Active Directory Problem - DFWstangs Forums
 
post #1 of 27 (permalink) Old 12-10-2003, 05:48 PM Thread Starter
 
Join Date: Mar 2003
Posts: 1,394
Active Directory Problem

I get this message when trying to create a new user:



This is what my settings look like:



I was trying to set the password to: testing

Now last nite, I created two users...no problems. Left the computer on, went to work this morning. Got home this afternoon, went to add another user account and got cockblocked by my own computer
xtremcoder is offline  
 
post #2 of 27 (permalink) Old 12-11-2003, 09:56 AM
Time Served
 
Join Date: May 2003
Location: South of Heaven
Posts: 193
You need to make sure that the same settings are in the Local Security Policy, (if this is a DC then check the following too) the Domain Security Policy and the Domain Controller Security Policy.

NeoRaZor is offline  
post #3 of 27 (permalink) Old 12-11-2003, 11:47 AM Thread Starter
 
Join Date: Mar 2003
Posts: 1,394
thanks for the help -- ill try it when i get home. but why would it work one day, and the next (without making ANY changes) not work
xtremcoder is offline  
 
post #4 of 27 (permalink) Old 12-11-2003, 11:50 AM
\(_o)/
 
AbecX's Avatar
 
Join Date: Nov 2001
Location: Las Colinas
Posts: 25,373
Quote:
Originally posted by xtremcoder
why would it work one day, and the next (without making ANY changes) not work



Learn how to compress your screenshots! jesus f'ing christ!
AbecX is offline  
post #5 of 27 (permalink) Old 12-11-2003, 12:41 PM
 
Join Date: Sep 2001
Posts: 310
Re: Active Directory Problem

Quote:
Originally posted by xtremcoder
I was trying to set the password to: testing

Now last nite, I created two users...no problems. Left the computer on, went to work this morning. Got home this afternoon, went to add another user account and got cockblocked by my own computer

This isn't an issue with AD; rather, the group policy is not being adhered to. Look at what the error message is telling you, "the password does not meet the password policy requirement." You have enabled "Passwords must meet complexity requirements" on the Domain, and regardless of the local security policy the domain-level policy settings override local policy settings. The password "testing" does not meet those requirements, which are:

Cannot contain all or part of the user's account name
Be at least six characters in length
Contain characters from three of the following four categories:
    English uppercase characters (A through Z)
    English lowercase characters (a through z)
    Base 10 digits (0 through 9)
    Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.



Techweb has all this info and more!!


Hope this helps.
CBurt is offline  
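
The complexity rules listed in the post above can be checked before a password is ever submitted. This is an added example, not part of the original thread and not Microsoft's implementation; the account name `jsmith` is constructed, and reading "part of the account name" as any run of three consecutive characters is an assumption.

```python
MIN_LENGTH = 6          # "at least six characters in length"
MIN_CATEGORIES = 3      # "three of the following four categories"
NAME_FRAGMENT = 3       # assumption: shortest run of the account name that counts as "part"


def character_categories(password):
    """Return which of the four listed categories appear in the password."""
    found = set()
    for ch in password:
        if "A" <= ch <= "Z":
            found.add("uppercase")
        elif "a" <= ch <= "z":
            found.add("lowercase")
        elif "0" <= ch <= "9":
            found.add("digit")
        elif not ch.isalpha():
            found.add("non-alphabetic")
    return found


def name_fragments(account_name, size=NAME_FRAGMENT):
    """All lower-cased runs of `size` consecutive characters from the account name."""
    name = account_name.lower()
    return {name[i:i + size] for i in range(len(name) - size + 1)}


def complexity_failures(password, account_name):
    """Return a list of the rules the password breaks; empty means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    if any(fragment in lowered for fragment in name_fragments(account_name)):
        failures.append("contains part of the account name")
    categories = character_categories(password)
    if len(categories) < MIN_CATEGORIES:
        failures.append("only %d of 4 character categories (%s)"
                        % (len(categories), ", ".join(sorted(categories)) or "none"))
    return failures


if __name__ == "__main__":
    # "testing" is the password from the thread; the others are constructed.
    for candidate in ("testing", "Testing1", "Jsmith2003!", "Ab1!"):
        problems = complexity_failures(candidate, "jsmith")
        print("%-12s %s" % (candidate, "OK" if not problems else "; ".join(problems)))
```
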
post #6 of 27 (permalink) Old 12-11-2003, 02:13 PM Thread Starter
 
Join Date: Mar 2003
Posts: 1,394
thanks for the info! ill check it out when i get home... i wasnt sure what the complexity reqs were, thanks!

i didnt resize the image for two reasons:
1) all i have is paint on the server and i dont know how to keep the ratio in paint

2) if i resized it, i wasnt sure youd be able to read the contents...
xtremcoder is offline  
post #7 of 27 (permalink) Old 12-11-2003, 02:29 PM
No Cerveza... No Trabajo
 
01WhiteCobra's Avatar
 
Join Date: Jun 2002
Location: Where's my beer?
Posts: 21,924
Quote:
Originally posted by xtremcoder
thanks for the info! ill check it out when i get home... i wasnt sure what the complexity reqs were, thanks!

i didnt resize the image for two reasons:
1) all i have is paint on the server and i dont know how to keep the ratio in paint
(800x600 for simplicity sake)

800x600

Ratio = 4 to 3

Ctrl+W

Stretch -> 50% horizontal, 50% vertical

400x300

Ratio = 4 to 3
01WhiteCobra is offline  
post #8 of 27 (permalink) Old 12-11-2003, 03:14 PM Thread Starter
 
Join Date: Mar 2003
Posts: 1,394
xtremcoder is offline  
post #9 of 27 (permalink) Old 12-11-2003, 03:40 PM
 
Join Date: Sep 2001
Posts: 490
I would agree, its the policy thats blocking the creation.
Saleen09 is offline  
post #10 of 27 (permalink) Old 12-11-2003, 03:43 PM
No Cerveza... No Trabajo
 
01WhiteCobra's Avatar
 
Join Date: Jun 2002
Location: Where's my beer?
Posts: 21,924
Quote:
Originally posted by xtremcoder
Don't be a smart ass. Same information.

01WhiteCobra is offline  
post #11 of 27 (permalink) Old 12-11-2003, 03:50 PM Thread Starter
 
Join Date: Mar 2003
Posts: 1,394
doh! i wasnt trying to be a smart ass... sorry! i was just testing out what you told me! sorry about that!
xtremcoder is offline  
post #12 of 27 (permalink) Old 12-11-2003, 05:01 PM
\(_o)/
 
AbecX's Avatar
 
Join Date: Nov 2001
Location: Las Colinas
Posts: 25,373
Just compress the image, I'm not talking about physical size, them bitches were like 1.4mb and 265k which is just stupid!
AbecX is offline  
post #13 of 27 (permalink) Old 12-11-2003, 05:29 PM Thread Starter
 
Join Date: Mar 2003
Posts: 1,394
gotcha - i noticed at work i created an image (once again in Paint) and when i saved it as "wow.jpg" with the "" it was like 500kb then i changed the save as type to .jpg and it went to like 50kb

well, anyways... the problem was fixed. i changed all settings to match 01WhiteCobra's (which is what I originally had before i started messing w/ it last nite when i got the error) and it worked. now the users cant login, unless they are admins. but thats a different story. gotta find out how to allow users to login now
xtremcoder is offline  
post #14 of 27 (permalink) Old 12-11-2003, 05:49 PM Thread Starter
 
Join Date: Mar 2003
Posts: 1,394
alright, so my users CAN in fact log on. just not on the DC. i went to another machine and got all of the users to log in. hmmmm...
xtremcoder is offline  
post #15 of 27 (permalink) Old 12-11-2003, 06:51 PM
No Cerveza... No Trabajo
 
01WhiteCobra's Avatar
 
Join Date: Jun 2002
Location: Where's my beer?
Posts: 21,924
Quote:
Originally posted by xtremcoder
well, anyways... the problem was fixed. i changed all settings to match 01WhiteCobra's (which is what I originally had before i started messing w/ it last nite when i got the error) and it worked. now the users cant login, unless they are admins. but thats a different story. gotta find out how to allow users to login now
DOH! Sorry about that.

I didn't mean to copy my settings! That is a development machine well entrenched behind firewalls with only one user account on it and not tied to a domain.

I just meant to illustrate a "smaller screen shot" with the same (but different) info on it.

Sorry.
01WhiteCobra is offline  
post #16 of 27 (permalink) Old 12-12-2003, 08:46 AM
Lifer
 
HiTechRedneck's Avatar
 
Join Date: Jul 2003
Posts: 1,063
Quote:
Originally posted by xtremcoder
alright, so my users CAN in fact log on. just not on the DC. i went to another machine and got all of the users to log in. hmmmm...
Ok I have been highly medicated the last few days but I believe you are trying to get your users to login physically to the DC (Logon Locally)? I'm guessing you are doing this on a test DC and you already know this is a major security problem. [SoapBox]But then again you shouldn't start out learning the wrong way [/SoapBox].

Create a new GPO closer to the object than any other GPO (as long as you don't have the 'No Override' selected on a GPO that negates what you're trying to do here) and navigate to
Computer Settings
Security Settings
User Rights Assignment
Now click on the Log on Locally box in the right pane and add your users. Make sure to always add Domain Admins unless you want to piss off your Domain Admin.

See picture for your enjoyment.

Last edited by SYN/ACK; 12-12-2003 at 08:49 AM.
HiTechRedneck is offline  
post #17 of 27 (permalink) Old 12-12-2003, 10:15 AM Thread Starter
 
Join Date: Mar 2003
Posts: 1,394
Syn/Ack, yes I was trying to get the users to logon locally (on the DC). Now when I say users I mean... Me logging on w/ the user accounts (which are only one for my mom and one for my dad [this is at home]). I was just making sure that they could in fact login so that when they joined the domain they wouldnt have any problems. Well, when they joined they were able to login...after a really really long time of waiting. Its weird. At work when I log in, it doesnt take nearly as long. I guess its all about tweaking the settings now. Dont exactly know where to start though, which is why I installed AD in the first place - to learn. I'll try out what you are suggesting later today when I get home. Thanks!
xtremcoder is offline  
post #18 of 27 (permalink) Old 12-12-2003, 10:31 AM
Lifer
 
HiTechRedneck's Avatar
 
Join Date: Jul 2003
Posts: 1,063
Quote:
Originally posted by xtremcoder
Syn/Ack, yes I was trying to get the users to logon locally (on the DC). Now when I say users I mean... Me logging on w/ the user accounts (which are only one for my mom and one for my dad [this is at home]). I was just making sure that they could in fact login so that when they joined the domain they wouldnt have any problems. Well, when they joined they were able to login...after a really really long time of waiting. Its weird. At work when I log in, it doesnt take nearly as long. I guess its all about tweaking the settings now. Dont exactly know where to start though, which is why I installed AD in the first place - to learn. I'll try out what you are suggesting later today when I get home. Thanks!
*WARNING Syn/Ack is riding the NyQuil Train*

Logging on to the domain from a workstation is totally different from physically logging on the DC. Once the workstation joins the domain (with non-restrictive general settings) they should be able to use any username/password on their machine as long as they know the username/password combination. Physically logging on the DC should only be given to the Domain Admin and very few if any other user(s). Because if they can login to the DC they can do whatever they want. But you say no, momma's not gonna screw with my AD. So she logs on to my website one day and since she has ActiveX setup to execute no matter what (thanks micro$uck) I now have access to your DC. The next day you nor your momma can't logon to the DC thanks to me.

Security is a good thing, use linux.
HiTechRedneck is offline  
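
To see who actually holds the "Log on locally" right on a DC after GPO changes like those discussed above, the effective policy can be exported with `secedit /export /cfg <file>` and audited. This is an added example, not part of the original thread: the export text, the domain SID and RID 1104 are constructed, and the admins-only allow-list is an assumption drawn from the advice in the post.

```python
import configparser

# Constructed sample of a secedit export (real exports are UTF-16 INF files).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1104,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Well-known SIDs that are identical in every domain.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-32-550": "BUILTIN\\Print Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
DOMAIN_RIDS = {"512": "Domain Admins", "513": "Domain Users"}
# Assumption: only these should hold local logon on a DC.
ALLOWED = {"BUILTIN\\Administrators", "Domain Admins"}


def resolve(entry):
    """Turn one export entry (*SID or plain account name) into a readable name."""
    entry = entry.strip()
    if not entry.startswith("*"):
        return entry                      # already an account name
    sid = entry[1:]
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if sid.startswith("S-1-5-21-"):       # domain SID: map the trailing RID if known
        return DOMAIN_RIDS.get(sid.rsplit("-", 1)[1], sid)
    return sid


def audit(export_text):
    """Summarise password policy and local-logon holders from a secedit export."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str                 # keep the case of Se* privilege names
    cfg.read_string(export_text)
    raw = cfg.get("Privilege Rights", "SeInteractiveLogonRight", fallback="")
    holders = [resolve(e) for e in raw.split(",") if e.strip()]
    return {
        "complexity_enabled": cfg.getint("System Access", "PasswordComplexity", fallback=0) == 1,
        "min_length": cfg.getint("System Access", "MinimumPasswordLength", fallback=0),
        "local_logon": holders,
        "unexpected": [h for h in holders if h not in ALLOWED],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    print("Complexity enabled:", report["complexity_enabled"])
    print("Minimum length:    ", report["min_length"])
    for name in report["unexpected"]:
        print("Review local logon right held by:", name)
```
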
post #19 of 27 (permalink) Old 12-12-2003, 01:46 PM
 
Join Date: Sep 2001
Posts: 310
Quote:
Originally posted by SYN/ACK
So she logs on to my website one day and since she has ActiveX setup to execute no matter what (thanks micro$uck) I now have access to your DC. The next day you nor your momma can't logon to the DC thanks to me.

Security is a good thing, use linux.

To keep that from happening, keep your shit patched and Create an OU call it "Dumb Users" and with GP deny ActiveX.
CBurt is offline  
post #20 of 27 (permalink) Old 12-12-2003, 05:47 PM
\(_o)/
 
AbecX's Avatar
 
Join Date: Nov 2001
Location: Las Colinas
Posts: 25,373
Quote:
Originally posted by CBurt
To keep that from happening, keep your shit patched and Create an OU call it "Dumb Users" and with GP deny ActiveX.
With Microsoft only putting out updates once a month now, it's a better time than ever to move to linux.

There are over 6 known exploits out for windows that did not get patched this month and probably won't be patched till the middle of next month. Trustworthy computing at its best.
AbecX is offline  
post #21 of 27 (permalink) Old 12-12-2003, 07:37 PM
 
Join Date: Sep 2001
Posts: 310
Sure the Windoz OS has more holes than a spaghetti strainer, but I can't help but wonder if the open source alternative was the industry standard, what the digital landscape would look like? As it is right now, What's the point of attacking a niche market? No one will notice! No news coverage, nothing! The virus pukes go for the grandstand, see their work on the local and national news, and the media eats that shit up!

The bottom line is no OS is perfect, just yesterday I was reading about the discovery of a significant security hole in the Jaguar and Panther OS's, and that Mozilla is partially vulnerable to the recently announced URL spoofing security hole in Internet Explorer.

What someone can put together, somebody else can take apart, that holds too for everything.

.02


PS Besides I make alot of money off of Micr$oft
CBurt is offline  
post #22 of 27 (permalink) Old 12-12-2003, 10:06 PM
No Cerveza... No Trabajo
 
01WhiteCobra's Avatar
 
Join Date: Jun 2002
Location: Where's my beer?
Posts: 21,924
Quote:
Originally posted by CBurt

PS Besides I make alot of money off of Micr$oft
And that is why, for the last 20 years, I've programmed specifically for M$.
01WhiteCobra is offline  
post #23 of 27 (permalink) Old 12-12-2003, 11:29 PM
\(_o)/
 
AbecX's Avatar
 
Join Date: Nov 2001
Location: Las Colinas
Posts: 25,373
Quote:
Originally posted by CBurt
The bottom line is no OS is perfect, just yesterday I was reading about the discovery of a significant security hole in the Jaguar and Panther OS's, and that Mozilla is partially vulnerable to the recently announced URL spoofing security hole in Internet Explorer.
Agreed, but I'd rather have an exploit known one day and fixed the next, than fixed whenever, I don't have to install many updates at all, and a little known fact to most of you guys, OpenBSD has like maybe 2 updates a year. Panther, and Jaguar are mainly Desktop OS's, and Mozilla really wouldn't belong on a server, which is mainly what I'm talking about. I just don't like the idea of single grouped monthly patches, it's a retarded idea.

Quote:
PS Besides I make alot of money off of Micr$oft
We can make a lot of money on both, but we like to do a project and get finished, and not have to worry about it again, with Windows you have to worry about keeping it maintained and updated, babysat etc... Windows has its place, but man oh man I wish people would stop using that junk as a server to host junk code because it really gives me a fucking headache when I have to unplug someones infected windows 'server' from the network because they dont know what they are doing. We never have that problems with our opensource guys.
AbecX is offline  
post #24 of 27 (permalink) Old 12-13-2003, 12:33 AM
[]D[][]\/[][]D
 
Blue88Coupe's Avatar
 
Join Date: Sep 2001
Location: Oak Cliff
Posts: 2,167
Quote:
Originally posted by AbecX
Agreed, but I'd rather have an exploit known one day and fixed the next, than fixed whenever, I don't have to install many updates at all, and a little known fact to most of you guys, OpenBSD has like maybe 2 updates a year. Panther, and Jaguar are mainly Desktop OS's, and Mozilla really wouldn't belong on a server, which is mainly what I'm talking about. I just don't like the idea of single grouped monthly patches, it's a retarded idea.


We can make a lot of money on both, but we like to do a project and get finished, and not have to worry about it again, with Windows you have to worry about keeping it maintained and updated, babysat etc... Windows has its place, but man oh man I wish people would stop using that junk as a server to host junk code because it really gives me a fucking headache when I have to unplug someones infected windows 'server' from the network because they dont know what they are doing. We never have that problems with our opensource guys.
The baby sitters get paid well for baby sitting. Linux has had tons and tons of holes. They had root exploits up until the 2.6 kernel came out. and it isn't even released yet, just some test kernels. and my bet is there aren't any exploits for it yet because not many people are using it yet. OpenBSD has holes too just like everything else. (I don't even know why you brought it up like many people use it) Any box can be secure it just depends on the admin. Why not just set the windows boxes to autoget the updates then they are available. Just wait till the next buggy version on linux comes out... something like RedHat 6.2 was.
Blue88Coupe is offline  
post #25 of 27 (permalink) Old 12-13-2003, 01:03 AM
\(_o)/
 
AbecX's Avatar
 
Join Date: Nov 2001
Location: Las Colinas
Posts: 25,373
Quote:
Originally posted by Blue88Coupe
The baby sitters get paid well for baby sitting.
No question about that, but if you had your own company, would you go for a platform with proven stability and security, or with proven security flaws? It's similar to buying an old ass fairmont v6 with 200k miles for a daily driver, it's just not smart.

Quote:
Linux has had tons and tons of holes. They had root exploits up until the 2.6 kernel came out. and it isn't even released yet, just some test kernels. and my bet is there aren't any exploits for it yet because not many people are using it yet.
I've never once said that it had no exploits, my argument was at least they come out with patches in ample time where as in windows world you get a single patch a month while exploits stay out in the open. For example, they didnt release a patch this month but had 6 known security holes that they couldnt fix. Those get put off for another month, leaving a open exploit out for 2 months which is just not acceptable. When was the last time there was a proven exploit out for linux that went unpatched for months?

Beside that, most of the linux exploits that I see out arent related to any recent kernels, most of them are local exploitable where you have an account on the box. Most of the other ones are FTP or sendmail exploits, and I dont see many apache, mysql, or qmail exploits.

Quote:
Why not just set the windows boxes to autoget the updates then they are available.

Perhaps you didnt hear the news about single monthly patches out for windows now. Its not the updating part thats the problem, its the lack of reliable fixes coming from the vendor. You also have to factor in downtime from reboots that you have to do to finish install said patch, and then the 'service pack' factor that could really fuck up a production box.

Quote:
Just wait till the next buggy version on linux comes out... something like RedHat 6.2 was.
Anyone who runs RH62 or something thats more that 3 years old for their server OS needs to be shot anyway. IMHO, redhat doesn't really belong on a server with all the crap they put in it from the factory. I'm not sure how the enterprise version runs so I cant talk about that, but I hope its good seeing as its pay software.
AbecX is offline  
post #26 of 27 (permalink) Old 12-13-2003, 01:30 AM
[]D[][]\/[][]D
 
Blue88Coupe's Avatar
 
Join Date: Sep 2001
Location: Oak Cliff
Posts: 2,167
Quote:
Originally posted by AbecX
No question about that, but if you had your own company, would you go for a platform with proven stability and security, or with proven security flaws? It's similar to buying an old ass fairmont v6 with 200k miles for a daily driver, it's just not smart.
SCREW YOU My fairmont is cool! and other than one minor starter problem it has been perfect as a daily driver. whats up with your no working window, no windshield wiper, leaking rearend, no idling, door handles falling off Z28


Quote:
I've never once said that it had no exploits, my argument was at least they come out with patches in ample time where as in windows world you get a single patch a month while exploits stay out in the open. For example, they didnt release a patch this month but had 6 known security holes that they couldnt fix. Those get put off for another month, leaving a open exploit out for 2 months which is just not acceptable. When was the last time there was a proven exploit out for linux that went unpatched for months?.
Uhhh linux went all the way till this new kernel with a root exploit (but yeah they had a patch out for it in a few months, but why the hell did they wait a whole release to actually fix it???)

Quote:
Beside that, most of the linux exploits that I see out arent related to any recent kernels, most of them are local exploitable where you have an account on the box. Most of the other ones are FTP or sendmail exploits, and I dont see many apache, mysql, or qmail exploits.
Not related to any recent kernels?!?!?! are you feeling alright tonight? 2.4.* they JUST made a 2.6 test kernel. 2.2 had holes also. so where do you not see the recentness?
I had to re-read this and what you said doesn't make a lot of sense... "most of the linux exploits that I see out arent related to any recent kernels, most of them are local exploitable where you have an account on the box" this is just stupid, can you say PTRACE? and most kernel exploits are ones that you have to be local... (for that matter name an exploit that was out that you could remotely exploit a kernel...)

Quote:
Perhaps you didnt hear the news about single monthly patches out for windows now. Its not the updating part thats the problem, its the lack of reliable fixes coming from the vendor. You also have to factor in downtime from reboots that you have to do to finish install said patch, and then the 'service pack' factor that could really fuck up a production box. .
I updated my windows machines when I installed them and havent had any problems "yet". of course it took me a couple times to actually get them updated because I kept getting a virus when I connected to update

Quote:
Anyone who runs RH62 or something thats more that 3 years old for their server OS needs to be shot anyway. IMHO, redhat doesn't really belong on a server with all the crap they put in it from the factory. I'm not sure how the enterprise version runs so I cant talk about that, but I hope its good seeing as its pay software.
Im not saying people run it now. but back around 6.2 times(you might not have started using linux that early, you might have been because I remember busting root on your box quite a few times) the exploits were rampant. for months. bind, ftp, kernel, they might have had holes for about 6 or 7 months.

Last edited by Blue88Coupe; 12-13-2003 at 01:41 AM.
Blue88Coupe is offline  
post #27 of 27 (permalink) Old 12-13-2003, 01:45 AM
\(_o)/
 
AbecX's Avatar
 
Join Date: Nov 2001
Location: Las Colinas
Posts: 25,373
Quote:
Originally posted by Blue88Coupe
SCREW YOU My fairmont is cool! and other than one minor starter problem it has been perfect as a daily driver. whats up with your no working window, no windshield wiper, leaking rearend, no idling, door handles falling off Z28
Those are uhh security enhancements, they allow me not to be open to hacks

Besides, all that horsepower I got is bound to break some things, but you wouldnt know about all that.
Quote:
Uhhh linux went all the way till this new kernel with a root exploit (but yeah they had a patch out for it in a few months, but why the hell did they wait a whole release to actually fix it???)

Because it was an unknown patch that took one mad hacker to find it. If it was a known exploit, that shit would've been patched in hours, of which that exploit I was referring to was patched with 12 hours from its conception/public knowledge I believe.

Quote:
Not related to any recent kernels?!?!?! are you feeling alright tonight? 2.4.* they JUST made a 2.6 test kernel. 2.2 had holes also. so where do you not see the recentness?
I had to re-read this and what you said doesn't make a lot of sense... "most of the linux exploits that I see out arent related to any recent kernels, most of them are local exploitable where you have an account on the box" this is just stupid, can you say PTRACE? and most kernel exploits are ones that you have to be local... (for that matter name an exploit that was out that you could remotely exploit a kernel...)

Just made a 2.6 kernel? You really are out of the loop my friend, 2.6 has been out almost a year now. 2.2 was a very early kernel, I mean come on linux was just started to get big, of course it's going to have vulnerabilities out. Your arguments about the old fucking kernels really have no merit as I wasn't talking about out of box security, I was referring to security patches and the quickness that linux ones come out compared to the slow and inability to trust a ms patch.

Quote:
Im not saying people run it now. but back around 6.2 times(you might not have started using linux that early the exploits were rampant. for months. bind, ftp, kernel, they might have had holes for about 6 or 7 months.
Yeah, but this was back in '99 when there wasnt anywhere near as many people in the open source world. Nowadays if something is exploited shit is usually patched within days. Why do you keep bringing up the past infancy of Linux when any script kiddie could exploit wuftp and get fired from their job?
AbecX is offline  