Article Comments for Jan De Clercq

Bitlocker Changes in Windows 8

alunj — Tue, 22 May 2012 15:24:15 GMT

alunj
Tue, 22 May 2012 15:24:15 GMT
I don't suppose they've added a feature for partially-sighted users, where it beeps on boot to let you know that you can now enter your bitlocker PIN?

Q: What tool would you recommend for creating and maintaining security baseline configurations for the different types of Windows machines in our Active Directory (AD) forest?

Carlleww — Tue, 31 Jan 2012 21:58:12 GMT

Carlleww
Tue, 31 Jan 2012 21:58:12 GMT
http://www.windowspasswordsrecovery.com

Windows Password Reset Disk to the Rescue

Carlleww — Tue, 31 Jan 2012 21:55:52 GMT

Carlleww
Tue, 31 Jan 2012 21:55:52 GMT
You can reset a lost or forgot Windows password with 4 methods below: 1. Another valid administrator account which can normally log on. 2. A password reset disk or a repair disc, which is created in advance ( before you lost password ). 3. Third-party software to create a bootable password reset CD/DVD or USB, like Windows Password Recovery Tool 3.0(http://www.windowspasswordsrecovery.com) . 4. Re-install. Will lose data.

Q: Can we disable the default Windows administrative shares (C$, D$, Admin$, IPC$) to lock down some of our Windows servers?

mkline718 — Sun, 29 Jan 2012 11:44:00 GMT

mkline718
Sun, 29 Jan 2012 11:44:00 GMT
The askds blog also covered this earlier this month http://blogs.technet.com/b/askds/archive/2012/01/06/friday-mail-sack-best-post-this-year-edition.aspx#share

Q: What do I need to watch out for in managing the RID pool used in an AD domain? Or is this all done auto-magically?

kazem eghtesad — Fri, 06 Jan 2012 23:53:47 GMT

kazem eghtesad
Fri, 06 Jan 2012 23:53:47 GMT
Hi, I have a problem with RID in my DC (server 2003 enterprise, sp2) The dcdiag result is this: Starting test: RidManager * Available RID Pool for the Domain is 316105 to 1073741823 * win-59aed72cf8.vpgateway.info is the RID Master * DsBind with RID Master was successful * rIDAllocationPool is 2605 to 3104 * rIDPreviousAllocationPool is 2605 to 3104 * rIDNextRID: 3104 * Warning :Next rid pool not allocated * Warning :There is less than 0% available RIDs in the current pool ......................... WIN-59AED72CF8 passed test RidManager I have set the RID Block size to 10000. I have used LDP to increase the rIDAvailablePool by 200000. I have removed all the stray SRV _ldap._tcp records from the DNS server to make sure I'm using the right RID Master. Still I can not create users and I get system event IDs 16651 & 16645. I was creating users by a VBA script in the Excel, which after about 1500 users all of a sudden I started to get errors. At this time, I have 1518 objects (1501 users & the rest are groups) in the users container. I am logged on as a domain admin. Is there any work around or fix for this? Any help is highly appreciated. Kazem.

Q: What Windows platforms support Windows event forwarding and collection?

ajrinaldi — Thu, 22 Dec 2011 09:06:12 GMT

ajrinaldi
Thu, 22 Dec 2011 09:06:12 GMT
With some new government regulations on capturing and storing Windows Security events, this article was timely.

Q: What's the easiest way to find out the SID and RID that are linked to my account?

murat yildirimoglu — Mon, 24 Oct 2011 03:11:37 GMT

murat yildirimoglu
Mon, 24 Oct 2011 03:11:37 GMT
Jan, whoami /logonid command does not display user's SID or RID but rather its logon session ID. This ID changes from logon session to session. To display user's SID, the right command to be issued is whoami /all. When you give the latter command you can easily notice the SID and it is very different from session ID. And you can verify this info using dsget user command on DCs.

Q: Can I hide the account information of a locked Windows desktop?

briddle — Wed, 10 Aug 2011 10:13:42 GMT

briddle
Wed, 10 Aug 2011 10:13:42 GMT
In a stand-alone Windows Server 2008, I cannot find the policy option 'DontDisplayLockedUserID.' I found one blog that said the policy option was not in Windows Server 2008 or Vista. I sure could use it.

Q: Is there a utility that shows all programs that are configured to run automatically when I log on or boot up my Windows system?

