Silver23

Forum Replies Created

Viewing 19 posts - 61 through 79 (of 79 total)
  • Author
    Posts
  • Avatar
    Silver23
    Member

    Re: Folder Redirection Problem with Vista Client and Server 2003 Domain

    Hi,

    Had some issues with this myself, but the following link should supply you with many answers.
    And NO the XP and Vista profiles are definitly not the same. But they can be made to be exchangable. Good luck

    http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx

    Avatar
    Silver23
    Member
    in reply to: Domain Password not reset #292224

    Re: Domain Password not reset

    Try ERD commander, it will do the exact steps with services as described in Petri’s tutorial. It adds a service and will reset your Domain password.

    But it is much easier to use

    Avatar
    Silver23
    Member
    in reply to: Domain Password not reset #292223

    Re: Domain Password not reset

    I dont see the problem, if your local administrator account is disabld boot in safe mode and enable it. (it works)

    Also next you can login with your Local Administrator and do DOMAIN tasks, like resetting passwords or enabling user accounts, create new domain admins..

    To come back at biggles, yes there is a difference between these accounts, but not in rights.. But there will be though, look at Server 2008.

    If you cannot seem to get it right, tell us exactly what you are doing.

    Avatar
    Silver23
    Member
    in reply to: Domain Password not reset #292222

    Re: Domain Password not reset

    Afaik with local admin on a domain controller u can do all any domain admin can do, so create either a new domain admin account or reset someone’s password from the domain admins group…

    Sounds easy huh?
    Let me know if it works.

    Avatar
    Silver23
    Member
    in reply to: Changing user login names using a GPO or batch #292221

    Re: Changing user login names using a GPO or batch

    Could you be a bit more specific?

    If all the login names are to be generic you could use DSMOD. with a FOR statement perhaps ?

    Avatar
    Silver23
    Member
    in reply to: Wireless Network : Files Visible to Everyone #292220

    Re: Wireless Network : Files Visible to Everyone

    that is one solution, but as with MS we use the least amount of administrative effort =-)

    Just disable file and printing while in the network, just one mouse click and you are done…

    Avatar
    Silver23
    Member
    in reply to: Email Names #292219

    Re: Email Names

    @PCking very intresting. But exactly how does it help ?

    I think think the best way is too change disply name and eiter wait of force a refresh from exchange system manager

    Avatar
    Silver23
    Member
    in reply to: no access to sysvol on DC #292218

    Re: no access to sysvol on DC

    http://support.microsoft.com/kb/887429

    May have the same kind of problem, unfortunately I cant actually edit any GP anymore. I can however diable them so it seems. kind of hard to explain.

    The above link should help u if u, like me cant change the policy cause it has been grayed out.

    Avatar
    Silver23
    Member
    in reply to: Administrator Password changed #292217

    Re: Administrator Password changed

    Tuong;62355 wrote:
    Hi Rick and Rems,

    So, for the final update. I got the password and was able to log on and change the administrator’s password. Hopefully the password does not get changed again. If you are curious, the password that I got was “REMOVED BY MOD“. Thanks again for all you help.

    Thanks,
    Tuong

    Why was the password removed ? It’s not like he’s gonna keep using it. And I for one was CURIOUS.

    Since I thougt it might be some kind of standard password after a specific update or something like that.

    Avatar
    Silver23
    Member
    in reply to: Password problems with XP workstation #292216

    Re: Password problems with XP workstation

    jimbo67;61628 wrote:
    I run a small network for a doctors office….I have 13 workstations and a 2003 SBS server…One of the workstations in my network is from the original office and was setup with an admin account before it was joined to the current network.
    Ok…The problem….I do not know the admin password, so I can not change the local policys…The login account I have the password for was setup without the ability to install programs…I can’t even do a windows update…I need a way to either find the password or change the password on the admin account.
    I have done the password change from the server side and it does not change the admin password on the worstation…I aslo have a roaming admin account but it still denies me permission to add programs! Thanks for any help!
    Jim

    Have you read Petri’s excellent article on recovering/resetting passwords, if so you should already be done. If not u can tell us what u did wrong and we will help if possible.

    Avatar
    Silver23
    Member
    in reply to: open RDP port #292215

    Re: open RDP port

    daviddavis;58873 wrote:
    Yes, Paul is right, unencrypted RDP is a security risk and VPN would be more secure.

    Thanks

    AFAIK RDP can be encrypted. Even can be used with certificates so the source can be verified.

    So i dont agree that it is per definition a security risk.

