RE: [ActiveDir] Exchange 2k ?

2003-10-03 Thread John Reijnders
I would like to attack this problem from an AD point of view. Your domain structure consists of an empty forest root domain with a child domain. This structure allows you to make every DC in the child DC a GC without much overhead. The information in the empty forest root should be relatively

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Tony Murray
Deano (and others) From what I can see, setting the value of pwdLastSet to 0 has the effect of setting the User must change password at next logon flag. In other words I think the user would be prompted to change their password at next logon. One thing I've noticed is that if you check the

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Joe
See I knew the word challenge in the subject would bring you guys out... In fact Challenge is the alternate spelling for MVP... :op Speaking of which, did you notice that the AD list has doubled? Correct, setting pwdLastSet to 0 will cause it to flag as expired (user must change password on

RE: [ActiveDir] Exchange 2k ?

2003-10-03 Thread Joe
I was thinking along the same lines only we don't have some critical information to make the call... That being what does the replication pathing look like and how big are these domains/how big will they be/how many changes going through them. If the two domains are on opposite sides of a very

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Myrick, Todd (NIH/CIT)
Sounds like this needs to be in the next version of Robbie's book. Toddler -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Friday, October 03, 2003 7:24 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Password Policy - Challenge See I knew the word challenge in the

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Tom Meunier
Okay, bear with me here. Since everyone's agreed that the passwords would expire by simply enabling the password policy, why are we having discussions about these not-so-obvious ways of accomplishing the same task? Or have we gone off the realm of Travis' original question and into the realm of

Re: [ActiveDir] Secedit Errors

2003-10-03 Thread Jef Kazimer
Darren, Ahhh...that is what 145 meant! I couldn't find a lookup on that one anywhere. I am seeing these come from maybe 30+ servers in a domain. I see a mix of error code #5 which was access denied (this was due to a mistake in a policy setting and is fixed) and then I see

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread daniel . gilbert
Does the -1 setting tell the system it never expires? -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Friday, October 03, 2003 4:24 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Password Policy - Challenge See I knew the word challenge in the subject would bring

RE: [ActiveDir] OT: DS Conference

2003-10-03 Thread daniel . gilbert
"I want a chicken damnit." I am afraid the last NetPro chicken already has a home ;-) (It is proudly displayed with prior DEC nametags and books) -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Thursday, October 02, 2003 6:38 PM To: [EMAIL

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Myrick, Todd (NIH/CIT)
So the recommended method is to multi-select users, add the User must change password at next login. Click apply. Then Uncheck the password must change at next Login, then select Apply. Then apply account policy. And you're golden? Otherwise use a script, just watch out for large integers.

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Roger Seielstad
I think the issue is how to enforce the password policy but provide a lag time before the users get prompted for expired passwords - basically prevent a rash of help desk calls because people are locked out. -- Roger D. Seielstad - MTS

RE: [ActiveDir] OT: DS Conference

2003-10-03 Thread Myrick, Todd (NIH/CIT)
On my projects I hand out "Ship it" Hockey Pucks. People are honored in two ways. Those that did well on the project get the puck handed to them. Those who were "challenged" on the project, get them thrown at them. So Dan, I have an extra puck here, I can put chicken on it.

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Roger Seielstad
Not really. If I remember the schema correctly, it is simply a flag as to whether or not the password has expired. The never expires attribute is part of a separate bit flag field, I believe. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr.

RE: [ActiveDir] Exchange 2k ?

2003-10-03 Thread Ken Cornetet
In this case, MS says it isn't a bug because it would be extremely difficult to fix. I think the bug Joe is referring to is that Outlook can no longer manage distribution lists under some circumstances. Here's the reason: Outlook talks to GCs for all of its directory operations (including DL

RE: [ActiveDir] OT: DS Conference

2003-10-03 Thread Michael_Parent
I also vote that the Fall DEC be in the Virgin Islands or some tropical destination. Having just been brutalized up here (Halifax NS) by hurricane Juan and given that fall is hurricane season in the Caribbean, I would think that might not be the best choice :-/ Michael Parent MCSE MCT Analyst I

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Dean Wells
As Joe pointed out, the attribute is owned by the system (the SAM I believe) and subsequently logic is in force when submitting values against it. In the case of pwdLastSet the only permissible values are 0 and -1. 0 forces an immediate password expiry while -1 (in my opinion should NOT be

RE: [ActiveDir] OT: DS Conference

2003-10-03 Thread daniel . gilbert
Hang on to it. I will see if I can rise to the "challenge" and get on via low speed delivery as opposed to ducking :-) -Original Message- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] Sent: Friday, October 03, 2003 7:40 AM To: '[EMAIL

RE: [ActiveDir] Password Policy

2003-10-03 Thread Mike Baudino
Todd, I was curious about your double-counting statement below and tried to test this in our lab. I wanted to make sure we set our account lockout policy properly when we implement and had not heard about this double-counting before. We're running Server 2003 and the domain's in server 2003

RE: [ActiveDir] hello and a question

2003-10-03 Thread Shadow Roldan
Thanks to all for the help! I'm well on my way! List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] ADUC tools

2003-10-03 Thread Pelle, Joe
Can someone please tell me how to get the ADUC snap-in without installing the complete set of Admin Tools? Hopefully a dumb and easy to answer question! Thanks! Have a good weekend everyone! Joe Pelle Systems Analyst Information Technology Valassis / Targeted Print

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Joe
Correct never expires is part of the userAccountControl bitflags attribute. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Friday, October 03, 2003 10:41 AM To: '[EMAIL PROTECTED]' Not really. If I remember the schema correctly,

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Joe
Thanks Dean! Now why exactly did you document this process for a customer? What bad things are you having them do? joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Friday, October 03, 2003 10:12 AM To: AD mailing list (Send) It

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Joe
That is what I was shooting at. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Friday, October 03, 2003 10:39 AM To: '[EMAIL PROTECTED]' I think the issue is how to enforce the password policy but provide a lag time

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Joe
However, you must write the 0 before you write the -1, that is the little secret. Otherwise it doesn't do anything because it knows it is wrong... joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Friday, October 03, 2003 11:12

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Joe
I'm kind of wondering if being here Stuart will see it and go, shit. and then some hotfix will all of a sudden take it away. Look at what happened when Robbie publicly documented how to delete schema objects... joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] Password Policy

2003-10-03 Thread Joe
Try a net use connection with a bad password. That should generate the double bad. Also if you have any Win9x, they can do up to three bad auths during interactive logons for every single attempt. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [ActiveDir] Exchange 2k ?

2003-10-03 Thread Joe
That is exactly the problem. The issue from MS is that Outlook uses NSAPI (I think?) to do the DL management and it doesn't deal with referrals. So of course my next response was, well O2K3 just came out so of course you fixed this right? Ummm no, we don't consider it a bug... It is how it

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread Dean Wells
LOL! Not me, at least not this time. The admins. inadvertently re-ACL'd the entire sysvol hierarchy (and much of AD) and managed to deny each and every security principal any permission to perform any action. After a series of reboots (the customer's generic means of fixing anything, one which