Xalorous — Tue, 19 Apr 2011 14:50:15 GMT

Xalorous
Tue, 19 Apr 2011 14:50:15 GMT
Interesting utility, but it duplicates existing features of windows. Specifically the built in System Configuration Utility. Works since before XP. I’m not sure how far back, but it refers to System.ini, win.ini and boot.ini, which leads me to believe that it goes all the way back to Windows 3 or earlier. I’ve used it extensively in XP, checked that it exists in Windows 7 and server 2003. Can’t swear to Server 2008. Start it by running "msconfig.exe" from start/run or command prompt. One of the things it does is show you everything that runs at start-up, and where they come from (registry, start menu, etc.) Oh, and you can turn them off too, for troubleshooting. And you can disable services as well. Complete with ’hide microsoft services’ similar to the tool above.

Q: How can I enforce the application of machine Group Policy Object (GPO) settings on a Windows client? Are there any differences here between Windows 2000 and Windows Server 2008?

Mar-Elia — Wed, 23 Feb 2011 22:27:53 GMT

Mar-Elia
Wed, 23 Feb 2011 22:27:53 GMT
The syntax above for gpupdate is incorrect. It implies you can use it to refresh a remote system, but you cannot. The /target parameter takes either "computer" or "user" to tell the command that you want to update that "side" of GPO on the local machine.

Q: How can I enforce the application of machine Group Policy Object (GPO) settings on a Windows client? Are there any differences here between Windows 2000 and Windows Server 2008?

Mar-Elia — Wed, 23 Feb 2011 21:56:18 GMT

Mar-Elia
Wed, 23 Feb 2011 21:56:18 GMT
The syntax above for gpupdate is incorrect. It implies you can use it to refresh a remote system, but you cannot. The /target parameter takes either "computer" or "user" to tell the command that you want to update that "side" of GPO on the local machine.

Q. How can I prevent a Certification Authority (CA) from issuing certificates until it's totally configured?

STONE — Mon, 31 Jan 2011 13:50:14 GMT

STONE
Mon, 31 Jan 2011 13:50:14 GMT
BB

It looks like your method prevents access to the templates from ALL the CAs, not just a new one being built. Am I understanding it correctly?

Q. Is there an easy way to automatically re-enroll certificate holders that received a certificate from an old CA with a new certificate in a new PKI hierarchy?

STONE — Mon, 31 Jan 2011 13:36:59 GMT

STONE
Mon, 31 Jan 2011 13:36:59 GMT
One problem I see is that the "Reenroll All Certificate Holders" is only available for custom tepmlates.

How is it possible to cause the default User nad Computer certificate holders to re-enroll on the new PKI server (after disabling the old server from issuing default certificates)?

Determining the SID of a Windows Group

CONNER — Thu, 09 Dec 2010 09:25:58 GMT

CONNER
Thu, 09 Dec 2010 09:25:58 GMT
The SIDs are automatically displayed when you use "whoami /groups" /sid is an invalid option.

Q. How can I prevent a Certification Authority (CA) from issuing certificates until it's totally configured?

Brown — Wed, 01 Dec 2010 19:50:31 GMT

Brown
Wed, 01 Dec 2010 19:50:31 GMT
Another method I have used to control who can request certificates from the CA is by managing the security properties at the CA service itself. When I prepare a CA to come on line, I remove all domain users and groups from the CA security properties except the CA administrators. Once I have the CA configured, templates configured and added, I will then also add the domain groups I used for the templates to the CA security rights with Read and Request Certificates rights. With thos CA rights, objects can read the templates and request certificates if they have rights on the template to enroll.

BB

Q: How can I hide certain drive letters from Windows Explorer and My Computer?

albert — Thu, 28 Oct 2010 05:29:56 GMT

albert
Thu, 28 Oct 2010 05:29:56 GMT
well, this is new to me, I didnt knw that.
Thanks for sharing that dude. :-)
get some fantastic individual cell phone plans

http://www.cellhub.com/t-mobile-cell-phone-plans/even-more-plans.html

Q: What VPN protocol do you recommend for Windows 7 clients?

mcdonald — Fri, 15 Oct 2010 16:12:30 GMT

mcdonald
Fri, 15 Oct 2010 16:12:30 GMT
Agreed - found this article useful. If you are just looking for a simple, easy-to-use VPN which will allow you to access Facebook, Youtube, hulu, BBC iPlayer, and twitter ... then check out VPN authority (www.vpnauthority.com) .. I’ve found them quite useful and friendly Hope it helps you all! Cheers!

Q: What VPN protocol do you recommend for Windows 7 clients?

george100 — Thu, 14 Oct 2010 07:11:36 GMT

george100
Thu, 14 Oct 2010 07:11:36 GMT
Hi,

Excellent article !
You can Find a VPN Providers List ( PPTP, OPEN and IPsec..) and consumers reviews on
http://www.start-vpn.com/

Q. How can I centrally control the Internet Explorer (IE) security zone site assignments of my users' browsers?

Chip — Wed, 29 Sep 2010 14:39:57 GMT

Chip
Wed, 29 Sep 2010 14:39:57 GMT
I want to add default intranet security zones but also retain the ability of users to add more if need be. How do you add default intranet security zones w/out disabling the ability to add more?