    Avatar
    Silver23
    Member
    in reply to: Administrator password has been changed #292214

    Re: Administrator password has been changed

    rvalstar;60204 wrote:
    You really need to get some outside security professionals in there to assess. I would have done that immediately had I appreciated the extent of the sabotage and the likelyhood of monetary claims.

    You’ll need a compatible driver for whatever OS you boot. If you use something like a BartPE, then your existing windows driver should do the trick.

    So if I would have a let’s say a HP RAID whatever, and I would like to use a linuxdisk to change the PW for non domain-admin, I would need a specific linux driver, to mount the drive. Sounds logical, now i come to think of it.

    About hiring security prof’s. Maybe I should have done that, but we are an external company, so we could only advise such a thing to the actual company owner. But i would expect longer downtime.

    And since the personnel couldnt get any work done without an accessible server/internet/e-mail, our primary goal was to get it up and running as fast as possible.

    I would have made a ghost image of the drive of some kind, including forensic data, so that i would be able to recover deleted event logs. Unfortunately I was informed about the cause of downtime, some time after i started trying to get it back online, Though it may still be possible, it is already less reliable as there is constantly data written to the HDD

    Avatar
    Silver23
    Member
    in reply to: Network spying… #292213

    Re: Network spying…

    There IS actually a way to view (RDP) a users session in windows XP. Though already possible for Terminal services on 2003.

    I will not post a how-to, i just wanted to state the fact that it is really possible(although only on xp professional AFAIK), the reason for not posting this info, is that it is simply a hack, just like bypassing windows activation, which is also not legally allowed.

    Avatar
    Silver23
    Member
    in reply to: Administrator password has been changed #292212

    Re: Administrator password has been changed

    rvalstar;59905 wrote:
    AFAIK, the “Application” string must be an EXE like

    The “AppParameters” would then be

    Thx for the info(points awarded), i’m sure this wont be my last server with an unknown password, as a matter of fact, i had another one today(same administrator, different location)

    offtopic:
    what kind of selfrespecting admin would sabotage a network ? (in this case more then one company was disrupted for about 2 days.!!)
    /offtopic

    I usually like doing stuff the manual way, keeps me sharp. but i must admit, in this case i used winternals anyway to save me some time.

    Works great for this kind of thing, but man is it unstable. It will hang, it is just a matter of how many minutes. ( i have test tried it on many computers/servers) so i know what im talking about.

    Now at the risk of going further offtopic, any idea’s on how to prove someone sabotaged the network/servers ? There were 2 cisco routers(both reset to default configuration they were in vpn, and 2 servers win2k and a win2003 server, event logs were all erased.) There will be claims concerning damage to the concerning company’s.

    Any help in this will be appreciated !!

    Back on-topic, if u want to manually reset the passwords on a win2003 server, i usually use nt-renew or something similar. As it usually happen, servers arent installed on basic HDD’s. so most of the time u will need 3rd party drivers.

    My question, if i have a (RAID)driver that works for let’s say the windows installation, will this driver also work for resetting the local admin password via a linux boot cd/disk/usb stick) ?

    Avatar
    Silver23
    Member
    in reply to: Administrator password has been changed #292211

    Re: Administrator password has been changed

    rvalstar;59833 wrote:
    Glad it worked out.

    Just for my info, I take it this was the domain admin password and the srvany bit you refer to was from here?:

    http://www.petri.com/reset_domain_admin_password_in_windows_server_2003_ad.htm

    Did you try it specifically or use Winternals (per your reference)?

    Reason I ask is I find the service back door to be one of the best ways to take control and I’m wondering where did it fail for you? I’m not a big ERD fan as it appears to fail at least as often as it works. I usually set up the service by tweaking the registry by loading the hive in BartPE or mounting the disk as a slave on another machine.

    Would appreciate a post mortem so others can learn.

    Thx for the reply, yes this is about a domain admin password. And yes most of my info came from Daniel’s website. (very helpful and a great resource)

    I used winternals and also tried it manually when winternals failed at first. I really dont know why it failed so many times (also by tweaking the registry as well as with winternals, im pretty good with registry hacks and tweaking, but it is still possible to make mistakes).

    In this case it took about 20!! minutes to start the d**mn server every boot, so u can imagine it was a drag and i was VERY carefull making sure i had it right.

    Anyway I almost had given up hope that i would be able to reset the password, and i decided to give winternals another try, and whatdayaknow it worked the 3rd time…

    Concerning the registry edit, i also tried creating a new user with admin right, unfortunaltely, that didnt work as i had hoped either.

