joeware - never stop exploring... :)

This was an outstanding post and I thought should be copied here…

 

---

From: ActiveDir-owner@mail.activedir.org On Behalf Of Don Hacherl
Sent: Sunday, September 07, 2008 12:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegating Start/Stop Service on DCs

Years ago I worked with a “domain admin qualified” person at Microsoft who fat fingered the admin UI and deleted a container instead of the object he was intending.  The container was named “North America”, and that was the night we wrote our first authoritative restore tool.  (Later he said “I wondered why it was taking so long to finish.”)

A tightly constrained proxy program can be more reliable and less dangerous than a distracted human administrator.

Don

Now this is really stupid, hope they have a fix in the works.

http://blogs.technet.com/sus/archive/2008/09/03/wsus-windows-vista-clients-reboot-automatically-even-though-a-user-is-logged-on.aspx

The idea is to shut off things that you don’t need and I would argue, successfully I think, that if you aren’t using remote desktop to control a machine, it doesn’t need to be running. I don’t care if the WUA people did it wrong, they can fix it.

Recently in working with Laura Hunter on my Technical Review of Active Directory Cookbook 3rd Edition, I mentioned that AdFind and AdMod could be used together to do a smart™  update of bit flag attributes. She was a bit surprised so I figured I would mention it here as well for everyone.

But first let’s back up…

Some attributes in AD are not as intuitive as they could be. A subset of these attributes are attributes that are bit flags. This is an attribute with a numeric/integer format that has meaning at the bit level instead of the overall value level. The most common example is probably userAccountControl so let’s discuss that a little.

The userAccountControl value will look something like 512 or 514 or 546 or maybe 4096 or who knows what else… Many people will look at those at absolute values but you absolutely cannot do that… Because it isn’t right.

The userAccountControl is actually a bit flag where each bit in the value means something different. The current enumeration looks like (http://msdn.microsoft.com/en-us/library/ms680832.aspx)

Hexadecimal value
Identifier (defined in iads.h)
Description

0x00000001
ADS_UF_SCRIPT
The logon script is executed.

0x00000002
ADS_UF_ACCOUNTDISABLE
The user account is disabled.

0x00000008
ADS_UF_HOMEDIR_REQUIRED
The home directory is required.

0x00000010
ADS_UF_LOCKOUT
The account is currently locked out.

0x00000020
ADS_UF_PASSWD_NOTREQD
No password is required.

0x00000040
ADS_UF_PASSWD_CANT_CHANGE
The user cannot change the password.

Note  You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.

0x00000080
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
The user can send an encrypted password.

0x00000100
ADS_UF_TEMP_DUPLICATE_ACCOUNT
This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.

0x00000200
ADS_UF_NORMAL_ACCOUNT
This is a default account type that represents a typical user.

0x00000800
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT
This is a permit to trust account for a system domain that trusts other domains.

0x00001000
ADS_UF_WORKSTATION_TRUST_ACCOUNT
This is a computer account for a computer that is a member of this domain.

0x00002000
ADS_UF_SERVER_TRUST_ACCOUNT
This is a computer account for a system backup domain controller that is a member of this domain.

0x00004000
N/A
Not used.

0x00008000
N/A
Not used.

0x00010000
ADS_UF_DONT_EXPIRE_PASSWD
The password for this account will never expire.

0x00020000
ADS_UF_MNS_LOGON_ACCOUNT
This is an MNS logon account.

0x00040000
ADS_UF_SMARTCARD_REQUIRED
The user must log on using a smart card.

0x00080000
ADS_UF_TRUSTED_FOR_DELEGATION
The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.

0x00100000
ADS_UF_NOT_DELEGATED
The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.

0x00200000
ADS_UF_USE_DES_KEY_ONLY
Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.

0x00400000
ADS_UF_DONT_REQUIRE_PREAUTH
This account does not require Kerberos pre-authentication for logon.

0x00800000
ADS_UF_PASSWORD_EXPIRED
The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.

0x01000000
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.

So if you have something like 512, that is actually 0x200 or 1000000000 (base 2) which looking at the list above translates to ADS_UF_NORMAL_ACCOUNT… Ok so a normal user account. 514 is 0x202 or 1000000010 (base 2) which is ADS_UF_NORMAL_ACCOUNT combined with ADS_UF_ACCOUNTDISABLE… A disabled account. See how easy?

Now the hard part is that you want to update that value but you don’t want to screw up what might already be there… For example, say you want to enable a user account, what value do you put in… Some may say right off (and incorrectly) to write the value 512 to the attribute. That may work some or most or none of the time… What if the account is set up to use a smart card?? The proper value then would be 262656 (0x40200 or 1000000001000000000 (base 2)).

So the smart, or proper, way to handle these types of attributes, attributes such as userAccountControl, options, searchFlags, systemFlags, etc is to do bitwise math when setting or clearing a value. This is the AND/OR/XOR/NOT stuff that you may have glossed over if you had a computer science class that actually tried to teach it…

Anyway you don’t really have to understand how it works in order to modify it properly. Just use adfind and admod together…

Say I want to enable an account with a samaccountname of joewareupdatesvc I would run a command like

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod useraccountcontrol::{{.:CLR:2}}

or to disable the account you would run

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod useraccountcontrol::{{.:SET:2}}

That way, regardless of the current settings, you wouldn’t mess anything up. You would do the one thing you wanted to do, enable or disable the account.

