I hate those friggin obscure links Microsoft uses all the time....

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, January 29, 2004 8:31 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> 
> http://microsoft.com/mps 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Wednesday, January 28, 2004 7:58 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> 
> Have a link to the MPS?
> 
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -----Original Message-----
> > From: Michael B. Smith [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, January 28, 2004 1:24 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> > 
> > 
> > Doing non-GUI provisioning for Exchange is a PITA, at best. 
> > Not to mention poorly documented. I've got way too many lines of 
> > vbscript for my environment, and even so, I couldn't figure out how to
> > do some of it in script (primarily address list ACEs).
> > 
> > Microsoft's MPS for Exchange 2003 is _slick_. But I haven't had a 
> > chance to spend any time looking under the hood yet.
> > 
> > While you're here -- some info/questions about a tool near/dear to 
> > your heart -- adfind:
> > 
> > It appears to have an off-by-one error (or something) -- it doesn't 
> > seem to display the primary group for a user in the memberOf attribute
> > (does that mean it isn't there?)
> > 
> > Prolly somewhat related to the above, it doesn't decode primaryGroupID
> > into a name.
> > 
> > msExchMailboxSecurityDescriptor: â <-- displays a non-printable 
> > character here
> > 
> > It would be nice to be able to suppress the display of blobs (like 
> > msExchRecordedName and mSMQSignCertificates).
> > 
> > Thanks again,
> > Michael
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of joe
> > Sent: Wednesday, January 28, 2004 1:07 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> > 
> > 
> > LOL no problem... Joe's late night troubleshooting service at your...
> > Well service.
> > 
> > Now we have found we actually have a bunch of garbage in many of our
> > proxyaddresses attributes... Trying to pull all that out... Another
> > perl script of course.  Going to have to chat with the people who do
> > the data provisioning in the morning....
> > 
> > 
> >   joe
> >  
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. 
> > Smith
> > Sent: Wednesday, January 28, 2004 12:52 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> > 
> > Word.
> > 
> > Word. Word. Word.
> > 
> > Note: those are all four-letter words.
> > 
> > Those other combinations WORK on both Windows 2000 and Windows 2003.
> > To date, I'd used what the manual and the vendor support staff said to
> > use. (And no, I don't know why it failed otherwise, and I find myself
> > not horribly concerned, now that I have something that works.)
> > 
> > Thanks for talking me through this.
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of joe
> > Sent: Wednesday, January 28, 2004 12:07 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> > 
> > 
> > Actually with AD you can specify the bind principal as
> > 
> >     NetBIOS name:  domain\username
> >     UPN             :  [EMAIL PROTECTED]   (Assuming that 
> > is the UPN)
> >     DN              :  cn=user,ou=blah,dc=blah,dc=com
> > 
> > Should be able to do the same with your program as well unless they do
> > a sanity check on the input and define sane as DN format only...
> > 
> > You can use the same DN for adfind if you would like as well to test
> > it. I just usually tell people the netbios form because they are more
> > familiar with it.
> > 
> > On the PS... We are working it out and yes it does seem to not like 
> > it...
> > 
> > 
> >   joe
> > 
> >  
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. 
> > Smith
> > Sent: Tuesday, January 27, 2004 11:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> > 
> > Adfind works just dandy on w2k3. I tested it too, with -simple.
> > 
> > Another question on ldap_simple_bind_s()....
> > 
> > What is the format of the DN parameter?
> > 
> > This application has me specify the user as 
> > CN=username,CN=Users,DC=domain,DC=com along with a base DN for the 
> > search (DC=domain,DC=com) whereas adfind needs the base in the same 
> > format, but requires the username parameter in the 
> > netbiosdomainname\username format.
> > 
> > Does adfind rewrite the username or could this be where the change is?
> > 
> > Thanks!
> > 
> > Michael
> > 
> > PS: Exchange hates duplicate proxyAddresses. Whose code let THAT slip
> > by? :-)
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of joe
> > Sent: Tuesday, January 27, 2004 11:07 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> > 
> > 
> > Heh, I was done with work faster than I expected. You have got to love
> > perl... :op  We seem to have a small issue with multiple user/contact
> > objects having the same proxy addresses and it is throwing errors on
> > the E2K servers and I had to go find all the dupes out of some 220k
> > objects with the proxyaddresses attribute... There were 64...
> > 
> > 
> > Ok back to the problem at hand; I tested this against one of my W2K3
> > Test DCs running in a VPC session... As expected it worked fine.
> > 
> > You might want to get a network trace of the traffic between the DC 
> > and the server trying to talk to the DC, I am curious.
> > If they are indeed using just simple LDAP calls ala ldap_simple_bind_s
> > you will totally see that traffic nearly in clear text in NetMon
> > including the password being sent.
> > You will see right where it is failing.
> > 
> > Actually let me get on the podium for a minute on the benefits of
> > network tracing and your friendly neighborhood LDAP apps... It is good
> > to do to understand what calls the LDAP is making to see how bad or
> > how good it is. You will find a lot of LDAP apps make a lot of
> > unnecessary calls (<cough>e2k<cough>) and do a lot of unnecessary
> > authentications. I would say one of my favorite "screwups" is an app
> > that authenticates people and the way it does it is it binds with an
> > app ID to do a search of the user's dn and then unbinds and rebinds
> > with the user's dn... This is great, 2 authentications for every one
> > needed. Anyway, if you can find the time, it is always good to look at
> > the apps and profile the traffic they generate and the queries they
> > use so you can catch those stupid objectclass=something queries
> > (<cough>e2k<cough>) and other inefficient things (<cough>e2k<cough>).
> > You can also do this by cranking up various debugging on your DC but
> > you usually don't want to do that with a prod box. NetMON is much
> > lighter...
> > 
> > Just so I don't go away without insulting at least one person.... If
> > you call yourself an admin and DO NOT know how to use some sort of
> > network analysis/sniffer tool, you really need to do your job and go
> > learn one. This is invaluable for solving problems around AD and
> > computers in general.
> > Otherwise when you get that weird issue where some network switch or
> > router is throwing away UDP packets from the Kerberos authentication
> > process you will have to have someone who knows how to do the job come
> > in and do it. It is also very handy for DNS issues.
> > 
> > 
> > 
> > [Tue 01/27/2004 22:54:00.81]
> > F:\DEV\cpp\OldCmp>Adfind -h vw2k3a -default -f name=administrator 
> > -simple -u vtest\testuser -up Password1
> > 
> > AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
> > 
> > Using server: VW2K3a.vtest.local
> > Base DN: DC=vtest,DC=local
> > 
> > dn:CN=Administrator,CN=Users,DC=vtest,DC=local
> > >objectClass: top
> > >objectClass: person
> > >objectClass: organizationalPerson
> > >objectClass: user
> > >cn: Administrator
> > >description: Built-in account for administering the computer/domain
> > >distinguishedName: CN=Administrator,CN=Users,DC=vtest,DC=local
> > >instanceType: 4
> > >whenCreated: 20031026153618.0Z
> > >whenChanged: 20031230164947.0Z
> > >uSNCreated: 8194
> > >memberOf: CN=TestUni,CN=Users,DC=vtest,DC=local
> > >memberOf: CN=Group Policy Creator Owners,CN=Users,DC=vtest,DC=local
> > >memberOf: CN=Domain Admins,CN=Users,DC=vtest,DC=local
> > >memberOf: CN=Enterprise Admins,CN=Users,DC=vtest,DC=local
> > >memberOf: CN=Schema Admins,CN=Users,DC=vtest,DC=local
> > >memberOf: CN=Administrators,CN=Builtin,DC=vtest,DC=local
> > >uSNChanged: 28711
> > >name: Administrator
> > >objectGUID: {AE5284F2-257D-479D-8776-F46BDAE17028}
> > >userAccountControl: 66048
> > >badPwdCount: 0
> > >codePage: 0
> > >countryCode: 0
> > >badPasswordTime: 127122886467739888
> > >lastLogoff: 0
> > >lastLogon: 127172765879264320
> > >pwdLastSet: 127115734585121920
> > >primaryGroupID: 513
> > >objectSid: S-1-5-21-1851711904-3339057820-1962739558-500
> > >adminCount: 1
> > >accountExpires: 9223372036854775807
> > >logonCount: 32
> > >sAMAccountName: Administrator
> > >sAMAccountType: 805306368
> > >objectCategory: 
> > CN=Person,CN=Schema,CN=Configuration,DC=vtest,DC=local
> > >isCriticalSystemObject: TRUE
> > >lastLogonTimestamp: 127172765879264320
> > 
> > 
> > 1 Objects returned
> > 
> > [Tue 01/27/2004 22:55:04.82]
> > F:\DEV\cpp\OldCmp>
> > 
> > 
> > 
> >  
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Tuesday, January 27, 2004 10:44 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> > 
> > I would have to say no, ldap_bind_s is still fine and dandy.
> > Taking that away would break nearly every UNIX LDAP app written it
> > would appear as they all like it because it is simple. It would also
> > break many Windows Apps that were ported from UNIX because they didn't
> > know better.
> > 
> > If you want to do a simple test, grab adfind and do this
> > 
> > Adfind -h domaincontroller -default -f name=someobjectname -simple -u
> > domain\user -up userpassword
> > 
> > Ex:
> > 
> > [Tue 01/27/2004 22:41:29.41]
> > F:\DEV\cpp\OldCmp>Adfind -h w2kasdc1 -default -f name=joe -simple -u
> > joehome\joebob -up test
> > 
> > AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
> > 
> > Using server: w2kasdc1.joehome.com
> > Base DN: DC=joehome,DC=com
> > 
> > dn:CN=joe,CN=Users,DC=joehome,DC=com
> > >directReports: CN=$$jricha34,CN=Users,DC=joehome,DC=com
> > >managedObjects: CN=_DIST_TestGroup,OU=Test,DC=joehome,DC=com
> > >accountExpires: 127193976000000000
> > >badPasswordTime: 127182179962809320
> > >badPwdCount: 0
> > >codePage: 0
> > >cn: joe
> > >countryCode: 0
> > >instanceType: 4
> > >lastLogoff: 0
> > >lastLogon: 127193024241243522
> > >lockoutTime: 0
> > >logonCount: 91
> > >logonHours: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF
> > >msNPAllowDialin: TRUE
> > >distinguishedName: CN=joe,CN=Users,DC=joehome,DC=com
> > >objectCategory: 
> > CN=Person,CN=Schema,CN=Configuration,DC=joehome,DC=com
> > >objectClass: top
> > >objectClass: person
> > >objectClass: organizationalPerson
> > >objectClass: user
> > >objectGUID: {DF6AC5DC-3EBA-41FD-8893-E1ED7FAA5929}
> > >objectSid: S-1-5-21-1275210071-789336058-1957994488-218285
> > >primaryGroupID: 513
> > >pwdLastSet: 127189408129723189
> > >name: joe
> > >sAMAccountName: joe
> > >sAMAccountType: 805306368
> > >telephoneNumber: 555
> > >userAccountControl: 512
> > >userParameters: m:                    d
> > >uSNChanged: 1257854
> > >uSNCreated: 1163453
> > >whenChanged: 20040123043244.0Z
> > >whenCreated: 20021022040334.0Z
> > 
> > 
> > 1 Objects returned
> > 
> > [Tue 01/27/2004 22:42:19.51]
> > F:\DEV\cpp\OldCmp>
> > 
> > 
> > 
> > I am looking at a work issue right now, if I get done soon I will spin
> > up my W2K3 test environment and test it, but again I would be shocked
> > to death if it didn't work.
> > 
> >   joe
> > 
> >  
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. 
> > Smith
> > Sent: Tuesday, January 27, 2004 10:36 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> > 
> > The application does indeed use LDAP.
> > 
> > It _appears_ that the issue is the API ldap_simple_bind_s. 
> > 
> > MSDN documentation says that nothing Microsoft supplies uses that API
> > in Windows XP. One may reasonably extrapolate that to include Windows
> > 2003. But I can't find anything that states that the API was
> > deprecated between Windows 2000 and Windows 2003. Or between Windows
> > 2000 sp3 and sp4 (although there are minor hints).
> > 
> > I've turned on auditing (hours ago) and almost nothing shows
> > -- either success or failure. I don't know what it takes to trigger an
> > audit event, but a simple ldap query doesn't seem to do it, or a
> > failed ldap_simple_bind_s.
> > 
> > I've suggested (requested) a change to ldap_bind_s but is there
> > documentation somewhere that I am missing that says ldap_simple_bind_s
> > will no longer work properly?
> > 
> > Thanks for your hint, it got me headed down the proper path.
> > 
> > Michael
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > GRILLENMEIER,GUIDO (HP-Germany,ex1)
> > Sent: Tuesday, January 27, 2004 2:48 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
> > 
> > yes, there are various security changes in Win2k3, incl. 
> > different default ACLs on various objects.
> > 
> > But as you've created a special account for the app, you shouldn't 
> > need to enable anonymous LDAP operations on your
> > Win2k3 DCs => however, the app needs to leverage the credentials 
> > correctly to bind to the LDAP server (the DC).
> > 
> > The real question is: what does the app really do? Do they even
> > perform LDAP queries or do they use some NT4 APIs to read data from AD
> > (I've seen this too many times, although the vendor swore they were
> > not).
> > You need to understand what the App does, before you can apply the 
> > correct security - as you've mentioned, often you don't require to 
> > change anything if all the app requires is to list user accounts or 
> > groups etc.
> > 
> > A good place to start to help figure out this issue is
> > AUDITING: go to your Default DC policy and enable "Audit directory
> > service access" for success and failure (preferably in a lab,
> > of course). Then start up your mis-behaving Application, wait for it to
> > fail and take some time to wade through the security Eventlogs =>
> > often you can find a particular AD object (incl. the DN) which an app
> > tries to access when it fails.  This gives you new options to check
> > out the permissions really required by the app (or to tell the vendor
> > how to correct a problem in their application).
> > 
> > /Guido
> > 
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. 
> > Smith
> > Sent: Dienstag, 27. Januar 2004 16:51
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Change in A/D security between 2k and 2k3
> > 
> > I run an application (ModusGate by Vircom, if anyone cares) that 
> > requires "read access" (their phrasing) to A/D for LDAP queries.
> >  
> > In Windows 2000, this was easily done in ADU&C -- create a user,
> > View->Advanced, properties on the domain, Security tab, add
> > the user and
> > grant "READ".
> >  
> > I can do exactly the same thing in Windows 2003, but it doesn't work
> > anymore (and, in fact, the way I read the permissions I shouldn't even
> > need to do it with the change in the default permissions). The ONLY
> > account that works is the Administrator account. I can create an
> > account, add it to domain admins, enterprise admins, blah blah blah --
> > so it looks just like Administrator and it still fails. So, I presumed
> > it was User Rights -- so I add this account and give it the same
> > everything there too (in Domain Controller Policy and Domain Policy).
> > Still no joy.
> >  
> > Applied change suggested in KB 326690. Still no joy.
> >  
> > Vircom is baffled as well, they say.
> >  
> > Any hints or suggestions for me?
> >  
> > Thanks.
> >  
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> > 
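Michael's adfind questions above (the primary group missing from memberOf, primaryGroupID not decoded) come down to how AD stores primary group membership. The Python below is an added example, not code from the thread or from adfind: it parses a trimmed copy of the record joe posted and rebuilds the primary group SID from objectSid plus primaryGroupID, and it expands userAccountControl into flag names. The UAC bit values and well-known RIDs are assumed from the public AD documentation.

```python
# Constructed sample (not the thread's text): a trimmed record in the shape
# adfind prints, using the attribute values from joe's posted output.
SAMPLE_RECORD = """dn:CN=Administrator,CN=Users,DC=vtest,DC=local
>memberOf: CN=Domain Admins,CN=Users,DC=vtest,DC=local
>memberOf: CN=Administrators,CN=Builtin,DC=vtest,DC=local
>userAccountControl: 66048
>primaryGroupID: 513
>objectSid: S-1-5-21-1851711904-3339057820-1962739558-500
>sAMAccountName: Administrator
"""

# Subset of the documented userAccountControl bits (assumed from the public list).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# Well-known domain RIDs that commonly appear in primaryGroupID (assumed).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers"}


def parse_adfind_record(text):
    """Parse one adfind record into {attribute: [values]}, keeping every
    line of multi-valued attributes such as memberOf."""
    rec = {}
    for line in text.splitlines():
        if line.startswith("dn:"):
            rec["dn"] = [line[3:].strip()]
        elif line.startswith(">"):
            attr, _, value = line[1:].partition(":")
            rec.setdefault(attr.strip(), []).append(value.strip())
    return rec


def primary_group_sid(rec):
    """memberOf never lists the primary group: AD stores it as a RID in
    primaryGroupID, so rebuild the group SID from the user's domain SID."""
    domain_sid = rec["objectSid"][0].rpartition("-")[0]
    rid = int(rec["primaryGroupID"][0])
    return f"{domain_sid}-{rid}", WELL_KNOWN_RIDS.get(rid, "unknown RID")


def decode_uac(rec):
    """Expand the numeric userAccountControl into the names of its set bits."""
    value = int(rec["userAccountControl"][0])
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def effective_groups(rec):
    """Direct memberOf DNs plus the primary group that memberOf omits."""
    sid, name = primary_group_sid(rec)
    return rec.get("memberOf", []) + [f"{sid} ({name}, via primaryGroupID)"]


if __name__ == "__main__":
    record = parse_adfind_record(SAMPLE_RECORD)
    print("userAccountControl:", decode_uac(record))
    for group in effective_groups(record):
        print("group:", group)
```

For the posted record this reports 66048 as NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD and adds Domain Users (RID 513) to the two memberOf entries, which is the membership adfind's memberOf listing alone cannot show.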