joeware - never stop exploring...

…what would you guys like to see in it?

I am once again thinking about writing a book for AdFind and AdMod coupled with LDAP basics, Active Directory basics, and ADAM / ADLDS Basics. Then maybe some discussion on how to use all of the above mentioned products. Basic guidelines I give folks when I asked. Top questions I am asked and the responses I give, etc.

The idea would be to do some sort of self publishing with this through Amazon or something like that so anyone anywhere can order it and get it.

Thoughts?

There is an article on TechNet about the forest’s tombstone lifetime for Active Directory (http://technet.microsoft.com/en-us/library/cc784932(WS.10).aspx) that was discussed on an internal MSFT DS Team / MSFT MVP email list. The discussion pointed out that there is a little confusion around the article.

Specifically the confusion can come up around step 8

Note the value in the Value column. If the value is <not set>, the default value is in effect as follows:

• On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2008, or Windows Server 2008 R2, the default value is 180 days.
• On a domain controller in a forest that was created on a domain controller running Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2, the default value is 60 days.

The question came up… and a good question I might add… “What if you don’t know what version of the OS was used to initially build the forest?”

If this confusion exists for Directory Service MVPs, then it probably exists for some other folks as well.

There is a very easy (for now) way to ascertain what the tombstone lifetime is.

1. Run the command “adfind –sc policies”
2. Read the line that starts with >tombstoneLifetime:
3. If the line exists, the value listed is your tombstone lifetime in days. If the line doesn’t exist, the tombstone lifetime is 60 days.

But joe, doesn’t the OS version matter? No. The reason it doesn’t matter is that the default didn’t change in the source code for the different OS versions. What changed was a line in a file called schema.ini which sets the value of tombstoneLifetime to whatever other value so if the value isn’t set it is the AD default 60 days.

The section of the schema.ini file we are talking about is

; Explict TSL default set in W2K3 SP1 to increase shelf-life of backups and allow longer
; disconnection times.
tombstoneLifetime=180

    joe

History is cyclical in nature, the evidence shows us. What is today, was before. What was yesterday, will be tomorrow. We need to learn from our mistakes, so that instead of travelling endlessly in a repetitious cycle, we move in an upward spiral towards perfection and utopia.

   – David Hatcher Childress in Technology of the Gods

I have had a good many more uplifting thoughts, creative and expansive visions while soaking in comfortable baths in well-equipped American bathrooms than I have ever had in any cathedral.

   – Edmund Wilson

When (Dr. J. Robert Oppenheimer, the “Father of the H-Bomb”) asked in an interview at Rochester University seven years after the Alamogordo Nuclear test whether that was the first atomic bomb ever to be detonated, his reply was, “Well, yes, in modern history.”

    – David Hatcher Childress – Technology of the Gods

joe Note: It is thought that Dr. Oppenheimer was thinking about Mohenjo-Daro and Harappa when he made that comment.

Facts do not cease to exist because they are ignored.

    – Aldous Huxley

asked the question “So if humans have been around pretty much at this same evolutionary state for thousands of years, how come we are the first ones playing Halo on Xbox?” or something similar? My g/f asked me a question like that a few months back and I started to explain that well we don’t really know what all has been accomplished in the past because of our perverse religious side which has us constantly conquering anyone who doesn’t look and think the same and then burning everything in the loser’s culture and attempting to completely eradicating any proof of their existence. On top of that we have had a few cases where disease has knocked civilization for a loop by wiping out some large percentage of the race and when that happens, survival mode kicks in and specialization mode goes out the window… e.g. Who cares about which stars are going to go supernova or which insects have wings and which don’t when you aren’t sure where your dinner is coming from.

Midway through the explanation I thought, I wonder if anyone has done any real exploration in this to see if they can find any kind of proof that by gosh, there were people who lived before us (like Atlantis, Rama, or Mu) who had higher engineering skills than we have right now other than the really obvious things like Pyramids and Easter Island monoliths and other megaliths that we can’t for the life of us duplicate or figure out how to do now…

I found on Amazon and then proceeded to read “Technology of the Gods: The Incredible Sciences of the Ancients” and wow, what a great book. It is interesting to me (read: scary) how it shows how our own scientists will find something they can’t explain and so just toss it off to the side and ignore it. Like archeologists who in 1959 found belt buckles in China that were thousands of years old… but made out of Aluminum[1]???

