For those looking to identify the misc plants growing around the yard… Or if you have to look for a specific plant for your natural remedies…
http://www.ipm.ucdavis.edu/PMG/weeds_intro.html
I received an email with a script to clear the pwd_not_reqd flag that the author said he meant to post as a comment but couldn’t (old posts don’t allow comments anymore to slow down on spam). The post was http://blog.joeware.net/2006/06/29/431/
Fortunately, you don’t need a script to do this; it is a one-liner with AdFind/AdMod (all one line).
adfind -default -bit -f "&(objectcategory=computer)(useraccountcontrol:AND:=32)" useraccountcontrol -adcsv | admod -sc uacclear:PASSWD_NOTREQD -unsafe
Here it is in action…
[Wed 09/09/2009 18:36:06.30]
G:\new1\Dev\CPP\ExchMbx>adfind -default -bit -f "&(objectcategory=computer)(useraccountcontrol:AND:=32)" useraccountcontrol -adcsv | admod -sc uacclear:PASSWD_NOTREQD -unsafe
AdMod V01.11.00cpp ##BETA## Joe Richards (joe@joeware.net) June 2007
DN Count: 8
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Modifying specified objects…
DN: CN=testcmp,CN=Computers,DC=test,DC=loc…
DN: CN=testdc,CN=Users,DC=test,DC=loc…
DN: CN=FakeServer1,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer2,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer3,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer10,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer11,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer12,CN=Computers,DC=test,DC=loc…
The command completed successfully
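As an added example (not joeware code), here is the same logic in Python: the bitwise-AND matching rule that AdFind's ":AND:=32" shorthand stands for, the bit arithmetic AdMod's uacclear performs, and a pass over constructed rows in the shape of -adcsv output so you can see which computer accounts would be touched before running the one-liner with -unsafe.

```python
"""Added example, not joeware code: decode userAccountControl, expand the
bitwise-AND filter behind AdFind's ":AND:=" shorthand, and compute the value
admod uacclear would write. Sample rows are constructed (adcsv-shaped CSV)."""
import csv
import io

# Subset of userAccountControl bits (ADS_USER_FLAG_ENUM values)
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,  # blank password permitted: the bit the one-liner clears
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
}

# LDAP_MATCHING_RULE_BIT_AND; "(attr:AND:=32)" in AdFind -bit syntax expands to this OID
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def bit_and_filter(attribute, mask):
    """Standard LDAP spelling of the AdFind filter clause (attribute:AND:=mask)."""
    return f"({attribute}:{LDAP_MATCHING_RULE_BIT_AND}:={mask})"


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def uacclear(value, flag):
    """Same arithmetic as admod uacclear:FLAG: clear that one bit, keep everything else."""
    return value & ~UAC_FLAGS[flag]


def find_passwd_notreqd(adcsv_text):
    """Map each DN with PASSWD_NOTREQD set to the userAccountControl it would have after clearing."""
    fixes = {}
    for row in csv.DictReader(io.StringIO(adcsv_text)):
        uac = int(row["userAccountControl"])
        if uac & UAC_FLAGS["PASSWD_NOTREQD"]:
            fixes[row["dn"]] = uacclear(uac, "PASSWD_NOTREQD")
    return fixes


# Constructed sample: a workstation and a DC with the bit set, one clean workstation
SAMPLE_ADCSV = '''"dn","userAccountControl"
"CN=testcmp,CN=Computers,DC=test,DC=loc","4128"
"CN=FakeServer1,CN=Computers,DC=test,DC=loc","4096"
"CN=testdc,CN=Users,DC=test,DC=loc","532512"
'''
```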
This is a combined effort work of art… The guilty shall remain nameless…
My Active Directory forest before Microsoft Exchange
My Active Directory forest after Microsoft Exchange
This is quick and easy with AdFind and AdMod…
You just have to find the users, pipe their DN and sAMAccountName to AdMod and tell it to do a rename… Like so
adfind -b ou=someou,dc=domain,dc=com -f "&(objectcategory=person)(objectclass=user)(name=*,*)" samaccountname -adcsv | admod -rename {{samaccountname}} -upto 1000
That command limits itself to modifying at most 1000 users, just in case something isn’t right. You can set that limit to whatever you want, or specify -unsafe instead if you just want them all done and are sure your query is OK.
Here is a live example:
[Wed 09/09/2009 13:04:47.87]
G:\>adfind -b cn=users,dc=test,dc=loc -f "&(objectcategory=person)(objectclass=user)(name=*,*)" samaccountname
AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Base DN: cn=users,DC=test,DC=loc
dn:CN=some\, user,CN=Users,DC=test,DC=loc
>sAMAccountName: ThisTestUser
1 Objects returned
[Wed 09/09/2009 13:04:53.88]
G:\>adfind -b cn=users,dc=test,dc=loc -f "&(objectcategory=person)(objectclass=user)(name=*,*)" samaccountname -adcsv |admod -rename {{samaccountname}} -upto 1000
AdMod V01.10.00cpp Joe Richards (joe@joeware.net) February 2007
DN Count: 1
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Renaming CN=some\, user,CN=Users,DC=test,DC=loc to ThisTestUser…
The command completed successfully
[Wed 09/09/2009 13:04:59.93]
G:\>adfind -b cn=users,dc=test,dc=loc -f samaccountname=thistestuser samaccountname
AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Base DN: cn=users,DC=test,DC=loc
dn:CN=ThisTestUser,CN=Users,DC=test,DC=loc
>sAMAccountName: ThisTestUser
1 Objects returned
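Added example, not the blog's or AdMod's code: a Python model of the rename step above, showing how the escaped comma in a DN like CN=some\, user has to be respected when splitting off the parent container and building the new RDN from sAMAccountName. The -upto guard is modelled as processing only the first N entries, which is an assumption about AdMod's exact behaviour.

```python
"""Added example, not joeware code: plan CN -> sAMAccountName renames, splitting
each DN on its first unescaped comma and escaping the new RDN value per RFC 4514."""

RDN_SPECIAL = set('\\,+"<>;=')


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == last and ch == " "
        out.append("\\" + ch if ch in RDN_SPECIAL or leading or trailing else ch)
    return "".join(out)


def split_first_rdn(dn):
    """Return (rdn, parent_dn); a backslash-escaped comma does not end the RDN."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def plan_renames(entries, upto=1000):
    """entries: (dn, sAMAccountName) pairs as piped from AdFind. The -upto guard is
    modelled as processing only the first `upto` entries (assumed semantics)."""
    plan = []
    for dn, sam in entries[:upto]:
        _rdn, parent = split_first_rdn(dn)
        plan.append((dn, f"CN={escape_rdn_value(sam)},{parent}"))
    return plan


# Constructed input matching the live example: a CN containing a comma
SAMPLE_ENTRIES = [("CN=some\\, user,CN=Users,DC=test,DC=loc", "ThisTestUser")]
```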
Who would have thunk it???
http://www.microsoft.com/presspass/features/2009/jul09/07-20linuxqa.mspx
“Today, in a break from the ordinary, Microsoft released 20,000 lines of device driver code to the Linux community. The code, which includes three Linux device drivers, has been submitted to the Linux kernel community for inclusion in the Linux tree. The drivers will be available to the Linux community and customers alike, and will enhance the performance of the Linux operating system when virtualized on Windows Server 2008 Hyper-V or Windows Server 2008 R2 Hyper-V.”
http://dloder.blogspot.com/2009/08/exchange-2010-rc1-and-adminsdholder.html
This is just silly… Seriously. Allegedly products go through a security review; how did this make it past that? This isn’t the kind of thing that should be caught in testing, as indicated by the first comment; this kind of thing should never have happened in the first place. It is, IMO, the result of the same general mindset that has existed in Exchange since I first started dealing with it… The Exchange team feels that AD exists to serve Exchange, so everything Exchange needs is right and good and proper. That was an incorrect mindset in the beginning and isn’t any better now when you see something like this. I do know some folks who moved to the Exchange team from the DS team who would probably have said “what are you thinking?” if this had been brought up to them.
http://mostlyexchange.blogspot.com/2009/09/sending-e-mail-as-sms-or-text-message.html
Really useful answer by Michael W. on the Microsoft TechNet forums. If you want to send a text message from an e-mail client, most carriers allow you to do this. You send an e-mail message to number@emaildomain. For example, if you want to send a message to a T-Mobile user whose phone number is (808) 555-1234, then you would address the message to 8085551234@tmomail.net. Keep in mind that the recipient may have to pay a "per text message" charge. Below are the US carriers. For more, see this link.
UNITED STATES (n = the phone number)
Teleflip          n@teleflip.com
Alltel            n@message.alltel.com
Ameritech         n@paging.acswireless.com
ATT Wireless      n@txt.att.net
Bellsouth         n@bellsouth.cl
Boost             n@myboostmobile.com
CellularOne       n@mobile.celloneusa.com
CellularOne MMS   n@mms.uscc.net
Cingular          1n@mobile.mycingular.com
Edge Wireless     n@sms.edgewireless.com
Sprint PCS        n@messaging.sprintpcs.com
T-Mobile          n@tmomail.net
Metro PCS         n@mymetropcs.com
Nextel            n@messaging.nextel.com
O2 / Orange       n@mobile.celloneusa.com
Qwest             n@qwestmp.com
Rogers Wireless   n@pcs.rogers.com
Telus Mobility    n@msg.telus.com
US Cellular       n@email.uscc.net
Verizon           n@vtext.com
Virgin Mobile     n@vmobl.com
One of the alert joeware fans out there sent me a link to the following TechNet story that utilizes AdFind.
http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx
While the article is a bit rough (for example, sdprop isn’t responsible for AdminSDHolder[1]), it is an OK article for a general conceptual overview of how it works[2], and there is a good summary of info that is useful to have in a single place. I will try to point out specific things that aren’t right that could bite you, though.
First “this could bite you” issue: ProtectAdminGroups (PAG, see note [1]) does not CLEAR the inheritance flag on the ACL… All the process does is compare the WHOLE Security Descriptor from the AdminSDHolder object to the one on the object that should be “protected”. If the size or the binary “string” varies in any way, the Security Descriptor on the object is overwritten by the Security Descriptor from the AdminSDHolder object[3]. This means that if you set the AdminSDHolder object to inherit permissions, any object that is updated by PAG will also be set to inherit, since inheritance is set by a flag in the DACL portion of the Security Descriptor. This is important to note because if someone screws up and sets AdminSDHolder to inherit perms, the protection that is there to save your butt when you accidentally move an admin user or group into an OU where someone else has rights to make certain modifications is effectively gone. For example, blow the Security Descriptor on AdminSDHolder, then accidentally move Administrator into an OU that has granted (RE)SET PASSWORD to local admin XYZ, and now local admin XYZ can take over the administrator group.
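Added example, not from the article or joeware: a Python check for the scenario just described. It parses the self-relative SECURITY_DESCRIPTOR header so you can tell whether AdminSDHolder's DACL is open to inheritance (the SE_DACL_PROTECTED control bit being clear), and models the whole-descriptor compare so the inheriting descriptor can be seen propagating onto a protected object. The descriptor bytes are constructed.

```python
"""Added example, not from the article or joeware: parse the self-relative
SECURITY_DESCRIPTOR header (MS-DTYP 2.4.6), report whether the DACL inherits,
and model the whole-SD compare ProtectAdminGroups performs. Bytes are constructed."""
import struct

SE_DACL_PRESENT = 0x0004
SE_DACL_PROTECTED = 0x1000  # clear => DACL inherits from the parent container
SE_SELF_RELATIVE = 0x8000
HEADER_FMT = "<BBHIIII"  # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes


def parse_sd_header(sd):
    """Return the header fields of a self-relative security descriptor as a dict."""
    if len(sd) < HEADER_LEN:
        raise ValueError("too short to be a security descriptor")
    rev, _sbz1, control, owner, group, sacl, dacl = struct.unpack_from(HEADER_FMT, sd, 0)
    return {"revision": rev, "control": control, "owner": owner,
            "group": group, "sacl": sacl, "dacl": dacl}


def dacl_inherits(sd):
    """True when SE_DACL_PROTECTED is clear, i.e. parent ACEs will flow onto this object."""
    return not parse_sd_header(sd)["control"] & SE_DACL_PROTECTED


def pag_stamp(holder_sd, object_sd):
    """Model of the PAG pass: byte-identical => untouched, any difference =>
    the object receives AdminSDHolder's descriptor verbatim."""
    return object_sd if object_sd == holder_sd else holder_sd


def build_sd(control, dacl=b""):
    """Constructed descriptor: header plus an optional opaque DACL blob at offset 20."""
    offset_dacl = HEADER_LEN if dacl else 0
    return struct.pack(HEADER_FMT, 1, 0, control | SE_SELF_RELATIVE, 0, 0, 0, offset_dacl) + dacl


def check_adminsdholder(holder_sd):
    """Defender's check: an inheriting AdminSDHolder means every stamped admin inherits too."""
    if dacl_inherits(holder_sd):
        return "WARNING: AdminSDHolder DACL inherits; protected objects will inherit too"
    return "OK: AdminSDHolder DACL is protected from inheritance"


# Constructed: a healthy holder SD and one where someone turned inheritance on
HOLDER_OK = build_sd(SE_DACL_PRESENT | SE_DACL_PROTECTED, b"\x04\x00\x08\x00\x00\x00\x00\x00")
HOLDER_BAD = build_sd(SE_DACL_PRESENT, b"\x04\x00\x08\x00\x00\x00\x00\x00")
```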
The second issue is “The ability to control groups protected by AdminSDHolder is enabled by modifying the dsHeuristic flag. This is a Unicode string in which each character contains a value for a single domain-wide setting.”. The dsHeuristic flag is actually forest-wide, not domain wide. The attribute is in the configuration container and that container is pretty much only used for forest wide configurations.
Third issue is an AdFind query… Specifically “Adfind.exe -b DC=domain,DC=com -f "adminCount=1" DN”. There are actually two issues here: the first will bite you, the second won’t bite you but is technically incorrect. The bite-you issue is that admincount=1 is a very inefficient filter. That attribute isn’t indexed, so this query ends up forcing the DC to enumerate every single object in the domain and look at that value to determine which ones to return. If you want to find out what users are impacted, use “&(objectcategory=person)(objectclass=user)(admincount=1)”; if you want to find what groups, use “&(objectcategory=group)(admincount=1)”. The second issue in this command is the use of DN… DN isn’t an attribute; if you just want DNs, specify -dn, not DN. It actually works because AdFind is asking AD to return the DN attribute, which doesn’t exist, so only the DN gets output. By default the DN is always returned and AdFind displays it for you. Will this hurt anything??? Nope. But it could confuse people who are trying to understand the command.
The fourth issue is another AdFind query… Specifically “Adfind.exe -b DC=domain,DC=com -f "(&(objectclass=group)(admincount=1))" DN”. Until Windows Server 2008 the objectclass attribute isn’t indexed, so just using objectclass in the filter can be inefficient. The efficient form of this query is “(&(objectcategory=group)(admincount=1))”.
The fifth issue is “When a user is removed from a protected group, the adminCount attribute on that user account is changed to 0.”. Last I recall looking, this wasn’t the case. If you took someone out of the group, this would stay set and the Security Descriptor would still reflect AdminSDHolder. All manual cleanup. Possibly in later versions of the OS ADUC is smart enough to do this for you, but it isn’t part of the PAG process. Even if it were, it wouldn’t help anything; nothing in the OS is fired based on that attribute value. The OS does a scan of protected groups each run of PAG and does its work based on that, not the value of adminCount.
Obviously all of the stuff about making SDProp run at different rates is moot now given the info above.
Hmm on second thought, that article is rougher than I initially thought. 😉
joe
[1] I once thought that as well, but not for some time. There is specific code and an internally scheduled task that is responsible for AdminSDHolder all by itself, which I will just call ProtectAdminGroups as I don’t know if it has any other name, and in Windows Server 2008 R2 they added a new control access right called Run Protect Admin Groups Task (and an associated RootDSE Mod – http://msdn.microsoft.com/en-us/library/dd305198(PROT.13).aspx). Regardless, it definitely isn’t SDPROP. SDPROP is used for fixing up ACL inheritance and when moving objects about. I may take some time and sit down and write up how the AdminSDHolder functionality really works at some point, but not today. The ProtectAdminGroups task does run every 3600 seconds and only on the PDC though…
[2] Don’t be using this article to try and show how technically brilliant you are when interviewing (on either side of the interview), because the other side may really know how it works and you could 1) end up looking like an idiot, 2A) not get the job, or 2B) turn away a potential employee who actually knew what they were talking about. If, for example, you interviewed me and asked me what process was responsible for adminSDHolder ACL updates, you would never hear me say SDPROP unless it was… It is actually this but some people think it is SDPROP.
[3] This is much easier and less overhead than doing an ACE by ACE and flag by flag compare of each DACL. And note… it is called Admin”SD”Holder… not Admin”DACL”Holder…
I have a PC that I don’t like much but have to use. I don’t like the software configuration on the machine but don’t have any real choices in the matter. I won’t go into it more than that…
So today I am trying to get something done and as usual the machine is crawling along about 74.297% +/- 2.72% slower than it should likely be performing. Very likely it has something to do with Symantec EP running on the machine, which I hate[1], and I finally said screw it, I will reboot and maybe that will fix it… It has sort of worked in the past and I hadn’t rebooted in a week or two (preferring instead to hibernate)… So I click on restart, nothing. Click on it again, nothing. Click on it again, it stubbornly refrains… Great, a Windows machine that refuses to go down. ;o)
My solution… no, it wasn’t pull the battery; that would have worked, but I wanted the OS to be somewhat involved in the shutdown so it was aware that I was unhappy with it. So I opened a command prompt and typed
taskkill /fi "IMAGENAME=s*" /f
Then I finally got the “system is shutting down” dialog to pop up. 🙂
When the machine came back up it was quite a bit more responsive. Good thing too as I was about to put the bad little laptop in the corner…
To everyone in the US of A… Have a great Labor Day Weekend.
joe
[1] I dislike all AV and antimalware software on my machines. Running it, you are always as slow as you would be during the brief times you maybe get infected with something. Well, brief for me; I am a paranoid web surfer and never had the interest to see Britney Spears or Paris Hilton nude, so am in general safe…