Title: WASTING RIDs
I know the problem, I am not necessarily seriously concerned with it. Most likely you will catch something like this in a one off environment with an admin in a gui but anything using an automated system will most likely choose a password that is known to be within the proper rule set. I do recall the first time I saw it and thought, that is wasteful, but on further reflection for the reason above and others, I chose not to really worry about it as it is small fries in the world with the other issues that exist. I have hundreds of thousands of user/computer/group objects in a domain with hundreds of thousands (if not millions) that have been deleted and haven't had any issues as yet in the 7 or so years we have been doing Windows total and specifically the 4 years of Windows 2000 in which that problem has existed since.
 
Note you can see this functionality by calling the NET API calls as well via say NET USER.
 
I guess overall if my opinion wasn't clear, yes it is wasteful, but not harmfully so from what I can see for most any installation and think there are far more critical issues I would like to see the Directory Team tackling with their limited resources. Obviously you can contrive a scenario in which this could *possibly* cause issue, but you can do that with a great many things some of which would destroy your forest utterly to the point that nothing works and you can't restore from tape even. No I absolutely will not clarify that.
 
 
  joe
 
 
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, April 07, 2004 2:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] WASTING RIDs

Hi Everyone,

A few days ago I experienced the following:
I was playing with RID pools, tombstones (deleted objects) and the new "reanimate tombstone API" and the following came to my attention:

Let's say a certain AD environment (W2K3, I think the same happens in W2K) has a certain password policy that passwords need to comply with. When trying to create a user with a password that does not comply with the password policy the following happens: the system creates the user with the next RID to be used and after that it checks the password. If the password does not comply, the user with the RID used is deleted (tombstoned) and the system generates an error stating the password does not comply. Clicking BACK and using a password that complies with the policy creates the user again with the following RID. In this situation TWO RIDs were used to create one user (this of course depends on the incorrect passwords that are used when creating the user).


How to reproduce this:
* Create a user that has never existed before in W2K3 AD with an empty password until the error is generated (do not click OK)

* Check that user that was just created but is disabled (using another instance of DSA.MSC)
* Check the RID value (last value of the SID after the - ) of that user account with LDP
* Click OK on the error within the first instance of DSA.MSC
* Check with LDP the deleted objects container (use MS-KBQ258310: Viewing Deleted Objects in Active Directory) for the first user created and compare the RID value with the previous value

* Correct the password and continue creating the user
* Check the RID value (last value of the SID after the - ) of the "new" user account with LDP and check that it was incremented by 1 compared with the previous RID value


Apparently the system can only check if the password complies with the policy when it is written to the user account AFTER the user is created.

Maybe I'm mistaken, but shouldn't the system FIRST check if the password complies with the policy and if it does, then create the user and write the password to the account? Personally I think this is an unnecessary waste of RIDs within a certain domain.

Do you guys agree with me and should this be changed by Microsoft?
 
Regards,
Jorge

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
__________________________________________


LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089
5605 JB Eindhoven
Tel     : +31-(0)40-2957777
Fax     : +31-(0)40-2957709
Mobile  : +31-(0)6-29067977
E-mail  : [EMAIL PROTECTED]
<http://www.logicacmg.com/> - Solutions that matter -
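The two allocation orders discussed in this thread (allocate a RID and then validate the password, versus validate first), modelled in an added Python example that is not part of the mailing-list post. The complexity check is an assumed approximation of the default Windows rules, not Microsoft's filter, and the SID, account names and passwords are constructed.

```python
import re

SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

def rid_of(sid: str) -> int:
    """RID = the last sub-authority of a domain SID (the value after the final '-')."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(m.group(1))

def meets_complexity(password: str, sam_account_name: str, min_length: int = 7) -> bool:
    """Assumed approximation of the default Windows complexity rules (documented
    behaviour, not Microsoft's code): minimum length, must not contain the account
    name, and at least three of four character classes."""
    if len(password) < min_length:
        return False
    if sam_account_name and sam_account_name.lower() in password.lower():
        return False
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3

def simulate_creations(attempts, first_rid: int, check_first: bool):
    """Model the DC's RID allocation for a sequence of (sam_account_name, password)
    creation attempts. check_first=False is the behaviour described in the post:
    allocate a RID, then validate the password and tombstone the object on failure.
    Returns (created {name: rid}, number of RIDs wasted)."""
    next_rid, created, wasted = first_rid, {}, 0
    for name, password in attempts:
        ok = meets_complexity(password, name)
        if check_first:
            if not ok:
                continue                              # rejected before any RID is taken
            created[name] = next_rid
            next_rid += 1
        else:
            rid, next_rid = next_rid, next_rid + 1    # RID consumed unconditionally
            if ok:
                created[name] = rid
            else:
                wasted += 1                           # object tombstoned; RID never reused
    return created, wasted

# Constructed sample: an empty password, a weak one, then two compliant ones.
ATTEMPTS = [("jdoe", ""), ("jdoe", "password"), ("jdoe", "Tr0ub4dor!"), ("asmith", "Xy9!kLmq")]
```

Running `simulate_creations(ATTEMPTS, 1104, check_first=False)` reproduces the gap in RIDs that the LDP comparison in the post reveals; with `check_first=True` the same attempts consume only the RIDs of the users that actually exist.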