Absolutely great book. I highly recommend it. It seriously will get you thinking. Has lots of photos and images and links to other sources of information to follow up. The book is only $12 and is eligible for Amazon Prime if you have that (and if you don’t, why not?).

      joe

[1] If you don’t know, to our knowledge, the only way to create aluminum is to process Bauxite ore with A LOT of electricity… We have only been producing aluminum in commercial quantities (this last go around at civilization anyway) for roughly 100 years… So who has the chutzpah to make belt buckles out of the stuff thousands of years ago.

I have posted what I expect to be the final AdFind and AdMod beta before final release.

http://www.joeware.net/downloads/beta/adfindmod_beta.zip

I am shooting for a mid-February release.

In the last 10 days most of the updates are in AdFind. Lots of misc shortcut bug fixes. Added some additional attribute decodes. One big item is that I added digest authentication for both utilities (-digest) as that has been missing.

   joe

http://www.ctntunited.com

Saw their products at the Detroit North American Auto Show and they were quite interesting.

   joe

Just don’t do it.

See http://technet.microsoft.com/en-us/library/ee424329(WS.10).aspx

From the article

When a company acquires another company, business unit, or product line, the purchasing company may also want to acquire corresponding IT assets from the seller. Specifically, the buyer may want to acquire some or all of the domain controllers that host the user accounts, computer accounts, or security groups that correspond to the business assets that are to be purchased. The only supported methods for the buyer to acquire the IT assets that are stored in the seller’s Active Directory forest are as follows:

1. Acquire the only instance of the forest, including all domain controllers and directory data in the seller’s entire forest.
2. Migrate the needed directory data from the seller’s forest or domains to one or more of the buyer’s domains. The target for such a migration may be an entirely new forest or one or more existing domains that are already deployed in the buyer’s forest. We recommend that you migrate the directory data without security identifier (SID) history. If you migrate the directory data with SID history, information about the seller’s forest will be retained in the new forest of the buyer. For more information about migrating directory data without SID history, see Migrating Accounts Without Using SID History (http://go.microsoft.com/fwlink/?LinkId=113694).

This isn’t just a so-so recommendation that may or may not be right for your specific circumstance (sort of like the disk configuration guidelines), this is a hard and fast rule. Seriously bad things can happen and likely will if you mess around with it. If you do it and run into issues, the DS Team at Microsoft will walk away shaking their head[1].

    joe

[1] They didn’t tell me this, I am just guessing based on my conversations with them.

I really really hope this new Michigan State University logo isn’t for real. Why? Because it sucks.

http://blogs.suntimes.com/sportsprose/2010/01/michigan_state_to_unveil_new_l.html

http://blog.mlive.com/ganggreen/2010/01/michigan_state_spartans_to_unv.html

http://blog.mlive.com/ganggreen/2010/01/new_michigan_state_logo_may_no.html

Current

Alleged New

If this is the new logo, besides the thought that it sucks I think… Why? Why waste money right now on something like this. We hear educational establishments complaining because money is tight because of reduced attendance and reduced state funding due to the economy so someone decided to spend money working on changing the logo and all of the branding so that everything would have to be replaced???

      joe

http://www.pcworld.com/businesscenter/article/187009/financial_firm_notifies_12m_after_password_mistake.html

A Concord, New Hampshire, financial services company is sending data breach notification letters to customers after discovering that shared passwords, set up to simplify administrative functions nearly 10 years ago, could have exposed the private data of 1.2 million customers.

Off the top of my head, every company I have ever seen does this in some shape or form. I am always the one saying don’t do it, but usually I don’t have a big enough hammer to get person X to be forced to NOT do this.

I have written this topic before… http://blog.joeware.net/2005/05/08/10/

I wonder how many other companies around the world are in the same bad spot as the company mentioned above and they just don’t realize it.

