Joe,

Hmmmmm.  Apparently, we were typing about the same time.  Question/topic
comes about the same time as the response.  

Ehhhh.....  What the heck - maybe next time.  

;)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 25, 2003 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] You guys amaze me!

OK - here's a GOOD topic.  Joe, can you explain some of the ins and outs
of your password reset system (without, obviously - revealing sensitive
issues) and how it works (again - same caveat applies).

I'm most interested in how you approached and solved the security issues in
how to absolutely and uniquely identify a user.  Clearly, the implications
are huge.  If everyone is subject to such a system, can it be used as a DoS
tool, if not - how did you mitigate?  Naturally, with a password policy in
place the easiest way to DoS anyone is to just attempt to login with a bogus
password until it locks the account.  Obviously, many of us are getting more
script aware, and this sounds like a cool application we all could use.

The reason that I ask is two-fold:

1.  Sounds like a perfect conversation topic now that we've beaten the shit
out of Exchange.

2.  I'm self-serving and tried to do this only to get shot down by our Sec
Director.

Reasons why it got shot down are valid, but will come out during the
discussion, so I won't taint it up front.

What say you, Mr. Richards?  Are you game?  Or, just gamey?  ;p

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
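The lockout-as-DoS point raised above is one a detection engineer can put numbers on. The following is an added example, not code from anyone on this thread: it runs over a constructed batch of Security-log events and separates "one source cycling bad passwords through many accounts" from "one forgetful user". It assumes the events have been exported as records with EventID, TimeCreated, TargetUserName and a Source (caller workstation or IP) field, and it uses the post-2008 event IDs 4625 (failed logon) and 4740 (account locked out); on the Windows 2000/2003 DCs discussed here the equivalent IDs are 529 and 644. The lockout threshold and observation window are assumed policy values, not values from the thread.

```python
"""Spot account-lockout DoS in exported Windows Security events.

Constructed sample data; assumed policy values; see the lead-in.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed domain policy (not from the original thread):
LOCKOUT_THRESHOLD = 5                        # bad passwords before lockout
OBSERVATION_WINDOW = timedelta(minutes=30)   # "reset counter after" setting

BASE = datetime(2003, 10, 25, 9, 0, 0)


def _ev(event_id, seconds, user, source):
    """Build one event record; field names are assumed export names."""
    return {"EventID": event_id, "TimeCreated": BASE + timedelta(seconds=seconds),
            "TargetUserName": user, "Source": source}


def build_sample_events():
    """Constructed sample: workstation 10.0.5.23 sends five bad passwords to each
    of five accounts (locking each one), while 'frank' mistypes twice from
    10.0.7.9. No real log data."""
    events, t = [], 0
    for user in ["alice", "bob", "carol", "dave", "erin"]:
        for _ in range(LOCKOUT_THRESHOLD):
            events.append(_ev(4625, t, user, "10.0.5.23"))
            t += 3
        events.append(_ev(4740, t, user, "10.0.5.23"))   # DC reports the lockout
        t += 3
    events.append(_ev(4625, 40, "frank", "10.0.7.9"))
    events.append(_ev(4625, 55, "frank", "10.0.7.9"))
    return sorted(events, key=lambda e: e["TimeCreated"])


def _max_in_window(times, window):
    """Largest number of sorted timestamps falling inside any span of `window`."""
    lo, best = 0, 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def spraying_sources(events, window=OBSERVATION_WINDOW, min_accounts=3):
    """Sources whose 4625 failures hit >= min_accounts distinct accounts within
    `window`. Returns {source: sorted account names}. One source touching many
    accounts is the lockout-DoS (or password-spray) signature."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_src[e["Source"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["TimeCreated"] - evs[lo]["TimeCreated"] > window:
                lo += 1
            accounts = {e["TargetUserName"] for e in evs[lo:hi + 1]}
            if len(accounts) >= min_accounts:
                hits[src] = sorted(accounts | set(hits.get(src, [])))
    return hits


def largest_lockout_burst(events, window=timedelta(minutes=5)):
    """(count, accounts) for the densest cluster of 4740 lockouts within
    `window`. Several distinct accounts locking within minutes is not
    forgetful users; it is someone driving the policy against them."""
    locks = sorted((e for e in events if e["EventID"] == 4740),
                   key=lambda e: e["TimeCreated"])
    best_count, best_accounts, lo = 0, [], 0
    for hi in range(len(locks)):
        while locks[hi]["TimeCreated"] - locks[lo]["TimeCreated"] > window:
            lo += 1
        accounts = sorted({e["TargetUserName"] for e in locks[lo:hi + 1]})
        if len(accounts) > best_count:
            best_count, best_accounts = len(accounts), accounts
    return best_count, best_accounts


def accounts_near_lockout(events, threshold=LOCKOUT_THRESHOLD,
                          window=OBSERVATION_WINDOW):
    """{user: failures} for accounts within one bad password of lockout
    (failures >= threshold - 1 inside the observation window). Useful as an
    early warning before the 4740 arrives."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_user[e["TargetUserName"]].append(e["TimeCreated"])
    at_risk = {}
    for user, times in by_user.items():
        n = _max_in_window(sorted(times), window)
        if n >= threshold - 1:
            at_risk[user] = n
    return at_risk


if __name__ == "__main__":
    evs = build_sample_events()
    print("spraying sources:", spraying_sources(evs))
    print("largest lockout burst:", largest_lockout_burst(evs))
    print("near lockout:", accounts_near_lockout(evs))
```

On the sample, only 10.0.5.23 is reported as a spraying source (five accounts), the five 4740s form one burst, and frank's two typos stay below the warning line. The mitigation side of Rick's question is policy, not code: a lockout threshold high enough that a typo-prone user cannot self-lock, a short observation window, and alerting on these patterns rather than on individual lockouts.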
 



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 25, 2003 12:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] You guys amaze me!

Right up front, the domain rename scares me. Everyone seems to say, yeah it
is there but.... 

Before I answer anything else though, what kind of data do you have in AD?
Is it the basic NOS stuff or have you deployed Exchange or other AD aware
apps that have populated it? My guess is you aren't doing a lot with AD yet
so most likely following option two doesn't lose much if any information
that you can't export off into LDIFs and reimport after you are back to W2K
DC's.

Pay isn't bad. However, in relative terms you are probably doing better. 100
users per admin versus our ratio of something like 83000 users per admin and
I would be lucky to be making 5x-10x what you make let alone 830x.... On the
flip side though, you probably haven't put a provisioning system and auto
password reset system into place - yet. :op

   joe


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, October 23, 2003 10:06 AM
To: [EMAIL PROTECTED]

I'm serious.

Here is a question for you.  As always, if you could offer any info, I would
be very grateful.  We're a small shop with only 2 Admins managing 200 users
in 4 states and we don't have the firepower you guys do.

Let's say you don't like your AD domain name and you want to change it.  You
have 4 DCs, 3 each W2K SP3 and 1 each NT4 SP6a, so you're still in mixed
mode.  You could move the NT DC to 2K, then move everyone to W2K3, then
raise the Forest functionality level and then play Russian Roulette with
Rendom.  That's one option.  Or could it be as simple as DCPromoing all 3
W2K3 servers down to Standalone servers, allowing the NT4 DC which still
controls the pre-W2K subdomain name to take full control of the domain
again, and then DCPromoing one of the 3 W2K DCs back up to W2K as the FSMO
and renaming the domain to what you want?  I would love to believe I could
do it and get away with it.

Thank you people.

PS:  I don't envy you Joe.  I hope you're being paid well!

RH

-------------------------------------------------
Rocky Habeeb
Microsoft Systems Administrator
-------------------------------------------------
James W. Sewall Company
Old Town, Maine
-------------------------------------------------
207.827.4456
habr @ jws.com
www.jws.com
-------------------------------------------------

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