This isn’t special magic just for userAccountControl, adfind|admod can do that for any bit flag attribute. The idea is that you have AdFind pipe the current value of the attribute to AdMod so it can take that info, manipulate it, and then set the new value.

There are some special shortcuts in AdMod for this as well that do apply to userAccountControl, but in the background, they simply specify the commands above on your behalf, specifically you could use the -sc uacset, -sc uacclear, -sc ad-disable, -sc ad-enable shortcuts… Something like

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod -sc ad-enable

or

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod -sc ad-disable

 

Very easy… While I use the userAccountControl stuff a lot, I would say anymore my most common use of this is when playing around with schemas…. I am constantly flipping bits in the searchFlags attributes to enable/disable indexing for various attributes or other functions that are controlled by the bits in searchFlags (see http://msdn.microsoft.com/en-us/library/ms679765(VS.85).aspx). So when I am playing around and say need to index objectclass for a few minutes for a test I run

adfind -sc s:objectclass searchflags -adcsv | admod searchflags::{{.:SET:1}}

then when I want to go back to the previous setting…

adfind -sc s:objectclass searchflags -adcsv | admod searchflags::{{.:CLR:1}}

 

   joe

Familar with Service Connection Point objects? This is an object in AD that is published by various services so people/processes can find them. For example, by default ADAM will publish a service connection point object in AD so you can easily track down the instances, it will look something like

dn:CN={04c817c7-46a4-4a0e-b258-c2bd69c00f78},CN=2K3UTL01,CN=Computers,DC=test,DC=loc
>objectClass: top
>objectClass: joeware-ServerClass
>objectClass: leaf
>objectClass: connectionPoint
>objectClass: serviceConnectionPoint
>cn: {04c817c7-46a4-4a0e-b258-c2bd69c00f78}
>distinguishedName: CN={04c817c7-46a4-4a0e-b258-c2bd69c00f78},CN=2K3UTL01,CN=Computers,DC=test,DC=loc
>instanceType: 4
>whenCreated: 20070614062433.0Z
>whenChanged: 20080529030556.0Z
>uSNCreated: 797021
>uSNChanged: 1285616
>showInAdvancedViewOnly: TRUE
>name: {04c817c7-46a4-4a0e-b258-c2bd69c00f78}
>objectGUID: {D63DD350-B13F-47FA-8503-911D44EFE7C1}
>keywords: partition:O=testpart
>keywords: 802b7d6e-78da-40f3-8db6-cdc3318b3784
>keywords: partition:CN=Configuration,CN={F0415E15-15F1-4777-81D7-0B4E9FAD7921}
>keywords: cb6b3b7b-6447-498e-a62f-e4a80b1ce3aa
>keywords: fsmo:naming
>keywords: fsmo:schema
>keywords: instance:instance1
>keywords: site:Default-First-Site-Name
>keywords: 1.2.840.113556.1.4.1791
>keywords: 1.2.840.113556.1.4.1851
>keywords: 04c817c7-46a4-4a0e-b258-c2bd69c00f78
>serviceClassName: LDAP
>serviceBindingInformation: ldaps://2k3utl01.test.loc:636
>serviceBindingInformation: ldap://2k3utl01.test.loc:389
>serviceDNSName: 2k3utl01.test.loc
>serviceDNSNameType: A
>objectCategory: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=test,DC=loc
>dSCorePropagationData: 20080818161307.0Z
>dSCorePropagationData: 20080426152208.0Z
>dSCorePropagationData: 20071208191953.0Z
>dSCorePropagationData: 16010101181633.0Z

This is pretty useful information when searching for ADAM instances, especially in a large org with thousands or hundreds of thousands of machines.  One of the really useful items is the serviceClassName attribute which tells you the type of service you are dealing with…. For an ADAM instance or likely anything that publishes a LDAP serviceConnectionPoint object the serviceClassName is LDAP… Great, so I can do a search of my forest looking for all SCP objects with serviceClassName=LDAP and that should give me a first cut at ADAM machines…. Ummm no.

Why not? Because serviceClassName isn’t in the partial attribute set (aka PAS aka Global Catalog)…. why not???? It is a small attribute and would be immensely useful there.

So take it from me… just add that attribute to the PAS set via

 

adfind -sc s:serviceclassname -dsq | admod isMemberOfPartialAttributeSet::TRUE

Imagine that…

http://www.vmware.com/company/news/releases/svvp.html

 

PALO ALTO, Calif. – Sept 3, 2008 — VMware, Inc. (NYSE: VMW), the global leader in virtualization solutions from the desktop to the datacenter, today announced it has qualified its industry-leading VMware ESX hypervisor under the Microsoft Server Virtualization Validation Program (SVVP). VMware ESX 3.5 update 2 (ESX 3.5u2) is the first hypervisor to be listed under the program, providing VMware customers who run Windows Server and Microsoft applications with access to cooperative support from Microsoft and VMware.