http://microsoft.com/mps 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, January 28, 2004 7:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3

Have a link to the MPS?

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Michael B. Smith [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 28, 2004 1:24 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> 
> Doing non-GUI provisioning for Exchange is a PITA, at best. 
> Not to mention poorly documented. I've got way too many lines of 
> vbscript for my environment, and even so, I couldn't figure out how to 
> do some of it in script (primarily address list ACEs).
> 
> Microsoft's MPS for Exchange 2003 is _slick_. But I haven't had a 
> chance to spend any time looking under the hood yet.
> 
> While you're here -- some info/questions about a tool near/dear to 
> your heart -- adfind:
> 
> It appears to have an off-by-one error (or something) -- it doesn't 
> seem to display the primary group for a user in the memberOf attribute 
> (does that mean it isn't there?)
> 
> Prolly somewhat related to the above, it doesn't decode primaryGroupID 
> into a name.
> 
> msExchMailboxSecurityDescriptor: â <-- displays a non-printable 
> character here
> 
> It would be nice to be able to suppress the display of blobs (like 
> msExchRecordedName and mSMQSignCertificates).
> 
> Thanks again,
> Michael
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of joe
> Sent: Wednesday, January 28, 2004 1:07 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> 
> LOL no problem... Joe's late night troubleshooting service at your... 
> Well service.
> 
> Now we have found we actually have a bunch of garbage in many of our 
> proxyaddresses attributes... Trying to pull all that out... Another 
> perl script of course.  Going to have to chat with the people who do 
> the data provisioning in the morning....
> 
> 
>   joe
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
> Sent: Wednesday, January 28, 2004 12:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> Word.
> 
> Word. Word. Word.
> 
> Note: those are all four-letter words.
> 
> Those other combinations WORK on both Windows 2000 and Windows 2003. 
> To date, I'd used what the manual and the vendor support staff said to 
> use. (And no, I don't know why it failed otherwise, and I find myself 
> not horribly concerned, now that I have something that works.)
> 
> Thanks for talking me through this.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of joe
> Sent: Wednesday, January 28, 2004 12:07 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> 
> Actually with AD you can specify the bind principal as
> 
>       NetBIOS name: domain\username
>       UPN:          [EMAIL PROTECTED]   (assuming that is the UPN)
>       DN:           cn=user,ou=blah,dc=blah,dc=com
> 
> Should be able to do the same with your program as well unless they do 
> a sanity check on the input and define sane as DN format only...
> 
> You can use the same DN for adfind if you would like as well to test 
> it. I just usually tell people the netbios form because they are more 
> familiar with it.
> 
> On the PS... We are working it out and yes it does seem to not like 
> it...
> 
> 
>   joe
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
> Sent: Tuesday, January 27, 2004 11:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> Adfind works just dandy on w2k3. I tested it too, with -simple.
> 
> Another question on ldap_simple_bind_s()....
> 
> What is the format of the DN parameter?
> 
> This application has me specify the user as 
> CN=username,CN=Users,DC=domain,DC=com along with a base DN for the 
> search (DC=domain,DC=com) whereas adfind needs the base in the same 
> format, but requires the username parameter in the 
> netbiosdomainname\username format.
> 
> Does adfind rewrite the username or could this be where the change is?
> 
> Thanks!
> 
> Michael
> 
> PS: Exchange hates duplicate proxyAddresses. Whose code let THAT slip 
> by? :-)
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of joe
> Sent: Tuesday, January 27, 2004 11:07 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> 
> Heh, I was done with work faster than I expected. You have got to love 
> perl... :op  We seem to have a small issue with multiple user/contact 
> objects having the same proxy addresses and it is throwing errors on 
> the E2K servers and I had to go find all the dupes out of some 220k 
> objects with the proxyaddresses attribute... There were 64...
> 
> 
> Ok back to the problem at hand; I tested this against one of my W2K3 
> Test DCs running in a VPC session... As expected it worked fine.
> 
> You might want to get a network trace of the traffic between the DC 
> and the server trying to talk to the DC, I am curious.
> If they are indeed using just simple LDAP calls ala ldap_simple_bind_s 
> you will totally see that traffic nearly in clear text in NetMon 
> including the password being sent.
> You will see right where it is failing. 
> 
> Actually let me get on the podium for a minute on the benefits of 
> network tracing and your friendly neighborhood LDAP apps... It is good 
> to do to understand what calls the LDAP is making to see how bad or 
> how good it is. You will find a lot of LDAP apps make a lot of 
> unnecessary calls (<cough>e2k<cough>) and do a lot of unnecessary 
> authentications. I would say one of my favorite "screwups" is an app 
> that authenticates people and the way it does it is it binds with an 
> app ID to do a search of the user's dn and then unbinds and rebinds 
> with the user's dn... This is great, 2 authentications for every one 
> needed. Anyway, if you can find the time, it is always good to look at 
> the apps and profile the traffic they generate and the queries they 
> use so you can catch those stupid objectclass=something queries
> (<cough>e2k<cough>) and other inefficient things (<cough>e2k<cough>). 
> You can also do this by cranking up various debugging on your DC but 
> you usually don't want to do that with a prod box. NetMON is much 
> lighter...
> 
> Just so I don't go away without insulting at least one person.... If 
> you call yourself an admin and DO NOT know how to use some sort of 
> network analysis/sniffer tool, you really need to do your job and go 
> learn one. This is invaluable for solving problems around AD and 
> computers in general.
> Otherwise when you get that weird issue where some network switch or 
> router is throwing away UDP packets from the Kerberos authentication 
> process you will have to have someone who knows how to do the job come 
> in and do it. It is also very handy for DNS issues.
> 
> 
> 
> [Tue 01/27/2004 22:54:00.81]
> F:\DEV\cpp\OldCmp>Adfind -h vw2k3a -default -f name=administrator -simple -u vtest\testuser -up Password1
> 
> AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
> 
> Using server: VW2K3a.vtest.local
> Base DN: DC=vtest,DC=local
> 
> dn:CN=Administrator,CN=Users,DC=vtest,DC=local
> >objectClass: top
> >objectClass: person
> >objectClass: organizationalPerson
> >objectClass: user
> >cn: Administrator
> >description: Built-in account for administering the computer/domain
> >distinguishedName: CN=Administrator,CN=Users,DC=vtest,DC=local
> >instanceType: 4
> >whenCreated: 20031026153618.0Z
> >whenChanged: 20031230164947.0Z
> >uSNCreated: 8194
> >memberOf: CN=TestUni,CN=Users,DC=vtest,DC=local
> >memberOf: CN=Group Policy Creator Owners,CN=Users,DC=vtest,DC=local
> >memberOf: CN=Domain Admins,CN=Users,DC=vtest,DC=local
> >memberOf: CN=Enterprise Admins,CN=Users,DC=vtest,DC=local
> >memberOf: CN=Schema Admins,CN=Users,DC=vtest,DC=local
> >memberOf: CN=Administrators,CN=Builtin,DC=vtest,DC=local
> >uSNChanged: 28711
> >name: Administrator
> >objectGUID: {AE5284F2-257D-479D-8776-F46BDAE17028}
> >userAccountControl: 66048
> >badPwdCount: 0
> >codePage: 0
> >countryCode: 0
> >badPasswordTime: 127122886467739888
> >lastLogoff: 0
> >lastLogon: 127172765879264320
> >pwdLastSet: 127115734585121920
> >primaryGroupID: 513
> >objectSid: S-1-5-21-1851711904-3339057820-1962739558-500
> >adminCount: 1
> >accountExpires: 9223372036854775807
> >logonCount: 32
> >sAMAccountName: Administrator
> >sAMAccountType: 805306368
> >objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=vtest,DC=local
> >isCriticalSystemObject: TRUE
> >lastLogonTimestamp: 127172765879264320
> 
> 
> 1 Objects returned
> 
> [Tue 01/27/2004 22:55:04.82]
> F:\DEV\cpp\OldCmp>
> 
> 
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, January 27, 2004 10:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> I would have to say no, ldap_bind_s is still fine and dandy. 
> Taking that away would break nearly every UNIX LDAP app written it 
> would appear as they all like it because it is simple. It would also 
> break many Windows Apps that were ported from UNIX because they didn't 
> know better.
> 
> If you want to do a simple test, grab adfind and do this
> 
> Adfind -h domaincontroller -default -f name=someobjectname -simple -u domain\user -up userpassword
> 
> Ex:
> 
> [Tue 01/27/2004 22:41:29.41]
> F:\DEV\cpp\OldCmp>Adfind -h w2kasdc1 -default -f name=joe -simple -u joehome\joebob -up test
> 
> AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
> 
> Using server: w2kasdc1.joehome.com
> Base DN: DC=joehome,DC=com
> 
> dn:CN=joe,CN=Users,DC=joehome,DC=com
> >directReports: CN=$$jricha34,CN=Users,DC=joehome,DC=com
> >managedObjects: CN=_DIST_TestGroup,OU=Test,DC=joehome,DC=com
> >accountExpires: 127193976000000000
> >badPasswordTime: 127182179962809320
> >badPwdCount: 0
> >codePage: 0
> >cn: joe
> >countryCode: 0
> >instanceType: 4
> >lastLogoff: 0
> >lastLogon: 127193024241243522
> >lockoutTime: 0
> >logonCount: 91
> >logonHours: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF
> >msNPAllowDialin: TRUE
> >distinguishedName: CN=joe,CN=Users,DC=joehome,DC=com
> >objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joehome,DC=com
> >objectClass: top
> >objectClass: person
> >objectClass: organizationalPerson
> >objectClass: user
> >objectGUID: {DF6AC5DC-3EBA-41FD-8893-E1ED7FAA5929}
> >objectSid: S-1-5-21-1275210071-789336058-1957994488-218285
> >primaryGroupID: 513
> >pwdLastSet: 127189408129723189
> >name: joe
> >sAMAccountName: joe
> >sAMAccountType: 805306368
> >telephoneNumber: 555
> >userAccountControl: 512
> >userParameters: m:                    d
> >uSNChanged: 1257854
> >uSNCreated: 1163453
> >whenChanged: 20040123043244.0Z
> >whenCreated: 20021022040334.0Z
> 
> 
> 1 Objects returned
> 
> [Tue 01/27/2004 22:42:19.51]
> F:\DEV\cpp\OldCmp>
> 
> 
> 
> I am looking at a work issue right now, if I get done soon I will spin 
> up my W2K3 test environment and test it, but again I would be shocked 
> to death if it didn't work.
> 
>   joe
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
> Sent: Tuesday, January 27, 2004 10:36 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> The application does indeed use LDAP.
> 
> It _appears_ that the issue is the API ldap_simple_bind_s. 
> 
> MSDN documentation says that nothing Microsoft supplies uses that API 
> in Windows XP. One may reasonably extrapolate that to include Windows 
> 2003. But I can't find anything that states that the API was 
> deprecated between Windows 2000 and Windows 2003. Or between windows 
> 2000 sp3 to sp4 (although there are minor hints).
> 
> I've turned on auditing (hours ago) and almost nothing shows
> -- either success or failure. I don't know what it takes to trigger an 
> audit event, but a simple ldap query doesn't seem to do it, or a 
> failed ldap_simple_bind_s.
> 
> I've suggested (requested) a change to ldap_bind_s but is there 
> documentation somewhere that I am missing that says ldap_simple_bind_s 
> will no longer work properly?
> 
> Thanks for your hint, it got me headed down the proper path.
> 
> Michael
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
> Sent: Tuesday, January 27, 2004 2:48 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> yes, there are various security changes in Win2k3, incl. 
> different default ACLs on various objects.
> 
> But as you've created a special account for the app, you shouldn't 
> need to enable anonymous LDAP operations on your
> Win2k3 DCs => however, the app needs to leverage the credentials 
> correctly to bind to the LDAP server (the DC).
> 
> The real question is: what does the app really do? Do they even 
> perform LDAP queries or do they use some NT4 APIs to read data from AD 
> (I've seen this too many times, although the vendor swore they were 
> not).
> You need to understand what the App does, before you can apply the 
> correct security - as you've mentioned, often you don't require to 
> change anything if all the app requires is to list user accounts or 
> groups etc.
> 
> A good place to start to help figure out this issue is
> AUDITING: go to your Default DC policy and enable "Audit directory 
> service access" for success and failure (preferably in a lab, 
> of course). Then start up your mis-behaving Application, wait for it to 
> fail and take some time to wade through the security Eventlogs => 
> often you can find a particular AD object (incl. the DN) which an app 
> tries to access when it fails.  This gives you new options to check 
> out the permissions really required by the app (or to tell the vendor 
> how to correct a problem in their application).
> 
> /Guido
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
> Sent: Tuesday, January 27, 2004 4:51 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> I run an application (ModusGate by Vircom, if anyone cares) that 
> requires "read access" (their phrasing) to A/D for LDAP queries.
>  
> In Windows 2000, this was easily done in ADU&C -- create a user, 
> View->Advanced, properties on the domain, Security tab, add the user 
> and grant "READ".
>  
> I can do exactly the same thing in Windows 2003, but it doesn't work 
> anymore (and, in fact, the way I read the permissions I shouldn't even 
> need to do it with the change in the default permissions). The ONLY 
> account that works is the Administrator account. I can create an 
> account, add it to domain admins, enterprise admins, blah blah blah -- 
> so it looks just like Administrator and it still fails. So, I presumed 
> it was User Rights -- so I add this account and give it the same 
> everything there too (in Domain Controller Policy and Domain Policy). 
> Still no joy.
>  
> Applied change suggested in KB 326690. Still no joy.
>  
> Vircom is baffled as well, they say.
>  
> Any hints or suggestions for me?
>  
> Thanks.
>  
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
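Two of joe's points above are easier to see from the bytes than from the API name: AD accepts the bind principal as a NetBIOS name, a UPN or a DN because on the wire it is just an octet string (so an app that "defines sane as DN format only" is imposing its own restriction), and a simple bind carries the password as a plain octet string, which is why a NetMon trace of ldap_simple_bind_s shows it in the clear. The following is an added example, not code from the thread, from adfind or from any vendor: it BER-encodes and decodes the LDAPv3 BindRequest/BindResponse pair per RFC 4511 with no network access. The sample credentials are the ones from joe's adfind run; the BindResponse bytes are constructed rather than captured, and classify_bind_name is a hypothetical helper of mine (it also flags the empty-name anonymous bind Guido mentions).

```python
"""Encode and decode an LDAPv3 simple bind the way ldap_simple_bind_s() and
adfind -simple put it on the wire. BER per X.690, messages per RFC 4511.
Added example; all sample data is constructed inline."""

SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
ENUMERATED = 0x0A
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0], primitive

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(tag, value):
    """Minimal two's-complement content for a non-negative INTEGER/ENUMERATED."""
    return _tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id, name, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    The name is an opaque OCTET STRING: domain\\user, user@domain or a DN all fit."""
    bind = _tlv(BIND_REQUEST, _int(INTEGER, 3)
                + _tlv(OCTET_STRING, name.encode("utf-8"))
                + _tlv(SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(SEQUENCE, _int(INTEGER, message_id) + bind)


def parse_simple_bind(pdu):
    """Decode a BindRequest the way a sniffer does; the password comes back verbatim."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag_op, op, _ = _read_tlv(msg, pos)
    if tag_op != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag_auth, cred, _ = _read_tlv(op, pos)
    if tag_auth != SIMPLE_AUTH:
        raise ValueError("not a simple bind (a SASL bind carries no cleartext password)")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big", signed=True),
            "name": name.decode("utf-8"), "password": cred.decode("utf-8")}


def classify_bind_name(name):
    """Hypothetical helper: which of the AD-accepted principal forms a bind name uses.
    An empty name is the anonymous bind (RFC 4513) Win2k3 DCs refuse by default."""
    if name == "":
        return "anonymous"
    if "\\" in name:
        return "netbios"
    if "=" in name:
        return "dn"
    if "@" in name:
        return "upn"
    return "unknown"


def build_bind_response(message_id, result_code, matched_dn="", diagnostic=""):
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    result = (_int(ENUMERATED, result_code)
              + _tlv(OCTET_STRING, matched_dn.encode("utf-8"))
              + _tlv(OCTET_STRING, diagnostic.encode("utf-8")))
    return _tlv(SEQUENCE, _int(INTEGER, message_id) + _tlv(BIND_RESPONSE, result))


def parse_bind_response(pdu):
    _, msg, _ = _read_tlv(pdu, 0)
    _, mid, pos = _read_tlv(msg, 0)
    tag_op, op, _ = _read_tlv(msg, pos)
    if tag_op != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched.decode("utf-8"), "diagnostic": diag.decode("utf-8")}


if __name__ == "__main__":
    # Constructed: the bind "adfind -simple -u vtest\testuser -up Password1" sends.
    req = build_simple_bind(1, "vtest\\testuser", "Password1")
    seen = parse_simple_bind(req)
    print("name form:", classify_bind_name(seen["name"]))
    print("password visible in the PDU:", seen["password"].encode() in req)
    print(parse_bind_response(build_bind_response(1, LDAP_INVALID_CREDENTIALS, "", "invalid credentials")))
```

The request for vtest\testuser / Password1 is 37 bytes, and the password is a contiguous substring of it, which is the whole of joe's "nearly in clear text" point: the only protection a simple bind has is the transport (LDAPS or a signed/sealed SASL bind instead). The parser refuses SASL binds rather than guessing at them, since those are the ones where a trace does not hand you the credential.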