joeware - never stop exploring... :)

Who would have thunk it???

http://www.microsoft.com/presspass/features/2009/jul09/07-20linuxqa.mspx

“Today, in a break from the ordinary, Microsoft released 20,000 lines of device driver code to the Linux community. The code, which includes three Linux device drivers, has been submitted to the Linux kernel community for inclusion in the Linux tree. The drivers will be available to the Linux community and customers alike, and will enhance the performance of the Linux operating system when virtualized on Windows Server 2008 Hyper-V or Windows Server 2008 R2 Hyper-V.”

http://dloder.blogspot.com/2009/08/exchange-2010-rc1-and-adminsdholder.html

This is just silly… Seriously. Allegedly products go through a security review, how did this make it past that? This isn’t the kind of thing that should be caught in testing as indicated by the first comment, this kind of thing should never have happened in the first place. It is, IMO, the result of the same general mindset that has existed in Exchange since I first started dealing with it… Exchange team feels that AD exists to serve Exchange so everything Exchange needs is right and good and proper. That was an incorrect mindset in the beginning and isn’t any better now when you see something like this. I do know some folks that moved to the Exchange team from the DS team would probably have said “what are you thinking?” if this had been brought up to them.

http://mostlyexchange.blogspot.com/2009/09/sending-e-mail-as-sms-or-text-message.html

 

Really useful answer by Michael W. on the Microsoft TechNet forums. If you want to send a text message from an e-mail client, most carriers allow you to do this. You send an e-mail message to number@emaildomain. For example, if you want to send a message to a T-Mobile user whose phone number is (808) 555-1234, then you would address the message to 8085551234@tmomail.net Keep in mind that the recipient may have to pay a "per text message" charge. Below are the US carriers. For more, see this link.
UNITED STATES

n@teleflip.com Teleflip
n@message.alltel.com Alltel
n@paging.acswireless.com Ameritech
n@txt.att.net ATT Wireless
n@bellsouth.cl Bellsouth
n@myboostmobile.com Boost
n@mobile.celloneusa.com CellularOne
n@mms.uscc.net CellularOne MMS
1n@mobile.mycingular.com Cingular
n@sms.edgewireless.com Edge Wireless
n@messaging.sprintpcs.com Sprint PCS
n@tmomail.net T-Mobile
n@mymetropcs.com Metro PCS
n@messaging.nextel.com Nextel
n@mobile.celloneusa.com O2 / Orange
n@qwestmp.com Qwest
n@pcs.rogers.com Rogers Wireless
n@msg.telus.com Telus Mobility
n@email.uscc.net US Cellular
n@vtext.com Verizon
n@vmobl.com Virgin Mobile

One of the alert joeware fans out there sent me a link to the following TechNet story that utilizes AdFind.

http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

While the article is a bit rough, for example sdprop isn’t responsible for AdminSDHolder[1] it is an ok article for a general sort of conceptual overview on how it works[2] and there is some good info summary that is useful to have in a single place. I will try to point out specific things that aren’t right that could bite you though.

First “this could bite you” issue is that ProtectAdminGroups (PAG see note [1]) does not CLEAR the inheritance flag on the ACL… All the process does is compare the WHOLE Security Descriptor from the AdminSDHolder object to the object that should be “protected”. If the size or the binary “string” varies in any way, the Security Descriptor on the object is overwritten by the Security Descriptor from the AdminSDHolder object[3]. This means that if you set the AdminSDHolder object to inherit permissions, any object that is updated with PAG will also be set to inherit since the inheritance is set by a flag in the DACL portion of the Security Descriptor. This is important to note because if someone screws up and sets the AdminSDHolder to inherit perms, your protection is effectively gone that is to save your butt when you accidently move an admin user or group into an OU that someone else has rights to make certain modifications. For example, blow the Security Descriptor on AdminSDHolder, then accidently move Administrator into an OU that has granted (RE)SET PASSWORD to local admin XYZ and now local admin XYZ can take over the administrator group.

The second issue is “The ability to control groups protected by AdminSDHolder is enabled by modifying the dsHeuristic flag. This is a Unicode string in which each character contains a value for a single domain-wide setting.”. The dsHeuristic flag is actually forest-wide, not domain wide. The attribute is in the configuration container and that container is pretty much only used for forest wide configurations.

Third issue is an AdFind query… Specifically “Adfind.exe -b DC=domain,DC=com -f "adminCount=1" DN”. There are actually two issues here, the first will bite you, the second won’t bite you but is technically incorrect. The bite you issue is that admincount=1 is a very inefficient filter. That attribute isn’t indexed so this query would end up forcing the DC to enumerate every single object in the domain and looking at that value to determine which ones to return. If you want to find out what users are impacted, use “&(objectcategory=person)(objectclass=user)(admincount=1)”, if you want to find what groups, use “&(objectcategory=group)(admincount=1)”. The second issue in this command is the use of DN… DN isn’t an attribute, if you just want DN’s, specify –dn, not DN. It actually works because AdFind is asking AD to return the DN attribute which doesn’t exist so only the DN gets output. By default the DN is always returned and AdFind displays it for you. Will this hurt anything??? Nope. But it could confuse people if they are trying to understand the command.

