RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-27 Thread Rick Kingslan
True enough, Roger. I won't in any way disagree that this was the case. But, there have been some changes - rhetoric or not, I can't say. But, we were told in what is now a public transcript that the future database technology that would be first introduced in Yukon would be pervasive throughout

RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-27 Thread Joe
Darn that Bill... I guess he didn't sign the NDA... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan Sent: Tuesday, August 26, 2003 2:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Re: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread [EMAIL PROTECTED]
Brent, I don't think it's a good idea to store reversibly encrypted passwords in AD, especially since they get replicated to DCs which you may not be able to physically secure. However, you can use the password filter DLL to intercept password changes, and dynamically store the new passwords away

Re: [ActiveDir] Accessing share

2003-08-27 Thread Sunil Shetty
Thanks Joe for the suggestions. The machine had stored the previous connection session in the registry, as it restores the share connection when you log in again. I simply disconnected the share and logged on to the machine again with the new user/pass and it worked. Thanks, regards, Sunil Shetty

RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-27 Thread Dave Sayers
Basically you can do searches in LDP using a DN, GUID or SID as the Base DN (GUIDs and SIDs need to be surrounded by GUID=. or SID= as in Joe's example below). Really useful in "Account Unknown" scenarios in the ACL Editor to translate the SID shown to an actual group or user

RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-27 Thread Roger Seielstad
It's absolutely going to be a fun ride, that's for sure. I'm VERY interested in seeing how they choose to overcome the inherent limitations in the structured vs. unstructured debate. I'm starting to be of the opinion that structured data storage is going the way of the dodo - again because of

RE: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread Roger Seielstad
Well, Win2k and later include the Internet Authentication Service, which IS RADIUS for Windows using AD as the database. I believe RADIUS servers can be chained (a la LDAP referrals) as well. -- Roger D. Seielstad

RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-27 Thread Roger Seielstad
You're not looking under the right rocks for the Exchange talent then ;) There is a significant percentage of "Exchange admins" out there that don't understand it, but there are some really, really sharp ones who understand it quite well. Roger

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
Tony, I believe that the 1000 SID limit is only relevant for NTLM authentication - the Kerberos ticket accepts a far smaller number of SIDs in the token by default (roughly 120). With the number of group memberships that you have (likely more than 120), it sounds like you'll have to increase the

RE: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread Michael B. Smith
If you are using a non-Windows RADIUS client with IAS, or the client software only supports PAP or CHAP, the passwords for the users must be stored reversibly encrypted. It's also required if a Macintosh is using remote access. -Original Message- From: Roger

RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-27 Thread Joe
We have MCS and MSPSS Alliance Premier. I realize we have a large, unusual, non-homogeneous environment, but we have encountered many who say it isn't a problem until they get into it and then realize the questions we ask aren't questions normally asked and that we don't just give

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Roger Seielstad
By extension, if you've got nested groups that carry SID-history baggage, does that mean that you're further limited? In other words, a nested group pair, where both groups have SID history defined, takes 4 token slots? Roger -- Roger D.

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Joe
I agree on cleaning up the SID histories. Also, the number of groups you are in before you break can vary greatly based on where in the forest the groups are located. One of the fixes implemented changes how the group information is stored in the token; if the groups are all local to the domain

RE: [ActiveDir] authoritative GPO restore

2003-08-27 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
You should even be able to restore a single GPO without an authoritative restore of the whole database (very bad idea to do this if you don't absolutely need to) - but your problem will be documentation: you will need the GUID of the GPO to address its GPC in the System\Policies container during

[ActiveDir] SP4 question

2003-08-27 Thread Jon Hicks/MIS/HQ/KEMET/US
I have heard mixed opinions on whether or not installing Win2k SP4 breaks the MS03-026 patch. Does anyone have any links to docs from MS about this subject? NTBUGTRAQ posted some reports from people that SP4 did break the patch, but later found it to be untrue. Thanks, Jon Hicks | KEMET

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Tony Murray
Thanks Joe and Guido All the groups are in the same domain. No SIDHistory with either the user account or the groups. We have tried changing the MaxTokenSize value on the member server before the join, but it doesn't appear to make any difference. The really strange thing is that the joins

RE: [ActiveDir] SP4 question

2003-08-27 Thread Hutchins, Mike
Which one came out first chronologically? From: Jon Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 27, 2003 7:03 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] SP4 question I have heard mixed opinions on whether or not installing Win2k SP4 breaks the MS03-026 patch.

