Not sure if I shared this before… A nice little post of Windows Server 2008 Active Directory Feature Components in PDF format.
Windows Server 2008 Active Directory Feature Components
Information about joeware mixed with wild and crazy opinions...
Brandon has been on a Firefly quote kick lately so I dug up some links for him, thought I would share those and some others with the rest of the geeks…
Cool opening song
This is the captain. We have a little problem with our entry sequence, so we may experience some slight turbulence and then explode.
Ringtone
http://www.madringtones.org/tone/363111-Ballad-of-Serenity
MP3
http://www.whedon.info/Firefly-Theme-Song-Ballad-Of.html
Guitar tutorial
Anyone get this working? I keep blowing up when installing the ActiveX components or if I get through the install it just hangs on checking connection. I actually need this working to get to the network of one of my customers.
Haven’t used it but it looks like it could be cool. 🙂 Brian told me about it.
Something that always annoys me is when I look at an Active Directory and start finding old Domain Controller Server objects out in the sites container for DCs that were demoted or forcibly removed from Active Directory weeks, months, or years ago. This is just sloppy admin work, but once it is done and hasn’t been cleaned up for some time I admit it can be a pain in the arse to clean up with how dssite.msc (Sites and Services) displays the info. You have to click on every site and expand it out a couple of levels. No one really has time to go back and do that if they didn’t have time to clean up properly in the first place.
So to help folks find objects that are possible old DC objects that should be cleaned up here is a simple AdFind query to help…
adfind -sites -s subtree -f "&(objectcategory=server)(!serverreference=*)" -dsq
That will produce something that looks like
Z:\>adfind -sites -s subtree -f "&(objectcategory=server)(!serverreference=*)" -dsq
"CN=USOHSND-DC01,CN=Servers,CN=USOHSND,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ESBARCME-DC01,CN=Servers,CN=ESBARCME,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=FRILLK-DC01,CN=Servers,CN=FRILLK,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USNYLOC-DC01,CN=Servers,CN=USNYLOC,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USOHVIE-DC01,CN=Servers,CN=USOHVIE,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USMSCLI-DC01,CN=Servers,CN=USMSCLI,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=MXTAMPSREY-DC01,CN=Servers,CN=MXTAMPSREY,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USCAIRV-DC01,CN=Servers,CN=USCAIRV,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ITMOL-DC01,CN=Servers,CN=ITMOL,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USMSBRK-DC01,CN=Servers,CN=USMSBRK,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USSCDUN-DC01,CN=Servers,CN=USSCDUN,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USSCLAN-DC01,CN=Servers,CN=USSCLAN,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=MXTAMPSREY-DC02,CN=Servers,CN=MXTAMPSREY,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=UKCOV-DC01,CN=Servers,CN=UKCOV,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=MXQROQRO-DC01,CN=Servers,CN=MXQROQRO,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=SKSEN-DC01,CN=Servers,CN=SKSEN,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ITLIV-DC01,CN=Servers,CN=ITLIV,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=FRCER-DC01,CN=Servers,CN=FRCER,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=FRVIL-DC01,CN=Servers,CN=FRVIL,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=UKSHI-DC01,CN=Servers,CN=UKLEAM,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=DENUE-DC01,CN=Servers,CN=DENUE,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=PLGDANSK-DC01,CN=Servers,CN=PLGDANSK,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=PLOST-DC01,CN=Servers,CN=PLOST,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ITMIL-DC01,CN=Servers,CN=ITMIL,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=PTLIN-DC01,CN=Servers,CN=PTLIS,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=PTBRA-DC01,CN=Servers,CN=PTBRA,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=PTCBR-DC01,CN=Servers,CN=PTCBR,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ESTAR-DC01,CN=Servers,CN=ESTAR,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USALGAD-DC01,CN=Servers,CN=USALGAD,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ROSAN-DC01,CN=Servers,CN=ROSAN,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=CZVIZ-DC01,CN=Servers,CN=CZVIZ,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USMONKC-DC01,CN=Servers,CN=USMONKC,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ATASP-DC01,CN=Servers,CN=ATASP,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=CZSLU-DC01,CN=Servers,CN=CZSLU,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ROINE-DC01,CN=Servers,CN=ROINE,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=SEGOT-DC01,CN=Servers,CN=SEGOT,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=PLJEL-DC01,CN=Servers,CN=PLJEL,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=MXSONHRM-DC01,CN=Servers,CN=MXSONHRM,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=INHARGGN-DC01,CN=Servers,CN=INHARGGN,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=DEFUE-DC01,CN=Servers,CN=DEFUE,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ESSCU-DC01,CN=Servers,CN=ESSCU,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=SETRO-DC01,CN=Servers,CN=SETRO,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=BEGENT-DC01,CN=Servers,CN=BEGENT,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=LUBAS-DC01,CN=Servers,CN=LUBAS,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=MXBCNTIJ-DC01,CN=Servers,CN=MXBCNTIJ,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=DEBADS-DC02,CN=Servers,CN=DEBADS,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
You can now look that over and determine if yes, those are old DCs (i.e. there aren’t machines that belong to some other application that stuck them there, like the old ADC from Exchange). If they are, then you simply pipe that output to admod -rm and bam… all clean.
If you have a naming standard in place for domain controllers then you can apply that to the filter as well like so…
Z:\>adfind -sites -s subtree -f "&(objectcategory=server)(!serverreference=*)(name=*-dc*)" -dsq
"CN=USOHSND-DC01,CN=Servers,CN=USOHSND,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ESBARCME-DC01,CN=Servers,CN=ESBARCME,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=FRILLK-DC01,CN=Servers,CN=FRILLK,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USNYLOC-DC01,CN=Servers,CN=USNYLOC,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USOHVIE-DC01,CN=Servers,CN=USOHVIE,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USMSCLI-DC01,CN=Servers,CN=USMSCLI,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=MXTAMPSREY-DC01,CN=Servers,CN=MXTAMPSREY,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USCAIRV-DC01,CN=Servers,CN=USCAIRV,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ITMOL-DC01,CN=Servers,CN=ITMOL,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USMSBRK-DC01,CN=Servers,CN=USMSBRK,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USSCDUN-DC01,CN=Servers,CN=USSCDUN,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USSCLAN-DC01,CN=Servers,CN=USSCLAN,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=MXTAMPSREY-DC02,CN=Servers,CN=MXTAMPSREY,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=UKCOV-DC01,CN=Servers,CN=UKCOV,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=MXQROQRO-DC01,CN=Servers,CN=MXQROQRO,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=SKSEN-DC01,CN=Servers,CN=SKSEN,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ITLIV-DC01,CN=Servers,CN=ITLIV,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=FRCER-DC01,CN=Servers,CN=FRCER,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=FRVIL-DC01,CN=Servers,CN=FRVIL,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=UKSHI-DC01,CN=Servers,CN=UKLEAM,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=DENUE-DC01,CN=Servers,CN=DENUE,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=PLGDANSK-DC01,CN=Servers,CN=PLGDANSK,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=PLOST-DC01,CN=Servers,CN=PLOST,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ITMIL-DC01,CN=Servers,CN=ITMIL,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=PTLIN-DC01,CN=Servers,CN=PTLIS,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=PTBRA-DC01,CN=Servers,CN=PTBRA,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=PTCBR-DC01,CN=Servers,CN=PTCBR,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ESTAR-DC01,CN=Servers,CN=ESTAR,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USALGAD-DC01,CN=Servers,CN=USALGAD,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ROSAN-DC01,CN=Servers,CN=ROSAN,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=CZVIZ-DC01,CN=Servers,CN=CZVIZ,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=USMONKC-DC01,CN=Servers,CN=USMONKC,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ATASP-DC01,CN=Servers,CN=ATASP,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=CZSLU-DC01,CN=Servers,CN=CZSLU,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ROINE-DC01,CN=Servers,CN=ROINE,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=SEGOT-DC01,CN=Servers,CN=SEGOT,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=PLJEL-DC01,CN=Servers,CN=PLJEL,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=MXSONHRM-DC01,CN=Servers,CN=MXSONHRM,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=INHARGGN-DC01,CN=Servers,CN=INHARGGN,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=DEFUE-DC01,CN=Servers,CN=DEFUE,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=ESSCU-DC01,CN=Servers,CN=ESSCU,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=SETRO-DC01,CN=Servers,CN=SETRO,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=BEGENT-DC01,CN=Servers,CN=BEGENT,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=LUBAS-DC01,CN=Servers,CN=LUBAS,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=MXBCNTIJ-DC01,CN=Servers,CN=MXBCNTIJ,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=DEBADS-DC02,CN=Servers,CN=DEBADS,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
Note that the list is the same. 😉 But it won’t necessarily always be, as other apps can put servers in the sites container. Keep that in mind or else you could accidentally cause some serious pain. 🙂
And to remove…
E:\>adfind -sites -s subtree -f "&(objectcategory=server)(!serverreference=*)(name=*-dc*)" -dsq | admod -rm -unsafe
AdMod V01.12.00cpp Joe Richards (joe@joeware.net) September 2009
DN Count: 46
Using server: USMITRY-DC12.NorthAmerica.somecompany.net:389
Directory: Windows Server 2003
Deleting specified objects…
DN: CN=USOHSND-DC01,CN=Servers,CN=USOHSND,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=ESBARCME-DC01,CN=Servers,CN=ESBARCME,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=FRILLK-DC01,CN=Servers,CN=FRILLK,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=USNYLOC-DC01,CN=Servers,CN=USNYLOC,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=USOHVIE-DC01,CN=Servers,CN=USOHVIE,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=USMSCLI-DC01,CN=Servers,CN=USMSCLI,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=MXTAMPSREY-DC01,CN=Servers,CN=MXTAMPSREY,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=USCAIRV-DC01,CN=Servers,CN=USCAIRV,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=ITMOL-DC01,CN=Servers,CN=ITMOL,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=USMSBRK-DC01,CN=Servers,CN=USMSBRK,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=USSCDUN-DC01,CN=Servers,CN=USSCDUN,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=USSCLAN-DC01,CN=Servers,CN=USSCLAN,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=MXTAMPSREY-DC02,CN=Servers,CN=MXTAMPSREY,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=UKCOV-DC01,CN=Servers,CN=UKCOV,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=MXQROQRO-DC01,CN=Servers,CN=MXQROQRO,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=SKSEN-DC01,CN=Servers,CN=SKSEN,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=ITLIV-DC01,CN=Servers,CN=ITLIV,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=FRCER-DC01,CN=Servers,CN=FRCER,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=FRVIL-DC01,CN=Servers,CN=FRVIL,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=UKSHI-DC01,CN=Servers,CN=UKLEAM,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=DENUE-DC01,CN=Servers,CN=DENUE,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=PLGDANSK-DC01,CN=Servers,CN=PLGDANSK,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=PLOST-DC01,CN=Servers,CN=PLOST,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=ITMIL-DC01,CN=Servers,CN=ITMIL,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=PTLIN-DC01,CN=Servers,CN=PTLIS,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=PTBRA-DC01,CN=Servers,CN=PTBRA,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=PTCBR-DC01,CN=Servers,CN=PTCBR,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=ESTAR-DC01,CN=Servers,CN=ESTAR,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=USALGAD-DC01,CN=Servers,CN=USALGAD,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=ROSAN-DC01,CN=Servers,CN=ROSAN,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=CZVIZ-DC01,CN=Servers,CN=CZVIZ,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=USMONKC-DC01,CN=Servers,CN=USMONKC,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=ATASP-DC01,CN=Servers,CN=ATASP,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=CZSLU-DC01,CN=Servers,CN=CZSLU,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=ROINE-DC01,CN=Servers,CN=ROINE,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=SEGOT-DC01,CN=Servers,CN=SEGOT,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=PLJEL-DC01,CN=Servers,CN=PLJEL,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=MXSONHRM-DC01,CN=Servers,CN=MXSONHRM,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=INHARGGN-DC01,CN=Servers,CN=INHARGGN,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=DEFUE-DC01,CN=Servers,CN=DEFUE,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=ESSCU-DC01,CN=Servers,CN=ESSCU,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=SETRO-DC01,CN=Servers,CN=SETRO,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=BEGENT-DC01,CN=Servers,CN=BEGENT,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=LUBAS-DC01,CN=Servers,CN=LUBAS,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=MXBCNTIJ-DC01,CN=Servers,CN=MXBCNTIJ,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
DN: CN=DEBADS-DC02,CN=Servers,CN=DEBADS,CN=Sites,CN=Configuration,DC=somecompany,DC=net…
The command completed successfully
joe
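Added example (not from the original post): a review gate in Python for the -dsq output above. It sorts each DN into delete candidates, entries that need a human look, and entries that are not server objects under CN=Sites at all, before anything is handed to admod -rm. The EXCH-ADC01 and OLD-DC09 DNs are constructed, and the bucket names are this example's own.

```python
import fnmatch

# Constructed sample of `adfind ... -dsq` output. The first two DNs appear in
# the post; the last two are made up to exercise the review and reject paths.
SAMPLE_DSQ = '''
"CN=USOHSND-DC01,CN=Servers,CN=USOHSND,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=UKSHI-DC01,CN=Servers,CN=UKLEAM,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=EXCH-ADC01,CN=Servers,CN=USOHSND,CN=Sites,CN=Configuration,DC=somecompany,DC=net"
"CN=OLD-DC09,OU=Servers,DC=somecompany,DC=net"
'''

DC_NAME_PATTERN = "*-dc*"  # same wildcard as (name=*-dc*) in the post


def split_dn(dn):
    """Split a DN into RDNs, keeping backslash-escaped commas inside a value."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    return parts


def classify(dn, pattern=DC_NAME_PATTERN):
    """Return 'candidate', 'review' or 'reject' for one DN."""
    rdns = [r.strip().lower() for r in split_dn(dn)]
    # Expected shape: CN=<name>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    in_sites = (len(rdns) >= 6 and rdns[0].startswith("cn=")
                and rdns[1] == "cn=servers" and rdns[3] == "cn=sites"
                and rdns[4] == "cn=configuration")
    if not in_sites:
        return "reject"
    name = rdns[0][3:]
    # LDAP compares the name attribute case-insensitively, so match lowercased.
    return "candidate" if fnmatch.fnmatchcase(name, pattern) else "review"


def triage(dsq_text, pattern=DC_NAME_PATTERN):
    """Sort quoted DNs into buckets; nothing is deleted here."""
    buckets = {"candidate": [], "review": [], "reject": []}
    for line in dsq_text.splitlines():
        dn = line.strip().strip('"')
        if dn:
            buckets[classify(dn, pattern)].append(dn)
    return buckets


def to_dsq(dns):
    """Re-quote DNs one per line, the form the -dsq switch prints."""
    return "\n".join('"%s"' % dn for dn in dns)


if __name__ == "__main__":
    result = triage(SAMPLE_DSQ)
    for bucket, dns in result.items():
        print(bucket, len(dns))
    print(to_dsq(result["candidate"]))
```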
This is probably obvious to some but thought I would write it up for those it wasn’t obvious for…
Sometimes when you look at a group in AD or ADAM, you see foreignSecurityPrincipal (FSP) objects in the membership. These aren’t generally, for most people anyway, quick to be resolved to friendly names so maybe you end up looking each one up individually which is slow and painful, especially if you have multiple.
So here is a quick example to help you when you hit this…
Say you have a group in ADAM that has membership that looks like
E:\>adfind -h . -b CN=Administrators,CN=Roles,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C} member
AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009
Using server: someadamserver.NorthAmerica.somecompany.net:389
Directory: Active Directory Application Mode
dn:CN=Administrators,CN=Roles,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-1511590266-3576895337-3233274463-6632,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-1511590266-3576895337-3233274463-519,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-1757981266-299502267-1801674531-239491,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-1757981266-299502267-1801674531-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-1757981266-299502267-1801674531-76732,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-507921405-813497703-1202660629-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-1757981266-299502267-1801674531-96228,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
1 Objects returned
GREAT! Thanks AdFind for telling me who is in the group… But wait, who exactly do those FSPs relate to? Two ways…
First using -asq
E:\>adfind -h . -b CN=Administrators,CN=Roles,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C} -asq member objectsid -resolvesids
AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009
Using server: someadamserver.NorthAmerica.somecompany.net:389
Directory: Active Directory Application Mode
dn:CN=S-1-5-21-1757981266-299502267-1801674531-96228,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\sitescope
dn:CN=S-1-5-21-507921405-813497703-1202660629-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: EUROPE\Domain Admins
dn:CN=S-1-5-21-1757981266-299502267-1801674531-76732,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\MMS_Search
dn:CN=S-1-5-21-1757981266-299502267-1801674531-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\Domain Admins
dn:CN=S-1-5-21-1757981266-299502267-1801674531-239491,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\so_jar
dn:CN=S-1-5-21-1511590266-3576895337-3233274463-519,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: ROOT\Enterprise Admins
dn:CN=S-1-5-21-1511590266-3576895337-3233274463-6632,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: ROOT\AdamAdmins
7 Objects returned
Next using the AdFind piped to AdFind functionality
E:\>adfind -h . -b CN=Administrators,CN=Roles,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C} member -qlist | adfind -h . objectsid -resolvesids
AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009
Using server: someadamserver.NorthAmerica.somecompany.net:389
Directory: Active Directory Application Mode
dn:CN=S-1-5-21-1511590266-3576895337-3233274463-6632,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: ROOT\AdamAdmins
dn:CN=S-1-5-21-1511590266-3576895337-3233274463-519,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: ROOT\Enterprise Admins
dn:CN=S-1-5-21-1757981266-299502267-1801674531-239491,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\so_jar
dn:CN=S-1-5-21-1757981266-299502267-1801674531-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\Domain Admins
dn:CN=S-1-5-21-1757981266-299502267-1801674531-76732,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\MMS_Search
dn:CN=S-1-5-21-507921405-813497703-1202660629-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: EUROPE\Domain Admins
dn:CN=S-1-5-21-1757981266-299502267-1801674531-96228,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\sitescope
7 Objects returned
You can clean it up even more with either of the above commands by simply adding -list like so
E:\>adfind -h . -b CN=Administrators,CN=Roles,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C} -asq member objectsid -resolvesids -list
NORTHAMERICA\sitescope
EUROPE\Domain Admins
NORTHAMERICA\MMS_Search
NORTHAMERICA\Domain Admins
NORTHAMERICA\so_jar
ROOT\Enterprise Admins
ROOT\AdamAdmins
joe
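Added example (not from the original post): the SID inside each FSP's CN already carries information before any name lookup. This Python sketch groups the members printed above by issuing domain and labels well-known RIDs, which helps when a SID cannot be resolved. The function names and the choice of which RIDs to treat as privileged are this example's assumptions.

```python
import re

# Sample input: the ">member:" lines from the post's first AdFind run,
# rebuilt from the SIDs shown there.
FSP_BASE = ("CN=ForeignSecurityPrincipals,CN=Configuration,"
            "CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}")
SAMPLE_MEMBERS = "\n".join(">member: CN=%s,%s" % (sid, FSP_BASE) for sid in [
    "S-1-5-21-1511590266-3576895337-3233274463-6632",
    "S-1-5-21-1511590266-3576895337-3233274463-519",
    "S-1-5-21-1757981266-299502267-1801674531-239491",
    "S-1-5-21-1757981266-299502267-1801674531-512",
    "S-1-5-21-1757981266-299502267-1801674531-76732",
    "S-1-5-21-507921405-813497703-1202660629-512",
    "S-1-5-21-1757981266-299502267-1801674531-96228",
])

# Well-known domain-relative RIDs; these are the same in every AD domain.
WELL_KNOWN_RIDS = {
    500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}
PRIVILEGED_RIDS = {500, 512, 518, 519}  # this example's choice of what to flag

FSP_RE = re.compile(r"CN=(S-1-\d+(?:-\d+)+),CN=ForeignSecurityPrincipals", re.I)


def fsp_sids(text):
    """Pull the SID out of every FSP DN found in AdFind output."""
    return FSP_RE.findall(text)


def split_sid(sid):
    """Return (domain_sid, rid) for S-1-5-21-a-b-c-rid, else (sid, None)."""
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return sid, None  # e.g. S-1-5-11, which has no domain part


def group_by_domain(text):
    """Map each issuing domain SID to its (rid, well-known label) members."""
    domains = {}
    for sid in fsp_sids(text):
        dom, rid = split_sid(sid)
        domains.setdefault(dom, []).append((rid, WELL_KNOWN_RIDS.get(rid)))
    return domains


def privileged_members(text):
    """List FSPs whose RID marks a built-in privileged principal."""
    found = []
    for sid in fsp_sids(text):
        _, rid = split_sid(sid)
        if rid in PRIVILEGED_RIDS:
            found.append((sid, WELL_KNOWN_RIDS[rid]))
    return found


if __name__ == "__main__":
    for dom, members in group_by_domain(SAMPLE_MEMBERS).items():
        print(dom, members)
    print(privileged_members(SAMPLE_MEMBERS))
```

The three flagged entries line up with what -resolvesids printed in the post: ROOT\Enterprise Admins, NORTHAMERICA\Domain Admins and EUROPE\Domain Admins.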
You may have encountered some perf issues reading the blog today (Sept 14, 2009). This was due to something within my provider POWWEB. I contacted them and they said they would look into it and suddenly it was working as normal again. Of course this provoked questions…
This was the first response I received
Hello,
The main issue here is that you need to limit the amount of posts that you are loading on one page. There are too many posts per page which is really drawing out your load time. I have raised your PHP memory limit and have also resolved a session.save_path issue within your php.ini file but the main issue here is that too many posts loading at one time issue. That can be adjusted from the admin area of your WordPress blog. Let me know once this is done if you still have loading issues and I’ll continue to help where I can.
Thank you,
Gareth B.
Operations, Tech Tier 2
Not having seen any issues in a very very long time with page loads and having the current setting for number of posts for at least a year I responded:
Why did this all of a sudden become an issue in the last day? I have had the same configuration for posts etc for well over a year now with no issues.
thanks, joe
Their response was again less than ideal
Hello,
I cannot remark on what WordPress configurations may do from time to time, as updates often happen quite often within WordPress. I do know that this may not have been seen before now due to perhaps browser caching. Some new browsers do force a new version of the site to be pulled every time you browse to it, which is good because it then shows the most complete and new version of your site.
When I use any of the many website optimization or page testing sites on the net, I get many flags for this site in concern to the amount of data that is pulled and the number of queries on this one very long page. I definitely advise limiting the number of posts that display on one page to avoid further issues with speed.
Thank you,
Gareth B.
Operations, Tech Tier 2
As someone who has been doing operational support in Enterprise class companies for > 10 years, I feel this answer is more accurately represented with “umm we don’t know what is going on” or alternately “we knew what was wrong but we screwed up and we certainly aren’t going to tell you what we did and in the meanwhile, let me ding you on something else that could possibly cover it although we know it isn’t the problem because it is working great now without you making any mods to your wordpress config…”
Oh the mention of the mod to the session.save_path is also a red herring, I never modified the php.ini file and taking a peek at it, it is still the same as the default for the server. And it is identical to the php.ini file I have on another couple of sites I host through POWWEB.
Overall I like POWWEB but I don’t believe I have yet to have had a good experience with their support team. But then I am probably a bit pickier than a lot of people having done support so long myself and generally recognizing BS when I hear it.
joe
For those looking to identify the misc plants growing around the yard… Or if you have to look for a specific plant for your natural remedies…
http://www.ipm.ucdavis.edu/PMG/weeds_intro.html
I received an email with a script to clear the pwd_not_reqd flag that the author said he meant to post as a comment but couldn’t (old posts don’t allow comments anymore to slow down on spam). The post was http://blog.joeware.net/2006/06/29/431/
Fortunately, you don’t need a script to do this, it is a one liner with adfind/admod (all one line).
adfind -default -bit -f "&(objectcategory=computer)(useraccountcontrol:AND:=32)" useraccountcontrol -adcsv | admod -sc uacclear:PASSWD_NOTREQD -unsafe
Here it is in action…
[Wed 09/09/2009 18:36:06.30]
G:\new1\Dev\CPP\ExchMbx>adfind -default -bit -f "&(objectcategory=computer)(useraccountcontrol:AND:=32)" useraccountcontrol -adcsv | admod -sc uacclear:PASSWD_NOTREQD -unsafe
AdMod V01.11.00cpp ##BETA## Joe Richards (joe@joeware.net) June 2007
DN Count: 8
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Modifying specified objects…
DN: CN=testcmp,CN=Computers,DC=test,DC=loc…
DN: CN=testdc,CN=Users,DC=test,DC=loc…
DN: CN=FakeServer1,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer2,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer3,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer10,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer11,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer12,CN=Computers,DC=test,DC=loc…
The command completed successfully
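Added example (not from the original post): a dry-run in Python of what the one-liner above does to each account. It spells out the standard LDAP filter behind the `:AND:=32` shorthand, applies the same bitwise-AND test, and shows each userAccountControl value before and after PASSWD_NOTREQD is cleared. The userAccountControl values and the last two DNs are constructed, since the post does not show them.

```python
# userAccountControl bit values as documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
PASSWD_NOTREQD = 0x0020                  # the 32 in the post's filter
BIT_AND_OID = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

# Constructed sample: (DN, userAccountControl). The first two DNs are from the
# post's output; every value and the last two DNs are made up.
SAMPLE = [
    ("CN=testcmp,CN=Computers,DC=test,DC=loc", 4128),
    ("CN=FakeServer1,CN=Computers,DC=test,DC=loc", 4130),
    ("CN=ExampleWks1,CN=Computers,DC=test,DC=loc", 4096),
    ("CN=ExampleDC1,OU=Domain Controllers,DC=test,DC=loc", 532480),
]


def standard_filter(bit=PASSWD_NOTREQD):
    """The post's filter with :AND:= written out as the matching-rule OID."""
    return "(&(objectcategory=computer)(useraccountcontrol:%s:=%d))" % (
        BIT_AND_OID, bit)


def bit_and_match(uac, mask):
    """Bitwise-AND rule: true only when every bit of mask is set in uac."""
    return (uac & mask) == mask


def decode(uac):
    """Name the set bits, lowest first; unknown bits are reported as hex."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]
    unknown = uac & ~sum(UAC_FLAGS)
    if unknown:
        names.append("0x%X" % unknown)
    return names


def plan_clear(entries, bit=PASSWD_NOTREQD):
    """Preview the change for matching entries without modifying anything."""
    plan = []
    for dn, uac in entries:
        if bit_and_match(uac, bit):
            after = uac & ~bit  # only the one flag is dropped
            plan.append({"dn": dn, "before": uac, "after": after,
                         "kept": decode(after)})
    return plan


if __name__ == "__main__":
    print(standard_filter())
    for row in plan_clear(SAMPLE):
        print(row["dn"], row["before"], "->", row["after"], row["kept"])
```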
This is a combined effort work of art… The guilty shall remain nameless…
My Active Directory forest before Microsoft Exchange
My Active Directory forest after Microsoft Exchange