joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

7/5/2018

Windows Server 2016 install-addsforest…

by @ 12:43 am. Filed under tech

Forest/Domain Mode = WinThreshold??

Really MSFT?

Come on… Sloppy.

-ForestMode

Specifies the forest functional level for the new forest. Supported values for this parameter can be either a valid integer or a corresponding enumerated string value. For example, to set the forest mode level to Windows Server 2008 R2, you can specify either a value of 4 or Win2008R2.

The acceptable values for this parameter are:

  • Windows Server 2003: 2 or Win2003
  • Windows Server 2008: 3 or Win2008
  • Windows Server 2008 R2: 4 or Win2008R2
  • Windows Server 2012: 5 or Win2012
  • Windows Server 2012 R2: 6 or Win2012R2
  • Windows Server 2016: 7 or WinThreshold

The default forest functional level in Windows Server is typically the same as the version you are running. However, the default forest functional level in Windows Server 2008 R2 when you create a new forest is Windows Server 2003 or 2.

Type:
ForestMode

Parameter Sets:
Win2008, Win2008R2, Win2012, Win2012R2, WinThreshold, Default

Position:
Named

Default value:
Windows2008R2

Accept pipeline input:
False

Accept wildcard characters:
False

Rating 4.25 out of 5

6/13/2018

Cloud Service/Application Providers Anyone?

by @ 10:56 pm. Filed under rants, tech

So many large companies over the years have struggled with information being spread (synced) all over the damn place within their corporate network boundaries. This system, that system, another system, all have different pieces of info or subsets of each others info etc being synced all over the place. Entire product lines are dedicated to this syncing of data around like FIM/MIM. This has been one of the biggest banes of IT in large companies for many many years.

Oh that system isn’t working because it hasn’t synced…

Oh it takes 24 hours to use that app because of the sync schedule…

Oh if it isn’t working wait for the next sync schedule tomorrow morning…

This app says this, that app says that, this third app says another thing, they are all wrong… Ok we will put in a change and you will have to wait x minutes, hours, days, etc for it to get changed to the same thing. If it doesn’t get there by next week let us know…

Anyone in a large org has probably seen, heard, or said one of those things at some point…

So those of us in the large orgs work hard trying to centralize and collapse all of these disparate systems down to fewer and fewer systems… SSO, SAML, centralized Identity, we fight for and in many cases achieve some level of these things and slowly make the world better and better.

And now enters Cloud providers who want you to sync everything up into their space…. Basically saying hey you used to be irritated about shit being spread all over your internal network, now you can be pissed with your stuff being spread all over the internet as you use 2,3,4,++ Cloud providers who aren’t really true Cloud providers, they are people on the Internet who provide on their premises services which is why they need everything synced to them… How about we all say hell no and tell them to fully support SAML that we provide from our giant Identity systems we built and offer JIT provisioning? Why do I have to sync users and groups up to you? If I sent you a SAML assertion for a user, that is their token, map it to what you need to map it to and use it. Why do we need to tell you in advance someone is coming? If we sent you a SAML assertion that says this user is ok to use the services you provide for us, they are ok, literally… That is what we meant when we said they were ok. Go ahead and provision them now and let them work. Oh wait… you accept SAML? Oh you don’t accept the authorization assertions?? WTF. Seriously Cloud dudes. Get a clue, here let me help you… http://bfy.tw/Ib0e

   joe

Rating 4.60 out of 5

Non-Expiring IDs Redux

by @ 6:24 am. Filed under general

Years ago, 13 years ago specifically, I wrote a post about people who allow non-expiring service / application / generic IDs.

If you care to read what I wrote before please see http://blog.joeware.net/2005/05/08/10/

I did not have good things to say about non-expiring IDs then and I have even less good things to say about them now yet we STILL encounter these absolutely stupid constructs all over the Windows world. In fact I have seen accounts with passwords that are used daily that have passwords OLDER than the length of time since I wrote that previous post. And they are for important applications, sometimes absolutely critical applications! You wonder how much turnover has been in the application teams that have the passwords to those IDs… How much exposure does that application have???