Q. How can I centrally control the Internet Explorer (IE) security zone site assignments of my users' browsers?

Artes — Thu, 23 Sep 2010 03:08:24 GMT

Artes
Thu, 23 Sep 2010 03:08:24 GMT
I gues this refers to Windows Server 2008? How do you do it using Windows Server 2003!?!

Q. Can you expand on the differences between local groups and domain local groups? What type of local group do you recommend for managing access control settings in my Active Directory (AD) environment?

Doc — Tue, 17 Aug 2010 17:18:14 GMT

Doc
Tue, 17 Aug 2010 17:18:14 GMT
It’s still a best practice, mentioned in this 2007 TechNet article for example:

http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

The advantages are significant if your environment is large or complex. In a small shop it might be more trouble than it’s worth.

What's DNS name devolution?

RickSheikh — Wed, 11 Aug 2010 16:01:29 GMT

RickSheikh
Wed, 11 Aug 2010 16:01:29 GMT
And the flip side of this conversation would be the "appending to unqualified multi-label name queries" setting defined under the same hive of GPO settings.

Q: Is there a way to make an application run with administrator privileges when I double-click its icon?

Van Alstine — Wed, 11 Aug 2010 14:39:32 GMT

Van Alstine
Wed, 11 Aug 2010 14:39:32 GMT
Just to confirm, checking "Run this program as an administrator" still requires the logged in user to be an admin (or know an admin password), correct? It would be nice if an admin could cache an admin password into a shortcut so a regular user could run certain things as an admin. I realize there are some 3rd party apps to do this, but it would be convenient if it was integrated into Windows.

Q. Can you expand on the differences between local groups and domain local groups? What type of local group do you recommend for managing access control settings in my Active Directory (AD) environment?

Overes — Tue, 03 Aug 2010 16:24:19 GMT

Overes
Tue, 03 Aug 2010 16:24:19 GMT
Murat:

The key thing you mentioned is this: "In a single domain forest..."

For those of us running forests with multiple domains, the nesting of Global Groups into Domain Local Groups still makes perfect sense.

A Global Group can only contain members from its own domain, whereas a Domain Local group can contain members from any domain. If I have users across domains needing access to a resource, using only Global Groups creates additional work.

Q. Can you expand on the differences between local groups and domain local groups? What type of local group do you recommend for managing access control settings in my Active Directory (AD) environment?

murat yildirimoglu — Sat, 24 Jul 2010 16:43:24 GMT

murat yildirimoglu
Sat, 24 Jul 2010 16:43:24 GMT
Dove, this has not been a best practice for many years. You and De Clercq do not remember this correctly!
The best practice recommended originally by Microsoft was, in NT times, group the users in global groups, create local groups in where the resource resides, nest the global groups in the local group, and finally grant permission to the local groups.
What De Clercq offers is not this. He recommends as a best practice to use domain local groups. Domain local groups are not the local groups in the original recommandation. De Clercq completely misses this point. As a result he suggest a nonsense thing: Global groups nested in the domain local groups.
Think like that: In a single domain forest, and when the domain functional level is at least Windows 2000 native, domain local groups are the same as the global groups! There is no good in nesting global groups in domain local groups!

Q. Can you expand on the differences between local groups and domain local groups? What type of local group do you recommend for managing access control settings in my Active Directory (AD) environment?

Dove — Fri, 23 Jul 2010 13:23:03 GMT

Dove
Fri, 23 Jul 2010 13:23:03 GMT
Murat, This has been a best practice for many years because of the two benefits which Jan cited: Control and Accountability. If you do not nest the groups, there is no native, centralized way to track usage and enforce access policies. The DL’s track access to target resources and the DG’s track the users (actors) upon those resources. Without this practice, tracking access from a central location either is (A) very difficult or (B) requires expensive, resource-intensive third-part tools. Yes, you could use global groups...and any competent compliance auditor can give you a *VERY* hard time when you can’t document how and where those groups are used. Hope this helps.

Q. Can you expand on the differences between local groups and domain local groups? What type of local group do you recommend for managing access control settings in my Active Directory (AD) environment?

murat yildirimoglu — Wed, 21 Jul 2010 01:21:26 GMT

murat yildirimoglu
Wed, 21 Jul 2010 01:21:26 GMT
Jan, local group membership can be controlled thru Active Directory, using restricted groups component in the group policy objects.
Second, your best practice about the usage of the groups is not a best practice at all. Why do you group users in the global groups, and then set permissions on the domain local groups, and finally make the global group a member of the domain local group? It is not best, nor practical. Why not only use the global groups intstead?