The fourth issue is another AdFind query… Specifically “Adfind.exe -b DC=domain,DC=com -f "(&(objectclass=group)(admincount=1))" DN”. Until Windows Server 2008 the objectclass attribute isn’t indexed so just using objectclass in the filter can be inefficient. The efficient form of this query is “(&(objectcategory=group)(admincount=1))”.

The fifth issue is “When a user is removed from a protected group, the adminCount attribute on that user account is changed to 0.”. Last I recall looking, this wasn’t the case. You took someone out of the group, this would stay set and the Security Descriptor would still reflect AdminSDHolder. All manual cleanup. Possibly in later versions of the OS maybe ADUC is smart enough to do this for you, but it isn’t part of the PAG process. Even if it were, it wouldn’t help anything, nothing in the OS is fired based on that attribute value. The OS does a scan of protected groups each run of PAG and does its work based on that, not the value of adminCount.

Obviously all of the stuff about making SDProp run at different rates is moot now given the info above.

Hmm on second thought, that article is rougher than I initially thought. 😉

 

    joe

 

 

[1] I once thought that as well but not for some time. There is specific code and an internally scheduled task that is responsible for AdminSDHolder all by itself which I will just call ProtectAdminGroups as I don’t know if it has any other name and in Windows Server 2008 R2 they add a new control access right called Run Protect Admin Groups Task (and an associated RootDSE Mod – http://msdn.microsoft.com/en-us/library/dd305198(PROT.13).aspx). Regardless it definitely isn’t SDPROP. SDPROP is used for fixing up ACL inheritance and when moving objects about. I may take some time and sit down and write up how the AdminSDHolder functionality really works at some point, but not today. The ProtectAdminGroups task does run every 3600 seconds and only on the PDC though…

 

[2] Don’t be using this article to try and show how technically brilliant you are when interviewing (either side of the interview) because the other side may really know how it works and you could 1) End up looking like an Idiot 2A) Not get the job or 2B) Turn away a potential employee who actually knew what they were talking about. If, for example, you interviewed me and asked me what process was responsible for adminSDHolder ACL updates you would never hear me say SDPROP unless it was… It is actually this but some people think it is SDPROP.

[3] This is much easier and less overhead than doing an ACE by ACE and flag by flag compare of each DACL. And note… it is called Admin”SD”Holder… not Admin”DACL”Holder…

I have a PC that I don’t like much but have to use. I don’t like the software configuration on the machine but don’t have any real choices in the matter. I won’t go into it more than that…

So today I am trying to get something done and as usual the machine is crawling along about 74.297% +/- 2.72% slower than it should likely be performing. Very likely it as something to do with Symantec EP running on the machine which I hate[1]  and finally said screw it, I will reboot and maybe that will fix it… It has sort of worked in the past and I hadn’t rebooted in a week or two (preferring instead to hibernate)… So I click on restart, nothing. Click on it again, nothing. Click on it again, it stubbornly refrains… Great a Windows machine that refuses to go down. ;o)

My solution… no it wasn’t pull the battery, that would have worked but I wanted the OS to be somewhat involved in the shutdown so it was aware that I was unhappy with it so I opened a command prompt and typed

 

taskkill /fi “IMAGENAME=s*” /f

 

Then I finally got the “system is shutting down” dialog to pop up. 🙂

When the machine came back up it was quite a bit more responsive. Good thing too as I was about to put the bad little laptop in the corner…

 

To everyone in the US of A… Have a great Labor Day Weekend.

 

    joe

 

[1] I dislike all AV and antimalware software on my machines. Running it you are always as slow as you would be during the brief times you maybe get infected with something. Well brief for me, I am a paranoid web surfer and never had the interest to see Brittany Spears or Paris Hilton nude so am in general safe…

Alternate working title… The super cool PERL backup script I wrote in 1997 doesn’t work on Windows Server 2003 x64 *&(#%^&^#

Back in the golden days of Windows NT 4 SP2 or maybe it was SP3 in or around 1997 by then I had a problem I had to solve with automatically backing up some file systems and put them somewhere safe so we could recover them quickly and easily. The quickly and easily meant that the standard backup methods likely weren’t the best way to go so I wrote a very wicked cool PERL script that would use ntbackup to backup the folders needing protection, then zip the file, then either use CIFS/SMB or FTP to copy the file to someplace else that I could quickly recover the file from. The main changes to this script over the years have simply been the support of backing up Active Directory and embedding it into an executable via ActiveState’s PerlApp application (very cool, if you write perl on Win32, you should have the Perl Dev Kit from ActiveState…).

Now just to be honest, I love love love love love this solution. I have used it in some way shape or form in every job I have had since 1997 and also use it at home for backing things up too.

