Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: ADSI question

from [Laura A. Robinson] Network Security [Permanent Link]
Subject: RE: ADSI question
Date: Fri, 27 Aug 2004 20:41:33 -0400 
No, that does not happen. Again, this brings me to my point that a migration
and an upgrade are *not* the same thing, because when you *migrate*
accounts, depending on how you do it, they may have been disabled during the
process. An in-place *upgrade* does not disable accounts. 

Laura 


-----Original Message-----
From: Paul Aviles [mailto:paviles@adjoined.com] 
Sent: Thursday, August 26, 2004 8:11 AM
Cc: focus-ms@securityfocus.com
Subject: RE: ADSI question

Arthur thanks,
Well, is for documentation purposes. For audit and 
documentation purposes it needs to be done. The client is on 
AD already but if we enable strong password doesn't that mean 
that all the passwords that do not meet the criteria get 
disabled? That has been my experience in the past..

Thanks
-pa

-----Original Message-----
From: afreyman@dsw.net [mailto:afreyman@dsw.net]
Sent: Wednesday, August 25, 2004 8:13 PM
To: Paul Aviles; focus-ms@securityfocus.com
Subject: RE: ADSI question


I don't believe you can use ADSI to accomplish that. That's a pretty
useful idea, but definitely a security risk. The closest you probably
can come to that is to perhaps run the MBSA tool against your 
server. I
know that it reports if a user has a weak or a blank password for SQL,
but I am not certain about the domain passwords. A more 
drastic approach
would be to run a password cracker against your SAM and see what types
of passwords are out there. 

But I don't really understand why you need to do that. I am 
sure someone
will correct me if I am wrong, but complexity requirements 
are enforced
when a password is changed or created. Existing passwords can 
remain the
same. New rules will apply when the passwords expire or a new 
account is
created.


You are correct about the install of AD in the new environment. As far
as the in-place upgrade, my best guess is that Windows 2003 
will enable
the complexity requirements regardless of your previous 
security policy.
It shouldn't be too much of a problem though. You can leave the policy
in place and wait for user's password to expire or you can disable it
right after your upgrade completes. 


Arthur Freyman


-----Original Message-----
From: Paul Aviles [mailto:paviles@adjoined.com] 
Sent: Wednesday, August 25, 2004 9:31 AM
To: focus-ms@securityfocus.com
Subject: ADSI question

Is it possible to use ADSI to query user accounts and find if they are
using a strong password? Before using GPO's to enable it, I 
need to have
an audit and show how many people don't have them.  Is this a property
of the users?

Also, I believe that when you install AD in a new environment 
by default
it has strong password enabled. Is that the same when you do 
an in place
migration?

Thanks

Paul

--------------------------------------------------------------
----------
---
--------------------------------------------------------------
----------
---

--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------




---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: ADSI question, Laura A. Robinson
Next by Date:  Re: Password policy enforcement tools was RE: ADSI question, Jose Maria Lopez
Previous by Thread:  Re: ADSI question, Bruce K. Marshall
Next by Thread:  RE: ADSI question, afreyman
Indexes:  [Date] [Thread] [Top] [All Lists]