I am one of the few people using Safari next to IE(7/8) as their standard browser during day to day internet surfing. Many try to get me into Firefox with all the new applets and plugins like password and URL sync between hosts.. but nothing beats the new Safari 4.0 is my humble opinon… finally […]
When you have servers in the DMZ that are members of your internal AD (not best practice ok.. ) .. you find yourself shooting holes in the firewall to allow RPC, SMB and other protocols. In that case perhaps an IPSEC tunnel can help you out.. when you use a tunnel between your internal and DMZ hosts, the firewall only has to allow UDP 500 and ESP protocol (protocol 50). No high ports required. To set it up use the following guide.
When you use Windows 7, Windows 2008 R2 or Vista / Windows 2008 you almost always have to type the domain name during logon.. eg Type your username as ROOTDOMAINUser… annoying: yes.. go to the following group policy to specify the default domain logon: ComputerAdministrative TemplatesSystemLogonAssign a default domain for logon and set your default logon […]
Organizing a free training can give your business new customers, thats probably the idea behind free trainings seminars from Twice IT; you can follow a short course in exchange for some feedback on a blog.. So out of curiosity I attended the 3 hour Powershell course, and here’s my feedback ..
Many of you use RSS feeds, to subscribe to a feed from this website, hoover over the category you are interested in and select RSS for the feed. If you would like to subscribe to all of the posts I’ve made, use the .All Posts Category.. or use the direct link: feed://blog.studiographic.nl/?feed=rss2 _R
So we have deployed the Managed Service Accounts, and now we want a password policy set on them.. usually the service accounts have a different password policy set, so most of you will probably use PSO’s (Password Setting Object). In my demo I’ve set a new policy stating that the max age of a password is only 10 minutes ( msDS-MaximumPasswordAge: 0:00:10:00). I’ve set the PSO’s msDS-PSOAppliesTo attribute to be the Active Directory Group “Service Accounts” so that all managed service accounts that are member of this group MUST change their password every 10 minutes. For the sanity check, I’ve also created a simple useraccount and added that to the group also. Now we only needed to wait 10 minutes.. When logging in as the user onto the SQL box, I indeed got the message that I needed to change my password. My demo users’ pwdLastSet attribute indeed jumped from : 2/4/2009 4:58:20 PM W. Europe Standard Time; to pwdLastSet: 2/4/2009 5:28:05 PM W. Europe Standard Time;
Password policies can help administrators secure their environment, letting users change their passwords on regular basis makes it harder for hackers to get in to a system by guessing a password. There is one group of accounts though that usually do not have the password policy applied to.. they almost never change their password and when they do.. it is a load of work for the admin, there is service downtime involved.. and after the password has been changed.. it will be not be changed for a long time.. Yes, I’m talking about Service Account.. the accounts administrators usually apply the “Password Never Expires” option to. These accounts usually have more rights to systems, perhaps even local Administrator access to machines (like SQL or mail) or even worse (Don’t tell me you have these in place) Domain Admin rights. Changing passwords for these accounts is crucial to the security of your environment. To make life easier Windows 2008 R2 introduces the Managed Service Accounts, with these, you can easily change the password of an account, and the client computers where these service accounts are operational will change the password in the service configuration.
The strength new media is best showed when it’s simplified and usable by anyone.. take google maps, most people know about it, use it on their computer but if you’re on the go.. they prefer a Tom Tom or other simple device during the trip..
Some of you might be using Windows 7 already and have noticed that the Wireless solution for Windows Home Server does work well with Windows 7. In fact, the computer does not challenge the user for a username or password, but just tells you it cannot connect. This is because Windows 7 has a different default setting for WPA-Enterprise authentication to wireless networks. By default the client computer will try to authenticate the user including the computername. IAS warnings in the eventlog are a result of Windows 7 computers trying to authenticate.
The introduction of Windows 2008 brought us the famous Read-Only domain controller, the domain controller without passwords (unless explicitly approved) and one-way replication. That one-way replication also applied to the SYSVOL share. Sysvol is replicated by either FRS or DFSR depending on the initial setup of the domain. If you have upgraded your domain from Windows 2000 or Windows 2003 to Windows 2008 SYSVOL is still using FRS to replicate. When you have initially deployed Windows 2008 and set the forest functional level to use the Windows 2008 standards; DFSR is used. Usually the replication of Sysvol is two-way, you can change the contents on each domain controller and those changes are replicated to all domain controllers.