I am not loving this one so much, not sure I really get it…
New Family: Jerry Seinfeld and Bill Gates (Long Version)
Information about joeware mixed with wild and crazy opinions...
So my outstandingly good friend and brother from another, but English, mother (or would that be Mum) Dean Wells has moved on from one job and onto another. This will likely shock the heck out of some people and others will say wow that makes sense, about time. I know I was shocked at first and later said, “This really makes a lot of sense for you Dean.”
So anyway, Dean has left MSETechnology, the company he was co-founder of… to join… wait for it…. The Dark Side… Yes, friends, Dean Wells now works for Microsoft as a Full Time Microsoft Employee on the XBOX 360 Game Pad Controller User Experience Team. You all know Dean as that fun loving Directory Services “know it all” and “speaks in a funny accent” guy but what you don’t know is that he spends inordinate amounts of time at home, on planes, on trains, on taxis, at the back of his training classes, and yes, even on double-decker buses, playing XBOX 360 and he has some serious comments on how the Game Pad does and should work. He could take it no more when he started playing “Karaoke Revolution Presents American Idol Encore 2” and his wife beat him and he said, “This isn’t right, the game pad didn’t do what I wanted it to do…. Someone has to do something!!!!”
Again some people will be like “WTF…. No way, Dean is an MVP, he is outside of MSFT and helps point out where MSFT isn’t doing things right and debates with them to get things right.” Others will say “This is perfectly logical and good and now he can continue that fight but from inside the walls with his little pretty blue badge.”
Again, to be honest, when Dean told me a while back I was pretty shocked… I said, “Dude, wtf, why now?” He said, “I was just waiting for that damned Bill Gates to leave…” and well, now Bill has moved on to bigger and better things and is off doing Shoe commercials so I guess Dean felt it was time to make his move.
I first “met” Dean in the newsgroups and email when Microsoft first offered me my MVP award back in 2000 or 2001. After I became an MVP I started chatting with Dean because he was newly minted as an MVP as well and he told me he nominated me (Along with Roger Abell) so of course I immediately liked Dean and Roger for their obvious levels of intelligence.
Dean and I chatted in email and the newsgroups fairly regularly and eventually after a couple of years he actually talked me into going to Seattle for a Microsoft MVP Summit. I got off the plane at SEATAC and went to luggage and he (with Jimmy the Swede) met me there by the luggage carousel and history started being made.
Seriously, we got along right off and although we[1] were silly enough to let Jimmy drive us back to the hotel (and we actually survived) we talked in person and realized that we were each people we could talk to in a way that we don’t often get to talk to others. We could assume understanding at all sorts of various levels and learned that while we were very similar we were also quite different in areas but instead of that being divisive, it was extremely complimentary. We could insult each other as a matter of course and we would laugh instead of get insulted. It was and still is all good.
Over the years we learned more and more about each other even, and this was always a point of oddness to me, on a plane ride to Vancouver for DEC one year we learned that our birthdays are 2 days apart. Same year, same month, separated by two days. Now this wouldn’t normally be odd to me because I am sure there are at least 3 people in the world who have a birthday within 2 days of mine. What was odd was that we were both up in the higher middle levels of the same field along very similar tracks and were born in different countries and became very good friends due to our similarities and we had a birthday within 2 days of each other. So who is the older one? That would be me of course, you can tell from my far superior intelligence and maturity, however in person you will think it is Dean because he is the one with all the gray hair.
I am very happy and excited for Dean and the new opportunities that lie before him and his family. I think this was an outstanding move for him and his family. I wish him all the luck and love in the world to accomplish what he has set out to accomplish and realizes that he doesn’t need the luck because he is just that good. If he wants to accomplish something, he will just go and do it. Luck doesn’t play into it. But I wish it anyway.
One of the big questions that comes up is what happens to the Dean and joe Show? The answer is… We don’t know. It may be possible we will speak together again in the future, a MSFT guy up on stage with a non-MSFT guy isn’t unheard of, I mean Bill Gates has presented with Steve Jobs in the past and that went ok… But again we don’t know. Certainly the tone would change a little bit, I don’t see how it couldn’t change, Dean and I have never had a problem being a little irreverent towards MSFT in our chats but now that Dean *IS* MSFT well that tone is very likely going to change a little. My thoughts are NEVER SAY NEVER but at the same time, don’t be placing bets on us speaking either. What will be will be.
To wrap this up…. My main words of advice for my friend Dean is this… Have fun and laugh a lot and spend a lot of time with the family enjoying life.
joe
P.S. He isn’t really working on the XBOX 360 Game Pad User Experience team, he applied, they rejected him, said his hands were too small (size does matter) and too soft. His backup plan of getting on the Directory Services team did pan out for him though so he will be on the Directory Services team doing who knows what kind of damage with several of my other friends that work there.
[1] And by “We”, I, of course, mean Dean. I didn’t know Jimmy at the time and didn’t know my life was in danger until AFTER we were racing down the freeway and Jimmy spent more time turned around in the seat with his hands on the head rest looking in the backseat at me than at the road. I mentioned it and he told me, seriously, that cruise control was on so everything was fine…
Talk to your children about the fact that they own their feelings. Their sadness or anger is not caused by someone else. They are not mad because someone else made them mad. They’re angry or sad because of how they choose to respond. Emotional responses are triggered by our interpretation – the meaning we assign to a situation – and our corresponding reaction to the interpretation. In other words, our emotions flow from the meaning we attach to situations.
– Dr. Phil (Chapter 6 – Family First)
http://www.hasthelhcdestroyedtheearth.com/
Don’t know what the LHC is???
Read this —> http://en.wikipedia.org/wiki/Lhc
Seriously… it’s very cool. Even if you don’t care about the science, at least you will know what it is when Angels and Demons (by Dan Brown – yes Da Vinci Code Dan Brown) comes out next year (http://en.wikipedia.org/wiki/Angels_%26_Demons_(film)).
This was an outstanding post and I thought should be copied here…
From: ActiveDir-owner@mail.activedir.org On Behalf Of Don Hacherl
Sent: Sunday, September 07, 2008 12:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegating Start/Stop Service on DCs
Years ago I worked with a “domain admin qualified” person at Microsoft who fat fingered the admin UI and deleted a container instead of the object he was intending. The container was named “North America”, and that was the night we wrote our first authoritative restore tool. (Later he said “I wondered why it was taking so long to finish.”)
A tightly constrained proxy program can be more reliable and less dangerous than a distracted human administrator.
Don
Now this is really stupid, hope they have a fix in the works.
The idea is to shut off things that you don’t need and I would argue, successfully I think, that if you aren’t using remote desktop to control a machine, it doesn’t need to be running. I don’t care if the WUA people did it wrong, they can fix it.
So I just found out I am not done with Active Directory Cookbook 3rd Edition, a couple of more chapters haven’t been uploaded to the SharePoint yet. That sucks. Can’t wait to get that off my plate so I don’t have to worry about it anymore.
Recently in working with Laura Hunter on my Technical Review of Active Directory Cookbook 3rd Edition, I mentioned that AdFind and AdMod could be used together to do a smart™ update of bit flag attributes. She was a bit surprised so I figured I would mention it here as well for everyone.
But first let’s back up…
Some attributes in AD are not as intuitive as they could be. A subset of these attributes are attributes that are bit flags. This is an attribute with a numeric/integer format that has meaning at the bit level instead of the overall value level. The most common example is probably userAccountControl so let’s discuss that a little.
The userAccountControl value will look something like 512 or 514 or 546 or maybe 4096 or who knows what else… Many people will look at those as absolute values but you absolutely cannot do that… Because it isn’t right.
The userAccountControl is actually a bit flag where each bit in the value means something different. The current enumeration looks like (http://msdn.microsoft.com/en-us/library/ms680832.aspx)
Hexadecimal value  Identifier (defined in iads.h)  Description
0x00000001  ADS_UF_SCRIPT  The logon script is executed.
0x00000002  ADS_UF_ACCOUNTDISABLE  The user account is disabled.
0x00000008  ADS_UF_HOMEDIR_REQUIRED  The home directory is required.
0x00000010  ADS_UF_LOCKOUT  The account is currently locked out.
0x00000020  ADS_UF_PASSWD_NOTREQD  No password is required.
0x00000040  ADS_UF_PASSWD_CANT_CHANGE  The user cannot change the password. Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the userAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
0x00000080  ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED  The user can send an encrypted password.
0x00000100  ADS_UF_TEMP_DUPLICATE_ACCOUNT  This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.
0x00000200  ADS_UF_NORMAL_ACCOUNT  This is a default account type that represents a typical user.
0x00000800  ADS_UF_INTERDOMAIN_TRUST_ACCOUNT  This is a permit to trust account for a system domain that trusts other domains.
0x00001000  ADS_UF_WORKSTATION_TRUST_ACCOUNT  This is a computer account for a computer that is a member of this domain.
0x00002000  ADS_UF_SERVER_TRUST_ACCOUNT  This is a computer account for a system backup domain controller that is a member of this domain.
0x00004000  N/A  Not used.
0x00008000  N/A  Not used.
0x00010000  ADS_UF_DONT_EXPIRE_PASSWD  The password for this account will never expire.
0x00020000  ADS_UF_MNS_LOGON_ACCOUNT  This is an MNS logon account.
0x00040000  ADS_UF_SMARTCARD_REQUIRED  The user must log on using a smart card.
0x00080000  ADS_UF_TRUSTED_FOR_DELEGATION  The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.
0x00100000  ADS_UF_NOT_DELEGATED  The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
0x00200000  ADS_UF_USE_DES_KEY_ONLY  Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
0x00400000  ADS_UF_DONT_REQUIRE_PREAUTH  This account does not require Kerberos pre-authentication for logon.
0x00800000  ADS_UF_PASSWORD_EXPIRED  The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
0x01000000  ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION  The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.
So if you have something like 512, that is actually 0x200 or 1000000000 (base 2) which looking at the list above translates to ADS_UF_NORMAL_ACCOUNT… Ok so a normal user account. 514 is 0x202 or 1000000010 (base 2) which is ADS_UF_NORMAL_ACCOUNT combined with ADS_UF_ACCOUNTDISABLE… A disabled account. See how easy?
Now the hard part is that you want to update that value but you don’t want to screw up what might already be there… For example, say you want to enable a user account, what value do you put in… Some may say right off (and incorrectly) to write the value 512 to the attribute. That may work some or most or none of the time… What if the account is set up to use a smart card?? The proper value then would be 262656 (0x40200 or 1000000001000000000 (base 2)).
So the smart, or proper, way to handle these types of attributes, attributes such as userAccountControl, options, searchFlags, systemFlags, etc is to do bitwise math when setting or clearing a value. This is the AND/OR/XOR/NOT stuff that you may have glossed over if you had a computer science class that actually tried to teach it…
Anyway you don’t really have to understand how it works in order to modify it properly. Just use adfind and admod together…
Say I want to enable an account with a samaccountname of joewareupdatesvc I would run a command like
adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod useraccountcontrol::{{.:CLR:2}}
or to disable the account you would run
adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod useraccountcontrol::{{.:SET:2}}
That way, regardless of the current settings, you wouldn’t mess anything up. You would do the one thing you wanted to do, enable or disable the account.
This isn’t special magic just for userAccountControl, adfind|admod can do that for any bit flag attribute. The idea is that you have AdFind pipe the current value of the attribute to AdMod so it can take that info, manipulate it, and then set the new value.
There are some special shortcuts in AdMod for this as well that apply to userAccountControl, but in the background they simply issue the commands above on your behalf. Specifically you can use the -sc uacset, -sc uacclear, -sc ad-disable and -sc ad-enable shortcuts… Something like
adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod -sc ad-enable
or
adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod -sc ad-disable
Very easy… While I use the userAccountControl stuff a lot, I would say anymore my most common use of this is when playing around with schemas…. I am constantly flipping bits in the searchFlags attributes to enable/disable indexing for various attributes or other functions that are controlled by the bits in searchFlags (see http://msdn.microsoft.com/en-us/library/ms679765(VS.85).aspx). So when I am playing around and say need to index objectclass for a few minutes for a test I run
adfind -sc s:objectclass searchflags -adcsv | admod searchflags::{{.:SET:1}}
then when I want to go back to the previous setting…
adfind -sc s:objectclass searchflags -adcsv | admod searchflags::{{.:CLR:1}}
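As an added example (not from the original post, and not joeware code), here is the bitwise SET/CLR logic that the adfind | admod pipelines above perform on userAccountControl and searchFlags, modelled in Python so the result can be checked offline. The flag values are the ones from the enumeration quoted above; the sample account value is constructed.

```python
# Added example, not part of the original post: models admod's {{.:SET:n}} and
# {{.:CLR:n}} on a bit-flag attribute. Flag values are from the ADS_USER_FLAG table.
UAC_FLAGS = {
    "ADS_UF_SCRIPT": 0x00000001,
    "ADS_UF_ACCOUNTDISABLE": 0x00000002,
    "ADS_UF_HOMEDIR_REQUIRED": 0x00000008,
    "ADS_UF_LOCKOUT": 0x00000010,
    "ADS_UF_PASSWD_NOTREQD": 0x00000020,
    "ADS_UF_PASSWD_CANT_CHANGE": 0x00000040,
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x00000080,
    "ADS_UF_TEMP_DUPLICATE_ACCOUNT": 0x00000100,
    "ADS_UF_NORMAL_ACCOUNT": 0x00000200,
    "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT": 0x00000800,
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT": 0x00001000,
    "ADS_UF_SERVER_TRUST_ACCOUNT": 0x00002000,
    "ADS_UF_DONT_EXPIRE_PASSWD": 0x00010000,
    "ADS_UF_MNS_LOGON_ACCOUNT": 0x00020000,
    "ADS_UF_SMARTCARD_REQUIRED": 0x00040000,
    "ADS_UF_TRUSTED_FOR_DELEGATION": 0x00080000,
    "ADS_UF_NOT_DELEGATED": 0x00100000,
    "ADS_UF_USE_DES_KEY_ONLY": 0x00200000,
    "ADS_UF_DONT_REQUIRE_PREAUTH": 0x00400000,
    "ADS_UF_PASSWORD_EXPIRED": 0x00800000,
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x01000000,
}

def decode_flags(value, table=UAC_FLAGS):
    """Return the names of every flag set in a bit-flag attribute value."""
    return [name for name, bit in table.items() if value & bit]

def set_bits(current, mask):
    """admod {{.:SET:mask}}: OR the mask in, leaving every other bit alone."""
    return current | mask

def clr_bits(current, mask):
    """admod {{.:CLR:mask}}: AND with the complement, leaving every other bit alone."""
    return current & ~mask

def enable_account(uac):
    return clr_bits(uac, UAC_FLAGS["ADS_UF_ACCOUNTDISABLE"])

def disable_account(uac):
    return set_bits(uac, UAC_FLAGS["ADS_UF_ACCOUNTDISABLE"])

if __name__ == "__main__":
    # Constructed sample: a disabled account that also requires a smart card.
    uac = 0x200 | 0x2 | 0x40000  # 262658
    print(decode_flags(uac))
    print(enable_account(uac), decode_flags(enable_account(uac)))  # 262656, smart card kept
    print(512, decode_flags(512))  # what a naive "write 512" would leave behind
```

The same set_bits / clr_bits calls cover the searchFlags case (mask 1 for indexing) since nothing in them is specific to userAccountControl.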
joe
Familiar with Service Connection Point objects? This is an object in AD that is published by various services so people/processes can find them. For example, by default ADAM will publish a service connection point object in AD so you can easily track down the instances; it will look something like
dn:CN={04c817c7-46a4-4a0e-b258-c2bd69c00f78},CN=2K3UTL01,CN=Computers,DC=test,DC=loc
>objectClass: top
>objectClass: joeware-ServerClass
>objectClass: leaf
>objectClass: connectionPoint
>objectClass: serviceConnectionPoint
>cn: {04c817c7-46a4-4a0e-b258-c2bd69c00f78}
>distinguishedName: CN={04c817c7-46a4-4a0e-b258-c2bd69c00f78},CN=2K3UTL01,CN=Computers,DC=test,DC=loc
>instanceType: 4
>whenCreated: 20070614062433.0Z
>whenChanged: 20080529030556.0Z
>uSNCreated: 797021
>uSNChanged: 1285616
>showInAdvancedViewOnly: TRUE
>name: {04c817c7-46a4-4a0e-b258-c2bd69c00f78}
>objectGUID: {D63DD350-B13F-47FA-8503-911D44EFE7C1}
>keywords: partition:O=testpart
>keywords: 802b7d6e-78da-40f3-8db6-cdc3318b3784
>keywords: partition:CN=Configuration,CN={F0415E15-15F1-4777-81D7-0B4E9FAD7921}
>keywords: cb6b3b7b-6447-498e-a62f-e4a80b1ce3aa
>keywords: fsmo:naming
>keywords: fsmo:schema
>keywords: instance:instance1
>keywords: site:Default-First-Site-Name
>keywords: 1.2.840.113556.1.4.1791
>keywords: 1.2.840.113556.1.4.1851
>keywords: 04c817c7-46a4-4a0e-b258-c2bd69c00f78
>serviceClassName: LDAP
>serviceBindingInformation: ldaps://2k3utl01.test.loc:636
>serviceBindingInformation: ldap://2k3utl01.test.loc:389
>serviceDNSName: 2k3utl01.test.loc
>serviceDNSNameType: A
>objectCategory: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=test,DC=loc
>dSCorePropagationData: 20080818161307.0Z
>dSCorePropagationData: 20080426152208.0Z
>dSCorePropagationData: 20071208191953.0Z
>dSCorePropagationData: 16010101181633.0Z
This is pretty useful information when searching for ADAM instances, especially in a large org with thousands or hundreds of thousands of machines. One of the really useful items is the serviceClassName attribute which tells you the type of service you are dealing with…. For an ADAM instance or likely anything that publishes a LDAP serviceConnectionPoint object the serviceClassName is LDAP… Great, so I can do a search of my forest looking for all SCP objects with serviceClassName=LDAP and that should give me a first cut at ADAM machines…. Ummm no.
Why not? Because serviceClassName isn’t in the partial attribute set (aka PAS aka Global Catalog)…. why not???? It is a small attribute and would be immensely useful there.
So take it from me… just add that attribute to the PAS set via
adfind -sc s:serviceclassname -dsq | admod isMemberOfPartialAttributeSet::TRUE
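As an added example (not from the original post, and not joeware code), a small parser for the adfind output format shown above (a dn: line followed by >attribute: value lines, repeated for multi-valued attributes) that picks out the SCP fields the post discusses. The sample input is a trimmed copy of the dump above.

```python
# Added example, not part of the original post: parse adfind-style output and
# filter for LDAP service connection points. SAMPLE is trimmed from the page's dump.
SAMPLE = """\
dn:CN={04c817c7-46a4-4a0e-b258-c2bd69c00f78},CN=2K3UTL01,CN=Computers,DC=test,DC=loc
>objectClass: top
>objectClass: serviceConnectionPoint
>cn: {04c817c7-46a4-4a0e-b258-c2bd69c00f78}
>keywords: fsmo:naming
>keywords: fsmo:schema
>keywords: instance:instance1
>keywords: site:Default-First-Site-Name
>serviceClassName: LDAP
>serviceBindingInformation: ldaps://2k3utl01.test.loc:636
>serviceBindingInformation: ldap://2k3utl01.test.loc:389
>serviceDNSName: 2k3utl01.test.loc
"""

def parse_adfind(text):
    """Turn adfind output into a list of {attr: [values]} dicts, one per object."""
    objects, current = [], None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = {"dn": [line[3:].strip()]}
            objects.append(current)
        elif line.startswith(">") and current is not None:
            # split on the first colon only; values such as URLs contain colons
            attr, _, value = line[1:].partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return objects

def ldap_scps(objects):
    """Keep only SCPs advertising an LDAP service, the first cut at ADAM instances."""
    return [o for o in objects if o.get("serviceClassName") == ["LDAP"]]

def keyword_tags(obj):
    """Split 'prefix:value' keywords (fsmo:, instance:, site:) into a dict of lists."""
    tags = {}
    for kw in obj.get("keywords", []):
        prefix, sep, rest = kw.partition(":")
        if sep:
            tags.setdefault(prefix, []).append(rest)
    return tags

if __name__ == "__main__":
    for scp in ldap_scps(parse_adfind(SAMPLE)):
        print(scp["dn"][0])
        print("  bindings:", scp["serviceBindingInformation"])
        print("  tags:", keyword_tags(scp))
```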