Doing non-GUI provisioning for Exchange is a PITA, at best. Not to mention poorly 
documented. I've got way too many lines of vbscript for my environment, and even so, I 
couldn't figure out how to do some of it in script (primarily address list ACEs).

Microsoft's MPS for Exchange 2003 is _slick_. But I haven't had a chance to spend any 
time looking under the hood yet.

While you're here -- some info/questions about a tool near/dear to your heart -- 
adfind:

It appears to have an off-by-one error (or something) -- it doesn't seem to display 
the primary group for a user in the memberOf attribute (does that mean it isn't there?)

Prolly somewhat related to the above, it doesn't decode primaryGroupID into a name.

msExchMailboxSecurityDescriptor: â <-- displays a non-printable character here

It would be nice to be able to suppress the display of blobs (like msExchRecordedName 
and mSMQSignCertificates).

Thanks again,
Michael

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Wednesday, January 28, 2004 1:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3


LOL no problem... Joe's late night troubleshooting service at your... Well service.

Now we have found we actually have a bunch of garbage in many of our proxyaddresses 
attributes... Trying to pull all that out... Another perl script of course.  Going to 
have to chat with the people who do the data provisioning in the morning....


  joe
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, January 28, 2004 12:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3

Word.

Word. Word. Word.

Note: those are all four-letter words.

Those other combinations WORK on both Windows 2000 and Windows 2003. To date, I'd used 
what the manual and the vendor support staff said to use. (And no, I don't know why it 
failed otherwise, and I find myself not horribly concerned, now that I have something 
that works.)

Thanks for talking me through this.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Wednesday, January 28, 2004 12:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3


Actually with AD you can specify the bind principal as 

        NetBIOS name: domain\username
        UPN:          [EMAIL PROTECTED]   (Assuming that is the UPN)
        DN:           cn=user,ou=blah,dc=blah,dc=com

Should be able to do the same with your program as well unless they do a sanity check 
on the input and define sane as DN format only... 

You can use the same DN for adfind if you would like as well to test it. I just 
usually tell people the netbios form because they are more familiar with it.

On the PS... We are working it out and yes it does seem to not like it... 


  joe

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, January 27, 2004 11:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3

Adfind works just dandy on w2k3. I tested it too, with -simple.

Another question on ldap_simple_bind_s()....

What is the format of the DN parameter?

This application has me specify the user as CN=username,CN=Users,DC=domain,DC=com 
along with a base DN for the search (DC=domain,DC=com) whereas adfind needs the base 
in the same format, but requires the username parameter in the 
netbiosdomainname\username format.

Does adfind rewrite the username or could this be where the change is?

Thanks!

Michael

PS: Exchange hates duplicate proxyAddresses. Whose code let THAT slip by? :-)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Tuesday, January 27, 2004 11:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3


Heh, I was done with work faster than I expected. You have got to love perl... :op  We 
seem to have a small issue with multiple user/contact objects having the same proxy 
addresses and it is throwing errors on the E2K servers and I had to go find all the 
dupes out of some 220k objects with the proxyaddresses attribute... There were 64... 


Ok back to the problem at hand; I tested this against one of my W2K3 Test DCs running 
in a VPC session... As expected it worked fine.

You might want to get a network trace of the traffic between the DC and the server 
trying to talk to the DC, I am curious. If they are indeed using just simple LDAP 
calls ala ldap_simple_bind_s you will totally see that traffic nearly in clear text in 
NetMon including the password being sent. You will see right where it is failing. 

Actually let me get on the podium for a minute on the benefits of network tracing and 
your friendly neighborhood LDAP apps... It is good to do to understand what calls the 
LDAP is making to see how bad or how good it is. You will find a lot of LDAP apps make 
a lot of unnecessary calls (<cough>e2k<cough>) and do a lot of unnecessary 
authentications. I would say one of my favorite "screwups" is an app that 
authenticates people and the way it does it is it binds with an app ID to do a search 
of the user's dn and then unbinds and rebinds with the user's dn... This is great, 2 
authentications for every one needed. Anyway, if you can find the time, it is always 
good to look at the apps and profile the traffic they generate and the queries they 
use so you can catch those stupid objectclass=something queries (<cough>e2k<cough>) 
and other inefficient things (<cough>e2k<cough>). You can also do this by cranking up 
various debugging on your DC but you usually don't want to do that with a prod box. 
NetMON is much lighter... 

Just so I don't go away without insulting at least one person.... If you call yourself 
an admin and DO NOT know how to use some sort of network analysis/sniffer tool, you 
really need to do your job and go learn one. This is invaluable for solving problems 
around AD and computers in general. Otherwise when you get that weird issue where some 
network switch or router is throwing away UDP packets from the Kerberos authentication 
process you will have to have someone who knows how to do the job come in and do it. 
It is also very handy for DNS issues. 



[Tue 01/27/2004 22:54:00.81]
F:\DEV\cpp\OldCmp>Adfind -h vw2k3a -default -f name=administrator -simple -u 
vtest\testuser -up Password1

AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003

Using server: VW2K3a.vtest.local
Base DN: DC=vtest,DC=local

dn:CN=Administrator,CN=Users,DC=vtest,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: Administrator
>description: Built-in account for administering the computer/domain
>distinguishedName: CN=Administrator,CN=Users,DC=vtest,DC=local
>instanceType: 4
>whenCreated: 20031026153618.0Z
>whenChanged: 20031230164947.0Z
>uSNCreated: 8194
>memberOf: CN=TestUni,CN=Users,DC=vtest,DC=local
>memberOf: CN=Group Policy Creator Owners,CN=Users,DC=vtest,DC=local
>memberOf: CN=Domain Admins,CN=Users,DC=vtest,DC=local
>memberOf: CN=Enterprise Admins,CN=Users,DC=vtest,DC=local
>memberOf: CN=Schema Admins,CN=Users,DC=vtest,DC=local
>memberOf: CN=Administrators,CN=Builtin,DC=vtest,DC=local
>uSNChanged: 28711
>name: Administrator
>objectGUID: {AE5284F2-257D-479D-8776-F46BDAE17028}
>userAccountControl: 66048
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 127122886467739888
>lastLogoff: 0
>lastLogon: 127172765879264320
>pwdLastSet: 127115734585121920
>primaryGroupID: 513
>objectSid: S-1-5-21-1851711904-3339057820-1962739558-500
>adminCount: 1
>accountExpires: 9223372036854775807
>logonCount: 32
>sAMAccountName: Administrator
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=vtest,DC=local
>isCriticalSystemObject: TRUE
>lastLogonTimestamp: 127172765879264320


1 Objects returned

[Tue 01/27/2004 22:55:04.82]
F:\DEV\cpp\OldCmp>
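Two points from this thread in one added example (not code from the list, from adfind, or from any of the posters): what an ldap_simple_bind_s request looks like on the wire, which is why a NetMon trace of it shows the credential, and the three bind-name forms (NetBIOS, UPN, DN) joe lists further up the thread. The BER tags follow RFC 4511; the sample request is constructed here from the vtest\testuser principal used in the adfind run above, and the classifier's form names are my own.

```python
import re

def _tlv(tag, body):
    # BER TLV, short-form length only: the constructed samples stay under 128 bytes.
    return bytes([tag, len(body)]) + body

def simple_bind_request(msg_id, name, password):
    # LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] } }.
    # The simple [0] OCTET STRING is the password itself, sent as-is on a plain TCP/389 link.
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

def _read_tlv(buf, pos):
    # Parse one TLV at pos (short or long definite length); returns (tag, body, next_pos).
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

_FORMS = [("netbios", r"[^\\@=,]+\\[^\\@=,]+"), ("upn", r"[^\\@=,]+@[^\\@=,]+"),
          ("dn", r"\w+=[^,]+(,\w+=[^,]+)*")]

def classify_principal(name):
    # The bind-name forms AD accepts for a simple bind; an empty name is an anonymous bind.
    if name == "":
        return "anonymous"
    return next((form for form, rx in _FORMS if re.fullmatch(rx, name)), "unknown")

def audit_bind(packet, over_tls=False):
    # Walk LDAPMessage -> BindRequest and report what a capture reveals: the bind name,
    # its form, and whether the credential travelled in clear (simple bind, no TLS).
    _, msg, _ = _read_tlv(packet, 0)           # SEQUENCE LDAPMessage
    _, mid, pos = _read_tlv(msg, 0)            # INTEGER messageID
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x60:                         # not [APPLICATION 0] BindRequest
        return None
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, _cred, _ = _read_tlv(op, pos)    # 0x80 = simple, 0xA3 = sasl
    return {"message_id": int.from_bytes(mid, "big"), "version": ver[0],
            "name": name.decode(), "auth": "simple" if auth_tag == 0x80 else "sasl",
            "principal_form": classify_principal(name.decode()),
            "credentials_in_clear": auth_tag == 0x80 and not over_tls}

# Constructed sample mirroring the adfind -simple call in the thread (not a real capture).
SAMPLE = simple_bind_request(1, "vtest\\testuser", "Password1")
```

audit_bind returns None for any protocolOp other than a BindRequest; pass over_tls=True for packets taken from an LDAPS or StartTLS session, where the same bytes are not readable on the wire.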



 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, January 27, 2004 10:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3

I would have to say no, ldap_bind_s is still fine and dandy. Taking that away would 
break nearly every UNIX LDAP app written it would appear as they all like it because 
it is simple. It would also break many Windows Apps that were ported from UNIX because 
they didn't know better. 

If you want to do a simple test, grab adfind and do this

Adfind -h domaincontroller -default -f name=someobjectname -simple -u domain\user -up 
userpassword 

Ex:

[Tue 01/27/2004 22:41:29.41]
F:\DEV\cpp\OldCmp>Adfind -h w2kasdc1 -default -f name=joe -simple -u joehome\joebob 
-up test

AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003

Using server: w2kasdc1.joehome.com
Base DN: DC=joehome,DC=com

dn:CN=joe,CN=Users,DC=joehome,DC=com
>directReports: CN=$$jricha34,CN=Users,DC=joehome,DC=com
>managedObjects: CN=_DIST_TestGroup,OU=Test,DC=joehome,DC=com
>accountExpires: 127193976000000000
>badPasswordTime: 127182179962809320
>badPwdCount: 0
>codePage: 0
>cn: joe
>countryCode: 0
>instanceType: 4
>lastLogoff: 0
>lastLogon: 127193024241243522
>lockoutTime: 0
>logonCount: 91
>logonHours: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF
>msNPAllowDialin: TRUE
>distinguishedName: CN=joe,CN=Users,DC=joehome,DC=com
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joehome,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>objectGUID: {DF6AC5DC-3EBA-41FD-8893-E1ED7FAA5929}
>objectSid: S-1-5-21-1275210071-789336058-1957994488-218285
>primaryGroupID: 513
>pwdLastSet: 127189408129723189
>name: joe
>sAMAccountName: joe
>sAMAccountType: 805306368
>telephoneNumber: 555
>userAccountControl: 512
>userParameters: m:                    d
>uSNChanged: 1257854
>uSNCreated: 1163453
>whenChanged: 20040123043244.0Z
>whenCreated: 20021022040334.0Z


1 Objects returned

[Tue 01/27/2004 22:42:19.51]
F:\DEV\cpp\OldCmp>



I am looking at a work issue right now, if I get done soon I will spin up my W2K3 test 
environment and test it, but again I would be shocked to death if it didn't work. 

  joe

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, January 27, 2004 10:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3

The application does indeed use LDAP.

It _appears_ that the issue is the API ldap_simple_bind_s. 

MSDN documentation says that nothing Microsoft supplies uses that API in Windows XP. 
One may reasonably extrapolate that to include Windows 2003. But I can't find anything 
that states that the API was deprecated between Windows 2000 and Windows 2003. Or 
between Windows 2000 SP3 and SP4 (although there are minor hints).

I've turned on auditing (hours ago) and almost nothing shows -- either success or 
failure. I don't know what it takes to trigger an audit event, but a simple ldap query 
doesn't seem to do it, or a failed ldap_simple_bind_s.

I've suggested (requested) a change to ldap_bind_s but is there documentation 
somewhere that I am missing that says ldap_simple_bind_s will no longer work properly?

Thanks for your hint, it got me headed down the proper path.

Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO 
(HP-Germany,ex1)
Sent: Tuesday, January 27, 2004 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3

yes, there are various security changes in Win2k3, incl. different default ACLs on 
various objects.

But as you've created a special account for the app, you shouldn't need to enable 
anonymous LDAP operations on your Win2k3 DCs => however, the app needs to leverage the 
credentials correctly to bind to the LDAP server (the DC).

The real question is: what does the app really do? Do they even perform LDAP queries 
or do they use some NT4 APIs to read data from AD (I've seen this too many times, 
although the vendor swore they were not).
You need to understand what the App does, before you can apply the correct security - 
as you've mentioned, often you don't require to change anything if all the app 
requires is to list user accounts or groups etc.

A good place to start to help figure out this issue is AUDITING: go to your Default DC 
policy and enable "Audit directory service access" for success and failure 
(preferably in a lab, of course). Then start up your misbehaving Application, wait 
for it to fail and take some time to wade through the security Eventlogs => often you 
can find a particular AD object (incl. the DN) which an app tries to access when it 
fails. This gives you new options to check out the permissions really required by the 
app (or to tell the vendor how to correct a problem in their application).

/Guido


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, January 27, 2004 16:51
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Change in A/D security between 2k and 2k3

I run an application (ModusGate by Vircom, if anyone cares) that requires "read 
access" (their phrasing) to A/D for LDAP queries.
 
In Windows 2000, this was easily done in ADU&C -- create a user,
View->Advanced, properties on the domain, Security tab, add the user and
grant "READ".
 
I can do exactly the same thing in Windows 2003, but it doesn't work anymore (and, in 
fact, the way I read the permissions I shouldn't even need to do it with the change in 
the default permissions). The ONLY account that works is the Administrator account. I 
can create an account, add it to domain admins, enterprise admins, blah blah blah -- 
so it looks just like Administrator and it still fails. So, I presumed it was User 
Rights -- so I add this account and give it the same everything there too (in Domain 
Controller Policy and Domain Policy). Still no joy.
 
Applied change suggested in KB 326690. Still no joy.
 
Vircom is baffled as well, they say.
 
Any hints or suggestions for me?
 
Thanks.
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/