[ActiveDir] Terminal Services and domain credentials Win2k3-Win2k

2003-08-27 Thread Wilkinson, Stephen
This may be slightly off-topic, but we are seeing something odd in our environment where when we try to connect via terminal service (any client) to a host in a Windows 2000 (SP4) Active Directory domain with an account from a W2003

RE: [ActiveDir] SP4 question

2003-08-27 Thread Rick Kingslan
John, show him the statement from TruSecure. Microsoft is not going to respond to it, as they denied that it was a problem from day one. Russ as much as admits this and the problem is now history. If your boss will not accept Russ Cooper's retraction as stated, then I doubt that a

RE: [ActiveDir] SP4 question

2003-08-27 Thread Rick Kingslan
Rod, with all due respect, did I somehow indicate otherwise? If I miscommunicated the message, I'd appreciate guidance on how to better answer a question of this type. -rtk From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rod Trent Sent: Wednesday, August 27, 2003 9:10 AM To:

RE: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread Rick Kingslan
Brent, I can't even imagine why your Network Engineer would think that you need to enable Reverse Encryption for SBR to work. Your first question should be "Do you REALLY know what you're doing?" SBR does NOT require this setting - at least the current version(s), including the past couple

RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-27 Thread Narkinsky, Brian
Well, isn't NTFS, or really any file system, really a simple database? The way it is looking to me is not so much "SQL everywhere!" but "WinFS everywhere!". And WinFS has borrowed heavily from SQL technology. Not sure I am using WinFS right here, maybe... WinFS is just the CIFS/SMB/drive letter

[ActiveDir] overlapping IP space in AD sites?

2003-08-27 Thread Thommes, Michael M.
Hi, We have a pretty complex IP structure with various types of access. As we develop AD sites for low bandwidth connected remote offices, I was wondering how AD handles site subnet definitions that might overlap one another. For example: 10.10.0.0/16 = Site 1 10.10.88.0/25 = Site 2 The

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Peck, John C SITI-ITDPAD
Sounds identical to some problems that Shell has experienced recently. John Peck Shell Information Technology International IT Infrastructure Projects (Phone) 713-245-2183 (Office) IC - 5S06 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon -Original

RE: [ActiveDir] SP4 question

2003-08-27 Thread Rod Trent
:) Sorry...I only highlighted the words because that's the statement from MS, and to thumbtack the issue. It caught my eye only after your post, but I was responding to the general thread. I've seen this issue floating around due to BugTraq's report. BugTraq provides a good service, but

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
yeap. Which doesn't mean that you should now hurry and simply perform SID-History cleanup in your environment without doing the necessary investigations. Your environment might still heavily rely on SID-History without you realizing it... Even if you've done your re-acling on all existing

RE: [ActiveDir] SP4 question

2003-08-27 Thread Jon Hicks/MIS/HQ/KEMET/US
I agree completely. It is funny: after I sent my boss all the info I have found about the issue and performed my own tests here, which came back negative for the SP rolling back the hotfix, they still emailed our MS TAM about the issue and here is what was sent back: The patch is post-SP4

RE: [ActiveDir] Terminal Services and domain credentials Win2k3-Win2k

2003-08-27 Thread Roger Seielstad
Check out this article from Paula Sharick @ Windows 2000 mag - there are a few low level security changes made in SP4 that might cause some issues, both with certain applications using SeImpersonate but also with Terminal Services:

RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-27 Thread Roger Seielstad
That's kinda where I was going with all this - although my personal belief is that there should be 2 underlying storage schemes (which I've referred to as structured and unstructured), I can see where one makes sense. I am waiting, however, for the SQL style front end to Exchange and my file

RE: [ActiveDir] SP4 question

2003-08-27 Thread Rod Trent
Jon, if you wouldn't mind, send your TAM's name offline. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jon Hicks/MIS/HQ/KEMET/US Sent: Wednesday, August 27, 2003 11:33 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SP4 question I agree completely. It is funny, after I

RE: [ActiveDir] SP4 question

2003-08-27 Thread Rick Kingslan
NP, Rod - this is what I suspected. I only replied because if I misconstrued something, I wanted to be correct. Thanks for clearing it up for me - and hopefully for others. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rod Trent Sent: Wednesday, August 27, 2003 10:33

RE: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread Wilhelm, Brent
Rick, Thanks for the info, I will look into it ASAP. Brent -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 27, 2003 9:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] - reverse encryption of ad passwords Brent, I can't

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Joe
At least. If you have multiple SIDs in the token history you could use even more space. Take the case that you moved a group between domains multiple times: you would have a SID for every move, plus the final domain SID which was current. Joe -Original Message- From: [EMAIL PROTECTED]

RE: [ActiveDir] overlapping IP space in AD sites?

2003-08-27 Thread Joe
This is fine. We actually have a couple of class A subnets defined and then subdefine those to more specific sites, i.e. the class A points to an overall company site, and many 24-bit-mask or 23-bit-mask subnets are then defined to further refine the site the clients should use. The clients will chase

RE: [ActiveDir] overlapping IP space in AD sites?

2003-08-27 Thread Hagberg Lars
Hi. It should work; based on my experience, AD selects the smallest subnet that covers the IP address. In your example, IP addresses 10.10.0.1 - 10.10.255.254 are in site 1, except for 10.10.88.1 - 126, which are in site 2. Has anybody seen any documentation about this? //Best Regards, Lars -Original