right now, or will the current sysvol share be
removed? What about the D4? 

How long do these take in a very small domain?

Will a system state/AD restore get me back to where I am now?

I am trying to give the business their options/risks since this problem
has been going on long before I arrived on the scene...

Thanks
Aaron

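The D4/D2 procedure the replies above refer to, written out as an added example; it is not code from any post in this thread. It assumes the documented FRS BurFlags registry value (Microsoft KB 290762: D4 = authoritative, D2 = non-authoritative) and Windows PowerShell on the DC; the backup path is a placeholder. It answers Aaron's "what if it doesn't work" question the practical way: copy SYSVOL before touching FRS. A D2 does not delete the existing replica, it moves it to an NtFrs_PreExisting___See_EventLog folder and rebuilds from a partner, but with only one good DC there is no partner, which is exactly why Kurt says D4 on that box (and D2 on, or demote/re-promote of, the other one, as Anthony suggests). Success is event 13516 in the File Replication Service log; 13568 is the journal-wrap error itself.

```powershell
# Added example (not from any post in this thread). Run in an elevated PowerShell
# on the affected DC. BurFlags values are the documented ones (KB 290762):
#   D4 = authoritative (this DC's SYSVOL wins), D2 = non-authoritative (pull from a partner).
param(
    [ValidateSet('D4', 'D2')]
    [string]$Mode = 'D4',
    [string]$BackupRoot = 'C:\SysvolBackup'   # placeholder path, adjust
)

$burFlags = @{ D4 = 0xD4; D2 = 0xD2 }
$burKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$sysvol   = Join-Path $env:SystemRoot 'SYSVOL'
$frsLog   = 'File Replication Service'

# 1. File-level copy of SYSVOL before touching FRS. A D2 moves the current replica
#    into NtFrs_PreExisting___See_EventLog rather than deleting it, but a copy you
#    made yourself is the one you can actually restore from if things go sideways.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot "SYSVOL-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null
robocopy $sysvol $dest /E /COPYALL /R:1 /W:1 /NP | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures ($LASTEXITCODE); aborting before any FRS change" }

# 2. Snapshot recent FRS events for the change record (13568 = journal wrap,
#    13508/13509 = partner communication lost/restored, 13516 = SYSVOL shared).
Get-EventLog -LogName $frsLog -Newest 25 |
    Where-Object { 13508, 13509, 13516, 13568 -contains $_.EventID } |
    Select-Object TimeGenerated, EventID |
    Format-Table -AutoSize

# 3. Set BurFlags while FRS is stopped, then restart it. FRS reads the value on
#    start-up and resets it to 0 itself once the reinitialisation has begun.
$started = Get-Date
Stop-Service -Name NtFrs -Force
Set-ItemProperty -Path $burKey -Name BurFlags -Type DWord -Value $burFlags[$Mode]
Start-Service -Name NtFrs

# 4. Wait for event 13516 ("no longer preventing the computer from becoming a
#    domain controller"), which is the signal that SYSVOL is shared again.
$deadline = $started.AddMinutes(20)
$done = $false
while (-not $done -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30
    $done = [bool](Get-EventLog -LogName $frsLog -After $started |
                   Where-Object { $_.EventID -eq 13516 })
}
if (-not $done) { throw "No event 13516 within 20 minutes; read the FRS log before doing anything else" }

# 5. Confirm the shares are back; clients need both to apply Group Policy.
net share | Select-String -Pattern '^(SYSVOL|NETLOGON)\s'
```

Before running it with D4, confirm on that DC that SYSVOL\domain\Policies actually contains the GPOs you expect, because D4 declares whatever is there to be the truth for the whole domain. If the second DC is kept rather than demoted, run the same script on it with -Mode D2 only after the first DC has logged 13516.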

[ActiveDir] aexp.asp Changing user password via web

2006-09-07 Thread Ramon Linan
Hi,

When you deploy MS Exchange it also installs a bunch of ASP scripts in
IIS.
For instance MS iisadmpwd/aexp.asp that allows users to change their
password via browser!!

I was wondering how secure it is to have these scripts accessible from
the internet?

Any suggestion?

Rezuma


Re: [ActiveDir] Strange password issue

2006-09-07 Thread AFidel

This brings up a very good point, HOW
is it checking the password length? As we pointed out earlier once the
hash is created there should not be a way to easily check the password
length.

Andrew Fidel





Paul Williams [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/07/2006 07:35 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

> But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.
>
> p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.
>
> (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))
>
> Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.
>
> --Paul

[ActiveDir] OT: uptime.exe in a 2003/sp1 world - problem

2006-09-07 Thread Thommes, Michael M.

Hi,

I have moved a job that employs uptime.exe (in
a loop using the FOR command) from a Windows 2000/SP4 server to a Windows
2003/SP1 server. Now part way through the job, I get:

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 9/7/2006
Time: 9:29:36 AM
User: N/A
Computer: ODDJOB221
Description:
Application popup: UPTIME.EXE - Application Error : The
instruction at 0x7c837cf5 referenced memory at
0xfffd. The memory could not be read.

Click on OK to terminate the program
Click on CANCEL to debug the program

For more information, see Help and Support Center
at http://go.microsoft.com/fwlink/events.asp.

Any thoughts? TIA!

Mike Thommes


Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-07 Thread Al Mulnick
1. I Didn't understand what exactly u r asking?
2. Yes DHCP Is configured properly.
That's not what I asked. I asked if it's updating the records for the device or is it letting the devices update their own? 


Al
On 9/6/06, Ravi Dogra [EMAIL PROTECTED] wrote:
1. I Didn't understand what exactly u r asking?
2. Yes DHCP Is configured properly.
3. Yes it is running on DC
4. No, not running any other credential.
5. VPN Machine is entirely a different BOX on other site.
6. It doesn't register in my DNS. (Will extract other information from Site B Admin)
update you very soon...
Thanks
RD
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams



Does it have a hash though? There's 
no password. It's null.

I don't know the answer to that. It 
could, I suppose, pad it out but...who knows?


--Paul

  - Original Message - 
  From: [EMAIL PROTECTED] 
  To: ActiveDir@mail.activedir.org 
  Cc: ActiveDir@mail.activedir.org ; [EMAIL PROTECTED] 
  Sent: Thursday, September 07, 2006 3:10 PM
  Subject: Re: [ActiveDir] Strange password issue

  This brings up a very good point, HOW is it checking the password length? As we pointed out earlier once 
  the hash is created there should not be a way to easily check the password 
  length. 

  Andrew Fidel 

  "Paul Williams" [EMAIL PROTECTED] 
  Sent by: [EMAIL PROTECTED] 
  09/07/2006 07:35 AM 
  Please respond to ActiveDir@mail.activedir.org
  To: ActiveDir@mail.activedir.org 
  cc: 
  Subject: Re: [ActiveDir] Strange password issue

  But you cannot set UAC to 512 if the password is blank, 
  as it doesn't comply with the password policy. Try it. The other 
  half of my post shows the error. I also tried it through the GUI 
  (ADSIEDIT gives errors that are easier on the eyes, although less specific) 
  and it said it wasn't compliant with the security policy, so it is checking 
  the password when you do this.

  p.s. your query, while illustrating the point, isn't 
  really appropriate. The following is how you should be looking for 
  people with this bit set.

  (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32)) 

  Remember, unless you've made it so, objectClass isn't 
  indexed and although UAC is, this also applies to non-people objects, e.g. 
  computers.

  --Paul

  - Original Message - 
  From: [EMAIL PROTECTED] 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, September 07, 2006 11:35 AM 
  Subject: RE: [ActiveDir] Strange password issue

  UAC bitmask is 32. A normal user then gets UAC = 544. Try doing a ldap query for 
  (&(objectClass=user)(useraccountcontrol=544)) 
  You could then modify the attribute to 512 on these users 
  either with adsiedit or in a nice tool such as ADModify.net. Note: if the 
  option password not required is set. Then you can either have a blank password 
  or comply with the password policy in defdom GPO.

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: den 6 september 2006 21:35
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue

  Pressed send before I finished typing! : ( 

  Following on from the last mail… 

  You can, however, modify the policy so that 
  you can have shorter passwords, create the user, and then change the password 
  policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password 
  required (in the Window).

  --Paul

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: 06 September 2006 19:28
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue

  From what I recall, if the password is not required, then there's no need to check the 
  minimum length. Since it would be overridden at the user object level, 
  that does not affect the domain. I don't recall the UAC bitmask, and 
  I'm not going to figure it out at the moment. I'll take your word that 
  the password not required is true for this user. If you remove that 
  setting (i.e. require the user to have a password) then that password would, 
  by policy, have to be at least 6 chars in length.

  On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:
  This is a domain account.

  To rehash-
  The Default Domain Policy is set to min password length- 6 characters.
  This was created 2 years ago and never changed.
  User account is a domain account created a month ago.
  It was brought to my attention that the user can log in with no password.
  I confirmed.
  The userAccountControl attribute of the user object was set to 512 (not that I'm 
  certain if setting the passwd_notreqd overrides the DDP).
  The domain/forest is at w2k3 FL.

  Thanks

  On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:
  Impossible/irrelevant. If it's a domain account, the policy 
  applies regardless, because the account is stored in AD. If it's a local 
  account, then the policy doesn't apply regardless; domain account policies 
  don't apply to local accounts. Is this a local account or a domain account? 

  Laura

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 11:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange 
  

Re: [ActiveDir] Is a Global Security group being used?

2006-09-07 Thread Mark Parris
The question was a way - not the best way. This method was actually 
suggested by MS at TechED one year, so I am not totally insane.
-Original Message-
From: Laura A. Robinson [EMAIL PROTECTED]
Date: Wed, 06 Sep 2006 13:44:53 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

While that's an interesting approach, unless this is a very small environment 
(as in, there's no help desk that's going to be baffled by the screaming and no 
multi-gazillionaire CXOs who are going to be doing the screaming), that might 
not be such a good idea. ;-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Wednesday, September 06, 2006 1:18 PM
 To: ActiveDir.org
 Subject: Re: [ActiveDir] Is a Global Security group being used?
 
 Change it to a Distribution Group and see who screams - if 
 anyone does change it back to a security group again.
 
 M.
 
 -Original Message-
 From: Figueroa, Johnny [EMAIL PROTECTED]
 Date: Wed, 6 Sep 2006 09:43:58
 To:ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Is a Global Security group being used?
 
 Does anyone have a way to determine if a domain global group 
 is being used?. Will auditing on the DCs tell me this? 
   
 Thanks in advance. 
   
 Johnny Figueroa
 



[ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Danny
Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account have disappeared. This has happened to new and existing users.

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,

...D


RE: [ActiveDir] Separate Administrator password policy

2006-09-07 Thread Laura A. Robinson
Or use smartcards.

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Thursday, September 07, 2006 6:35 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Separate Administrator password policy
 
 Why not use certificates or rsa for admin accounts?
 IF you have a pki environment that would be my suggestion. 
 Then only then default administrator account would be 
 insecure. But that can be mitigated with very long password.
 
 An other option is to put admin accounts in a separate child 
 or top domain.
 
 /petter borling
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: den 7 september 2006 05:54
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Separate Administrator password policy
 
 Hi Al,
 
 All good questions.  I'll answer here, but if it starts to 
 get hairy, lets take it offline (same as my post to Susan - I 
 don't want this to become a deep discussion of our product on 
 the list).
 
 Not to pick, but it occurs to me that you're trying to complicate the 
 problem.  While I agree that changing the passwords every 24 hours 
 (whatever freq works is likely going to be fine), is not a bad idea, 
 it has the likely problem of being very problematic.  This is similar 
 to a push vs. pull paradigm and if looked at that way, you have 
 similar issues such as connectivity and reliability.  i.e. how do you 
 ensure that the password change was successful if there's a network
 outage? Or just a network blip?
 Is it important that you do so is assumed from the previous 
 information to date.
 
 100% reliability is mandatory in this kind of app.  Funny 
 that you raise push vs. pull, as we have two modes of 
 operations, called push and pull.
 :-)  We push passwords to server-class target systems 
 (e.g., AD, mainframes, whatever), and pull password changes 
 from workstations (i.e., the workstations push to the 
 server).  The handshake used ensures that password changes 
 are 100% reliable - we abort if there isn't a connection, 
 etc.; and password history is retained just in case something 
 went wrong anyways.
 
 A solution that scales up, down, or laterally is appropriate.  
 Something that allows an account to traverse the different sites, 
 possibly into the hundreds or even thousands, and allows almost 
 instant revocation of the user account with administrative privileges 
 should that become necessary during the course of normal business.
 
 Scaling is easy enough - just arrange for different devices, 
 of which there may be tens of thousands, to contact a central 
 server at somewhat randomized times, and keep trying in case 
 of powerdown, connection failures, etc. etc.  This eliminates 
 nasty traffic bursts.
 
 Traversing sites is easy too - use HTTPS to connect to the 
 central server, and use whatever proxy settings are needed to 
 get out.
 
 Instant revocation is another matter.  Our approach provides 
 for timed revocation on workstations (due to limitations 
 fundamental to pull mode), and instant revocation on servers 
 (since push allows for it).
 
 Now, if only we had such a technology...
 
 We sell it, more or less as described.
 
 Some suggestions that come to mind would be everything from a 
 toaster-like device placed at the client site to a certificate based
 credential system come to mind. Hybrid ideas also entertained. Plenty 
 of pros and cons for each, such as the ability to have something 
 tangible at the client site that can also be a multi-functional device
 and can work semi-autonomously to monitor even if the WAN link goes 
 away (different issues can be monitored.) It can also provide the 8th 
 layer with a sense of investment and partnership.  Downside is that 
 it's more to manage and monitor. But that can be mitigated by allowing
 it to be gasp sales person installable meaning that if something 
 goes wrong with the device, then you roll a salesperson to replace it.
 That gives the salesperson reason to have more facetime with the
 client and gives a chance to sell more business.
 
 A service on each client device is probably cheaper than yet 
 another machine at the client site, if you're managing lots 
 of small-ish clients...  Of course, you pointed to other, 
 unrelated but quite useful functionality above, such as WAN 
 link monitoring.
 
 The conversation could be longer, but I'm sure that a solution is 
 possible that fits many of the criteria defined.  Because the original
 problem scope is to remove the administrative access, using a hybrid 
 solution that relies on certificates and a toaster item would be more 
 likely.  The details and pricing would need to be hammered out in such
 a way that the final solution is reliable, inexpensive (drive 
 adoption), and easy to use (dumb down the interface such that 

RE: [ActiveDir] Strange password issue

2006-09-07 Thread Laura A. Robinson



Since 
the OP has said that the accounts' UAC flags are 512, not 544, the entire 
discussion around this is moot.

BTW, 
did anybody notice if my post about the 512/544 value hit the list yesterday? I 
don't remember seeing it and am wondering if I actually sent it. 
:-)

Thanks,

Laura

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: Thursday, September 07, 2006 7:36 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue
  
  But you cannot set UAC to 512 if the 
  password is blank, as it doesn't comply with the password policy. Try 
  it. The other half of my post shows the error. I also tried it 
  through the GUI (ADSIEDIT gives errors that are easier on the eyes, although 
  less specific) and it said it wasn't compliant with the security policy, so it 
  is checking the password when you do this.
  
  p.s. your query, while illustrating the 
  point, isn't really appropriate. The following is how you should be 
  looking for people with this bit set.
  
  (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))
  
  
  Remember, unless you've made it so, 
  objectClass isn't indexed and although UAC is, this also applies to non-people 
  objects, e.g. computers.
  
  
  --Paul
  
- Original Message - 
From: 
[EMAIL PROTECTED] 

To: ActiveDir@mail.activedir.org 

Sent: Thursday, September 07, 2006 
11:35 AM
Subject: RE: [ActiveDir] Strange 
password issue

UAC bitmask is 32. A normal user then gets UAC = 
544. 
Try doing a ldap query for 
(&(objectClass=user)(useraccountcontrol=544)) 
You could then modify the attribute to 512 on these 
users either with adsiedit or in a nice tool such as 
ADModify.net.

Note: if the option password not required is set. 
Then you can either have a blank password or comply with the password policy 
in defdom GPO.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


Pressed send 
before I finished typing! : (

Following on 
from the last mail

You can, 
however, modify the policy so that you can have shorter passwords, create 
the user, and then change the password policy back. Perhaps someone 
did this?

If you test 
this, when you set the policy to zero it says no password required (in the 
Window).


--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password 
is not required, then there's no need to check the minimum length. 
Since it would be overridden at the user object level, that does not affect 
the domain. I don't recall the UAC bitmask, and I'm not going to 
figure it out at the moment. I'll take your word that the password not 
required is true for this user. If you remove that setting (i.e. 
require the user to have a password) then that password would, by policy, 
have to be at least 6 chars in length. 


On 9/6/06, Tom Kern [EMAIL PROTECTED] 
wrote:


This is a domain 
account.



To rehash-



The Default Domain Policy is set to min password 
length- 6 characters.

This was created 2 years ago and never 
changed.

User account is a domain account created a month 
ago.

It was brought to my attention that the user can log 
in with no password.

I confirmed.

The userAccountControl attribute of the user object 
was set to 512 (not that I'm certain if setting the passwd_notreqd overrides 
the DDP).

The domain/forest is at w2k3 
FL.



Thanks




On 9/6/06, Laura A. Robinson [EMAIL PROTECTED]  wrote: 




Impossible/irrelevant. If 
it's a domain account, the policy applies regardless, because the account is 
stored in AD. If it's a local account, then the policy doesn't apply 
regardless; domain account policies don't apply to local accounts. Is this a 
local account or a domain account? 



Laura

  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 11:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, 
no.

This policy has been in effect for a couple 
of years and the 
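An added example, not code from the thread: a small Python simulation of how the two filters discussed above evaluate against userAccountControl values, showing why the equality query for 544 misses any account that has PASSWD_NOTREQD together with other flags, while the bit-AND matching rule Paul gives catches them all. The flag values are the documented UAC bits; the sample entries and account names are constructed, and the two `match_*` functions only imitate how a DC evaluates each filter.

```python
# Added example (not code from the thread). Simulates how the two LDAP
# filters discussed above evaluate against userAccountControl (UAC) values.
# Flag values are the documented UAC bits; the "directory" is constructed.

# Documented userAccountControl flag bits (subset), keyed by bit value.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible-match rule used in the thread.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample entries: (sAMAccountName, objectCategory, userAccountControl).
SAMPLE_ENTRIES = [
    ("tkern",   "person",   NORMAL_ACCOUNT),                                         # 512
    ("jdoe",    "person",   NORMAL_ACCOUNT | PASSWD_NOTREQD),                        # 544
    ("svc-app", "person",   NORMAL_ACCOUNT | PASSWD_NOTREQD | DONT_EXPIRE_PASSWORD), # 66080
    ("olduser", "person",   NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE),       # 546
    ("WKS01$",  "computer", WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD),             # 4128
]


def decode_uac(uac: int) -> list[str]:
    """Name every known flag set in a UAC value, lowest bit first.

    512 is just NORMAL_ACCOUNT; 544 is NORMAL_ACCOUNT plus PASSWD_NOTREQD.
    """
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def bit_and_filter(flag: int, persons_only: bool = True) -> str:
    """Build the filter form recommended in the thread for a given UAC bit.

    objectCategory is indexed by default (objectClass is not unless you index
    it), so it is the clause a DC can narrow on; drop it to include computers.
    """
    category = "(objectCategory=person)" if persons_only else ""
    return (f"(&{category}(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag}))")


def match_equality(entries, value: int) -> list[str]:
    """Simulate (userAccountControl=value): exact numeric equality only."""
    return [name for name, _cat, uac in entries if uac == value]


def match_bit_and(entries, flag: int, persons_only: bool = True) -> list[str]:
    """Simulate the :1.2.840.113556.1.4.803:= rule: every bit of `flag` must be set.

    Extra flags on the account (disabled, password never expires, ...) do not
    prevent a match, which is exactly what the equality filter gets wrong.
    """
    return [name for name, cat, uac in entries
            if (uac & flag) == flag and (cat == "person" or not persons_only)]


if __name__ == "__main__":
    print("equality 544  :", match_equality(SAMPLE_ENTRIES, 544))
    print("bit-and 32    :", match_bit_and(SAMPLE_ENTRIES, PASSWD_NOTREQD))
    print("incl. computers:", match_bit_and(SAMPLE_ENTRIES, PASSWD_NOTREQD, persons_only=False))
    print(bit_and_filter(PASSWD_NOTREQD))
```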

RE: [ActiveDir] Is a Global Security group being used?

2006-09-07 Thread Patrick Parker
We met with the Microsoft Identity and Access Management product group recently 
and this was mentioned as the method used internally.

Patrick


Patrick Parker . The Dot Net Factory . (877) 996-4276 . [EMAIL PROTECTED]
EmpowerID for Microsoft Active Directory & ADAM – Manage . Collaborate . Empower

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 07, 2006 11:41 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] Is a Global Security group being used?

The question was a way - not the best way. This method was actually 
suggested by MS at TechED one year, so I am not totally insane.
-Original Message-
From: Laura A. Robinson [EMAIL PROTECTED]
Date: Wed, 06 Sep 2006 13:44:53
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

While that's an interesting approach, unless this is a very small environment 
(as in, there's no help desk that's going to be baffled by the screaming and no 
multi-gazillionaire CXOs who are going to be doing the screaming), that might 
not be such a good idea. ;-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Wednesday, September 06, 2006 1:18 PM
 To: ActiveDir.org
 Subject: Re: [ActiveDir] Is a Global Security group being used?
 
 Change it to a Distribution Group and see who screams - if anyone does 
 change it back to a security group again.
 
 M.
 
 -Original Message-
 From: Figueroa, Johnny [EMAIL PROTECTED]
 Date: Wed, 6 Sep 2006 09:43:58
 To:ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Is a Global Security group being used?
 
 Does anyone have a way to determine if a domain global group is being 
 used?. Will auditing on the DCs tell me this?
   
 Thanks in advance. 
   
 Johnny Figueroa
 

RE: [ActiveDir] Strange password issue

2006-09-07 Thread WATSON, BEN

Yep, your e-mail definitely hit the list.

I'm confused as to why the 512 UAC flag is making anybody
think that passwd_notreqd is set. A setting of 512 indicates a normal account.
544 would indicate a normal account with passwd_notreqd set.

Laura

If that is the e-mail you are talking about.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, September 07, 2006 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Since the OP has said that the accounts' UAC flags are 512, not
544, the entire discussion around this is moot.

BTW, did anybody notice if my post about the 512/544 value hit the
list yesterday? I don't remember seeing it and am wondering if I actually sent
it. :-)

Thanks,

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it
doesn't comply with the password policy. Try it. The other half of
my post shows the error. I also tried it through the GUI (ADSIEDIT gives
errors that are easier on the eyes, although less specific) and it said it wasn't
compliant with the security policy, so it is checking the password when you do
this.

p.s. your query, while illustrating the point, isn't really
appropriate. The following is how you should be looking for people with
this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed and
although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544.
Try doing a ldap query for
(&(objectClass=user)(useraccountcontrol=544))
You could then modify the attribute to 512 on these users either
with adsiedit or in a nice tool such as ADModify.net.

Note: if the option password not required is set. Then you can
either have a blank password or comply with the password policy in defdom GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! : (

Following on from the last mail

You can, however, modify the policy so that you can have shorter
passwords, create the user, and then change the password policy back.
Perhaps someone did this?

If you test this, when you set the policy to zero it says no
password required (in the Window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the
minimum length. Since it would be overridden at the user object level,
that does not affect the domain.

I don't recall the UAC bitmask, and I'm not going to figure it out at the
moment. I'll take your word that the password not required is true for
this user.

If you remove that setting (i.e. require the user to have a password) then that
password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account.

To rehash-

The Default Domain Policy is set to min password length- 6 characters.
This was created 2 years ago and never changed.
User account is a domain account created a month ago.
It was brought to my attention that the user can log in with no password.
I confirmed.
The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd
overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy
applies regardless, because the account is stored in AD. If it's a local
account, then the policy doesn't apply regardless; domain account policies
don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up,

RE: [ActiveDir] Is a Global Security group being used?

2006-09-07 Thread Laura A. Robinson
I didn't say you were insane, just that this might not be the best idea. :-) I 
won't comment on what we say at TechEd. ;-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Thursday, September 07, 2006 11:41 AM
 To: ActiveDir.org
 Subject: Re: [ActiveDir] Is a Global Security group being used?
 
 The question was a way - not the best way. This method 
 was actually suggested by MS at TechED one year, so I am not 
 totally insane.
 -Original Message-
 From: Laura A. Robinson [EMAIL PROTECTED]
 Date: Wed, 06 Sep 2006 13:44:53
 To:ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is a Global Security group being used?
 
 While that's an interesting approach, unless this is a very 
 small environment (as in, there's no help desk that's going 
 to be baffled by the screaming and no multi-gazillionaire 
 CXOs who are going to be doing the screaming), that might not 
 be such a good idea. ;-)
 
 Laura 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
  Sent: Wednesday, September 06, 2006 1:18 PM
  To: ActiveDir.org
  Subject: Re: [ActiveDir] Is a Global Security group being used?
  
  Change it to a Distribution Group and see who screams - if 
 anyone does 
  change it back to a security group again.
  
  M.
  
  -Original Message-
  From: Figueroa, Johnny [EMAIL PROTECTED]
  Date: Wed, 6 Sep 2006 09:43:58
  To:ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Is a Global Security group being used?
  
  Does anyone have a way to determine if a domain global 
 group is being 
  used?. Will auditing on the DCs tell me this?

  Thanks in advance. 

  Johnny Figueroa
  


RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Derek Harris



Did someone put that account into one of the protected 
groups? "Print operators" caused us a lot of grief a while 
ago.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Thursday, September 07, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with 
Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) 
server.

Scenario: Existing AD account with full Exchange mailbox and 
provisioned BES user. Out of the blue the user is unable to send from their 
BlackBerry. Permissions are checked in ADUC, and the required SendAs permission 
granted to the BES account have disappeared. This has happened to new and 
existing users.

I do not know where to start. I am reviewing a dcdiag /e 
/v to see if there are any potentially related 
problems.

Thanks,

...D


RE: [ActiveDir] OT: uptime.exe in a 2003/sp1 world - problem

2006-09-07 Thread Free, Bob
I've had some problems with the NT 4 RK version (1.x), are you using the
2000 RK version(2.0)? It was a fairly significant update IIRC. 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, September 07, 2006 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: uptime.exe in a 2003/sp1 world - problem



Hi,

I have moved a job that employs uptime.exe (in a loop using the FOR
command) from a Windows 2000/SP4 server to a Windows 2003/SP1 server.
Now part way through the job, I get:

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 9/7/2006
Time: 9:29:36 AM
User: N/A
Computer: ODDJOB221
Description:
Application popup: UPTIME.EXE - Application Error : The instruction at
0x7c837cf5 referenced memory at 0xfffd. The memory could not be
read.

Click on OK to terminate the program
Click on CANCEL to debug the program

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Any thoughts?  TIA!

Mike Thommes



RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Williams, Robert

Maybe AdminSDHolder is biting you?

Here's an article that talks about the Send-As specifically, but it's more than just that:

http://support.microsoft.com/kb/907434/

If the user in question is a member of any of the following groups, then you could be seeing this:

The following list describes the protected groups in Windows 2000:

- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators

The following list describes the protected groups in Windows Server 2003 and in
Windows 2000 after you apply the 327825 hotfix or you install Windows 2000
Service Pack 4:

- Administrators
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Domain Admins
- Schema Admins
- Enterprise Admins
- Cert Publishers

Additionally the following users are also considered protected:

- Administrator
- Krbtgt

The above was taken from: http://support.microsoft.com/kb/817433/

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Thursday, September 07, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with
Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES
user. Out of the blue the user is unable to send from their BlackBerry.
Permissions are checked in ADUC, and the required SendAs permission granted to
the BES account have disappeared. This has happened to new and existing users.

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are
any potentially related problems.

Thanks,

...D


2006-09-07, 13:03:30
The information contained in this e-mail message and any attachments may be privileged and confidential.  If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.





Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams



Yeah, I think I saw your post last 
night. Mail was taking 70 minutes to come through last night.

It's not really academic or obsolete, as 
this proves that it couldn't have been 544 and set back to 512. Which 
means that it is more than likely the password, or lack of, was set when the 
policy wasn't in place.


--Paul

  - Original Message -
  From: Laura A. Robinson
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, September 07, 2006 4:56 PM
  Subject: RE: [ActiveDir] Strange password issue
  
  Since the OP has said that the accounts' UAC flags are 512, not 544, 
  the entire discussion around this is moot.
  
  BTW, 
  did anybody notice if my post about the 512/544 value hit the list yesterday? 
  I don't remember seeing it and am wondering if I actually sent it. 
  :-)
  
  Thanks,
  
  Laura
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the 
password is blank, as it doesn't comply with the password policy. Try 
it. The other half of my post shows the error. I also tried it 
through the GUI (ADSIEDIT gives errors that are easier on the eyes, although 
less specific) and it said it wasn't compliant with the security policy, so 
it is checking the password when you do this.

p.s. your query, while illustrating 
the point, isn't really appropriate. The following is how you should 
be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))


Remember, unless you've made it so, 
objectClass isn't indexed and although UAC is, this also applies to 
non-people objects, e.g. computers.


--Paul

  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, September 07, 2006 11:35 AM
  Subject: RE: [ActiveDir] Strange password issue
  
  UAC bitmask is 32. A normal user then gets UAC = 544.
  Try doing a ldap query for (&(objectClass=user)(userAccountControl=544))
  You could then modify the attribute to 512 on 
  these users either with adsiedit or in a nice tool such as 
  ADModify.net.
  
  Note: if the option password not required is set. 
  Then you can either have a blank password or comply with the password 
  policy in defdom GPO.
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: den 6 september 2006 21:35
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  
  Pressed send 
  before I finished typing! : (
  
  Following on 
  from the last mail…
  
  You can, 
  however, modify the policy so that you can have shorter passwords, create 
  the user, and then change the password policy back. Perhaps someone 
  did this?
  
  If you test 
  this, when you set the policy to zero it says no password required (in the 
  Window).
  
  
  --Paul
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: 06 September 2006 19:28
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue
  
  From what 
  I recall, if the password is not required, then there's no need to check 
  the minimum length. Since it would be overridden at the user object 
  level, that does not affect the domain. I don't recall the UAC 
  bitmask, and I'm not going to figure it out at the moment. I'll take 
  your word that the password not required is true for this user. If 
  you remove that setting (i.e. require the user to have a password) then 
  that password would, by policy, have to be at least 6 chars in length. 
  
  
  On 9/6/06, Tom Kern [EMAIL PROTECTED] 
  wrote:
  
  
  This is a domain 
  account.
  
  
  
  To rehash-
  
  
  
  The Default Domain Policy is set to min password 
  length- 6 characters.
  
  This was created 2 years ago and never 
  changed.
  
  User account is a domain account created a month 
  ago.
  
  It was brought to my attention that the user can 
  log in with no password.
  
  I confirmed.
  
  The userAccountControl attribute of the user 
  object was set to 512 (not that I'm certain if setting the passwd_notreqd 
  overrides the DDP).
  
  The domain/forest is at w2k3 
  FL.
  
  
  
  Thanks
  
  
  
  
  On 
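Added example, not from any post in this thread: it decodes userAccountControl values and applies the semantics of the two LDAP filters quoted above (the equality test on 544 and the bit-AND matching rule on bit 32) to constructed sample objects, to show why the bit-AND form with objectCategory=person is the right query. The objects below are constructed sample data, not a real directory; the flag values are the documented userAccountControl bits, and objectCategory is held in its short display form for simplicity.

```python
"""Decode userAccountControl and compare the two filters from the thread.

Added example, not from any post in this thread. The objects below are
constructed sample data, not a real directory.
"""

# Documented userAccountControl bit values (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
PASSWD_NOTREQD = 0x0020

# The two filters quoted in the thread. 1.2.840.113556.1.4.803 is the
# LDAP_MATCHING_RULE_BIT_AND rule: true when every bit in the value is set.
FILTER_EQUALITY = "(&(objectClass=user)(userAccountControl=544))"
FILTER_BIT_AND = ("(&(objectCategory=person)(objectClass=user)"
                  "(userAccountControl:1.2.840.113556.1.4.803:=32))")


def decode_uac(value):
    """Return the names of the bits set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def matches_equality(obj):
    """Semantics of FILTER_EQUALITY: exact value 544, any user-derived class."""
    return "user" in obj["objectClass"] and obj["userAccountControl"] == 544


def matches_bit_and(obj):
    """Semantics of FILTER_BIT_AND: the PASSWD_NOTREQD bit, people only."""
    return (obj["objectCategory"] == "person"
            and "user" in obj["objectClass"]
            and obj["userAccountControl"] & PASSWD_NOTREQD == PASSWD_NOTREQD)


def find_password_not_required(objects, matcher):
    """Names of the objects selected by the given filter semantics."""
    return sorted(o["name"] for o in objects if matcher(o))


# Constructed sample objects. Computer objects derive from the user class
# in the AD schema, so objectClass=user on its own also matches them.
PERSON_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_OBJECTS = [
    # 544 = NORMAL_ACCOUNT + PASSWD_NOTREQD: the only case "=544" finds.
    {"name": "alice", "objectCategory": "person",
     "objectClass": PERSON_CLASSES, "userAccountControl": 544},
    # 66080 = 544 + DONT_EXPIRE_PASSWORD: still password-not-required,
    # but invisible to the equality filter.
    {"name": "bob", "objectCategory": "person",
     "objectClass": PERSON_CLASSES, "userAccountControl": 66080},
    # 512 = NORMAL_ACCOUNT: password required, matched by neither filter.
    {"name": "carol", "objectCategory": "person",
     "objectClass": PERSON_CLASSES, "userAccountControl": 512},
    # 4128 = WORKSTATION_TRUST_ACCOUNT + PASSWD_NOTREQD: a computer object,
    # excluded by objectCategory=person although the bit is set.
    {"name": "WS01$", "objectCategory": "computer",
     "objectClass": PERSON_CLASSES + ["computer"], "userAccountControl": 4128},
]

if __name__ == "__main__":
    for obj in SAMPLE_OBJECTS:
        print(f"{obj['name']:6} {obj['userAccountControl']:6} "
              f"{', '.join(decode_uac(obj['userAccountControl']))}")
    print("=544 finds:   ", find_password_not_required(SAMPLE_OBJECTS, matches_equality))
    print("bit-AND finds:", find_password_not_required(SAMPLE_OBJECTS, matches_bit_and))
```

The equality filter only finds accounts whose entire userAccountControl happens to equal 544, so any other flag on the account (password never expires, for instance) hides it; the bit-AND filter tests the single bit and reports every such account, and the objectCategory=person clause keeps computer accounts, which also carry the user class, out of the result. Against a live directory the same FILTER_BIT_AND string is what you would hand to an LDAP search tool.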

Re: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Paul Williams



If the permissions are being reset it is 
the result of DSPROP. Google adminSDHolder or look at this:
-- http://www.msresource.net/content/view/38/46/


The reason this is happening is because 
these users are members (directly or indirectly) of groups considered protected, 
e.g. administrators, backup operators, etc.


--Paul

  - Original Message -
  From: Danny
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, September 07, 2006 4:48 PM
  Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

  Environment: Windows Server 2003 R2 and 2000 mixed AD forest 
  with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) 
  server.

  Scenario: Existing AD account with full Exchange mailbox and 
  provisioned BES user. Out of the blue the user is unable to send from their 
  BlackBerry. Permissions are checked in ADUC, and the required SendAs 
  permission granted to the BES account have disappeared. This has happened to 
  new and existing users. I do not know where to start. I am reviewing a 
  dcdiag /e /v to see if there are any potentially related 
  problems.Thanks,...D
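Added example, not from any post in this thread: it resolves nested group membership against the protected-group list from KB 817433 that Robert Williams quoted, to show the "directly or indirectly" point Paul makes above. The membership data is a constructed sample, not a real directory; the adminCount value is the one SDProp stamps on protected objects.

```python
"""Resolve nested group membership against the KB 817433 protected-group list.

Added example, not from any post in this thread. The membership data is a
constructed sample, not a real directory.
"""

# Protected groups and users from KB 817433 as quoted in the thread
# (Windows Server 2003 / Windows 2000 SP4 list).
PROTECTED_GROUPS = {
    "Administrators", "Account Operators", "Server Operators",
    "Print Operators", "Backup Operators", "Domain Admins",
    "Schema Admins", "Enterprise Admins", "Cert Publishers",
}
PROTECTED_USERS = {"Administrator", "krbtgt"}

# Constructed sample: group -> direct members (users or other groups).
# danny is three levels of nesting away from Print Operators.
SAMPLE_MEMBERSHIP = {
    "Print Operators": {"Helpdesk-Printers"},
    "Helpdesk-Printers": {"SiteA-OU-Admins"},
    "SiteA-OU-Admins": {"danny", "erin"},
    "BES-Service-Accounts": {"besadmin"},
    "Domain Admins": {"Administrator"},
}


def transitive_groups(principal, membership):
    """Map every group containing principal (directly or via nesting) to the
    member through which it was first reached, for building an explanation."""
    parents = {}
    for group, members in membership.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    reached = {}
    frontier = [principal]
    while frontier:                      # breadth-first walk up the nesting
        next_frontier = []
        for node in frontier:
            for group in sorted(parents.get(node, ())):
                if group not in reached:  # also guards against group cycles
                    reached[group] = node
                    next_frontier.append(group)
        frontier = next_frontier
    return reached


def protected_groups_of(principal, membership):
    """Protected groups the principal belongs to, directly or indirectly."""
    reached = transitive_groups(principal, membership)
    return sorted(g for g in reached if g in PROTECTED_GROUPS)


def is_protected(principal, membership):
    """True when SDProp will treat this principal as protected."""
    return principal in PROTECTED_USERS or bool(protected_groups_of(principal, membership))


def expected_admin_count(principal, membership):
    """adminCount SDProp stamps on protected objects is 1; an unprotected
    object normally has no adminCount at all, reported here as 0."""
    return 1 if is_protected(principal, membership) else 0


def membership_chain(principal, group, membership):
    """Human-readable path from principal up to group, or None if not a member."""
    reached = transitive_groups(principal, membership)
    if group not in reached:
        return None
    path = [group]
    while path[-1] != principal:
        path.append(reached[path[-1]])
    return " -> ".join(reversed(path))


if __name__ == "__main__":
    for user in ("danny", "erin", "besadmin", "Administrator"):
        hits = protected_groups_of(user, SAMPLE_MEMBERSHIP)
        line = f"{user}: adminCount should be {expected_admin_count(user, SAMPLE_MEMBERSHIP)}"
        if hits:
            line += f" via {membership_chain(user, hits[0], SAMPLE_MEMBERSHIP)}"
        print(line)
```

The walk goes up the nesting from the user, so a user whose only link to Print Operators runs through two intermediate groups is reported exactly as a direct member would be, which is what SDProp does when it stamps adminCount=1 and rewrites the object's ACL from AdminSDHolder. Removing the user from the group afterwards does not reverse that: adminCount stays at 1 and inheritance stays disabled on the object until an administrator clears the attribute and re-enables inheritance by hand.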


Re: [ActiveDir] Is a Global Security group being used?

2006-09-07 Thread Mark Parris
Artistic license on my part.

M.
-Original Message-
From: Laura A. Robinson [EMAIL PROTECTED]
Date: Thu, 07 Sep 2006 12:32:50 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

I didn't say you were insane, just that this might not be the best idea. :-) I 
won't comment on what we say at TechEd. ;-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Thursday, September 07, 2006 11:41 AM
 To: ActiveDir.org
 Subject: Re: [ActiveDir] Is a Global Security group being used?
 
 The question was a way - not the best way. This method 
 was actually suggested by MS at TechED one year, so I am not 
 totally insane.
 -Original Message-
 From: Laura A. Robinson [EMAIL PROTECTED]
 Date: Wed, 06 Sep 2006 13:44:53
 To:ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is a Global Security group being used?
 
 While that's an interesting approach, unless this is a very 
 small environment (as in, there's no help desk that's going 
 to be baffled by the screaming and no multi-gazillionaire 
 CXOs who are going to be doing the screaming), that might not 
 be such a good idea. ;-)
 
 Laura 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
  Sent: Wednesday, September 06, 2006 1:18 PM
  To: ActiveDir.org
  Subject: Re: [ActiveDir] Is a Global Security group being used?
  
  Change it to a Distribution Group and see who screams - if 
 anyone does 
  change it back to a security group again.
  
  M.
  
  -Original Message-
  From: Figueroa, Johnny [EMAIL PROTECTED]
  Date: Wed, 6 Sep 2006 09:43:58
  To:ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Is a Global Security group being used?
  
  Does anyone have a way to determine if a domain global 
 group is being 
  used?. Will auditing on the DCs tell me this?

  Thanks in advance. 

  Johnny Figueroa
  

RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Laura A. Robinson



Can 
you elaborate? What do you mean by "protected groups", and how did modifying the 
membership of the Print Operators group cause you grief? 

Thanks!

Laura


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
  Sent: Thursday, September 07, 2006 12:36 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD object (User accounts) Permissions dissappearing
  
  Did someone put that account into one of the protected 
  groups? "Print operators" caused us a lot of grief a while 
  ago.
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
  Sent: Thursday, September 07, 2006 9:49 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing
  
  Environment: Windows Server 2003 R2 and 2000 mixed AD forest with 
  Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) 
  server.
  
  Scenario: Existing AD account with full Exchange mailbox and 
  provisioned BES user. Out of the blue the user is unable to send from their 
  BlackBerry. Permissions are checked in ADUC, and the required SendAs 
  permission granted to the BES account have disappeared. This has happened to 
  new and existing users. I do not know where to start. I am reviewing a 
  dcdiag /e /v to see if there are any potentially related 
  problems.
  
  Thanks,
  
  ...D


RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Brian Desmond








This user isn't a domain admin or enterprise admin is he/she?



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Thursday, September 07, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing







Environment: Windows Server 2003 R2 and 2000 mixed AD forest
with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server)
server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES
user. Out of the blue the user is unable to send from their BlackBerry.
Permissions are checked in ADUC, and the required SendAs permission granted to
the BES account have disappeared. This has happened to new and existing users. 

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are
any potentially related problems.

Thanks,

...D










Re: [ActiveDir] Strange password issue

2006-09-07 Thread Al Mulnick
I saw it this morning. Not sure if it was last night, today, yesterday...

Curious thread though. I suppose if Tom misinterpreted the UAC flag meaning, it is also possible that he typo'd the actual value. 

Tom, how about some more details? 

What clued you into the user having a blank password? 
What does the user say about it? How long has it been this way? Was this user migrated (reference to the Quest tool)? How was the user account created (you said ADUC, but were you the one that created it?) How'd the user find out that the password was blank? 

I think some history of the issue and how the user came to be configured this way is needed. 
Also, what does the user community use to change passwords? Any meta directories? Any password management solutions in place? 

Al
On 9/7/06, Laura A. Robinson [EMAIL PROTECTED] wrote:



Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot.

BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)


Thanks,

Laura



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue



But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.


p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))


Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.


--Paul

- Original Message - 
From: 
[EMAIL PROTECTED] 
To: ActiveDir@mail.activedir.org
 
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. 
Try doing a ldap query for (&(objectClass=user)(userAccountControl=544)) 
You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.

Note: if the option password not required is set. Then you can either have a blank password or comply with the password policy in defdom GPO.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


Pressed send before I finished typing! : (

Following on from the last mail…

You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this?


If you test this, when you set the policy to zero it says no password required (in the Window).



--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. 
I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length. 


On 9/6/06, Tom Kern 
[EMAIL PROTECTED] wrote:


This is a domain account.



To rehash-



The Default Domain Policy is set to min password length- 6 characters.

This was created 2 years ago and never changed.

User account is a domain account created a month ago.

It was brought to my attention that the user can log in with no password.

I confirmed.

The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).


The domain/forest is at w2k3 FL.



Thanks




On 9/6/06, Laura A. Robinson 
[EMAIL PROTECTED]  wrote: 



Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account? 




Laura







From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange 

Re: [ActiveDir] OT: admin account in Vista

2006-09-07 Thread Al Mulnick
Write down your username and password and store it in a safe location.

That's an interesting departure from the usual recommendations. ;-)

On 9/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Windows Vista Security : Built-in Administrator Account Disabled:
http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] Separate Administrator password policy

2006-09-07 Thread Al Mulnick
What would be the difference between those solutions and smart cards as you see it? You make me think I missed something in the previous conversations.

On 9/7/06, Laura A. Robinson [EMAIL PROTECTED] wrote:
Or use smartcards.

Laura

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 07, 2006 6:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Separate Administrator password policy

Why not use certificates or rsa for admin accounts? IF you have a pki environment that would be my suggestion. Then only then default administrator account would be insecure. But that can be mitigated with very long password.

An other option is to put admin accounts in a separate child or top domain.

/petter borling

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: den 7 september 2006 05:54
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Separate Administrator password policy

Hi Al,

All good questions. I'll answer here, but if it starts to get hairy, let's take it offline (same as my post to Susan - I don't want this to become a deep discussion of our product on the list).

 Not to pick, but it occurs to me that you're trying to complicate the problem. While I agree that changing the passwords every 24 hours (whatever freq works is likely going to be fine), is not a bad idea, it has the likely problem of being very problematic. This is similar to a push vs. pull paradigm and if looked at that way, you have similar issues such as connectivity and reliability. i.e. how do you ensure that the password change was successful if there's a network outage? Or just a network blip? Is it important that you do so is assumed from the previous information to date.

100% reliability is mandatory in this kind of app. Funny that you raise push vs. pull, as we have two modes of operations, called push and pull. :-) We push passwords to server-class target systems (e.g., AD, mainframes, whatever), and pull password changes from workstations (i.e., the workstations push to the server). The handshake used ensures that password changes are 100% reliable - we abort if there isn't a connection, etc.; and password history is retained just in case something went wrong anyways.

 A solution that scales up, down, or laterally is appropriate. Something that allows an account to traverse the different sites, possibly into the hundreds or even thousands, and allows almost instant revocation of the user account with administrative privileges should that become necessary during the course of normal business.

Scaling is easy enough - just arrange for different devices, of which there may be tens of thousands, to contact a central server at somewhat randomized times, and keep trying in case of powerdown, connection failures, etc. etc. This eliminates nasty traffic bursts. Traversing sites is easy too - use HTTPS to connect to the central server, and use whatever proxy settings are needed to get out. Instant revocation is another matter. Our approach provides for timed revocation on workstations (due to limitations fundamental to pull mode), and instant revocation on servers (since push allows for it).

 Now, if only we had such a technology...

We sell it, more or less as described.

 Some suggestions that come to mind would be everything from a toaster-like device placed at the client site to a certificate based credential system come to mind. Hybrid ideas also entertained. Plenty of pros and cons for each, such as the ability to have something tangible at the client site that can also be a multi-functional device and can work semi-autonomously to monitor even if the WAN link goes away (different issues can be monitored.) It can also provide the 8th layer with a sense of investment and partnership. Downside is that it's more to manage and monitor. But that can be mitigated by allowing it to be gasp sales person installable meaning that if something goes wrong with the device, then you roll a salesperson to replace it. That gives the salesperson reason to have more facetime with the client and gives a chance to sell more business.

A service on each client device is probably cheaper than yet another machine at the client site, if you're managing lots of small-ish clients... Of course, you pointed to other, unrelated but quite useful functionality above, such as WAN link monitoring.

 The conversation could be longer, but I'm sure that a solution is possible that fits many of the criteria defined. Because the original problem scope is to remove the administrative access, using a hybrid solution that relies on certificates and a toaster item would be more likely. The details and pricing would need to be hammered out in such a way that the final solution is reliable, inexpensive (drive adoption), and easy to use (dumb down the interface such that your 

RE: [ActiveDir] Distribution list Maintenance. Policy dilemma

2006-09-07 Thread Passo, Larry








I would make the manager that wants the DL
maintain it.

First, make sure that there is a written
policy (approved by a higher management level) that specifies that the manager
is responsible for updates. Then after you create each DL, set the Managed
By attribute to be the appropriate manager and give them permission to
make changes to it. 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 05, 2006 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Distribution list Maintenance. Policy dilemma





Hi,

I have Department managers asking me to create DL in exchange of people who don't work in the company.

There is no technical problem to do that, but I am finding out that the previous guy was doing that via contacts in AD. The problem is that in this business, a consultant will work one day for you and next to your competitor.

My question is, what is the common practice in terms of DL. Does anyone know a good way of maintaining them? Most of the time, I don't get notified when we no longer work with a consultant.

How do you guys deal with DL maintenance? Any suggestion?








RE: [ActiveDir] nslookup. AD beginer question

2006-09-07 Thread Passo, Larry








Using the version of DCDIAG that comes with the 2003 SP1 support tools:

Type: dcdiag /test:dns /e /v

That will tell you what shape your DNS system is in.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Monday, August 28, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] nslookup. AD beginer question





Hi Everyone,

When I do a nslookup domain.com, domain.com being my AD domain, what should I see? A list of the DNS servers in my domain? A list of the DCs?

The fact is that I am doing nslookup and I am getting domain controllers but also a user's computer.

Thanks








Re: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Danny
You are right! Thanks!

On 9/7/06, Williams, Robert [EMAIL PROTECTED] wrote:

Maybe AdminSDHolder is biting you?

Here's an article that talks about the Send-As specifically, but it's more than just that:

http://support.microsoft.com/kb/907434/

If the user in question is a member of any of the following groups, then you could be seeing this:

The following list describes the protected groups in Windows 2000:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators

The following list describes the protected groups in Windows Server 2003 and in
Windows 2000 after you apply the 327825 hotfix or you install Windows 2000
Service Pack 4:

  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Cert Publishers

Additionally the following users are also considered protected:

  • Administrator
  • Krbtgt

The above was taken from: http://support.microsoft.com/kb/817433/



Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing





Environment: Windows Server 2003 R2 and 2000 mixed AD forest with
Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES
user. Out of the blue the user is unable to send from their BlackBerry.
Permissions are checked in ADUC, and the required SendAs permission granted to
the BES account have disappeared. This has happened to new and existing users. 

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are
any potentially related problems.

Thanks,

...D









-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


Re: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Danny
No, but the user is part of a group that is part of a group that has Admin-type permissions on an OU for their site.On 9/7/06, Brian Desmond 
[EMAIL PROTECTED] wrote:












This user isn't a domain admin or enterprise admin is he/she?



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing







Environment: Windows Server 2003 R2 and 2000 mixed AD forest
with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server)
server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES
user. Out of the blue the user is unable to send from their BlackBerry.
Permissions are checked in ADUC, and the required SendAs permission granted to
the BES account have disappeared. This has happened to new and existing users. 

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are
any potentially related problems.

Thanks,

...D









-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


[ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139

2006-09-07 Thread Yann
Hello all,

I have 2 sites Exchange 5.5 Environment (2 5.5 Server Per Site On NT4.0 SP6a with latest hotfixes), Windows 2003 Native Mode AD (Forest/Domain Level at 2003 Functional Level). MSADC Installed on 1 DC Replicating Recipient Containers and Public Folders from both sites. I have Two-way replication. But replication from AD to Exchange 5.5 does not work. When I do a full replication between AD and 5.5 from the ADC, every object throws the following warning event 8139 in the app log:

The target object 'CN=yann,OU=Exch,DC=mycompany,DC=com' was modified after the source object 'cn=yann,o=mycompany.com' Consequently, the following set of updates will not be applied to the target object. If this warning persists, make sure that the time is correctly set on both the source and target servers.
dn: CN=CN=yann,OU=Exch,DC=mycompany,DC=com
changetype: modify
replicationsignature:E1EB509F06C5614FB3BF6066ACFCF531
userAccountControl::
msExchMailboxGuid::
-
(Connection Agreement 'Users: mycompagny.com - mycompagny.com' #3254)
For more information, click http://www.microsoft.com/contentredirect.asp.

I have verified time synch/time zone on all DCs and 5.5 servers. I have not found any solution to my issue. Next step will be a support call to PSS.

Anyone with any insight into this would be greatly appreciated.

Thanks,
Yann
		 


RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Derek Harris



Print operators is a protected group in 2k3. 
Robert Williams' post included a full list of the protected groups in 2k & 
2k3. The AdminSDHolder attribute is set to 1 for members of protected 
groups. Another admin thought that several users needed to be in the print 
operators group to manage print jobs.

Here's Robert's post:

Maybe AdminSDHolder is biting you?

Here's an article that talks about the Send-As specifically, but it's more than just that:

http://support.microsoft.com/kb/907434/

If the user in question is a member of any of the following groups, then you could be seeing this:

The following list describes the protected groups in Windows 2000:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators

The following list describes the protected groups in Windows Server 2003 and in Windows 2000 after you apply the 327825 hotfix or you install Windows 2000 Service Pack 4:

  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Cert Publishers

Additionally the following users are also considered protected:

  • Administrator
  • Krbtgt

The above was taken from: http://support.microsoft.com/kb/817433/

Robert 
Williams 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, September 07, 2006 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

Can you elaborate? What do you mean by "protected groups", and how did modifying the membership of the Print Operators group cause you grief?

Thanks!

Laura


  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Thursday, September 07, 2006 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

Did someone put that account into one of the protected groups? "Print operators" caused us a lot of grief a while ago.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Thursday, September 07, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account has disappeared. This has happened to new and existing users. I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D
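The protected-group list quoted above is what the AdminSDHolder propagation (SDProp) checks when it stamps adminCount=1 on a user and disables ACL inheritance, which is why a delegated SendAs grant quietly vanishes. The following is an added example, not code from the thread or from any of its posters: a Python check that runs over a small constructed set of directory entries and reports (a) users who are still covered by a protected group, so any delegated permission will be stripped again on the next pass, and (b) users that carry adminCount=1 but are no longer in any protected group, the leftovers that keep inheritance disabled until someone clears the attribute. Group nesting is resolved transitively, since SDProp considers nested membership. The user names and the group graph are made up; the protected group and account names are the Windows Server 2003 list from KB 817433 as quoted in the thread.

```python
# Added example (not from the ActiveDir thread): AdminSDHolder / SDProp
# membership check over constructed sample data.

# Protected groups in Windows Server 2003 (and Windows 2000 SP4 / hotfix 327825),
# per the KB 817433 list quoted in the thread.
PROTECTED_GROUPS = {
    "Administrators", "Account Operators", "Server Operators",
    "Print Operators", "Backup Operators", "Domain Admins",
    "Schema Admins", "Enterprise Admins", "Cert Publishers",
}
# Accounts that are protected regardless of group membership.
PROTECTED_USERS = {"Administrator", "krbtgt"}

# Constructed group graph: group name -> direct members (users or other groups).
SAMPLE_GROUPS = {
    "Print Operators": {"print-helpdesk"},    # a nested group, not a user
    "print-helpdesk": {"dharris", "jdoe"},
    "Domain Admins": {"lrobinson"},
    "BES Admins": {"besadmin"},               # ordinary group, not protected
}

# Constructed user entries: sAMAccountName -> adminCount (None = attribute not set).
SAMPLE_USERS = {
    "dharris": 1,
    "jdoe": 1,
    "lrobinson": 1,
    "besadmin": None,
    "former-op": 1,        # removed from Print Operators; adminCount was left behind
    "danny": None,
    "Administrator": 1,
    "krbtgt": 1,
}


def expand_members(groups, group_name, seen=None):
    """Transitive set of user names in group_name, with nested groups flattened.
    `seen` guards against membership cycles."""
    if seen is None:
        seen = set()
    members = set()
    for m in groups.get(group_name, ()):
        if m in groups:                      # m is itself a group: recurse once
            if m not in seen:
                seen.add(m)
                members |= expand_members(groups, m, seen)
        else:                                # m is a user
            members.add(m)
    return members


def protected_accounts(groups):
    """Every user SDProp will treat as protected: fixed accounts plus the
    transitive membership of every protected group."""
    protected = set(PROTECTED_USERS)
    for g in PROTECTED_GROUPS:
        protected |= expand_members(groups, g)
    return protected


def classify(users, groups):
    """Return (still_protected, orphaned_admincount), both sorted lists.
    still_protected: delegated ACEs on these users will be overwritten again.
    orphaned_admincount: adminCount=1 but no longer protected; inheritance stays
    disabled until adminCount is cleared and inheritance re-enabled by hand."""
    prot = protected_accounts(groups)
    still = sorted(u for u in users if u in prot)
    orphans = sorted(u for u, ac in users.items() if ac == 1 and u not in prot)
    return still, orphans


if __name__ == "__main__":
    still, orphans = classify(SAMPLE_USERS, SAMPLE_GROUPS)
    print("still protected (delegations will be stripped):", still)
    print("stale adminCount=1 (inheritance still off):", orphans)
```

Against the constructed data, dharris and jdoe show up as protected only through the nested print-helpdesk group, which is the kind of membership that is easy to miss when looking at the Print Operators group directly; former-op is reported as a stale adminCount=1 account, which SDProp never cleans up on its own. In a live directory the same two lists would be built from an adminCount=1 query and the transitive membership of the groups above.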


Re: [ActiveDir] Strange password issue

2006-09-07 Thread Tom Kern
Sorry, I was distracted by other stuff here.


We are in a migration state with 2 Forests.
Source forest is win2k native and target forest is win2k3 FFL/DFL.
Both Forests have same password policy

Using Quest AD Migration Manager.

The user was created in the source and then migrated about a month ago.

The way this was discovered was, the user's password no longer worked and the user claimed to be able to log on with no password (confirmed by help desk staff).
Apparently, according to the user and help desk, he was able to log in with his old password for a month until last week, when the system would no longer accept his password; he then tried the null password route and it worked.

Then, I tried logging in as that user with a null password and confirmed it.

When I said UAC was 512, I meant just that: the user was a normal enabled user without the password_notreqd bit set.

When I looked in the history in the Quest console, I saw the user was migrated with copy password set to true.


A separate provisioning group creates users. They have been delegated that right through AD.
We only have 2 EA/DAs here and I'm one of them.
I delegated the Quest util to allow this same group to migrate users.
Once migrated, the user can no longer log into the source forest.
We have no other directory servers.
At the moment, users can only change their passwords when they expire and Windows prompts them.
The Change Password button on the GINA has been disabled via GPO.


This probably sounds more convoluted than it is, so I apologize and we can just drop this thread if you feel there are way too many unknown variables.
Thanks for all your help and interest, guys.




On 9/7/06, Al Mulnick [EMAIL PROTECTED] wrote:


I saw it this morning. Not sure if it was last night, today, yesterday...

Curious thread though. I suppose if Tom misinterpreted the UAC flag meaning, it is also possible that he type-o'd the actual value.

Tom, how about some more details? 

What clued you into the user having a blank password? 
What does the user say about it? How long has it been this way? Was this user migrated (reference to the Quest tool)? How was the user account created (you said ADUC, but were you the one that created it?) How'd the user find out that the password was blank? 

I think some history of the issue and how the user came to be configured this way is needed. 
Also, what does the user community use to change passwords? Any meta directories? Any password management solutions in place? 


Al

On 9/7/06, Laura A. Robinson [EMAIL PROTECTED] wrote:



Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot.

BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)
 

Thanks,

Laura



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue




But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this. 


p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))


Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.


--Paul

- Original Message - 
From: 
[EMAIL PROTECTED] 
To: ActiveDir@mail.activedir.org 

Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. 
Try doing an LDAP query for (&(objectClass=user)(userAccountControl=544))
You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.

Note: if the option "password not required" is set, then you can either have a blank password or comply with the password policy in the defdom GPO.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: 6 September 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


Pressed send before I finished typing! : (

Following on from the last mail…

You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? 


If you test this, when you set the policy to zero it says no password required (in the Window).
 


--Paul






From:
 [EMAIL PROTECTED] [mailto:
 [EMAIL 
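Paul's point about the equality filter versus the bitwise-AND matching rule, and his remark that the filter also catches non-people objects unless objectCategory is constrained, can be checked offline. The following is an added example, not code from the thread or from any of its posters: a small Python evaluator that decodes userAccountControl bits and runs both filters over a constructed set of directory entries. It goes slightly beyond the thread by also handling the bitwise-OR rule (1.2.840.113556.1.4.804). The account names and attribute values are made up; the flag values are the documented userAccountControl bits, and the two OIDs are the real AD matching rules quoted by Paul.

```python
# Added example (not from the ActiveDir thread): userAccountControl decoding and
# LDAP bitwise matching-rule evaluation over constructed sample entries.

# A handful of documented userAccountControl bits.
UAC = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,           # the bit behind the 512 vs 544 discussion
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
}
BIT_AND = "1.2.840.113556.1.4.803"      # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"       # LDAP_MATCHING_RULE_BIT_OR


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC.items() if value & bit]


def uac_matches(value, rule, mask):
    """Evaluate (userAccountControl:<rule>:=<mask>) the way the directory does:
    803 requires every bit of the mask, 804 requires at least one."""
    if rule == BIT_AND:
        return value & mask == mask
    if rule == BIT_OR:
        return value & mask != 0
    raise ValueError("unknown matching rule " + rule)


# Constructed entries. objectCategory is shown by its short name; computer
# objects carry objectClass=user too, which is why objectCategory matters.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "tkern",  "objectCategory": "person",   "objectClass": ["user"],
     "userAccountControl": 512},                   # NORMAL_ACCOUNT only
    {"sAMAccountName": "nopw1",  "objectCategory": "person",   "objectClass": ["user"],
     "userAccountControl": 544},                   # NORMAL + PASSWD_NOTREQD
    {"sAMAccountName": "nopw2",  "objectCategory": "person",   "objectClass": ["user"],
     "userAccountControl": 546},                   # also ACCOUNTDISABLE
    {"sAMAccountName": "svc1",   "objectCategory": "person",   "objectClass": ["user"],
     "userAccountControl": 66080},                 # DONT_EXPIRE + NORMAL + PASSWD_NOTREQD
    {"sAMAccountName": "WKS01$", "objectCategory": "computer", "objectClass": ["user", "computer"],
     "userAccountControl": 4128},                  # WORKSTATION_TRUST + PASSWD_NOTREQD
]


def equality_query(entries, value=544):
    """(&(objectClass=user)(userAccountControl=544)): only an exact value matches."""
    return sorted(e["sAMAccountName"] for e in entries
                  if "user" in e["objectClass"] and e["userAccountControl"] == value)


def bitwise_query(entries, mask=UAC["PASSWD_NOTREQD"], people_only=True):
    """(&(objectCategory=person)(objectClass=user)
        (userAccountControl:1.2.840.113556.1.4.803:=32)).
    people_only=False drops the objectCategory clause and lets computer
    accounts through, the non-people case Paul warns about."""
    return sorted(e["sAMAccountName"] for e in entries
                  if "user" in e["objectClass"]
                  and (not people_only or e["objectCategory"] == "person")
                  and uac_matches(e["userAccountControl"], BIT_AND, mask))


if __name__ == "__main__":
    print("equality 544:", equality_query(SAMPLE_ENTRIES))
    print("bit 32, people:", bitwise_query(SAMPLE_ENTRIES))
    print("bit 32, all:", bitwise_query(SAMPLE_ENTRIES, people_only=False))
    for e in SAMPLE_ENTRIES:
        print(e["sAMAccountName"], e["userAccountControl"], decode_uac(e["userAccountControl"]))
```

The equality query finds only the one account whose value is exactly 544; the disabled account (546) and the service account with a non-expiring password (66080) both still have PASSWD_NOTREQD set and are only found by the bitwise filter. Dropping the objectCategory clause pulls in the workstation account as well, which is the noise Paul's version avoids.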

Re: [ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139

2006-09-07 Thread Tony Murray

Yann

Did you see this?:

http://www.mcse.ms/message568787.html

Tony
-- Original Message --
From: Yann [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 7 Sep 2006 20:25:02 +0200 (CEST)

Hello all,

  I have 2 sites Exchange 5.5 Environment (2 5.5 Server Per Site On NT4.0 SP6a 
with latest hotfixes),
Windows 2003 Native Mode AD (Forest/Domain Level at 2003 Functional Level).
MSADC Installed on 1 DC Replicating Recipient Containers and Public Folders 
from both sites.

  I have Two-way replication. But replication from AD to Exchange 5.5 does not 
work. When I do a full replication
between AD and 5.5 from the ADC, every object throws the following warning 
event 8139 in the app log:

  The target object 'CN=yann,OU=Exch,DC=mycompany,DC=com' was modified after 
the source object 'cn=yann,o=mycompany.com' Consequently, the following set of 
updates will not be applied to the target object. If this warning persists, make sure that the time is correctly set on both 
the source and target servers.
dn: CN=CN=yann,OU=Exch,DC=mycompany,DC=com
  changetype: modify
replicationsignature:E1EB509F06C5614FB3BF6066ACFCF531
userAccountControl:
:
msExchMailboxGuid:
:
-
(Connection Agreement 'Users: mycompagny.com - mycompagny.com' #3254)

For more information, click http://www.microsoft.com/contentredirect.asp.

  I have verified time synch/time zone on all DCs and 5.5 servers. I have not 
found any solution to my issue. Next step will be a support call to PSS.

  Anyone with any insight into this would be greatly appreciated.

Thanks,

  Yann




Sent via the WebMail system at mail.activedir.org

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139

2006-09-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]


Latest hotfixes... does that mean you pay for NT4 patches or latest hotfixes when that OS was supported?


As that could mean two different things

Tony Murray wrote:

Yann

Did you see this?:

http://www.mcse.ms/message568787.html

Tony


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] OT: admin account in Vista

2006-09-07 Thread Darren Mar-Elia



safe location == post-it note on the side of CPU


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, September 07, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: admin account in Vista

"Write down your username and password and store it in a safe 
location."

That's an interesting departure from the usual recommendations. 
;-)

On 9/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Windows Vista Security : Built-in Administrator Account Disabled:
http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx
  


RE: [ActiveDir] OT: admin account in Vista

2006-09-07 Thread Brian Desmond








My favorite was the user I had who stored them all under P in his cardfile.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132












RE : Re: [ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139

2006-09-07 Thread Yann
Hello Tony,

Yes, I saw it and I mailed Scott Anderson, who is the author. He advised me to check that my CAs are well configured, which I did. His problem was exactly the same as mine, except that replication from AD to Exch 5.5 does not work.

I set diag logging on my ADC to maximum, added a value to an AD mailbox-enabled user attribute (description) and forced a full replication. An event ID 8139 appears and I see no modification on my Exchange 5.5 mailbox user.

The time is correctly set on my Exchange 5.5, my ADC server and my Global Catalog.

Thanks,
Yann

Tony Murray [EMAIL PROTECTED] wrote:


[ActiveDir] Moving Users Between Domains

2006-09-07 Thread HBooGz
I'd like to move an object from the parent domain to the child domain in a pure Windows 2003 R2 AD environment.

I've done this with the Movetree command back when AD was 2000 - do I still use the same command or is there a different method/possibility?

For informational purposes, I'd like to know how to do the vice versa as well (move from child domain to parent domain).

This is all within one forest and same tree.

Thanks,
-- 
HBooGz:\


Re: [ActiveDir] Moving Users Between Domains

2006-09-07 Thread Tony Murray
ADMT should be used for moving objects between domains. 

Movetree should now only be used for objects that cannot be moved using ADMT (e.g. 
Contacts).

Tony
-- Original Message --
From: HBooGz [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 7 Sep 2006 18:50:29 -0400

I'd like to move an object from the parent domain to the child domain in a
pure windows 2003 R2 AD environment.

I've done this with the Movetree command back when AD was 2000 - do i still
use the same command or is there a different method/possibility ?

For informational purposes, I'd like to know how to the vice versa as well (
move from child domain to parent domain )

This all within one forest and same tree.

Thanks,

-- 
HBooGz:\


 







Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-07 Thread Ravi Dogra

Jolly,

I was not sure about how the VPN box was configured and, as I had a word with
Prashant boss, it is not configured for updating records to our DNS.

I will talk to Prashant boss about this.

But the thing is I can see 2 DNS records for one host. One is for VPN
and the other one is for the Wireless IP Address for the Host.

Al,

It is letting the device update their own record to DNS.

Thanks
Ravi Dogra


Re: [ActiveDir] Moving Users Between Domains

2006-09-07 Thread HBooGz
Which version? What about the moveuser.exe app?

On 9/7/06, Tony Murray [EMAIL PROTECTED] wrote:

ADMT should be used for moving objects between domains.

Movetree should now only be used for objects that cannot be moved using ADMT (e.g. Contacts).

Tony

-- 
HBooGz:\