I once saw an application ID that was exposed in a public manner and that digression absolutely required that the password get changed. They knew which app team requested the account originally (most companies don’t even have that much knowledge) so this shouldn’t be all that hard right? One bit of bad news… That account’s password hadn’t been changed in over a decade. They change the password and suddenly unrelated apps all over the company start crashing and burning. Completely different application teams completely unrelated to the original requesting team. The business was impacted in a major way so there was no choice but to set the password back to the original password and try to sort out what was going on. Several new application IDs were created and a few days later and the password was changed again. Boom! A bunch more apps all blew up. Several new application IDs were created and a few days later the password was changed again. Boom! Lather, Rinse, Repeat. This went on for many weeks. Literally. This never would have happened if the original service ID has been getting changed on a regular basis because apps would have broken soon after leveraging the well known ID and the owning app team would have said piss off we aren’t making our application less secure because you were a moron… So the app teams would have learned a valuable lesson; don’t “borrow” other teams’ IDs. My best guess as to what happened there was that there was turnover from the original team that “owned” the ID and whomever went to another team ran into a need for an ID so they knew about that one and used it. Year over year the ID’s use crept out from one team to two teams to four teams to eight teams to who knows how many teams in probably an even faster manner than the binary progression illustrated. Again all of that undeterminable risk to the company could have been prevented simply by not allowing non-expiring IDs.

Non-expiring IDs is something I have railed against for years (literally since the 90’s when I first saw it and thought wow that is really stupid) in many very very large companies since I have spent most of my career working in the Fortune 50 space with several companies in the Fortune 5 including several Fortune 1s. Despite all of that thought and railing I have never thought of non-expiring passwords on service IDs in a manner that I saw in an email the other day that I absolutely have to share because the second I saw it I thought it was a brilliant way to look at it. It takes what I have said and makes it so easy to comprehend to many people who generally have trouble understanding the concept of why you don’t allow for non-expiring passwords…

“We would never issue a Certificate with an infinite expiry date, but Active Directory service accounts are issued with passwords that never expire.” 

This was written by my good friend and coworker Chris Farris. Even people who can’t seem to “get” why you wouldn’t set up a service ID with non-expiring password easily understand that you don’t give out certificates without an expiry date. In fact, the same people who think it is weird you wouldn’t give a non-expiring service ID would think it was very weird to have a certificate that didn’t expire.

The extra scary thing here though is that a service ID is far more flexible (hence dangerous) in its usage than a certificate yet people still want them to be non-expiring. When I say more flexible I mean anyone with the userid string and clear text password can pretty much use the ID anywhere they want in any way they want where if you have a certificate you have very limited ways and places that that can be used.

Microsoft has progressed a little past where we were in 2005 by giving us Managed Service Accounts (MSAs) and Group Managed Service Accounts (gMSAs) which still do not, for some reason, enjoy significant saturation into the market[1] and unfortunately they don’t cover every use case and in particular don’t cover non-Windows based LDAP or CIFS/SMB type applications[2] but as I mentioned before, this isn’t rocket science, applications can and should be written to manage their own password. It can be more complicated if you have apps that run across multiple machines and have to share the same ID (why do they have to share the same ID??) but you coders are the smartest of the smart right?? Prove it. Write your applications intelligently and to use the security features that are available. This doesn’t require any expensive fancy PAM software, it just requires coders who have a clue about security and can write decent code.

   joe   

[1] Perhaps every Microsoft product that current asks for a service ID should be reviewed and changed to using MSA/gMSA by default and you have to jump through hoops to use a normal service ID?

[2] Theoretically (more than theoretically actually) a non-Windows platform app could actually use the gMSA functionality but it would take some work to get it all set up right[3].

[3] https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/ , https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/

Rating 4.75 out of 5

5/25/2018

Hey about that new version of AdMod… Not to jiggle your elbow but…

by @ 4:07 pm. Filed under tech

.

..

….

.

..

Or if you prefer

|

/

\

|

/

errr….

So back a while back (http://blog.joeware.net/2017/10/31/5801/) I pulled AdMod into the garage…It is still there. I am working on it when I can. It is slow going, much slower going than AdFind goes because the code is much more involved and a lot less forgiving of mistakes. If I screw up you may screw something in your directory up and while that would be entirely your fault, I would still not be happy about it. So it necessarily goes a little slower. On top of that work has been very busy and involved and life in general has been also.