Q: How can I reset the local administrator password on several workstations from the command line using as few commands as possible?

Wu — Mon, 17 May 2010 22:45:19 GMT

Wu
Mon, 17 May 2010 22:45:19 GMT

here is the methods I know.

The first thing which you check if you forget login password. When we install Windows, it automatically creates an account "Administrator" and sets its password to blank. So if you have forget Your user account password then try this:
Start system and when you See Windows Welcome screen / Login screen, press ctrl+alt+del keys Twice and it’ll show Classic Login box. Now type "Administrator" (without quotes) in Username and leave Password field blank. Now press Enter and you should be able to log in Windows.
Now you can reset your account password from "Control Panel -> User Accounts".
Same thing can be done using Safe Mode. In Safe Mode Windows will show this in-built Administrator account in Login screen.

Windows XP and further versions also provide another method to recover windows Password by using "Reset Disk". If you created a Password Reset Disk in Past, you can use that disk to reset windows password. Or try some window password recovery tool.

Fortify Remote-Server Security

Leo — Thu, 04 Mar 2010 07:45:45 GMT

Leo
Thu, 04 Mar 2010 07:45:45 GMT
links to the figures are broken:
... windowsitpro.com/files/97962/figure_01.gif
... windowsitpro.com/files/97962/figure_02.gif

otherwise - great info

Fortify Remote-Server Security

Leo — Thu, 04 Mar 2010 07:44:37 GMT

Leo
Thu, 04 Mar 2010 07:44:37 GMT
links to the figures are broken:
... windowsitpro.com/files/97962/figure_01.gif
... windowsitpro.com/files/97962/figure_02.gif

otherwise - great info

Fortify Remote-Server Security

David — Thu, 04 Mar 2010 07:34:29 GMT

David
Thu, 04 Mar 2010 07:34:29 GMT
The historical recollection isn’t correct. NT4 BDCs did contain the password hashes and could authenticate users without needing to contact the PDC. (Horrible single point of failure if that wasn’t the case.) Their APIs just wouldn’t accept direct changes. Only the PDC was writeable, BDCs contained all attributes as read-only.

Q: In Windows Server 2008, there's a feature that lets you use the Directory Service Restore Mode (DSRM) administrator account and password to log on to a Server 2008 domain controller (DC) at any time. What's this feature for and how do I enable it?

Rick — Wed, 17 Feb 2010 12:13:10 GMT

Rick
Wed, 17 Feb 2010 12:13:10 GMT
"Also remember that the DSRM administrator account password isn’t checked against any AD password policy." Because DSRM account lives in the SAM.

Windows Server 2008 Hyper-V Security

Migration — Thu, 21 Jan 2010 10:20:40 GMT

Migration
Thu, 21 Jan 2010 10:20:40 GMT
Very helpful information! Any IT manager/admin worth his/her salt should know Hyper-V backwards and forwards. Glad to see this take on the important, but often-overlooked, security side of the equation.

Windows Password Reset Disk to the Rescue

Susan — Fri, 08 Jan 2010 00:01:02 GMT

Susan
Fri, 08 Jan 2010 00:01:02 GMT
I think the best way for you is to reset your windows password. The Windows password Key 8.0 can solve all your problem within a few minutes. Importantly,No need to call a technician, no need to re-install anything, and you certainly don’t need to reformat. http://www.lostwindowspassword.com/ it also allows you to reset windows password with with USB Flash Drive or Floppy Disk now!!

Windows Password Reset Disk to the Rescue

Linky — Mon, 21 Dec 2009 06:54:07 GMT

Linky
Mon, 21 Dec 2009 06:54:07 GMT
There’s a way to reset the password and it doesn’t involve reformatting and reinstalling Windows. The solution is called Windows Password Reset 7.0. It can reset almost all Windows passwords in seconds. It is a great windows password recovery tool: http://www.resetwindowspassword.com . you can log in again just in one second. It also support windows 7 password reset.

Disconnecting Local and Remote Users from a Vista or XP System

Eric — Fri, 27 Nov 2009 04:56:32 GMT

Eric
Fri, 27 Nov 2009 04:56:32 GMT
Other than this method. Is there commane-lie method to disconnect remote users?

Windows Password Reset Disk to the Rescue

windows — Wed, 04 Nov 2009 00:27:12 GMT

windows
Wed, 04 Nov 2009 00:27:12 GMT
As far as I know , there are two main methods to solve the windows password problem as follows: 1st Method: Start system and when you see Windows Welcome screen / Login screen, press ctrl+alt+del keys twice and it’ll show Classic Login box. Now type \Administrator\ (without quotes) in Username and leave Password field blank. Now press Enter and you should be able to log in Windows. Now you can reset your account password from \Control Panel - User Accounts\. Same thing can be done using Safe Mode. In Safe Mode Windows will show this in-built Administrator account in Login screen. 2th Method: Windows password Recovery software: for example:Windows Password Recovery It is easy and convenient to use. http://www.windowspasswordsrecovery.com

Q: Does Windows include a mechanism to show failed logon information to the user at logon time?