    In the “Application” string i had it saying c:tmpscript.cmd
    the cmd was created to first make a new user and a second line to make it member of the admin group, my guess is it should have worked that way, but there could be a limitation to starting a program by using a service.

    If u’d like to know more, let me know, ill tell u

    Avatar
    Silver23
    Member
    in reply to: Re-adding a computer back into AD #292210

    Re: Re-adding a computer back into AD

    Deland01;55970 wrote:
    I deleted an old computer from AD and added a new computer to the domain and gave it the same name(THIS WAS THE COMPUTERS REPLACEMENT). Now I need to re-add the old computer again. When I do it doesn’t pick up any of the details for the old pc again.
    To add to the problems I cant access the laptop with the local account as it wont allow me to connect to it & so I cant reset the password???

    Any suggestions how I can add this pc back onto the domain?

    Make it a member of the workgroup reboot, make it a member of the domain again.

    If the above doesnt solve your problem, maybe u need explain better..

    Avatar
    Silver23
    Member
    in reply to: Windows 2003 Server not saving Active Directory #292209

    Re: Windows 2003 Server not saving Active Directory

    leoh;55926 wrote:
    Then how do I make them both GC’s?

    Open “Active Directory Sites and Services” from administrative tools menu

    Follow tree Default-first-site etc all down. u will see your servers here.

    Select the server u want to make GC and right click it’s NTDS settings. check the checkbox and voila. It will take a while depending on the amount of users, to replicate.

    Avatar
    Silver23
    Member
    in reply to: Replacing W2K DC with new W2K3 DC #292208

    Re: Replacing W2K DC with new W2K3 DC

    jkhan;53672 wrote:
    Thanks for your reply, reading through your steps its pretty similar to mine. You might want to look at the FSMT Toolkit which is offered by Microsoft to transfer all your profile and share config to new server.

    I guess your environment is a bit smaller so you could manually recreate shares, printers etc..

    If I intend to upgrade the old server to a win2k3 dc also do I even need to transfer FSMO roles? I take it these get replicated onto new DC once I run dcpromo?

    I also noticed that you are disabling the GC and then enabling on new DC, is this something I would to have to do?

    Thanks for your reply again.

    Thank you for your comments and i hope u find mine usefull as well.

    My luck i get to start with a small environment, especially since this will be the 1st time i do this in a production environment. (Well i have been working with virtual servers in my own setup, complete with important shares and GPO) and so far everything is going just fine.

    You should enable GC on the new domain as soon as it’s a member AD server. that way it can start replicating the catalog. Enabling the GC also makes sure your clients can authenticate through this server.

    I will disable it on the old server since it will be decommisioned, you could leave it on so the authentication (if a lot) will be faster. Otherwise you should disable it to conserve network bandwidth.

    On my earlier comment, It’s generally recommended to *not* put GC and the infrastructure FSMO on one server unless it’s the only DC in the domain. something about it not updating if they are on the same server.(I’ve read a lot the last few days, so i might not have this entirely correct))

    Avatar
    Silver23
    Member
    in reply to: Replacing W2K DC with new W2K3 DC #292207

    Re: Replacing W2K DC with new W2K3 DC

    I’m kind of new at this myself, and i’m planning on doing the exact same thing.

    My planning is as follows.

    win2k server must have at least SP2 !
    – ADprep /forestprep on the schema master
    – ADprep /domainprep on the Infrastructure master

    – Placing the new server
    – Make it a member server
    – Install AD on the new server no other services yet. If i’m correct all the users will be transported, together with all GP.

    – Make it a GC server
    – Disable old GC < had this in but i guess i can do that in a later step.

    – install DNS will be secondary.
    – Install DHCP (Not authorise yet)
    – Check DHCP configuration and if necessary improve.
    – disable the old DHCP and authorize the new one. Can this be done around without confliction !?

    – switch FSMO roles to new server, i think this can be done earlier.

    After 16:00 people stop working at this articular day so i can do the last things.

    – Transfer user profiles, set rights and shares
    – Make changes in AD, can this be done with some tool ? lucky for me i only need to do 5 users i think. but i can imagine more then 100 users. Setting profile locations for that might take a while by hand..

    – Move production data

    I hope this helps u, and maybe u have a suggestion for me too.

    edit:

    Quote:
    The setup will now have 2 DC’s on a win2k3 domain and all roles transfered to the new DC

    Do you mean the old server will keep running ? If so it might be a good practice to keep some of the FSMO’s on the original server.

Viewing 19 posts - 61 through 79 (of 79 total)