Work has been a lot of “hey we needed this two months ago!” combined with scraping the floors and trying to sort out exactly how many subfloors have been stacked on top of each other… or if you prefer a roofing analogy how many times they have shingled over the roof versus a desperately needed complete tear off. The answer so far is a lot. A bunch of sorta so so implemented standards etc. It is tough to blame people though because the environment is so large (way too large in many ways and I *can* blame people for those decisions that caused that) and the security tools in place that make working painful and terribly inefficient (do not EVER use Symantec DCS on domain controllers please) and the priorities are so fluid and shifting often on a daily basis it is tough to stick to something and see it through. I mean you still have to do it as that is your job as a professional despite what management thinks the priorities are, it is just tougher than in smaller more static environments. So many weird / interesting issues that have been encountered that I need to find time to write up and post. Everything from “Are you f’ing kidding me POS hardware manufacturer?” to “Are you f’ing kidding me Microsoft?” to “Are you f’ing kidding me Apple?” to all sorts of stuff. So much that most of it is just a blur. That is part of the reason for fluid and shifting priorities and we need this changed immediately.

And ironically, diametrically opposed in fact, to fluid and shifting priorities and we need this changed immediately there is a lot of dependence on things being static and not changing… You all know that as secret code as people *&^$(*&$#$ hardcoding applications and application configurations. And by the way… Load Balancers and VIPS in front of Domain Controllers is STILL an unsupported and truly bad idea and if you say “well at least we aren’t hard coding the applications” you really still are, you just have an extra layer of obfuscation there…. You are hardcoding one app that is hardcoded to domain controllers. Stop. Smack your developers and tell them do it right, it is time. It is actually well past the time. More, A TON MORE, on that later as another thing I have been working on is a blog post about stupid and/or lazy devs not properly finding domain controllers. At last peek it was > 6000 words or roughly 12 8.5×11 pages printed and needed to be chopped up into a blog series versus a single post. I thought for a second of selling it to some eZine or tech site or magazine or something because it is good stuff but it really needs to be read so I want it to be very freely available and reblogged and pointed at by every admin in the world to their devs and vendors. I like money, strike that – really like money, but I would rather give this for free if it somehow helps the industry get better. Don’t ever say I didn’t sacrifice myself for all y’all. Open-mouthed smile

Anyway back to AdMod… it is still being worked on and has a ton of new functionality in it, especially around Security Descriptors. I do a massive amount of testing every time I make a change so that if I do break something I don’t have to roll back a bunch of complicated code to find what specifically caused it. 

Oh and also at the same time I have submitted something like 40 BUGBUGs and an additional 40 or so DCRs to myself for the next version of AdFind.

So please hold tight, just like Christmas, but hopefully sooner, AdMod is coming…

   joe

Rating 4.50 out of 5

Replicating Changes Control Access Right series

by @ 2:35 pm. Filed under tech

[Updated: 2018/07/07]

There are a series of control access rights (CARs) that are specifically tied to granting permissions for returning “Replicated Changes” which are changes to the Directory Service (DS) that would be (and are if everything is working properly) replicated to other Directory Service Agents (aka DSAs / domain controllers or ADLDS instances). There isn’t a lot of documentation for these and quite a bit of confusion. I know I was confused by it for a while myself thinking this doesn’t seem right and so I looked at the Windows Source code to get the authoritative answer.

These permissions are granted to the DSAs and can also be granted to other security principals (groups/users/computers) to allow them to pull the changes via the LDAP DIRSYNC control and/or the RPC based DRSGetNCChanges. A common example of an application that has these permissions granted is FIM or MIM for syncing changes from Active Directory. An even more common example is Azure Active Directory Connector which ties your on premises Active Directory to your Azure Active Directory, note that it is simply (at the time of this writing) a specialized version of FIM/MIM. SharePoint is another app like that likes to do things with this functionality.

I am writing this post because there is regularly confusion over what the different versions of the permissions are and what has to be applied for something to work at all.