These bad IDs are easy to find… Download oldcmp and run a report with the following command

oldcmp -report -users -age 365 -sh -realage -h test.loc -format csv

Then chop the non-CSV portion from the top of the file and pull into excel and look at what you have out there. Very likely you will find service/app/generic IDs that have been out there set as non-expiring and haven’t had a password change in years…

   joe

This is an interesting article…

http://www.wired.com/dangerroom/2010/01/darpa-us-geek-shortage-is-a-national-security-risk/

Sure, we’re all plugged in and online 24/7. But fewer American kids are growing up to be bona fide computer geeks. And that poses a serious security risk for the country, according to the Defense Department.

I think a another big part of this problem is around the outsourcing of the computer geek type jobs, specifically IT, database, and developer jobs. I am where I am because I worked my way up the ranks. I didn’t start out knowing what I know now, I slowly learned and moved forward and learned more and got better. Challenges in lower level jobs taught me how to solve harder and more complex issues. It taught me to think through the problem, it taught me to think long term. It allowed me to move up and take on more complicated, higher level jobs. If I hadn’t been in those jobs and worked my way up, I very likely would never have written the tools I have written, never have authored the content that I have written. Before I found computers I was gung ho about being a Dr. I would practice writing a sloppy signature and everything. Even today my handwriting would make any physician or surgeon jealous.

Anyway, these starter and medium level jobs are all being pushed to offshore (or best shore) locations and so there are fewer and fewer jobs available for people to start in and move up the chain. People aren’t going to move straight into high level developer and architect positions, or if they do… watch out. We outsource our low level stuff now and continue doing so, we will be outsourcing our high level jobs later and then what will the security risk be?

    joe

I promise myself that any time I hit about five emails for the same issue, I will try to write a blog entry about it so people can find it during their Google search phase before attempting to bother the developers/support folks…

Well I hit the limit this morning with an issue that has annoyed me for a long time with CSVDE but didn’t otherwise care about because quite simply I don’t use it and honestly not many people even realize to even ask about…

CSVDE gives incorrect output for objectClass. It gives you a single value for objectClass although objectClass is a multi-valued attribute.

For example:

C:\temp\delete>csvde -s test-dc1 -r name=joe  -f CON:  -l objectclass
Connecting to "test-dc1"
Logging in as current user using SSPI
Exporting directory to file CON:
Searching for entries…
Writing out entries
.
Export Completed. Post-processing in progress…
DN,objectClass
"CN=joe,OU=Users,OU=My,DC=test,DC=loc",user
1 entries exported

The command has completed successfully

C:\temp\delete>adfind -e -default -f name=joe  objectclass

AdFind V01.41.00cpp ##BETA## Joe Richards (joe@joeware.net) January 2010

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:CN=joe,OU=Users,OU=My,DC=test,DC=loc
>objectClass: top
>objectClass: joeware-DottedLine
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user

1 Objects returned

You will note that in the CSVDE export it doesn’t mention joeware-DottedLine at all… The generic issue here is that from the CSVDE output you have no understanding that there is a dynamic aux class bound to the object. Dynamic auxiliary classes make additional attributes available on objects. In this case, the ability to specify an additional dotted line manager or managers.  This could be troublesome if you are exporting objects and then re-importing them later.

   joe

I have updated the AdMod Beta again. My good friend Princess (Jorge) was very nice to ping me with an issue he was hitting in AdMod (both previous stable versions and beta) this last week and low and behold after testing I realized it was a bug. A bug in a very nasty portion of the CSV code.  Those of you who recall, CSV functionality was never intended to be in AdMod (and AdFind). One night after a particularly awesome Summit and Directory Experts Conference I figured out how to hack CSV into the tools. However it was akin to how most companies used to build convertibles. They built a normal car, welded a couple of extra braces on and cut the top off. Slowly but surely I am slowly cleaning up this really bad code and unfortunately the bug Jorge hit was deep in the middle of some of the worst of it. Once I knew it was a bug, it took me another 4 hours to actually trace down WHERE the bug was. And I didn’t even figure it out while sitting in front of the computer. It was one of those things where you are off doing something completely disconnected and your mind wanders and the answers pops into your head. I love it when that happens.

Once the bug was found the fix was simple, obvious and solid and I was able to plug it in but there was a good period of time there that I was thinking I didn’t like Jorge very much. ;o)

Anyway, the upshot is that there is a new AdMod beta up on the website if you would like to download it.