Well for the first time I was running the script on an x64 machine and it adamantly refused to run. Specifically it kept spitting out “Windows cannot find ‘c:\winnt\system32\ntbackup.exe’ as shown below…

 

 

As you can imagine, this is a bit frustrating. Then I started thinking more and more about it and recalled that there is all sorts of redirection going on in x64 to “help” us lowly users find the “proper” versions of things. Specifically in this case, if you run an x86 application and it calls out to <WINDIR>\system32 the call is actually redirected to <WINDIR>\SysWow64 (sounds sort of like Sham Wow in my head). This is all well and good right up until you need to executable a binary from an x86 EXE embedded perl script and no x86 version of that binary is available… Say like ntbackup.exe… All you get then is “the file doesn’t exist” error and when you look at it from the x64 command prompt DIR says “THERE IT IS!!!” and you think… WTF.

So to refresh my memory I went and hunted down the appropriate resources which were

http://support.microsoft.com/kb/896456

http://msdn.microsoft.com/en-us/library/aa384249(VS.85).aspx

http://msdn.microsoft.com/en-us/library/aa384187(VS.85).aspx

which brings you to the conclusion that you need to write your app/script to take advantage of the Wow64DisableWow64FsRedirection function to work. Obviously I am not afraid to do that and whip up the needed app but I just kept thinking… I shouldn’t have to do this. So I kept looking and thinking.

After looking for awhile I found out that this annoyed enough people that in Windows Vista they added a new directory alias… <WINDIR>\SYSNATIVE which takes you to <WINDIR>\system32 regardless of the “bit-ness” of the application. This doesn’t help on Windows Server 2003 x64 though (nor Windows XP x64 if you are playing in that sandbox). So I kept looking and thinking.

After a while I thought… What if I just set up a file system linkage from <WINDIR>\SysWow64\ntbackup.exe to <WINDIR>\system32\ntbackup.exe. Would that work??

So I dug out fsutil to create a hardlink (UNIX people out there are like yeah no kidding, Windows people are like hard wha???)

E:\>fsutil hardlink create c:\winnt\syswow64\ntbackup.exe c:\winnt\system32\ntbackup.exe
Hardlink created for c:\winnt\syswow64\ntbackup.exe <<===>> c:\winnt\system32\ntbackup.exe

and voila… the script is working fine again.

I added the setup of this hard link to the script setup file…

if exist %windir%\syswow64 (
   echo x64 Windows detected, creating ntbackup hardlink
   fsutil hardlink create %WINDIR%\syswow64\ntbackup.exe %WINDIR%\system32\ntbackup.exe
  )

So why don’t I link <WINDIR>\SysWow64 to <WINDIR>\system32… First hardlinks only work at the file level, but second even if it worked at the directory level that would be inherently dangerous as other things could get redirected that I didn’t intend. I know specifically how ntbackup is being used on the system which gives me a lot more info about that specific case than all of the thousands of files in the folder.

Next popular question will be… how do I display hardlinks? You do that with HLSCAN.EXE.

Another possible question will be… so joe, how do I know authoritatively if this is going on?? Well one of the best ways would be to start an x86 command prompt and look for the file you want via that. So type start %windir%\syswow64\cmd and then use dir to look for the file you need to find.

Oh yeah almost forgot… how do you get rid of a hardlink once created? You delete the “file”. i.e. In the example above, I would type del c:\winnt\syswow64\ntbackup.exe and that would remove the hardlink to c:\winnt\system32\ntbackup.exe

 

And yes… I know this will break again with Windows Server 2008 as NTBACKUP is sadly no longer available but I don’t have to deal with that exact issue quite yet… I honestly don’t know what I will do then as I don’t much like what I have seen of the new backup facility.

 

    joe

I recently received an email asking how to find old trusts. I sent back an AdFind query that will list all trusts and when they last had a password change. That query is

adfind -default -rb cn=users -f "&(objectcategory=person)(name=*$)" pwdlastset -tdcd -sort pwdlastset

The command looks in the user’s container of the default domain and looks for any user’s with a name that ends in $ which will be your trusts unless you have monkeyed around with placing $ on the end of user names and keep them in your user’s container. It then outputs the pwdlastset attribute with my delta format output which looks like…

pwdLastSet: 2009/08/16-17:18:18 Eastern Daylight Time (-3 days 21 hours 17 minutes 47 seconds)

In this example, the password was changed almost 4 days ago.

 

Next I added a switch to force a sort on the attribute so that things come out in sorted order oldest to newest.

 

Anything that is older than 30 days is an old trust that is not being maintained as the passwords should be updated at least every 30 days.

As I write this, I realize I could have given an even better answer by having the LDAP query filter out any trusts with a password that was newer than 30 days like so…

adfind -default -rb cn=users –binenc -f "&(objectcategory=person)(name=*$)(pwdlastset<={{CURRENT:-31d}})" pwdlastset -tdcd -sort pwdlastset

 

Which adds another switch, –binenc which tells AdFind to look at the LDAP query and make some mods based on string matches and also added in another component of the filter to specify I want passwords that are newer than 31 days ago.

If you need to look at a specific domain, add –h domainname to the command and it will go to that domain instead.

 

      joe