Ed — Tue, 13 Oct 2009 14:06:25 GMT

Ed
Tue, 13 Oct 2009 14:06:25 GMT
Wouldn’t mind if it was restricted to just unsuccessful logins.

Using the Local Computer Security Zone

JOSEPH — Fri, 09 Oct 2009 15:33:45 GMT

JOSEPH
Fri, 09 Oct 2009 15:33:45 GMT
I have been a subscriber for years. Why do I not have access to this article. Your quest for money will result in people like me looking for other sources of information...

A Better BitLocker: BDE Enhancements

Sam — Wed, 30 Sep 2009 17:32:15 GMT

Sam
Wed, 30 Sep 2009 17:32:15 GMT
There would be less incentive for people to pony up for the more expensive version. The question is will large organizations and government use the technology to keep data safe. Or will we continue to see reports of millions of credit card details, welfare details, customer details lost?

A Better BitLocker: BDE Enhancements

Ed — Wed, 30 Sep 2009 15:50:43 GMT

Ed
Wed, 30 Sep 2009 15:50:43 GMT
I don’t see why some form of Bitlocker isn’t available for the non-business line of Windows 7. It doesn’t have to have all the features but the password security at the initial OS boot would be nice. After all, there are plenty of laptop purchases by consumers as well.

Q: Can you use a web publishing rule instead of a server publishing rule to offload SSL processing on an ISA server?

Jorge — Fri, 26 Jun 2009 05:59:54 GMT

Jorge
Fri, 26 Jun 2009 05:59:54 GMT
you start ... "The goal was to offload the ISA Server by using a server publishing rule instead of a web publishing rule " ... and then ... "The thought was that, security-wise, it makes sense to not perform HTTP-level inspection on the ISA server, but simple packet filtering as offered by an ISA server publishing rule" . BUT on 2nd part of the article ... you say ... " The idea of using a web publishing rule instead of a server publishing rule to offload the ISA Server makes sense ..." I’m confused here !! I thought it was the other way around ...

Authenticated Users Group vs the Everyone Group

BOB — Fri, 19 Jun 2009 08:30:40 GMT

BOB
Fri, 19 Jun 2009 08:30:40 GMT
Im logged in, why cant i see the rest of the article anymore?

Q: Can you use a web publishing rule instead of a server publishing rule to offload SSL processing on an ISA server?

Dimitrios — Mon, 15 Jun 2009 16:56:56 GMT

Dimitrios
Mon, 15 Jun 2009 16:56:56 GMT
The following phrase is incorrect: "In other words, a server publishing rule only supports SSL bridging and not SSL tunneling." It should read instead: In other words, a server publishing rule only supports SSL tunneling and not SSL bridging.

Q: Can two Active Directory (AD) accounts have identical SIDs? If so, how can I remove the duplicate account?

kreangsak — Wed, 03 Jun 2009 04:02:55 GMT

kreangsak
Wed, 03 Jun 2009 04:02:55 GMT
thx you very much http://youngadmin.blogspot.com

Q: How can I perform a system state backup of my Windows Server 2008 system from the command line?

Murat — Tue, 14 Apr 2009 04:18:05 GMT

Murat
Tue, 14 Apr 2009 04:18:05 GMT
system state backup in windows 2008 is not a system state backup as we know it. In the previous versions, system state backup contained limited amount of data: Registry, approximately 2000 files, boot files, com+ files. It was handy; it was so little that we could copy it to a CD-ROM or flash disk and it took a little time. But in windows 2008, system state backup is the completePC Backup from the command line. It is not so practical.

Q: Can two Active Directory (AD) accounts have identical SIDs? If so, how can I remove the duplicate account?

Smart — Wed, 01 Apr 2009 04:50:05 GMT

Smart
Wed, 01 Apr 2009 04:50:05 GMT
To deal with Duplicate SIDs in the organization use DSM (Duplicate SIDs Monitor) written by Smart-X At www.smart-x.com

Q: Can two Active Directory (AD) accounts have identical SIDs? If so, how can I remove the duplicate account?

amrendra — Fri, 27 Mar 2009 00:32:55 GMT

amrendra
Fri, 27 Mar 2009 00:32:55 GMT
good job

Q: I'm trying to find out which network ports I must open on my intranet firewalls to make one of our inhouse Windows client/server applications communicate properly. How can I list the remote network ports that a client-side application uses?