Thanks to Jorge and everyone else that is testing the apps and sending me feedback, it is always appreciated and helps me make a better product for all of us.

http://www.joeware.net/downloads/beta/adfindmod_beta.zip

   joe

http://blogsearch.google.com/blogsearch?hl=en&ie=UTF-8&filter=0&q=%22The+tool+is+called+Gold+Finger%22&sa=N&start=0

This email came in from one of my former work managers… It wasn’t him. I knew it by the writing style and word choice and well, that it happened at all to be honest, as soon as I saw it but others may not figure it out so fast…

Hi, I really don’t mean to inconvenience you right now but I made a quick
trip to London UK this past weekend and had my bag stolen from me in
which contains my passport and credit cards. I know this may sound odd,
but it happened very fast. I’ve been to the US embassy and they’re
willing to help me fly without my passport but I just have to pay for my
ticket and settle some bills. Right now I’m out of cash plus i can’t
access my bank without my credit card here, I’ve made contact with them
but they need more verification. I was  thinking of asking you to lend me
some funds now and I’ll pay back as soon as I get home. I need to get on
the next available flight.
Please reply as soon as you can if you are ok with this so i can forward
the details as to where to send the funds. You can reach me via May field
hotel’s desk phone if you can, the numbers are, 011447024051771 or
011447024043668

See http://www.sodahead.com/other/i-got-hacked-early-this-morning-see-letter-below/blog-224049/

    joe

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=a45059af-47a8-4c96-afe3-93dab7b5b658

The same for Windows Vista is on the horizon…

I incorrectly linked AdMod when I posted it (http://blog.joeware.net/2010/01/07/1862/) previously. So if you ran it you probably saw an error about a missing DLL unless you had already installed the Borland/Codegear DLLs for some other app. I have recompiled and relinked with static linkages so everyone should be fine now. Let me know if there are any other issues.

http://www.joeware.net/downloads/beta/adfindmod_beta.zip

My sincere apologies for the inconvenience!

  joe

“Better authentication methods can come along any day now… I’m ready…”

That is something I said this morning while working on my work laptop. We recently were required to add whole machine encryption which meant adding yet another password and remembering yet another ID/Password combination. When I loaded the encryption software two things irked me… The first was that I had yet another ID/Password combination to worry about and second that the local recovery mechanism was three silly questions most of which based on information that can change[1]…

Now when I fire up my laptop for work I have to enter a whole disk encryption userid / password. It is my main corporate ID in UPN/email format but a whole other password that must be six numeric digits[2]. Then I get my main logon screen which is my main ID in SAM format (I could use UPN here if I chose as well), but with my password from the corporate forest. Then I get my desktop and Office Communicator fires up and for some reason, more times than not, it asks me to enter my password as well. So again I enter my corporate password. Then up comes MSN for when Office Communicator isn’t working (all too often unfortunately)… So I enter that entirely different userid and password. Then I fire up Outlook and get to enter passwords for the PST files (yes that is my choice). So now that is the first 2 minutes of the work day…

Now let’s say I need to connect to different customer environments… We have three different shared environments that I can connect to that house many of our customers. One uses my corporate userid name but not the corporate password. One uses a whole other userid (a second corporate userid since we went through a merger with another company) and password. And the last uses two factor auth so I have to enter my secondary corporate userid with a PIN I know and a passcode from an RSA Token. Now this is only for some accounts. Other accounts have their own IDs and passwords. So say I need to get into the account I spent most of last year on, I go to their Reverse Proxy Web Site and enter my main userid and password from their corporate directory, then to connect to a server I use one of my six Admin IDs I have for that environment. Next if I connect to another large customer that I have been handling various questions for a W2K8 migration I enter a userid with a smartcard (different from the RSA token) temporary password to get into the firewalled section that is set aside for that customer, and then another userid/password to get onto the Citrix system that allows me to work on that network. If I want to connect to their lab environment, even more userids and passwords… If happen to have yet another RSA token and set of userids to connect to another largish customer I used to work on as well. I have to actually label my RSA tokens by which company the token is for. That alone is a pain, how come I can’t at least use one token/smart card for all of the companies?