So to start, here are the specific Control Access Rights we are talking about:

[Thu 05/24/2018 22:44:20.45]
E:\>adfind -hh k16tst-dc1.k16tst.test.loc -config -f displayname=*replicating* rightsguid name displayname -nodn -jtsv2
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2    DS-Replication-Get-Changes      Replicating Directory Changes
1131f6ad-9c07-11d1-f79f-00c04fc2dcd2    DS-Replication-Get-Changes-All  Replicating Directory Changes All
89e95b76-444d-4c62-991a-0facbeda640c    DS-Replication-Get-Changes-In-Filtered-Set      Replicating Directory Changes In Filtered Set

The permissions in Active Directory should all be at the ROOT of the naming context and do not have to (and shouldn’t be configured to) be inherited down to the rest of the directory. They are CAR permissions so you need the Control Access (represented as CR in SDDL strings and CTL in AdFind enhanced Security Descriptor output) permission granted and not a ReadProp/WriteProp kind of thing. The permissions in a standard configuration will look something like:

[Thu 05/24/2018 22:45:19.41]
E:\>adfind -hh k16tst-dc1.k16tst.test.loc -s base -jsdenl ;;;replicating

AdFind V01.51.00cpp Joe Richards (support@joeware.net) October 2017

Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN: DC=k16tst,DC=test,DC=loc

dn:DC=k16tst,DC=test,DC=loc
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;K16TST\Enterprise Read-only Domain Controllers
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;K16TST\Domain Controllers
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes In Filtered Set;;BUILTIN\Administrators
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;BUILTIN\Administrators
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;BUILTIN\Administrators
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes In Filtered Set;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

1 Objects returned

So what do they do? We will start with the most powerful and work our way back…

“Replicating Directory Changes All”  – This permission allows you to replicate ANYTHING. Secrets (like password hashes), Filtered Attributes (RODC FAS), and any other attribute/object you want to check out. Note that from what I have so far been able to ascertain, you cannot get the secrets via the LDAP interface; it requires using the RPC interface. I could be wrong here, if you know for sure, please let me know.

“Replicating Directory Changes In Filtered Set” – This permission allows you to replicate things in the RODC FAS but NOT secrets like password hashes etc.

“Replicating Directory Changes” – This is the lowest level permission HOWEVER you need this to use the RPC and LDAP DIRSYNC replicating changes mechanisms period. I.E. if you don’t have this you don’t have anything[1].

You might think I’m crazy… err no… You might think (and it makes it nice and clean for delegation models) that you could just set “Replicating Directory Changes All” and be done with it but no, the way the code is written, you must also have the base level “Replicating Directory Changes” as well. Basically the functional flow is something like:

1. Do you have “Replicating Directory Changes” permissions on the NC Head object you are using these special mechanisms with?
    A. No – Get out, here is your ERROR_DS_DRA_ACCESS_DENIED (error 8453) for your troubles.
2. Are you asking for any RODC FAS attributes?
    A. Yes.
       I. Do you have “Replicating Directory Changes In Filtered Set”?
          a. No.
             i. Do you have “Replicating Directory Changes All”?
                1. No – Get out, here is your ERROR_DS_DRA_ACCESS_DENIED (error 8453) for your troubles.
3. Are you asking for Secrets (like password hash) and do you have “Replicating Directory Changes All”?
    A. No – Get out, here is your ERROR_DS_DRA_ACCESS_DENIED (error 8453) for your troubles.
4. [This bit is a guess based on testing so far] Are you using LDAP DIRSYNC and asking for Secrets
    A. Yes. You get your output but secrets (like password) will come through blank.
5. Yay, you have access, here is the output for your request.   

Again if I had written this I very likely (depends on the actual requirements documentation) would have checked for “Replicating Directory Changes All” first and then if that was there just return TRUE for the function. Next check for “Replicating Directory Changes in Filtered Set” and if they weren’t asking for Secrets return TRUE for the function. And finally if those failed check the base level “Replicating Directory Changes” and if they weren’t asking for FAS/Secret stuff return TRUE for the function. Written my way the delegation is simpler. You need the one Grant ACE to do what you need to do, not two. 

    joe

[1] There is an exception for DIRSYNC called “Per Object” mode to access DIRSYNC without needing the Replicating* permissions. There is little to no documentation that I have found regarding this functionality. Perhaps at some point I will tackle it. If you are aware of any good documentation, let me know and I will check it out and likely share it.

