joeware - never stop exploring... :)

Some people still don’t know this even after all of these years… But Exchange can change your non-security enabled groups (sometimes mistakenly called DL’s[1]) into security enabled groups. This is done automagically anytime someone applies a “DL” to security in Exchange, such as on a folder in a mailbox or on public folder or something. For example, say you have a non-security enabled group in the domain called “Active Directory People” which is your distribution list to send email out to your Active Directory people. Someone says (and I mean any someone, even some low level no one who shouldn’t be allowed to change anything at all) “Hey, I also want to give those people access to something in my mailbox, say like the calendar…” Outlook says that is cool, adds the SID for the non-security enabled group to the ACL for the calendar on the mailbox and then Exchange looks at the group and says, well “Crikey mate… that group isn’t security enabled which means the users won’t get the SID in their token so the security delegation just made will never work so let me fix that in AD for you…”[2] and wham bam thank you ma’am… the group is now security enabled.

In the meanwhile someone somewhere else is seeing a “DL” that is now all of a sudden security enabled and saying… “HEY! Who did that, that wasn’t supposed to be done.” and they change it back. And then eventually Exchange changes it back again. And on and on… Of course Microsoft doesn’t give any mechanism to find what ACL on what folder on what mailbox is causing this issue so you have no clue.

At least now they have given a mechanism to STOP the auto security enablement from occurring. I still think it would be great if something told you where the SID was in the ACLs that was causing it.

See

Stop Automatic Conversion of Universal Distribution Groups to Universal Security Groups

 

Thanks to my friend BrianD for sending me the link on this as it is something we have discussed in the past a few times. I heard they were going to do it, didn’t hear that hey actually did do it though. Good to know they did.

   joe

 

[1] A DL is a distribution list and it can be security enabled or not. Not being security enabled doesn’t mean it is automatically only used for email. In fact it could be non-security enabled and still not used for email.

[2] Not sure why Exchange suddenly became Aussie but I am sure my Aussie friends will be suitably impressed insulted. 😉

Thank goodness!  🙂

My freshly loaded PC, previously SFMXP32, now SFMWIN764[1] has been running great. However I have been a bit lax in fully setting it up because I haven’t activated the license yet and think, who knows, maybe I will reload it again for some odd reason… Well that means I haven’t joined it to my home domain yet and I haven’t added any other additional IDs… So what happens, I restart the computer and when it comes back up it doesn’t recognize my password. No I didn’t forget it. No I didn’t typo it. I also didn’t make the little reset your password USB key either. So I am sitting there going, great, I don’t have time to figure out how to hack Windows 7, let’s hope the offline password editor still works…

I went out and downloaded the latest ISO from http://home.eunet.no/pnordahl/ntpasswd/ and burned the CD and voila, 3 minutes later I was up and running again. Have no clue what happened to my old password but it was annoying to have happen though it was in a way good because I now know that Win7 can be broken into the same way as my previous machines could be if I needed to. ;o)

 

    joe

 

[1] Sure sure, it isn’t really a Super Fast Mofo of a machine anymore, heck it can’t even run Hyper-V the chip and board are so old… But I don’t want to hurt its feelings… And yes, computers have feelings…

Saw this in a security list and thought it was worth posting. It is a CD/DVD you can burn to test a machine while the main OS isn’t running so any real bad virus type critters on the machine can’t block the check. Best part is that it is free. It is Linux based but that is fine for scanning your Windows machine’s disks.

 

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

I recently updated my main PC to Windows 7 Ultimate RTM and Office 2010 Preview.

As you can expect, when you come from Windows XP SP2 and Office 2003, there are going to be some changes, some good, some maybe that don’t seem so good.

Overall my thoughts (on both Windows 7 and Outlook) is that they are faster, smoother, and prettier. Overall I really like them. 🙂

The first thing in Office that I ran into that annoyed me was that my Outlook kept hanging at random times, once I removed my hotmail account from being linked into Outlook via the I think, Live Connect, that problem went right away. That is annoying as I want all my email coming into the same program but oh well, I can figure that out later.

The next issue which was really irking me and my friend Andrew who I am chatting with, is how in the world do you color the messages now? I like to make Outlook highlight messages from certain people in different colors so I can see them quickly at a glance. A great example is Don Hatcherl, if Don posts to ActiveDir.org, I want to have that stick out in a very different color because if Don has something to say on the subject of AD, I want to read it. I am the guy who used to do everything he could to get copies of messages he sent to DSTALK (limited number of you will likely know what that is) because what Don writes is almost always incredibly useful and insightful information. I do this with emails from several MSFT people, some of the those include Eric, Brett, Dmitry, Steve Linehan, Nathan, Matt, and yes, even Deano.

