Microsoft Strong Passwords

Just a reminder about passwords for clients where we have enabled “Passwords must meet complexity requirements”. I received a call today from another tech needing help, and here are the specific criteria:

When this setting is enabled user passwords will have the following requirements:

• The password is at least six characters long.

• The password contains characters from three of the following five categories: English uppercase characters (A–Z); English lowercase characters (a–z); base 10 digits (0–9); non-alphanumeric characters (for example: !, $, #, or %); Unicode characters.

• The password does not contain three or more characters from the user’s account name. If the account name is fewer than three characters long, this check is not performed, because the rate at which passwords would be rejected would be too high. When checking against the user’s full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes/hyphens, underscores, spaces, pound signs and tabs. Each token that is three or more characters long is searched for in the password, and if it is present, the password change is rejected. For example, the name “Erin M. Hagens” would be split into three tokens: “Erin,” “M,” and “Hagens.” Since the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either “erin” or “hagens” as a substring anywhere in the password. All of these checks are case insensitive.

In this specific instance, the problem was that the user was trying to use part of their name in their password.
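The rules above are easy to misread when a password is rejected, so here is an added example (my own code, not Microsoft’s implementation) that applies each of them to a candidate password and reports every reason for rejection. It assumes, as a simplification, that the “Unicode characters” category means any character outside ASCII, and it treats the account-name rule as “the whole account name (if three or more characters) must not appear in the password”.

```python
import re

# Delimiters the page lists for splitting the full name into tokens:
# commas, periods, dashes/hyphens, underscores, spaces, pound signs and tabs.
NAME_DELIMITERS = ",.-_ #\t"


def name_tokens(full_name: str) -> list[str]:
    """Split a display name on the delimiters and keep tokens of 3+ characters.

    "Erin M. Hagens" -> ["Erin", "Hagens"]  (the one-character "M" is dropped)
    """
    tokens = re.split(f"[{re.escape(NAME_DELIMITERS)}]+", full_name)
    return [t for t in tokens if len(t) >= 3]


def character_categories(password: str) -> set[str]:
    """Return the set of the five character categories present in the password."""
    cats: set[str] = set()
    for ch in password:
        if "A" <= ch <= "Z":
            cats.add("upper")
        elif "a" <= ch <= "z":
            cats.add("lower")
        elif "0" <= ch <= "9":
            cats.add("digit")
        elif ord(ch) < 128:
            cats.add("symbol")   # ASCII non-alphanumeric, e.g. ! $ # %
        else:
            cats.add("unicode")  # assumption: any non-ASCII character
    return cats


def check_complexity(password: str, account_name: str, full_name: str) -> list[str]:
    """Return a list of reasons the password fails; an empty list means it passes.

    All substring checks are case insensitive, as the policy describes.
    """
    problems: list[str] = []

    if len(password) < 6:
        problems.append("shorter than 6 characters")

    cats = character_categories(password)
    if len(cats) < 3:
        problems.append(f"only {len(cats)} of 5 character categories used")

    lowered = password.lower()

    # Account-name check is skipped for names shorter than three characters.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append(f"contains account name '{account_name}'")

    # Each full-name token of 3+ characters must not appear in the password.
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            problems.append(f"contains name token '{token}'")

    return problems


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    for candidate in ("Hagens1!", "Tr0ub4dor!", "abc", "ERIN123!"):
        result = check_complexity(candidate, "ehagens", "Erin M. Hagens")
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Running the script shows why “Hagens1!” is rejected for Erin even though it satisfies the length and category rules: the surname token is found in the password regardless of case.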

Checking for strength:


Roaming Profile Review

By default in Windows 2003, a roaming profile assigns permissions only to the named user and the local System account; administrators do not have permissions to this folder, and there is a security check before the profile loads that verifies only those two accounts have access to it. Additionally, the user is the owner of the folder and all sub-folders/content.

When troubleshooting profile problems, you will need to click the Advanced tab under Security and take ownership of the folder, which you can do as a local administrator; however, once you do this the profile may break. After that, you will typically assign the Administrators group full access to the folder.

Once you are done, be sure to remove the Administrators group under Security and change the ownership of the folder and its sub-folders/content back to the named user. Otherwise you may experience problems with the profile.

This default behavior can be changed via Group Policy or via the registry to permit additional users and bypass the security check, but this is not recommended.

This is an excerpt and overview of the detailed article at:

Remote support for hardware problems

Remote support tools can be excellent for resolving problems, but they need to be used in combination with the experience the end user describes. We recently ran into this with two different problems that users reported but that we could not confirm via remote tools.

The first was strange monitor colors, which we would typically associate with a video setting within Windows; however, a remote session confirmed that the settings were correct. The user was saying that the colors were wrong, as if the palette were all mixed up, yet we could not see this remotely. The problem, once escalated to on-site work: a bad video cable. This affected how the output of the video card arrived at the monitor, so it was (effectively) a monitor problem. Since the video card and settings were working properly, we were not able to confirm this remotely.

The second was a mouse problem: according to the user, the mouse was moving too fast and erratically. Remotely, it appeared to be working fine, and the settings appeared correct; our mouse interacted properly. Even adjusting the Windows settings to the slowest speed still resulted in control that was too erratic for the user. While sometimes this is user error, an on-site review uncovered that this user was on a Wyse thin client, which also has its own control panel and an interface to control mouse speed, and it was set at the highest level. Adjusting this back to the middle corrected the problem.

Next time you are working with end users remotely, understand the limitations of remote control for diagnosing every problem, and be sure to rely on user feedback.

Force workstation logoff after inactivity

There are various situations where you may want a computer to automatically log off the user when they have been idle for a period of time. The most frequent use for this is shared workstations, such as on a production floor or in another open-access area. In the past, a common method was to enable a “role based” user account, such as shipping or quality control. This logon was known to all users of the specific workstation.

There is, however, a tool available from Microsoft that is basically a screen saver hack: when enabled, it logs off the user instead of displaying a screen saver. This effectively permits multiple users to share the same system throughout the day while retaining separate, secret passwords, without hindering the next user when someone forgets to log off. It is still better practice to actually log off, but this is a great fail-safe alternative: WinExit.scr. You can find it at:

70-290 Concepts: User/Groups/Computers

• Active Directory under Windows Server 2003 supports four levels of domain functionality:
    o Windows 2000 mixed: pre-Windows 2000 domain controllers and servers
    o Windows 2000 native: all domain controllers are Windows 2000 or greater
    o Windows Server 2003 interim: all domain controllers are Windows 2003 or greater (only used for NT 4 upgrades to Server 2003)
    o Windows Server 2003: all domain controllers are Windows 2003 or greater

• Switching domain functionality is a one-way operation only: upgrade.

• Windows Server 2003 supports three levels of Active Directory forest functionality:
    o Windows 2000: base level, all domain controllers are Windows NT 4 or greater
    o Windows 2003 interim: all domain controllers are Windows NT 4 or 2003 (no Windows 2000 DCs)
    o Windows 2003: all domain controllers are Windows 2003 or greater

• You can create a user account in three different ways:
    o Create the user in AD using the ADUC (Active Directory Users and Computers) MMC
    o CSVDE.exe command-line tool
    o LDIFDE.exe command-line tool

• CSVDE.exe can be used to import users from a CSV file, as well as to import and export data from Active Directory.

• LDIFDE.exe exports/imports data from Active Directory using the LDAP Data Interchange Format (LDIF).

• You can create a computer account in three ways:
    o Log on to each workstation and join it to the domain
    o Pre-stage the computer in AD using the ADUC (Active Directory Users and Computers) MMC
    o Pre-stage the computer using the DSADD.exe command-line utility

• A non-administrator can join up to 10 workstations to the domain using their ordinary credentials.

• You need to reset the computer account (in Active Directory) if:
    o The session setup from the computer domain member failed to authenticate: “The following error occurred: access is denied.”
    o NETLOGON event 3210: failed to authenticate with \\domaindc.

• Groups can be designated as:
    o Security groups, which define logical groups of objects, may be nested, and can also serve as an e-mail distribution group.
    o Distribution groups, which are used specifically for e-mail distribution and cannot be assigned security permissions.
    o You can change the designation at any time provided the domain is functioning at Windows 2000 native or higher.

• You can place security groups in universal groups in Windows 2000 native or higher.

• Single domain: A-G-DL-P: Accounts are placed in Global groups, which are placed in Domain Local groups, and Permissions are assigned to resources from the domain local groups.

• Multi-domain: A-G-U-DL-P: Accounts are placed in Global groups, which are then included in Universal groups, which are then placed in Domain Local groups, which are assigned Permissions to local resources.