Rating 4.40 out of 5

EnableECP vs enableecp

by @ 5:25 am. Filed under tech

The reg key hklm\system\currentcontrolset\services\lanmanserver\parameters has a specific value you can set under it called EnableECP.

There is some confusion on whether or not that key is case sensitive.

I can say that no, it is not case sensitive. I looked it up in the source code. The ZwOpenKey ObjectAttributes parameter is being initialized via InitializeObjectAttributes with OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE.

‘nuff said.

   joe

Rating 4.50 out of 5

2/27/2018

Moving Outlook Profiles to New Machine

by @ 1:37 pm. Filed under tech

This is the magic reg key if you use Outlook 2016 for POP3/IMAP and other want to not have to re-do all of your settings…

Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles

Rating 4.50 out of 5

Disable Outlook 2016 Animated Typing

by @ 1:32 pm. Filed under tech

So annoying….

reg add HKCU\Software\Microsoft\Office\16.0\Common\Graphics /t REG_DWORD /v DisableAnimations /d 1 /f

Rating 4.71 out of 5

2/22/2018

TechSmith SnagIt

by @ 2:49 pm. Filed under general

I picked up SnagIt some time ago and I didn’t initially use it very much because it felt a bit overwhelming next to the built-in simple Snipping Tool but I recently forced myself to sit down with it and sort it out and I am glad I did because it is absolutely awesome.

I totally recommend it if you need to get screen still or video captures.

   joe

https://www.techsmith.com/

Rating 4.67 out of 5

12/15/2017

Active Directory… 18 Years Old… But Do Your App Vendors and Developers Even Know How To Use It Properly?

by @ 8:55 am. Filed under general, tech

Windows 2000 Active Directory was released to manufacturing 18 years ago on December 15, 1999. It now has to register for the draft. Happy Birthday Active Directory!

You would think in that 18 years and the broad acceptance of Windows that every single software vendor and every application developer everywhere in the world would have been able to have figured out how to work with Active Directory. Sadly this is not true. Nearly every single week (sometimes day) I encounter applications from developers and vendors that write code to interact with AD but have absolutely no clue how to properly find domain controllers or properly use them once they find them. This results in a lot of applications that are far worse than they need to be if the developer/vendors would only spend a little time figuring out some basic items and properly coding to use the system. This isn’t just in house developers and small vendors, this includes very large vendors and sometimes even Microsoft itself. No… Just because Microsoft made Active Directory doesn’t mean that every group inside of Microsoft knows how to properly use it. I have helped many companies over the years with issues with how they use Active Directory, by far the company I have most helped is Microsoft themselves.

A big part of the issue are end user companies buying the products that allow vendors and developers to continue to write software that doesn’t work properly. Especially when a vendor labels something as Active Directory compatible or Active Directory integrated and yet the application is barely LDAP enabled and customers don’t look at them and say “This isn’t good enough.”[1]

I think every large company that writes code that works with Active Directory, especially if they are selling the products to other companies, should be hiring one or a few people who are very good with Active Directory, who understand it, understand the underlying components, how to use it, etc. The quality of AD integration that I have seen out of a variety of products could increase orders of magnitude if they did that. I was recently looking at a product from a random major well known Storage company and some folks in the company I work for by day were trying to get it to work with AD and were telling me “It has to be in an OU called XYZ and that OU has to be at the root of the domain and we have to be Domain Admins to do the work to join it”. Eventually we figured out that none of that was true but the documentation and defaults were so bad the folks doing the work (including the consultants from the vendor) all thought that was the case and could only get it to work by eating up a bunch of time on one of the smallest most critical support teams in the company. If random major well known Storage company wants to do stuff with AD they are big enough to hire some AD people that can help do what they want to with AD correctly. The defaults and the documentation should all be simple least privilege basic “how do you want us to fit into your structure” and not, “We don’t want to spend the time documenting and writing this so it is done the best way, just do what we want and we will allow you to continue to pay outrageous amounts of money for our products.”

So what are the low bars for an application to be properly Active Directory Integrated?