Rob — Thu, 19 Feb 2009 14:09:24 GMT

Rob
Thu, 19 Feb 2009 14:09:24 GMT
Good tips. The f switch is not available in Windows XP. Just use -aob instead.

Limit Concurrent Windows Logon Sessions

François — Tue, 27 Jan 2009 03:41:48 GMT

François
Tue, 27 Jan 2009 03:41:48 GMT
LimitLogin is incredibly cumbersome to deploy and administer. It: - performs an irreversible Active Directory schema modification (!!!) - requires an IIS server - does not come with an integrated deployer - does not support Windows NT 4.0 domains - does not provide E-mail and popup notifications - does not log lock/unlock events - does not allow to define login limits by group - does not allow to customize messages displayed to users - does not allow to set workstation restrictions If you want to be serious about preventing/limiting simultaneous logins, you should give a look to a 3rd party software solution called UserLock : http://www.userlock.com

Password Synchronization

Juma — Mon, 17 Nov 2008 15:33:28 GMT

Juma
Mon, 17 Nov 2008 15:33:28 GMT
Ja ist OK

Exchange Server 2003 Security

Tue, 11 Nov 2008 14:00:45 GMT

x
Tue, 11 Nov 2008 14:00:45 GMT
That was very nice, thank you.

Exchange Server 2003 Security

Anne — Tue, 11 Nov 2008 10:37:17 GMT

Anne
Tue, 11 Nov 2008 10:37:17 GMT
pand0ra, thanks for your feedback! We are actually planning to revamp our content-lockdown policies in the next few months, which will make much more of the content on windowsitpro.com available to everyone. I’ve changed this article to registered user so you can access the complete article. Thanks for reading!

Exchange Server 2003 Security

Mon, 10 Nov 2008 18:22:02 GMT

x
Mon, 10 Nov 2008 18:22:02 GMT
This is kind of a waste of time creating an account. Why should I pay when this info is free elsewhere on the Internet?

Determining When a User Last Logged On

Karen — Fri, 10 Oct 2008 17:48:23 GMT

Karen
Fri, 10 Oct 2008 17:48:23 GMT
In the article "Finding a User’s Last Logon," Bill Stewart provides a script that you can use to determine when a user last logged on to a domain. Although you need Windows Script Host (WSH) to run the script, you don’t need to know how to write a script to run it. You provide all the information the script needs when you launch the script from a command prompt. I’ve opened up the article to registered users through November 30 so you can download the script and read about how to use it. (Registration is free and simple if you’re not already a registered user.) The article is at http://windowsitpro.com/article/articleid/96302/finding-a-users-last-logon.html. Karen Bemowski, senior editor Windows IT Pro, SQL Server Magazine

Determining When a User Last Logged On

Mikhail — Fri, 10 Oct 2008 14:20:48 GMT

Mikhail
Fri, 10 Oct 2008 14:20:48 GMT
There are free tool exists which reports users inactivity time: http://www.netwrix.com/inactive_users_tracker_freeware.html

Restricting Read and Write Access to USB Storage Devices

tae — Thu, 25 Sep 2008 16:00:45 GMT

tae
Thu, 25 Sep 2008 16:00:45 GMT
good

Setting Machine Logon Restrictions for Multiple Users

Dennis — Wed, 24 Sep 2008 01:15:16 GMT

Dennis
Wed, 24 Sep 2008 01:15:16 GMT
You could use the restricted groups settings in GPO and control the members of the local users group. This requries however the specifc computers to be part of an easaliy managed OU-structure. See htp://support.microsoft.com/kb/279301 and http://support.microsoft.com/kb/810076 for more info about restricted groups.

Windows Server 2008 Password Policies

mihaj — Sun, 31 Aug 2008 06:25:01 GMT

mihaj
Sun, 31 Aug 2008 06:25:01 GMT
Hi If anyone needs PSO manager, you can use Password Policy Manager, which can be found here: http://www.parhelia-tools.com here is description: Password Policy Manager (PPM) tool is a simple tool that allows you to create new Password Security Object (PSO) and apply it to selected objects (users or groups). You can also use this tool to search, modify or delete any existing PSO. This applies only to Windows 2008 domains. Regards

Changing the Password on a DC's DSRM and Recovery Console Administrator Account

Hussain — Mon, 25 Aug 2008 13:04:15 GMT

Hussain
Mon, 25 Aug 2008 13:04:15 GMT
I have a Win XP build that has the switch user option disabled. A user locked the machine and forgot their password. Their password was reset, but they had to re-boot the workstation for the new password to take effect. Is there a way to have the password reset and not require the user to reboot as there might be some unsaved work on their workstation. Any help on this would be greatly appreciated. Thanks.