This doesn’t at all go into the stuff I have for my personal world… Access to Microsoft Source Code is another smart card/password. Microsoft Private News Groups. Hotmail email account. My joeware email accounts. Admin IDs for each of my test forests for playing with AD. Home Depot account, six or seven credit card accounts, eBay, Amazon, my website and blog, 401k, health insurance, stock benefits site, Craig’s List, Code Gear Developer Account so my IDE can log into Code Gear. Admin IDs for each of the PCs I have my house, both servers, and clients. Voice mail for work phone, personal mobile phone. Key code lock on my front door to my house. Hmm what else, iTunes/App Store, all the various apps on the iPhone, etc etc etc yadda yadda yadda blah blah blah…

At this point I am getting confused just trying to maintain in my head which userid/password/token/smartcard combinations are used at which points; especially when you have one userid string blah@corp.com that is used in five different locations with five different passwords. I’m ready for authentication that just takes a look at me and says… well you look a little rough because you didn’t comb your hair this morning and are still wearing your pajamas but I recognize you as joe and will let you onto the system… And since I am actually looking at you, all of the other systems will trust that I know what I am talking about and allow you in too or I can just pass on the live video feed to them if they want to validate you… At this point the only thing I tend to have in common across multiple systems is the same answers to the recovery questions… While my userid/password isn’t likely to be consistent across systems, my mother’s maiden name probably is… It reminds me of something a good friend of mine at MSFT has said multiple times in my presence when talking about Identity… SK (for short) would say something like… You know, I don’t log into my 401k (I think it was 401k, maybe it was health benefits site or maybe it was both…) very much so I always forget my password and so then I always use the self password reset system for the web site which asks me questions[3]… Those questions might as well be my password.

Federation and Info Card is getting bigger and bigger but even if it took all my web based auth and put it into a single auth system I would still have too much to recall and deal with.

Anyway, no answers here for this issue… just venting.  Oh and I would like to see an end to the sub-zero degree Fahrenheit wind chill temperatures as well while I am at it.

   joe

[1] I.E. What is/was your favorite this or that or what was the date of this or that event. For example, I have never had a honeymoon but one of the questions was, when was the date for that? Now I would put none, but a year or two from now that could have a different answer and if I needed to recover I would have to recall when I filled out the recovery info… I am in the recovery console because I can’t even recall a password I use every day… I also hate when companies use things like favorite food or favorite movie or even favorite teacher, who says those things won’t change?

[2] Seriously… WTF. No more, no less than six numbers…

[3] Those questions are probably less secure than the password that isn’t being remembered…

Wow, I got quite a few emails on the Special Folder GUIDs posts… Thanks to all who sent me the link… Keep it up!

Here are the link everyone was sending me

http://msdn.microsoft.com/en-us/library/ee330741(VS.85).aspx

http://news.cnet.com/8301-13860_3-10426627-56.html?part=rss&subj=news&tag=2547-1_3-0-20

Choose your friends carefully. Association brings about assimilation. If you think your friends are stupid and crude, get new friends unless you want to be stupid and crude. Or to put it another way… Birds of a feather flock together.

   – Combination of quotes from Chris Rock, Patrice Dean & others

After seeing http://blog.joeware.net/2010/01/07/1860/ my good friend Deano reminded me that he had shown me something like this back last year for just Network Connections…

md c:\_special\nc.{7007ACC7-3202-11D1-AAD2-00805FC1270E}

Looks like…

Is someone trying to gear up for the 2012 election already???

http://www.salon.com/politics/war_room/2010/01/08/giuliani

“In an interview on ABC’s "Good Morning America," Giuliani said, "What he [Obama] should be doing is following the right things that Bush did — one of the right things he did was treat this as a war on terror. We had no domestic attacks under Bush. We’ve had one under Obama.””

