LOL.

Ok, we just found a ton of duped x400 addresses so I will answer this and then I am 
off to take some drugs (Labatts) and go to sleep...

Our provisioning is pretty much ok, our data is what sucks. :op  Though I do have some 
choice words for the process of doing the info entry on web pages and flat files (they 
call them data bases...shhh don't tell anyone) on mainframes, ftping the data from 
mainframe to wintel, then processing the work, and then the mainframe pulling a 
results file back from wintel to mainframe via ftp... 

Speaking of mainframes... I had a startling conversation a day or so ago about our 
conference rooms which have managed to have the actual information for the real world 
mailboxes getting WAY out of sync with the "Authoritative" Mainframe Data 
<cough>flat file<cough> Base. I made the silly suggestion of keeping the info we keep 
in the mainframe on the actual conference room user objects in AD where Zeus intended 
and you would think I went up and kicked the manager's baby frog or something. Oh my 
god no... The world needs that data to be on the mainframe because the mainframe is 
the only thing that could truly be authoritative because it is... Well a mainframe and 
mainframes are built to be authoritative... I mean come on, ever meet a mainframe who 
didn't seem impressive and authoritative. Just sitting in the corner humming like you 
aren't even there or something... Yep, I'm telling you... That is authoritative, how 
dare the world get out of sync from its authoritative data... It is the world's fault, 
not the mainframe, not the data. 



Anyway back to your off topic request... :op



Adfind... It's just this tool you know... [1]

Re: One Off Error....

There are NO errors!!! Heh. Primary group membership is not maintained in the memberof 
attribute for several reasons...

1. Nothing is maintained in the memberof attribute, it is a generated attribute. The 
information is really in the members attribute of groups. People discover this when 
they think they can add users to groups because they have full control over a 
userid... Heheh Hello, we call this security! Allowing you to do that would be bad. 

2. You will note that primary groups do not have the users who have that group as a 
primary group listed in the members attribute. This is due to the implementation of DN 
style multivalue attributes... Multivalued LVR attributes which should be ringing 
bells in your head... Think of this. In W2K you have more than 5k members in a group, 
you live on the edge of having the opportunity to experience unique results... Now 
take say one of my domains... 110k users... All of them in Domain Users... Umm yeah, I 
already live on the edge of having the opportunity to experience unique results, I 
don't need more. I especially don't need a lack of replication, and that is a unique result 
I can do without. So they store primary group membership info as a RID in the user's 
primaryGroupID attribute.... So groups aren't stored in the user object... Well except 
that one so wait... You can change the group a user is in.... Hmmm. What if I make 
myself an Exchange Domain Server.... Hmmmmmmmmmmmmm :op


Re: Decode primaryGroupID into a name...

Correct. It doesn't. That takes me having to figure out the domain SID, tacking on the 
RID, then doing a SID lookup. It is in the todo for someday, but I can live without it 
in ADFIND because it is in memberof which is oriented towards group schtuff.... Also 
it is kind of slow compared to everything else I do, I don't like slow. No time for 
slow for this work stuff. Slow is for hammocks and other things like that. 


Re: msExchMailboxSecurityDescriptor: â <-- displays a non-printable character here

You will recall my special feelings for Exchange.... And a smiley face is indeed 
printable because I can see that you sent it to me... :op 

Actually I intend to do something about that as well some day. Along with 
ntsecuritydescriptor which isn't normally displayed because AD doesn't return it with 
the normal * return set, you have to ask specially for it. I actually have enough 
from Robbie and Richard's good book (not that silly stuff Robbie is doing now...) to 
display that info but again time flies like an arrow and fruit flies like a banana...


Re: It would be nice to be able to suppress the display of blobs 

Hey blobs are data 2! Generally 0's and 1's that you normally like just fine. 

Anyway and almost seriously, some blobs are nice to see such as logon times, etc which 
can be sort of worked out by looking at them... See the problem is that I refuse to 
let MS make me hard code attributes. I should be able to read from the schema how to 
properly handle these like I did with SIDS/GUIDS (and MS was no help there either 
thankyouverymuch). The first versions of ADFIND had me manually updating tables of how 
to deal with things... I started getting requests to add custom schema attributes and 
in the words of one of my favorite TV heroes (Aeryn Sun) - Frell that. So I sat down 
and noodled out a way to figure out programmatically what was a sid attribute and what 
was a GUID attribute so I could decode them as I thought they were some of the more 
important binary fields to decode and I personally wanted that functionality and in 
terms of feature sets that get coded in, I have an in with the programmer... So we 
have gotten to where we are and every time you turn around there you are. I have some 
urges building concerning ADFIND so the dust cover will be coming off of it sometime 
in the next couple of months and I will tackle it again and maybe put some of these 
types of things in... In the meanwhile, I am working out in my head feature sets and 
program flow of oldcmpNT and olduser and maybe if everyone is nice an olduserNT as 
well... Also Service driven versions of oldcmp and olduser but only because I think I 
will charge for those just because I probably can. :o)  Any companies out there that 
currently produce expensive tools that you sell for doing migrations and reporting and 
cleanup and such, I am willing to be bribed not to plant corn... Err write these 
freeware tools. :o)  Just put me on the payroll as Idea Guy Emeritus or something. I 
don't need an office, well not a big one. Nor too many windows. A pool table and a 
pinball machine are pretty much mandatory though. 


Good night!
 
   joe




[1] Paraphrased from a storyline near and dear to my heart...
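
The two adfind answers above (why the primary group is missing from memberOf, and what decoding primaryGroupID would take: domain SID plus RID, then a lookup) worked through in code. This is an added example and not adfind or any code from this thread; it parses the binary objectSid layout AD returns on the wire, derives the primary group SID from objectSid and primaryGroupID, and decodes the FILETIME-style integers (lastLogon, accountExpires) joe mentions as blobs worth reading. The sample values are the Administrator object quoted further down the thread; the binary blob is constructed from that SID. The final SID-to-name lookup (LsaLookupSids or an LDAP search on objectSid) is assumed to happen elsewhere and is not attempted here.

```python
"""Decode AD objectSid blobs, derive the primary group SID, decode FILETIME values.

Added example, not adfind code.  Sample values are from the adfind output
quoted in this thread; the binary blob is constructed from that SID string.
"""
import struct
from datetime import datetime, timedelta, timezone

# lastLogon, pwdLastSet, accountExpires etc. are 100-ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_NEVER = 0x7FFFFFFFFFFFFFFF  # accountExpires sentinel meaning "never expires"


def sid_from_bytes(blob: bytes) -> str:
    """Parse the binary objectSid layout into S-1-5-21-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit identifier
    authority (big-endian), then N little-endian 32-bit sub-authorities.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes; used here to construct a sample blob."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def primary_group_sid(object_sid: str, primary_group_id: int) -> str:
    """Domain SID (the user's objectSid minus its own RID) with primaryGroupID as RID.

    This is the part adfind skips: the result still needs a SID-to-name lookup.
    """
    domain_sid = object_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)


def filetime_to_datetime(value: int):
    """Decode a 64-bit FILETIME integer; None means unset or 'never'."""
    if value in (0, _NEVER):
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=value // 10)


# Values from the Administrator object in the adfind output quoted in this thread.
ADMIN_SID = "S-1-5-21-1851711904-3339057820-1962739558-500"
ADMIN_PRIMARY_GROUP_ID = 513          # Domain Users
ADMIN_LAST_LOGON = 127172765879264320
ADMIN_ACCOUNT_EXPIRES = 9223372036854775807

# Constructed binary form of ADMIN_SID, as AD would return objectSid on the wire.
ADMIN_SID_BLOB = sid_to_bytes(ADMIN_SID)

if __name__ == "__main__":
    print(sid_from_bytes(ADMIN_SID_BLOB))
    print(primary_group_sid(ADMIN_SID, ADMIN_PRIMARY_GROUP_ID))
    print(filetime_to_datetime(ADMIN_LAST_LOGON))      # matches whenChanged above
    print(filetime_to_datetime(ADMIN_ACCOUNT_EXPIRES))  # None: never expires
```

Note that lastLogon decodes to the same second as the object's whenChanged value in the quoted output, which is a cheap sanity check that the epoch and tick size are right. The length check in sid_from_bytes matters when the attribute comes from an untrusted source: a short blob with a large count byte would otherwise unpack garbage.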

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, January 28, 2004 1:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3

Doing non-GUI provisioning for Exchange is a PITA, at best. Not to mention poorly 
documented. I've got way too many lines of vbscript for my environment, and even so, I 
couldn't figure out how to do some of it in script (primarily address list ACEs).

Microsoft's MPS for Exchange 2003 is _slick_. But I haven't had a chance to spend any 
time looking under the hood yet.

While you're here -- some info/questions about a tool near/dear to your heart -- 
adfind:

It appears to have an off-by-one error (or something) -- it doesn't seem to display 
the primary group for a user in the memberOf attribute (does that mean it isn't there?)

Prolly somewhat related to the above, it doesn't decode primaryGroupID into a name.

msExchMailboxSecurityDescriptor: â <-- displays a non-printable character here

It would be nice to be able to suppress the display of blobs (like msExchRecordedName 
and mSMQSignCertificates).

Thanks again,
Michael

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Wednesday, January 28, 2004 1:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3


LOL no problem... Joe's late night troubleshooting service at your... Well service.

Now we have found we actually have a bunch of garbage in many of our proxyaddresses 
attributes... Trying to pull all that out... Another perl script of course.  Going to 
have to chat with the people who do the data provisioning in the morning....


  joe
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, January 28, 2004 12:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3

Word.

Word. Word. Word.

Note: those are all four-letter words.

Those other combinations WORK on both Windows 2000 and Windows 2003. To date, I'd used 
what the manual and the vendor support staff said to use. (And no, I don't know why it 
failed otherwise, and I find myself not horribly concerned, now that I have something 
that works.)

Thanks for talking me through this.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Wednesday, January 28, 2004 12:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3


Actually with AD you can specify the bind principal as 

        NetBIOS name:  domain\username
        UPN             :  [EMAIL PROTECTED]   (Assuming that is the UPN)
        DN              :  cn=user,ou=blah,dc=blah,dc=com

Should be able to do the same with your program as well unless they do a sanity check 
on the input and define sane as DN format only... 

You can use the same DN for adfind if you would like as well to test it. I just 
usually tell people the netbios form because they are more familiar with it.

On the PS... We are working it out and yes it does seem to not like it... 


  joe

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, January 27, 2004 11:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3

Adfind works just dandy on w2k3. I tested it too, with -simple.

Another question on ldap_simple_bind_s()....

What is the format of the DN parameter?

This application has me specify the user as CN=username,CN=Users,DC=domain,DC=com 
along with a base DN for the search (DC=domain,DC=com) whereas adfind needs the base 
in the same format, but requires the username parameter in the 
netbiosdomainname\username format.

Does adfind rewrite the username or could this be where the change is?

Thanks!

Michael

PS: Exchange hates duplicate proxyAddresses. Whose code let THAT slip by? :-)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Tuesday, January 27, 2004 11:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3


Heh, I was done with work faster than I expected. You have got to love perl... :op  We 
seem to have a small issue with multiple user/contact objects having the same proxy 
addresses and it is throwing errors on the E2K servers and I had to go find all the 
dupes out of some 220k objects with the proxyaddresses attribute... There were 64... 


Ok back to the problem at hand; I tested this against one of my W2K3 Test DCs running 
in a VPC session... As expected it worked fine.

You might want to get a network trace of the traffic between the DC and the server 
trying to talk to the DC, I am curious. If they are indeed using just simple LDAP 
calls ala ldap_simple_bind_s you will totally see that traffic nearly in clear text in 
NetMon including the password being sent. You will see right where it is failing. 

Actually let me get on the podium for a minute on the benefits of network tracing and 
your friendly neighborhood LDAP apps... It is good to do to understand what calls the 
LDAP is making to see how bad or how good it is. You will find a lot of LDAP apps make 
a lot of unnecessary calls (<cough>e2k<cough>) and do a lot of unnecessary 
authentications. I would say one of my favorite "screwups" is an app that 
authenticates people and the way it does it is it binds with an app ID to do a search 
of the user's dn and then unbinds and rebinds with the user's dn... This is great, 2 
authentications for every one needed. Anyway, if you can find the time, it is always 
good to look at the apps and profile the traffic they generate and the queries they 
use so you can catch those stupid objectclass=something queries (<cough>e2k<cough>) 
and other inefficient things (<cough>e2k<cough>). You can also do this by cranking up 
various debugging on your DC but you usually don't want to do that with a prod box. 
NetMON is much lighter... 

Just so I don't go away without insulting at least one person.... If you call yourself 
an admin and DO NOT know how to use some sort of network analysis/sniffer tool, you 
really need to do your job and go learn one. This is invaluable for solving problems 
around AD and computers in general. Otherwise when you get that weird issue where some 
network switch or router is throwing away UDP packets from the Kerberos authentication 
process you will have to have someone who knows how to do the job come in and do it. 
It is also very handy for DNS issues. 



[Tue 01/27/2004 22:54:00.81]
F:\DEV\cpp\OldCmp>Adfind -h vw2k3a -default -f name=administrator -simple -u 
vtest\testuser -up Password1

AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003

Using server: VW2K3a.vtest.local
Base DN: DC=vtest,DC=local

dn:CN=Administrator,CN=Users,DC=vtest,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: Administrator
>description: Built-in account for administering the computer/domain
>distinguishedName: CN=Administrator,CN=Users,DC=vtest,DC=local
>instanceType: 4
>whenCreated: 20031026153618.0Z
>whenChanged: 20031230164947.0Z
>uSNCreated: 8194
>memberOf: CN=TestUni,CN=Users,DC=vtest,DC=local
>memberOf: CN=Group Policy Creator Owners,CN=Users,DC=vtest,DC=local
>memberOf: CN=Domain Admins,CN=Users,DC=vtest,DC=local
>memberOf: CN=Enterprise Admins,CN=Users,DC=vtest,DC=local
>memberOf: CN=Schema Admins,CN=Users,DC=vtest,DC=local
>memberOf: CN=Administrators,CN=Builtin,DC=vtest,DC=local
>uSNChanged: 28711
>name: Administrator
>objectGUID: {AE5284F2-257D-479D-8776-F46BDAE17028}
>userAccountControl: 66048
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 127122886467739888
>lastLogoff: 0
>lastLogon: 127172765879264320
>pwdLastSet: 127115734585121920
>primaryGroupID: 513
>objectSid: S-1-5-21-1851711904-3339057820-1962739558-500
>adminCount: 1
>accountExpires: 9223372036854775807
>logonCount: 32
>sAMAccountName: Administrator
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=vtest,DC=local
>isCriticalSystemObject: TRUE
>lastLogonTimestamp: 127172765879264320


1 Objects returned

[Tue 01/27/2004 22:55:04.82]
F:\DEV\cpp\OldCmp>
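
What joe says a NetMon trace of ldap_simple_bind_s() shows (the bind "nearly in clear text including the password"), and his earlier note that the bind principal can be a NetBIOS name, a UPN or a DN, as one worked example. This is added code, not adfind's and not the vendor's: it BER-encodes an LDAPv3 simple BindRequest the way RFC 4511 lays it out and decodes one back, so you can see that the name field is an opaque octet string (any of the three forms goes in unchanged and the DC decides what it means) and the password is a second octet string sitting in the packet as-is. The sample packet is constructed from the test credentials joe used in his adfind run above.

```python
"""Build and decode an LDAPv3 simple BindRequest (RFC 4511 BER encoding).

Added example, not adfind or vendor code.  It shows what a network trace of
ldap_simple_bind_s() carries: bind name and password as plain octet strings.
"""

SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0], primitive
SASL_AUTH = 0xA3      # AuthenticationChoice sasl [3], constructed


def _tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value, short-form length below 128, long form above."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def _int(value: int) -> bytes:
    """Two's-complement INTEGER content octets (128 needs a leading 0x00)."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    'name' is whatever the client passes: DN, UPN or domain\\user all encode
    the same way; the server interprets it.
    """
    bind = (_tlv(INTEGER, _int(3))
            + _tlv(OCTET_STRING, name.encode("utf-8"))
            + _tlv(SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(SEQUENCE, _tlv(INTEGER, _int(message_id)) + _tlv(BIND_REQUEST, bind))


def decode_bind_request(packet: bytes) -> dict:
    """Pull messageID, version, name and credentials out of a captured BindRequest."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest (tag 0x%02x)" % tag)
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    out = {"message_id": int.from_bytes(mid, "big", signed=True),
           "version": int.from_bytes(ver, "big"),
           "name": name.decode("utf-8")}
    if tag == SIMPLE_AUTH:
        out["method"], out["password"] = "simple", auth.decode("utf-8", "replace")
    elif tag == SASL_AUTH:
        # SaslCredentials is IMPLICIT [3]: the mechanism OCTET STRING comes first.
        _, mech, _ = _read_tlv(auth, 0)
        out["method"], out["mechanism"], out["password"] = "sasl", mech.decode(), None
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return out


# Constructed capture of the bind adfind -simple sends for joe's test run above.
CAPTURED_SIMPLE_BIND = (b"\x30\x23\x02\x01\x01\x60\x1e\x02\x01\x03"
                        b"\x04\x0evtest\\testuser"
                        b"\x80\x09Password1")

if __name__ == "__main__":
    print(decode_bind_request(CAPTURED_SIMPLE_BIND))
    print(b"Password1" in CAPTURED_SIMPLE_BIND)   # the trace carries it verbatim
```

The decoder refuses anything that is not a BindRequest rather than guessing, which is the behaviour you want in a trace filter. It also recognises the SASL choice so that a GSS-SPNEGO bind (what ldap_bind_s with LDAP_AUTH_NEGOTIATE produces) is reported as such instead of being mistaken for a password.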



 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, January 27, 2004 10:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3

I would have to say no, ldap_bind_s is still fine and dandy. Taking that away would 
break nearly every UNIX LDAP app written it would appear as they all like it because 
it is simple. It would also break many Windows Apps that were ported from UNIX because 
they didn't know better. 

If you want to do a simple test, grab adfind and do this

Adfind -h domaincontroller -default -f name=someobjectname -simple -u domain\user -up 
userpassword 

Ex:

[Tue 01/27/2004 22:41:29.41]
F:\DEV\cpp\OldCmp>Adfind -h w2kasdc1 -default -f name=joe -simple -u joehome\joebob 
-up test

AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003

Using server: w2kasdc1.joehome.com
Base DN: DC=joehome,DC=com

dn:CN=joe,CN=Users,DC=joehome,DC=com
>directReports: CN=$$jricha34,CN=Users,DC=joehome,DC=com
>managedObjects: CN=_DIST_TestGroup,OU=Test,DC=joehome,DC=com
>accountExpires: 127193976000000000
>badPasswordTime: 127182179962809320
>badPwdCount: 0
>codePage: 0
>cn: joe
>countryCode: 0
>instanceType: 4
>lastLogoff: 0
>lastLogon: 127193024241243522
>lockoutTime: 0
>logonCount: 91
>logonHours: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF
>msNPAllowDialin: TRUE
>distinguishedName: CN=joe,CN=Users,DC=joehome,DC=com
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joehome,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>objectGUID: {DF6AC5DC-3EBA-41FD-8893-E1ED7FAA5929}
>objectSid: S-1-5-21-1275210071-789336058-1957994488-218285
>primaryGroupID: 513
>pwdLastSet: 127189408129723189
>name: joe
>sAMAccountName: joe
>sAMAccountType: 805306368
>telephoneNumber: 555
>userAccountControl: 512
>userParameters: m:                    d
>uSNChanged: 1257854
>uSNCreated: 1163453
>whenChanged: 20040123043244.0Z
>whenCreated: 20021022040334.0Z


1 Objects returned

[Tue 01/27/2004 22:42:19.51]
F:\DEV\cpp\OldCmp>



I am looking at a work issue right now, if I get done soon I will spin up my W2K3 test 
environment and test it, but again I would be shocked to death if it didn't work. 

  joe

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, January 27, 2004 10:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3

The application does indeed use LDAP.

It _appears_ that the issue is the API ldap_simple_bind_s. 

MSDN documentation says that nothing Microsoft supplies uses that API in Windows XP. 
One may reasonably extrapolate that to include Windows 2003. But I can't find anything 
that states that the API was deprecated between Windows 2000 and Windows 2003. Or 
between windows 2000 sp3 to sp4 (although there are minor hints).

I've turned on auditing (hours ago) and almost nothing shows -- either success or 
failure. I don't know what it takes to trigger an audit event, but a simple ldap query 
doesn't seem to do it, or a failed ldap_simple_bind_s.

I've suggested (requested) a change to ldap_bind_s but is there documentation 
somewhere that I am missing that says ldap_simple_bind_s will no longer work properly?

Thanks for your hint, it got me headed down the proper path.

Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO 
(HP-Germany,ex1)
Sent: Tuesday, January 27, 2004 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3

yes, there are various security changes in Win2k3, incl. different default ACLs on 
various objects.

But as you've created a special account for the app, you shouldn't need to enable 
anonymous LDAP operations on your Win2k3 DCs => however, the app needs to leverage the 
credentials correctly to bind to the LDAP server (the DC).

The real question is: what does the app really do? Do they even perform LDAP queries 
or do they use some NT4 APIs to read data from AD (I've seen this too many times, 
although the vendor swore they were not).
You need to understand what the App does, before you can apply the correct security - 
as you've mentioned, often you don't require to change anything if all the app 
requires is to list user accounts or groups etc.

A good place to start to help figure out this issue is AUDITING: go to your Default DC 
policy and enable "Audit directory service access" for success and failure 
(preferably in a lab, of course). Then start up your mis-behaving Application, wait 
for it to fail and take some time to wade through the security Eventlogs => often you 
can find a particular AD object (incl. the DN) which an app tries to access when it 
fails.  This gives you new options to check out the permissions really required by the 
app (or to tell the vendor how to correct a problem in their application).

/Guido


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, January 27, 2004 4:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Change in A/D security between 2k and 2k3

I run an application (ModusGate by Vircom, if anyone cares) that requires "read 
access" (their phrasing) to A/D for LDAP queries.
 
In Windows 2000, this was easily done in ADU&C -- create a user,
View->Advanced, properties on the domain, Security tab, add the user and
grant "READ".
 
I can do exactly the same thing in Windows 2003, but it doesn't work anymore (and, in 
fact, the way I read the permissions I shouldn't even need to do it with the change in 
the default permissions). The ONLY account that works is the Administrator account. I 
can create an account, add it to domain admins, enterprise admins, blah blah blah -- 
so it looks just like Administrator and it still fails. So, I presumed it was User 
Rights -- so I add this account and give it the same everything there too (in Domain 
Controller Policy and Domain Policy). Still no joy.
 
Applied change suggested in KB 326690. Still no joy.
 
Vircom is baffled as well, they say.
 
Any hints or suggestions for me?
 
Thanks.
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