Logon Rights: The Heart of Windows Access Control

Mon, 25 Aug 2008 00:30:58 GMT

j
Mon, 25 Aug 2008 00:30:58 GMT
ASDAS

Changing the Password on a DC's DSRM and Recovery Console Administrator Account

joe — Fri, 22 Aug 2008 19:58:48 GMT

joe
Fri, 22 Aug 2008 19:58:48 GMT
Thank you very much

Golden Rules to Group By

Kevin — Tue, 19 Aug 2008 10:44:48 GMT

Kevin
Tue, 19 Aug 2008 10:44:48 GMT
Good stuff.

Determining When a User Last Logged On

Dotan — Thu, 14 Aug 2008 12:06:30 GMT

Dotan
Thu, 14 Aug 2008 12:06:30 GMT
Hi again. Please disregard my last question. Of course, I had to use regsvr32 to register the DLL. Thank you for the nice tip. This new tab could be handy in my environment.

Determining When a User Last Logged On

Dotan — Thu, 14 Aug 2008 11:40:38 GMT

Dotan
Thu, 14 Aug 2008 11:40:38 GMT
Hi, That’s a great tip. Thank you for the info. Do I need to copy acctinfo.dll to the System32 folder in order to add the "Additional Account Info" tab in AD? Thanks!

Win.NET Server Kerberos

Ravindra — Wed, 16 Jul 2008 06:57:38 GMT

Ravindra
Wed, 16 Jul 2008 06:57:38 GMT
Great article , very nicely explained.

Using the Security Configuration Wizard to Harden Your Windows Servers

wala — Sat, 28 Jun 2008 09:37:13 GMT

wala
Sat, 28 Jun 2008 09:37:13 GMT
ljkkjlkj llkj

How AD’s Reset Password and Change Password Permissions Differ

sisko — Thu, 12 Jun 2008 10:39:46 GMT

sisko
Thu, 12 Jun 2008 10:39:46 GMT
fine, just what i needed

Controlling Access to the Windows Security Event Log

Alexandre — Fri, 23 May 2008 18:50:37 GMT

Alexandre
Fri, 23 May 2008 18:50:37 GMT
Ok, eu gostei.

Controlling Access to the Windows Security Event Log

Alexandre — Fri, 23 May 2008 18:49:57 GMT

Alexandre
Fri, 23 May 2008 18:49:57 GMT
ok

Setting Machine Logon Restrictions for Multiple Users

ramireddy — Fri, 23 May 2008 00:43:00 GMT

ramireddy
Fri, 23 May 2008 00:43:00 GMT
ok

Setting Machine Logon Restrictions for Multiple Users

ramireddy — Fri, 23 May 2008 00:42:26 GMT

ramireddy
Fri, 23 May 2008 00:42:26 GMT
ok

Implementing Windows Server 2003 AD Object Quotas

amitji — Thu, 22 May 2008 10:46:30 GMT

amitji
Thu, 22 May 2008 10:46:30 GMT
I THINK IS GOOD FACILITY IS PRODED BY THE WINDOWS IT PRO. THANKS A LOT

Implementing Windows Server 2003 AD Object Quotas

amitji — Thu, 22 May 2008 10:44:22 GMT

amitji
Thu, 22 May 2008 10:44:22 GMT
THANKS

Analyzing the Windows Event Logs

R Bruce — Tue, 20 May 2008 02:22:00 GMT

R Bruce
Tue, 20 May 2008 02:22:00 GMT
where’s the beef?

Kerberos Authentication Problems Occur When Users Belong to Many Groups

Pontus — Wed, 07 May 2008 07:30:14 GMT

Pontus
Wed, 07 May 2008 07:30:14 GMT
js

Understanding IE Security Zones

aungsi — Thu, 01 May 2008 10:57:10 GMT

aungsi
Thu, 01 May 2008 10:57:10 GMT
need to read the article first

Learning about Name Suffix Routing

gt98us — Thu, 01 May 2008 08:58:12 GMT

gt98us
Thu, 01 May 2008 08:58:12 GMT
why

The Hazards of Running a Service under the Local System Account

elizabeth — Tue, 29 Apr 2008 15:18:36 GMT

elizabeth
Tue, 29 Apr 2008 15:18:36 GMT
Can’t see the article.

Using AD Property Sets

Christof — Thu, 24 Apr 2008 06:16:27 GMT

Christof
Thu, 24 Apr 2008 06:16:27 GMT
ok

Comparing Windows Kerberos and NTLM Authentication Protocols

URS — Tue, 15 Apr 2008 09:51:48 GMT

URS
Tue, 15 Apr 2008 09:51:48 GMT
Excellent article! Exactly what I was looking for! Thanks!