Huh? Come again? As my friend Gary Coleman would say…  Qué usted que habla de Willis?

http://www.wired.com/video/ces-2010-hands-on-with-transparent-display-of-the-future/60826805001

No new info here… Just revisiting my previous post about the recorder that lets you record what you are doing for documentation or debugging. I keep forgetting the command and so wanted to post here so I can find it easier without having to worry that the original poster’s post goes away…

So joe, when you can’t remember the command again… it is PSR.EXE

Mark Minasi has an interesting newsletter this month about a special folder that you can create to see all your CPL’s in one place. Very nice… You can read about it here –> http://www.minasi.com/newsletters/nws1001.htm

Basically I ran the following command

md c:\_special\cp.{ED7BA470-8E54-465E-825C-99712043E01C}

And then just pull the folder up in Explorer…

explorer c:\_special\cp.{ED7BA470-8E54-465E-825C-99712043E01C}

That will save a lot of time hunting around for stuff… I agree with Mark that I don’t see anything “hidden” there, but likely it is stuff that people weren’t aware of because you have to click on so much stuff to find things anymore if you are just browsing. The “search” mentality is growing and affecting design decisions… You know the mentality I am talking about… You can put stuff anywhere on your computer, it doesn’t matter where because you are just going to use Google Desktop to find it… As I heard today when discussing organization of data on computers… “I am utterly reliant on Google Desktop for it to be meaningful.”

Anyway, I can just imagine the discussions at MSFT…

Engineer: We should put this stuff in a central organized location.

Manager: Nah, throw it everywhere, it doesn’t matter.

Engineer: They won’t be able to find the stuff…

Manager: They will be using our search engine and can just type in what they are looking for and it will pop right up…

Engineer: What if they aren’t searching for something specific, but looking around.

Manager: No one would ever do that, do it the way I said, just throw things everywhere.

Unfortunately, this is the first Minasi newsletter I have seen in some time. I like looking at newsletters, especially techy based ones. But if I get an email and it requires me to chase after the info in a web site, I generally decline and delete the message. I am in email now, I want to stick there and get it done, if I go to a web browser who knows what will happen, I will probably get stuck on Google News or something. I recall way back when Mark used to send out actual newsletter emails, then he said he had to stop temporarily for some reason. Don’t recall what it was but he said don’t worry, I will go back to sending out newsletters again… Still waiting here…

Anyway it looks like this

Then if you are enumerating the items looking for something in particular, say color, you can still use the Windows Search stuff and type color in the search bar at the top and it will filter the list down for you like…

   joe

http://download.microsoft.com/download/8/2/3/823871D1-819F-446D-ADD5-3049B78F020F/Windows_Server_2008_R2_Feature_Components.pdf

I have been exceedingly lax in updating AdMod this last year. I started working on it on and off after releasing AdFind V01.40.00 last year and while I have gotten much in, I haven’t gotten it released. In the meanwhile, I would hit little things that needed to be fixed in AdFind so I started tweaking that as well. Now I see we are in the new year and still no release and my testing of the existing functionality hasn’t been going fast either to make me comfortable to release as production so instead… I have gone the way of Google and am now offering a public beta of AdFind V01.41.00 and AdMod V01.12.00. You can find the beta versions at

http://www.joeware.net/downloads/beta/adfindmod_beta.zip

These have been stable in my testing but my testing has not been comprehensive. Obviously AdFind isn’t going to break anything, it can’t, it doesn’t write anything anywhere, however AdMod could go a little awry though again, I haven’t experienced that in a bit. If I had been experiencing it, it wouldn’t see the light of day. I am a bit picky like that, I can and will make mistakes and something will get released with a bad issue occasionally, but something will not get released with a bad issue when I am aware of it.

I am not going to go over all the changes in the code right here right now. My main concern is for people to play with the tools to see if they break anything that previously worked. There were some massive changes around CSV processing so definitely check that out.

If you look back through the blog postings from this last year, you will find a couple of examples of new features/switches in AdMod.

   joe

Iranian Air Defense Site: ‘Unknown aircraft you are in Iranian airspace. Identify yourself.’

Aircraft: ‘This is a United States aircraft. I am in Iraqi airspace..’ 

Air Defense Site: ‘You are in Iranian airspace. If you do not depart our airspace we will launch interceptor aircraft!’ 

Aircraft: ‘This is a United States Marine Corps FA-18 fighter.  Send ‘em up, I’ll wait!’ 

Air Defense Site: ( ….. total silence)