Finding Domain Controllers

Does your application have you configure a connection to Active Directory by specifying one or more domain controllers? I.E. Hard coding? While this is a nice option for an application to have to assist with troubleshooting, it should NOT be the primary and default method of configuration. This configuration setting is a very low bar for a vendor/developer to reach if they want to say they are Active Directory compatible/integrated. This also comes up in conversations when someone is asking for a load balancer or VIP (Virtual IP) to point at for AD/LDAP operations. If someone says they want or need a load balancer for accessing Active Directory for good redundancy that is a blood red screaming sign of improper AD compatibility / integration.

Generally speaking[2] there is no good valid reason for hard coding to specific domain controllers. It actually makes an application more likely to break and doesn’t leverage the built-in redundancy that is innate to the Active Directory design.

Admin and/or Operator and/or Local System Security Context

Does your application require you to be Domain Admin, or Administrator or be a member of one of the Operator groups or does it require to run as “local system” on a domain controller? Why? If you don’t know why, you better figure it out. Most likely it is due to lazy or uninformed developers/vendors. Any company that has a clue about AD Security isn’t just going to give someone any of that access just so they can add a device or run an application. If they are willing to do it or alternately willing to run some random application on your behalf then you need to start questioning the security and stability of your corporate Active Directory.

I want to call out Microsoft particularly over this one as they have historically completely and utterly sucked in this space. If you follow the MSFT documentation strictly for all of their products you will end up with a ton of people with no need to be Domain Admins with that level of access. This may be fine in a shop with 20 servers and 500 clients but when you have thousands of servers and hundreds of thousands of clients it makes no sense. If Microsoft did it correctly they would determine the actual minimal amount of permissions necessary to do anything for the various functions of their tools/programs and document that and then say but if you want… you can just use domain administrator. Microsoft has in very great part caused the “too many people have too much access in too many environments problem” that so many companies are regularly getting busted for in security audits (for good reason).

Applications and application support people should be able to function properly with AD Delegation; that is why there is AD Delegation. This is yet another very low bar to meet. No requirement to be in any specific group, especially Domain Admins or anything else that is built into the core OS. Applications should know exactly what access rights they need so when you need to deploy them you know exactly what needs to be granted so the application runs properly. If a developer/vendor cannot quickly and immediately tell you exactly what granular rights and delegation are needed you need to read that as a big blood red warning sign. Look for another product.

Application Must Run on a Domain Controller

Does your application have to run on a Domain Controller? Why? If you don’t know why, you better figure it out. Most likely it is due to lazy or uninformed developers/vendors. Sound familiar? I say that a lot because it happens a lot. Too often I see vendor products out there that they are charging thousands or even millions of dollars for that don’t even reach the quality bar that my free stuff hits. As a general rule Domain Controllers should be Domain Controllers, period. Don’t put other applications on DCs, they don’t belong there. Domain Controllers are or at least should be some of your most secure boxes on your network. That means the attack surface should be made as small as is absolutely possible. This means no additional software running on them. Every additional piece of code and every single port opened that an additional application is listening on is another piece of code and port that could have a potential vulnerability that someone could compromise. Again, even Microsoft is bad at this and saying this or that service should be run on domain controllers. When you see it just say no, tell them to fix it. I have done this many many times and if enough people say it strongly enough they correct the problem.

A quick side bar point here is also that there should be as few domains and domain controllers as possible to support your service. Every domain, every domain controller adds to the attack surface and offers an opportunity to make a mistake and or miss something that allows someone else to hurt you. There really needs to be very high bar amazing reasons to have multiple domains and especially multiple forests.

GC Knowledge

Does your application understand the concept and proper use of Global Catalogs? If not, the application is not AD Integrated. If the application understands and used Global Catalogs it will be specifically called out, you won’t have to plug in a Global Catalog server and port in the LDAP URL and hope it works.

Bind IDs

Does your application only allow full DNs for the bind ID instead of allowing the other allowed formats such as (not an inclusive list) the legacy Windows ID format (domain\user) or User Principal Name (user@domain.com)? If so, it is not AD integrated.

More to come on these topics.

   joe

[1] Or for the less PC folks… “What the *&^$%* is this $#*#*?”

[2] There can be some possible reasons for hard coding in the case of applications that synchronize data to/from Active Directory.

Rating 4.82 out of 5

[joeware – never stop exploring… :) is proudly powered by WordPress.]