So anyway, I start looking around for the old Organize button and I do not see it anywhere, I ask my friend Andrew, he says he doesn’t know but would love to know as well. I figure what the heck, let’s see how good the help is… But then I can’t even find help for like 5 minutes and then after I click on all the tabs and look at the screen as a global holistic whole…

…and I finally spy up in the corner sort of hidden because it is blue icon next to the blue edge of the window the little help icon…

 

Thankful that I finally found it, I click that beautiful, if not highly camouflaged, little round icon to be presented with…  Page Not Available.

Sigh… I click on show me information available offline on my computer.

I search for organize and voila, I get a topic of “Change the color of messages in your Inbox”… Perfect! I click on that and get

 

Ah, that is exactly how it was done before… How could I be so obtuse… go to the Tools menu… so simple, I feel so stupid.

Now where in the world is the Tools menu??? After a few minutes of looking around for a tools menu I thought, I don’t see one… I bet this is old help for Office 2007. No hint in the help that this may be a bit long in the tool hence inaccurate… So I just walked away from it for a while…

Later I came back to it with the idea of fresh eyes finds fresh things. I tried the help once more, still no joy so then I looked at the top tabs… Where would the logical place be? Noting to myself that no business would be happy if all of its employees had to relearn where to find everything in the product that they were used to using. Then thought, wait, what if it is like Vista/Windows 7 where they HIDE the menu’s and you press ALT and they will pop up???

I try it and nope they didn’t do it, but they do pop up the ALT Hints which when I first looked at I felt they looked a bit “comic” but am now ok with…

But regardless, that didn’t help me. So I looked at it all holistically and said, ok, if I were going to make this change myself, I would try to do it in a semi-logical fashion and the most logical place it seems to fit with the tabs is on the view tab so I selected the view tab.

 

Then on the view tab I just started clicking and finally found the feature in the Advanced View Settings:Messages (though the menu item is called View Settings) dialog.  On that dialog it is the Conditional Formatting… selection.

 

 

 

And now to make the formatting rule…

 

 

 

Which results in…

 

 

As a refresher, this is how easy it is to do in Outlook 2003…

 

While you highlight a message from the person you want to “color” select Tools | Organize or ALT-T-Z

 

Click on the Using Colors Tab and select your color and hit Apply Color.

 

 

Done…

 

 

Anyway I now have the ability to color code the emails coming in from the people that I want to stick out to me… Now I wonder, how do I tell those conditional formatting rules to apply to other folders/PSTs?

 

   joe

Due to an issue with the WinPcap install, WireShark doesn’t seem to work on Windows 7 after you install it. Here are the steps I followed to get it to work.

1. Download WinPcap 4.1 Beta5 from http://www.winpcap.org/install/default.htm

2. Manually install WinPcap. Next through Dialogs…

Update 2009/10/12: If the above still doesn’t allow the install of WinPcap and you get something about the version of Windows not being supported, use Window Vista SP2 Compatible mode and that should help it work. To get to the dialog, click on START and then in the search Window type “Run programs made for previous versions of windows” and click on it above and follow the prompts.

3. Error will pop up about installing Microsoft Network Monitor Driver but will install version of WinPcap without support for Dialup connections and VPNs. Click OK

4. Download WireShark 1.2.2 64 bit from http://www.wireshark.org/download.html

5. Install as normal, shouldn’t try to install WinPcap since it is already installed.

 

Trying to install WireShark the normal way which also installs WinPcap doesn’t work. It acts like it installed ok but WireShark can’t see the network interfaces.

Note that if you uninstall and then reinstall WinPcap after WireShark has been installed, you will again fail to see the network interfaces. Just uninstall and reinstall WireShark after you uninstall and reinstall WinPcap.

    joe

I responded to an ActiveDir Org post that was talking about finding the DCs that are not doing well when you see an Event ID 1864 like so

Event Type:    Error
Event Source:    NTDS Replication
Event Category:    Replication
Event ID:    1864
Date:        10/2/2009
Time:        12:32:57 AM
User:        NT AUTHORITY\ANONYMOUS LOGON
Computer:    DC1
Description:
This is the replication status for the following directory partition
on the local domain controller.

Directory partition:
DC=root,DC=corp

The local domain controller has not recently received replication
information from a number of domain controllers.   The count of domain
controllers is shown, divided into the following intervals.

More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
1
Tombstone lifetime (days):
60
Domain controllers that do not replicate in a timely manner may
encounter errors. It may miss password changes and be unable to
authenticate. A DC that has not replicated in a tombstone lifetime may
have missed the deletion of some objects, and may be automatically
blocked from future replication until it is reconciled.

