joeware - never stop exploring... :)

Wow, another good question in the newsgroups that makes for good Blog fodder…. Question: We are running W2k3 AD and Exchange 2003 SP1 in a multiple child domain environment. When we create a Universal Distribution Group in say domain A and add a user in domain B to the Manager tab (we also check ‘Manager […]

I encounter questions like this on a fairly regular basis. Just a few minutes ago I hit it in the newsgroups and I responded, I thought, you know, that would make a good blog entry… So here it is…. The question was Does anyone have a set of queries that I can use to re-construct […]

I was playing around with GPO’s and Security Configuration and Analysis yesterday to verify a process I previously figured out where someone without GPO permissions but with OU permissions could override the domain policy for user password/lockout settings on local computers so that each computer in an OU could have its own policy defined locally […]

If you have access to the source code of mbconn.exe or in fact any tool that can remotely connect a mailbox to an active directory user account without using that poor WMI method, please please please I beg you send it to me. I am under at least 5 different NDAs at this point in […]

If you have ever tried to set a password for a user in AD or ADAM with LDIFDE you know you have to convert the password to unicode, enclose with quotes, then Base64 encode it. What a pain huh? Check out this cool tool to do it… StringConverter F:\> stringconverter.exe \”NewPassword1\” /encode /unicode IgBOAGUAdwBQAGEAcwBzAHcAbwByAGQAMQAiAA== Rating […]

I just wanted to put a quick blog entry out there to say if you run Media Center Edition 2005 beware of a new hot fix that recently hit Windows Update. It is an update for eHome Remote control, some sort of rollup for various things… Well all I have to say is my remote […]

Last night when I was working on the script for doing more granular delegations for the confidentiality bit I ran out to google to look one of the constants or something up and ran into a post of a friend of mine in the newsgroups from a couple of years ago. I didn’t see it […]

Well I have been stuck on one of my chapters for several days now. It is the chapter on Active Directory Security. Unfortunately it is missing any references whatsoever to some pretty basic AD Security concepts like inherited vs explicit ACEs, property sets, extended rights, validated writes, and default ACLs so I am adding all […]

Do you know the name Sanjay Tandon? If not, and you are into Active Directory, that is a bit surprising. Sanjay was one of the AD Dev Security guys (a PM actually) at Microsoft. He was directly responsible for putting together the AD Delegation Whitepaper that you can find here that quite frankly should have […]

The question “what permissions do I need to delegate to move objects between OUs?” seems to crop up in the newsgroups again and again. Whenever I encounter the question I post some info originally posted to the groups by Dmitri Gavrilov back in 2003. If you don’t know who Dmitri is, he is one of […]