Have a link to the MPS?

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 28, 2004 1:24 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> 
> Doing non-GUI provisioning for Exchange is a PITA, at best. 
> Not to mention poorly documented. I've got way too many lines 
> of vbscript for my environment, and even so, I couldn't 
> figure out how to do some of it in script (primarily address 
> list ACEs).
> 
> Microsoft's MPS for Exchange 2003 is _slick_. But I haven't 
> had a chance to spend any time looking under the hood yet.
> 
> While you're here -- some info/questions about a tool 
> near/dear to your heart -- adfind:
> 
> It appears to have an off-by-one error (or something) -- it 
> doesn't seem to display the primary group for a user in the 
> memberOf attribute (does that mean it isn't there?)
> 
> Prolly somewhat related to the above, it doesn't decode 
> primaryGroupID into a name.
> 
> msExchMailboxSecurityDescriptor: â <-- displays a 
> non-printable character here
> 
> It would be nice to be able to suppress the display of blobs 
> (like msExchRecordedName and mSMQSignCertificates).
> 
> Thanks again,
> Michael
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of joe
> Sent: Wednesday, January 28, 2004 1:07 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> 
> LOL no problem... Joe's late night troubleshooting service at 
> your... Well service.
> 
> Now we have found we actually have a bunch of garbage in many 
> of our proxyaddresses attributes... Trying to pull all that 
> out... Another perl script of course.  Going to have to chat 
> with the people who do the data provisioning in the morning....
> 
> 
>   joe
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Michael B. Smith
> Sent: Wednesday, January 28, 2004 12:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> Word.
> 
> Word. Word. Word.
> 
> Note: those are all four-letter words.
> 
> Those other combinations WORK on both Windows 2000 and 
> Windows 2003. To date, I'd used what the manual and the 
> vendor support staff said to use. (And no, I don't know why 
> it failed otherwise, and I find myself not horribly 
> concerned, now that I have something that works.)
> 
> Thanks for talking me through this.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of joe
> Sent: Wednesday, January 28, 2004 12:07 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> 
> Actually with AD you can specify the bind principal as 
> 
>       NetBIOS name:  domain\username
>       UPN         :  [EMAIL PROTECTED]   (assuming that is the UPN)
>       DN          :  cn=user,ou=blah,dc=blah,dc=com
> 
> Should be able to do the same with your program as well 
> unless they do a sanity check on the input and define sane 
> as DN format only... 
> 
> You can use the same DN for adfind if you would like as well 
> to test it. I just usually tell people the netbios form 
> because they are more familiar with it.
> 
> On the PS... We are working it out and yes it does seem to 
> not like it... 
> 
> 
>   joe
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Michael B. Smith
> Sent: Tuesday, January 27, 2004 11:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> Adfind works just dandy on w2k3. I tested it too, with -simple.
> 
> Another question on ldap_simple_bind_s()....
> 
> What is the format of the DN parameter?
> 
> This application has me specify the user as 
> CN=username,CN=Users,DC=domain,DC=com along with a base DN 
> for the search (DC=domain,DC=com) whereas adfind needs the 
> base in the same format, but requires the username parameter 
> in the netbiosdomainname\username format.
> 
> Does adfind rewrite the username or could this be where the change is?
> 
> Thanks!
> 
> Michael
> 
> PS: Exchange hates duplicate proxyAddresses. Whose code let 
> THAT slip by? :-)
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of joe
> Sent: Tuesday, January 27, 2004 11:07 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> 
> Heh, I was done with work faster than I expected. You have 
> got to love perl... :op  We seem to have a small issue with 
> multiple user/contact objects having the same proxy addresses 
> and it is throwing errors on the E2K servers and I had to go 
> find all the dupes out of some 220k objects with the 
> proxyaddresses attribute... There were 64... 
> 
> 
> Ok back to the problem at hand; I tested this against one of 
> my W2K3 Test DCs running in a VPC session... As expected it 
> worked fine.
> 
> You might want to get a network trace of the traffic between 
> the DC and the server trying to talk to the DC, I am curious. 
> If they are indeed using just simple LDAP calls a la 
> ldap_simple_bind_s you will totally see that traffic nearly 
> in clear text in NetMon including the password being sent. 
> You will see right where it is failing. 
> 
> Actually let me get on the podium for a minute on the 
> benefits of network tracing and your friendly neighborhood 
> LDAP apps... It is good to do to understand what calls the 
> LDAP is making to see how bad or how good it is. You will 
> find a lot of LDAP apps make a lot of unnecessary calls 
> (<cough>e2k<cough>) and do a lot of unnecessary 
> authentications. I would say one of my favorite "screwups" is 
> an app that authenticates people and the way it does it is it 
> binds with an app ID to do a search of the user's dn and then 
> unbinds and rebinds with the user's dn... This is great, 2 
> authentications for every one needed. Anyway, if you can find 
> the time, it is always good to look at the apps and profile 
> the traffic they generate and the queries they use so you can 
> catch those stupid objectclass=something queries 
> (<cough>e2k<cough>) and other inefficient things 
> (<cough>e2k<cough>). You can also do this by cranking up 
> various debugging on your DC but you usually don't want to do 
> that with a prod box. NetMON is much lighter... 
> 
> Just so I don't go away without insulting at least one 
> person.... If you call yourself an admin and DO NOT know how 
> to use some sort of network analysis/sniffer tool, you really 
> need to do your job and go learn one. This is invaluable for 
> solving problems around AD and computers in general. 
> Otherwise when you get that weird issue where some network 
> switch or router is throwing away UDP packets from the 
> Kerberos authentication process you will have to have someone 
> who knows how to do the job come in and do it. It is also 
> very handy for DNS issues. 
> 
> 
> 
> [Tue 01/27/2004 22:54:00.81]
> F:\DEV\cpp\OldCmp>Adfind -h vw2k3a -default -f name=administrator -simple -u vtest\testuser -up Password1
> 
> AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
> 
> Using server: VW2K3a.vtest.local
> Base DN: DC=vtest,DC=local
> 
> dn:CN=Administrator,CN=Users,DC=vtest,DC=local
> >objectClass: top
> >objectClass: person
> >objectClass: organizationalPerson
> >objectClass: user
> >cn: Administrator
> >description: Built-in account for administering the computer/domain
> >distinguishedName: CN=Administrator,CN=Users,DC=vtest,DC=local
> >instanceType: 4
> >whenCreated: 20031026153618.0Z
> >whenChanged: 20031230164947.0Z
> >uSNCreated: 8194
> >memberOf: CN=TestUni,CN=Users,DC=vtest,DC=local
> >memberOf: CN=Group Policy Creator Owners,CN=Users,DC=vtest,DC=local
> >memberOf: CN=Domain Admins,CN=Users,DC=vtest,DC=local
> >memberOf: CN=Enterprise Admins,CN=Users,DC=vtest,DC=local
> >memberOf: CN=Schema Admins,CN=Users,DC=vtest,DC=local
> >memberOf: CN=Administrators,CN=Builtin,DC=vtest,DC=local
> >uSNChanged: 28711
> >name: Administrator
> >objectGUID: {AE5284F2-257D-479D-8776-F46BDAE17028}
> >userAccountControl: 66048
> >badPwdCount: 0
> >codePage: 0
> >countryCode: 0
> >badPasswordTime: 127122886467739888
> >lastLogoff: 0
> >lastLogon: 127172765879264320
> >pwdLastSet: 127115734585121920
> >primaryGroupID: 513
> >objectSid: S-1-5-21-1851711904-3339057820-1962739558-500
> >adminCount: 1
> >accountExpires: 9223372036854775807
> >logonCount: 32
> >sAMAccountName: Administrator
> >sAMAccountType: 805306368
> >objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=vtest,DC=local
> >isCriticalSystemObject: TRUE
> >lastLogonTimestamp: 127172765879264320
> 
> 
> 1 Objects returned
> 
> [Tue 01/27/2004 22:55:04.82]
> F:\DEV\cpp\OldCmp>
> 
> 
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, January 27, 2004 10:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> I would have to say no, ldap_bind_s is still fine and dandy. 
> Taking that away would break nearly every UNIX LDAP app 
> written it would appear as they all like it because it is 
> simple. It would also break many Windows Apps that were 
> ported from UNIX because they didn't know better. 
> 
> If you want to do a simple test, grab adfind and do this
> 
> Adfind -h domaincontroller -default -f name=someobjectname -simple -u domain\user -up userpassword 
> 
> Ex:
> 
> [Tue 01/27/2004 22:41:29.41]
> F:\DEV\cpp\OldCmd>Adfind -h w2kasdc1 -default -f name=joe -simple -u joehome\joebob -up test
> 
> AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
> 
> Using server: w2kasdc1.joehome.com
> Base DN: DC=joehome,DC=com
> 
> dn:CN=joe,CN=Users,DC=joehome,DC=com
> >directReports: CN=$$jricha34,CN=Users,DC=joehome,DC=com
> >managedObjects: CN=_DIST_TestGroup,OU=Test,DC=joehome,DC=com
> >accountExpires: 127193976000000000
> >badPasswordTime: 127182179962809320
> >badPwdCount: 0
> >codePage: 0
> >cn: joe
> >countryCode: 0
> >instanceType: 4
> >lastLogoff: 0
> >lastLogon: 127193024241243522
> >lockoutTime: 0
> >logonCount: 91
> >logonHours: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF
> >msNPAllowDialin: TRUE
> >distinguishedName: CN=joe,CN=Users,DC=joehome,DC=com
> >objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joehome,DC=com
> >objectClass: top
> >objectClass: person
> >objectClass: organizationalPerson
> >objectClass: user
> >objectGUID: {DF6AC5DC-3EBA-41FD-8893-E1ED7FAA5929}
> >objectSid: S-1-5-21-1275210071-789336058-1957994488-218285
> >primaryGroupID: 513
> >pwdLastSet: 127189408129723189
> >name: joe
> >sAMAccountName: joe
> >sAMAccountType: 805306368
> >telephoneNumber: 555
> >userAccountControl: 512
> >userParameters: m:                    d
> >uSNChanged: 1257854
> >uSNCreated: 1163453
> >whenChanged: 20040123043244.0Z
> >whenCreated: 20021022040334.0Z
> 
> 
> 1 Objects returned
> 
> [Tue 01/27/2004 22:42:19.51]
> F:\DEV\cpp\OldCmp>
> 
> 
> 
> I am looking at a work issue right now, if I get done soon I 
> will spin up my W2K3 test environment and test it, but again 
> I would be shocked to death if it didn't work. 
> 
>   joe
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Michael B. Smith
> Sent: Tuesday, January 27, 2004 10:36 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> The application does indeed use LDAP.
> 
> It _appears_ that the issue is the API ldap_simple_bind_s. 
> 
> MSDN documentation says that nothing Microsoft supplies uses 
> that API in Windows XP. One may reasonably extrapolate that 
> to include Windows 2003. But I can't find anything that 
> states that the API was deprecated between Windows 2000 and 
> Windows 2003. Or between Windows 2000 SP3 and SP4 (although 
> there are minor hints).
> 
> I've turned on auditing (hours ago) and almost nothing shows 
> -- either success or failure. I don't know what it takes to 
> trigger an audit event, but a simple ldap query doesn't seem 
> to do it, or a failed ldap_simple_bind_s.
> 
> I've suggested (requested) a change to ldap_bind_s but is 
> there documentation somewhere that I am missing that says 
> ldap_simple_bind_s will no longer work properly?
> 
> Thanks for your hint, it got me headed down the proper path.
> 
> Michael
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> GRILLENMEIER,GUIDO (HP-Germany,ex1)
> Sent: Tuesday, January 27, 2004 2:48 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> yes, there are various security changes in Win2k3, incl. 
> different default ACLs on various objects.
> 
> But as you've created a special account for the app, you 
> shouldn't need to enable anonymous LDAP operations on your 
> Win2k3 DCs => however, the app needs to leverage the 
> credentials correctly to bind to the LDAP server (the DC).
> 
> The real question is: what does the app really do? Do they 
> even perform LDAP queries or do they use some NT4 APIs to 
> read data from AD (I've seen this too many times, although 
> the vendor swore they were not).
> You need to understand what the App does, before you can 
> apply the correct security - as you've mentioned, often you 
> don't need to change anything if all the app requires is 
> to list user accounts or groups etc.
> 
> A good place to start to help figure out this issue is 
> AUDITING: go to your Default DC policy and enable "Audit 
> directory service access" for success and failure 
> (preferably in a lab, of course). Then start up your 
> misbehaving application, wait for it to fail and take some 
> time to wade through the security event logs => often you can 
> find a particular AD object (incl. the DN) which an app tries 
> to access when it fails.  This gives you new options to check 
> out the permissions really required by the app (or to tell 
> the vendor how to correct a problem in their application).
> 
> /Guido
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Michael B. Smith
> Sent: Tuesday, January 27, 2004 4:51 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> I run an application (ModusGate by Vircom, if anyone cares) 
> that requires "read access" (their phrasing) to A/D for LDAP queries.
>  
> In Windows 2000, this was easily done in ADU&C -- create a user,
> View->Advanced, properties on the domain, Security tab, add
> the user and grant "READ".
>  
> I can do exactly the same thing in Windows 2003, but it 
> doesn't work anymore (and, in fact, the way I read the 
> permissions I shouldn't even need to do it with the change in 
> the default permissions). The ONLY account that works is the 
> Administrator account. I can create an account, add it to 
> domain admins, enterprise admins, blah blah blah -- so it 
> looks just like Administrator and it still fails. So, I 
> presumed it was User Rights -- so I add this account and give 
> it the same everything there too (in Domain Controller Policy 
> and Domain Policy). Still no joy.
>  
> Applied change suggested in KB 326690. Still no joy.
>  
> Vircom is baffled as well, they say.
>  
> Any hints or suggestions for me?
>  
> Thanks.
>  
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
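Two points in the thread above are worth seeing in bytes rather than prose: joe's remark that a NetMon trace of an ldap_simple_bind_s() call shows the bind "nearly in clear text including the password", and his list of the three bind-name forms AD accepts for a simple bind (NetBIOS domain\user, UPN, DN). The example below is added here and is not code from the thread or from adfind; it builds LDAPv3 simple BindRequest PDUs by hand per RFC 4511 and decodes them the way a sniffer's LDAP parser would. The principal names and the password are constructed sample values (the vtest.local names mirror the adfind test output above but are used only as strings). RFC 4511 types the bind name as an LDAPDN; that AD also accepts the NetBIOS and UPN spellings is the thread's claim, and the encoder treats all three identically because on the wire they are just the name octet string.

```python
"""Build and decode LDAPv3 simple BindRequest PDUs (RFC 4511) to show what a
network trace of ldap_simple_bind_s() actually carries: the bind name in
whichever form the caller supplied, and the password as plain octets."""
from typing import Dict, Tuple

# Constructed sample principals and password for this example only.
BIND_PRINCIPALS = {
    "netbios": "vtest\\testuser",
    "upn": "testuser@vtest.local",
    "dn": "CN=testuser,CN=Users,DC=vtest,DC=local",
}
SAMPLE_PASSWORD = "Password1"  # constructed; never reuse a real one in a demo


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement encoding."""
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def build_simple_bind(message_id: int, name: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE {
        version INTEGER, name LDAPDN, authentication CHOICE { simple [0] OCTET STRING } }"""
    bind_req = _tlv(
        0x60,  # [APPLICATION 0], constructed
        _ber_int(version)
        + _tlv(0x04, name.encode("utf-8"))        # name, however the client spelled it
        + _tlv(0x80, password.encode("utf-8")),   # [0] simple: the password, unprotected
    )
    return _tlv(0x30, _ber_int(message_id) + bind_req)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(pdu: bytes) -> Dict[str, object]:
    """Decode a BindRequest; raise ValueError for anything that is not a
    simple bind (a SASL bind carries authentication tag 0xA3 instead)."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    tag, ver, pos = _read_tlv(op, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    if auth_tag != 0x80:
        raise ValueError("authentication is not simple (SASL binds use tag 0xA3)")
    return {
        "messageID": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "name": name.decode("utf-8"),
        "password": auth.decode("utf-8"),
    }


def password_visible_on_wire(pdu: bytes, password: str) -> bool:
    """joe's point: with a simple bind the password is a literal substring of the PDU."""
    return password.encode("utf-8") in pdu


if __name__ == "__main__":
    for form, principal in BIND_PRINCIPALS.items():
        pdu = build_simple_bind(1, principal, SAMPLE_PASSWORD)
        print(f"{form:8s} {len(pdu):3d} bytes  {pdu.hex()}")
        print("         decoded:", parse_simple_bind(pdu))
```

Run it and compare the hex against a NetMon or Wireshark capture of the application's bind: the same 0x60 BindRequest, the same name octets, and the password sitting right after the 0x80 tag. If the capture shows 0xA3 instead, the client is doing a SASL (GSS-SPNEGO/Kerberos) bind, which is what the MSDN note about Microsoft components not using ldap_simple_bind_s() amounts to in practice.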

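joe mentions writing a Perl script to pull the objects with duplicate proxyAddresses out of some 220k objects, and Michael notes that Exchange rejects such duplicates. The following is an added example, not joe's script, of the same check in Python over a constructed list of (DN, proxyAddresses) records standing in for an LDAP search result. It assumes Exchange's rule that proxy addresses are compared case-insensitively (so "SMTP:Joe@X.com" and "smtp:joe@x.com" collide) and that exactly one upper-case "SMTP:" entry marks the primary address; the DNs and addresses are made up.

```python
"""Find duplicate and malformed proxyAddresses values across AD objects.
SAMPLE_OBJECTS is constructed test data in place of an LDAP search result."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample records: (distinguishedName, proxyAddresses values).
SAMPLE_OBJECTS: List[Tuple[str, List[str]]] = [
    ("CN=joe,CN=Users,DC=joehome,DC=com",
     ["SMTP:joe@joehome.com", "smtp:jrichards@joehome.com",
      "X400:c=US;a= ;p=JoeHome;o=Exchange;s=Richards;g=Joe;"]),
    ("CN=Joe Richards (contact),OU=Contacts,DC=joehome,DC=com",
     ["SMTP:Joe@JoeHome.com"]),                              # same as joe's primary, case aside
    ("CN=bob,CN=Users,DC=joehome,DC=com",
     ["SMTP:bob@joehome.com", "SMTP:robert@joehome.com"]),   # two primaries
    ("CN=alice,CN=Users,DC=joehome,DC=com",
     ["smtp:alice@joehome.com", "alice@joehome.com"]),       # no type prefix, no primary
]


def normalize(proxy: str) -> Optional[str]:
    """Comparison key 'type:address' in lower case, or None if the value has
    no 'TYPE:' prefix. Assumes Exchange compares proxy addresses case-insensitively."""
    if ":" not in proxy:
        return None
    addr_type, addr = proxy.split(":", 1)
    if not addr_type or not addr.strip():
        return None
    return f"{addr_type.lower()}:{addr.strip().lower()}"


def find_duplicates(objects: List[Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """Return normalized addresses that appear on more than one object,
    mapped to the DNs that carry them (the 64-out-of-220k list)."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for dn, proxies in objects:
        seen_here = set()               # the same address twice on one object is not a cross-object dupe
        for p in proxies:
            key = normalize(p)
            if key is None or key in seen_here:
                continue
            seen_here.add(key)
            owners[key].append(dn)
    return {k: v for k, v in owners.items() if len(v) > 1}


def find_malformed(objects: List[Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """Per-object garbage: values without a type prefix, and objects that do
    not have exactly one primary (upper-case 'SMTP:') address."""
    problems: Dict[str, List[str]] = {}
    for dn, proxies in objects:
        issues = []
        unprefixed = [p for p in proxies if normalize(p) is None]
        if unprefixed:
            issues.append(f"no type prefix: {unprefixed}")
        primaries = [p for p in proxies if p.startswith("SMTP:")]
        if len(primaries) != 1:
            issues.append(f"{len(primaries)} primary SMTP addresses")
        if issues:
            problems[dn] = issues
    return problems


if __name__ == "__main__":
    for addr, dns in find_duplicates(SAMPLE_OBJECTS).items():
        print(f"DUPLICATE {addr}")
        for dn in dns:
            print(f"    {dn}")
    for dn, issues in find_malformed(SAMPLE_OBJECTS).items():
        print(f"MALFORMED {dn}: {'; '.join(issues)}")
```

In a real run the records would come from a paged LDAP search for (proxyAddresses=*) returning distinguishedName and proxyAddresses; the comparison and reporting are the same, and the output is the list to take to whoever does the provisioning.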