Authenticated Users Group vs the Everyone Group

DARRELL — Tue, 25 Mar 2008 12:18:39 GMT

DARRELL
Tue, 25 Mar 2008 12:18:39 GMT
NXVIVN

Blocking Domain Users from Executing Certain Programs

Muhamamd — Thu, 13 Mar 2008 12:54:04 GMT

Muhamamd
Thu, 13 Mar 2008 12:54:04 GMT
This is the time to maintain the Security problem it it. but i want to see the information under this

NT Gatekeeper: Understand the Creator Owner Account

Richard — Wed, 12 Mar 2008 01:11:26 GMT

Richard
Wed, 12 Mar 2008 01:11:26 GMT
kjjlb

AD Delegation Eases Administration

Russell — Mon, 03 Mar 2008 07:15:32 GMT

Russell
Mon, 03 Mar 2008 07:15:32 GMT
NOT SURE

Using SPNs in Windows 2000

John — Wed, 13 Feb 2008 14:42:48 GMT

John
Wed, 13 Feb 2008 14:42:48 GMT
good doc

The Basics of ACL Inheritance

ataurrahaman — Wed, 13 Feb 2008 03:09:45 GMT

ataurrahaman
Wed, 13 Feb 2008 03:09:45 GMT
it is the best site ever i have visited

Ins and Outs of Anonymous Access

STEVEN — Sat, 09 Feb 2008 18:05:45 GMT

STEVEN
Sat, 09 Feb 2008 18:05:45 GMT
a

Dump and Query Event Log Files on Remote Systems

anupamkumarmcse — Sat, 09 Feb 2008 12:04:24 GMT

anupamkumarmcse
Sat, 09 Feb 2008 12:04:24 GMT
This Information is very improtanta for me ATLEAST

Learn To Be Least

vinhchau — Tue, 29 Jan 2008 02:40:46 GMT

vinhchau
Tue, 29 Jan 2008 02:40:46 GMT
gOOD

Windows Server 2008 Password Policies

Caroline — Fri, 04 Jan 2008 16:32:22 GMT

Caroline
Fri, 04 Jan 2008 16:32:22 GMT
Thank you ts67. One of the editors will see about getting it fixed. Caroline

Windows Server 2008 Password Policies

Thomas — Fri, 04 Jan 2008 12:55:18 GMT

Thomas
Fri, 04 Jan 2008 12:55:18 GMT
The links for figures 1 and 2 are wrong

Kerberos Authentication Problems Occur When Users Belong to Many Groups

Nickolay — Mon, 17 Dec 2007 09:59:30 GMT

Nickolay
Mon, 17 Dec 2007 09:59:30 GMT
My Comment

NT Gatekeeper: Using the WinExit Screen Saver to Force User Logoffs

Anne — Tue, 25 Sep 2007 09:59:11 GMT

Anne
Tue, 25 Sep 2007 09:59:11 GMT
jzientek: I’m sorry you’ve been having trouble accessing the article. If you’re a Security Pro VIP subscriber, you should be able to access this article and all Security Pro VIP content. I’ll ask our customer service rep, Colette, to contact you. You can also email her at criehl@pentontech.com.

Authenticated Users Group vs the Everyone Group

Hugo — Mon, 24 Sep 2007 13:20:01 GMT

Hugo
Mon, 24 Sep 2007 13:20:01 GMT
Well defined differences in behavior of Authenticated Users between W2K3 and W2K AD and XP vs XP SP2.

NT Gatekeeper: Using the WinExit Screen Saver to Force User Logoffs

jzientek@myeastern.com — Fri, 21 Sep 2007 17:29:36 GMT

jzientek@myeastern.com
Fri, 21 Sep 2007 17:29:36 GMT
I already have a subscription, but in order to see the rest of this article, I need a vip membership???????

Tools to Troubleshoot Account Lockouts

Mikhail — Fri, 14 Sep 2007 05:55:52 GMT

Mikhail
Fri, 14 Sep 2007 05:55:52 GMT
Much better 3rd party tool exists: Account Lockout Examiner. It does many things with regards to account lockouts (automated scanning, advanced troubleshooting, e-mail notifications, delegated help desk access and much more). Take a look guys, I recommend. The link is: http://netwrix.com/account_lockout_examiner.html

Understanding Trust Transitivity

Pfiddy_techy — Tue, 05 Jun 2007 00:02:19 GMT

Pfiddy_techy
Tue, 05 Jun 2007 00:02:19 GMT
Can I get a chance to read it first???

NT Gatekeeper: Generating Random Passwords

KEVIN — Wed, 18 Apr 2007 17:57:53 GMT

KEVIN
Wed, 18 Apr 2007 17:57:53 GMT
***

Understanding Windows PKI Certificate Revocation

David — Mon, 12 Mar 2007 23:25:32 GMT

David
Mon, 12 Mar 2007 23:25:32 GMT
Where’s the rest of the article