To identify the domain controllers by name, install the support tools
included on the installation  CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest.   The
command is "repadmin /showvector /latency <partition-dn>".

with an AdFind command and got a few emails back along the lines of “What in the world is that command doing???”.

So here is the “biggest” command of the bunch, understand this will help you understand any of the other commands in the posting.

adfind -h DCName -config -s base msDS-NCReplCursors;binary -metasort lastsync -mvnotfilter msDS-NCReplCursors=deleteddsa

The output from this command looks like…

AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009

Using server: JOEWARE-DC1.joeware.local:389
Directory: Windows Server 2003
Base DN: CN=Configuration,DC=joeware,DC=local

dn:CN=Configuration,DC=joeware,DC=local
>msDS-NCReplCursors;binary:     214151 2009/10/02-16:55:51      Default-First-Site-Name\JOEWARE-DC2
>msDS-NCReplCursors;binary:     540610 2009/10/02-17:28:14      Default-First-Site-Name\JOEWARE-DC1

1 Objects returned

though you will most likely see more servers listed. If you only have two DCs, you really don’t need something like this to tell you whether you are replicating or well or not.

 

So anyway… on to the explanation of what is going on…

 

At its core, AdFind is a “simple” LDAP query tool. Every LDAP query comes down to a couple of basic components

Host and port to query

Search Base

Search Scope

Search Filter

Then from there you move into modifiers… What attributes to return and what session options to use and how AdFind should manipulate the output. These will impact how the query runs (like showing deleted objects) or what info is returned (like specifying you only want the displayName attribute) and how it is outputted by the tool. AdFind allows you to tweak most of that with switches. If you know what you are looking for, you can usually find it. The problem comes in if you aren’t familiar with what AD can do and then you just see a bunch of switches doing stuff that you don’t have a clue about. Heck even some attributes people don’t have a clue about… Like msDS-NCReplCursors, most people haven’t a clue what a replication cursor is or that the info was even available through LDAP queries. You can get a little info from MSDN but even that isn’t too awesome.

In terms of the points above combined with the adfind command in question…

First the basic LDAP stuff…

• Host|Port —- -h DCName – Port isn’t specified but defaults to 389 for query. As for the host, if this isn’t specified, the system will ask the Windows LDAP Library to use the “default” DC for the machine the tool is running on.
• Search Base —- -config – this is a shortcut for the search base. When the tool connects to the DC, it enumerates the rootdse and pulls out the configuration context NC and adds that to the query as if you specified it with the –b switch.
• Search Scope —- -s base – this is the BASE type search, i.e. give me the exact object and only that object that I specified as the search base.
• Search Filter —- This isn’t specified in this query because I am asking for the BASE object. I don’t have to specify what I want in a filter because I already did with the combination of the scope and the search base. However, AdFind will send along objectclass=* which will match any object.

 

So now after the basics, you have attributes and session options from an LDAP standpoint…

• You are specifying a specific attribute – msDS-NCReplCursors and you are doing a little LDAP RFC trick called specifying the encoding option. This encoding specified by ;binary is telling AD that I want the data back in binary regardless of the default format to return that attribute. The default happens to be an XML stream. I prefer binary because the DC doesn’t have to work to marshall (i.e. convert) the binary (which it uses internally) to XML to pass it over the wire to me. That saves on DC time for both the marshaling work but also the amount of data it has to push over the network. And it saves my client from having to take in all that network traffic and to unmarshall the stream into something I can consume. This encoding option doesn’t do something for all attributes, but it can be very useful where it does. There is a massive savings on the wire by getting this data in binary versus XML.

 

The rest of the switches are modifiers to tell AdFind how to handle the output. These have nothing to do with what is sent to the DC, it is all handled locally.

• -metasort lastsync – this tells AdFind to sort the data in the Cursor attribute by the lastsync time. You can read more at adfind /meta?
• -mvnotfilter msDS-NCReplCursors=deleteddsa – tells AdFind that for the multi-value attribute msDS-NCReplCursors, it should filter out (NOT filter) and lines that have deleteddsa in the attribute value. If you wanted to see all of the deleteddsa’s then you could reverse this and use -mvfilter msDS-NCReplCursors=deleteddsa which says that it should filter the multi-value attribute and only show values with that string.

 

Everything you can do with AdFind and AdMod break down like this. It is simply basic LDAP queries that are tweaked by whatever methods the OS allows and then filtered or decoded in whatever ways I can dream up to be useful.

 

    joe

Surprised how many people still aren’t aware of Security Essentials, the free Microsoft AV software.

http://www.microsoft.com/Security_essentials