Re: [ActiveDir] Who Am I request

2007-01-23 Thread Lee Flight


Using ldp.exe;

A rootDSE query for supportedExtension will give you the OID:

4> supportedExtension:
1.3.6.1.4.1.1466.20037 = ( LDAP_SERVER_START_TLS_OID );
1.3.6.1.4.1.1466.101.119.1 = ( LDAP_TTL_REFRESH_OID );
1.2.840.113556.1.4.1781 = ( LDAP_SERVER_FAST_BIND_OID );
1.3.6.1.4.1.4203.1.11.3 = ( LDAP_SERVER_WHO_AM_I_OID );


Then it's (post bind to be useful)

 Browse - Extended Op
  and paste in the OID (1.3.6.1.4.1.4203.1.11.3) with no Data value.




Lee Flight

On Mon, 22 Jan 2007, Joe Kaplan wrote:

Is there support for WhoAmI in ldp.exe?  It sounds useful and I'd like to try
it.  :)


Joe R.: When will this be added to Adfind (or is it already)?

Joe K.

----- Original Message ----- From: Dmitri Gavrilov [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Monday, January 22, 2007 9:07 AM
Subject: RE: [ActiveDir] Who Am I request


ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support
WhoAmI extended operation per RFC. In addition, they support
rootDSE/tokenGroups attribute, which is exactly what you need to check
self group membership.

If you have pre-LH AD, then what you can do is read tokenGroups off the
user object (which you can find using %USERDOMAIN% and %USERNAME% vars
if you have an interactive session, or by looking up user SID from the
token). Note tokenGroups value can vary slightly depending on which DC
you connect to. If you want deterministic results, read
tokenGroupsGlobalAndUniversal (which excludes domain local groups).


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara
Sent: Monday, January 22, 2007 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who Am I request

Hello everybody,
I am trying to get the CN of a user currently connected to Active Directory
(using a 3rd party library).

I tried the Who am I? extended operation from RFC 4532, but I got an error
120 or 0x78 (I don't know if it is useful).
Do you know of another method to get the CN? I need it to find out if the user
is part of a group.

Thanks a lot,
Alexandr
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx




Lee Flight
__
Lee Flight ([EMAIL PROTECTED]) Tel: +44 (0)116 252 2257
IT Services,
Computer Centre, University of Leicester
Leicester LE1 7RH, United Kingdom



RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-08 Thread Lee Flight


One example that I would highlight that can muddy the water when
attempting to track resolvable SIDs is that the SID might be from an
authority that does not resolve by a native Windows mechanism/API, e.g. an
SD that contains a SID from the SECURITY_RESOURCE_MANAGER_AUTHORITY
(S-1-9-etc). I had not seen an example of this until a few months ago
when I noticed such a SID appearing in DSACLS output in an Exchange 2007
deployment[1].

Lee Flight

[1]
See Table 3 in 
http://technet.microsoft.com/en-us/library/315d9c42-1ab4-4ef4-9292-12cdcb9c98cf.aspx




On Sun, 7 Jan 2007, joe wrote:


Because as mentioned in my post, this is a very difficult and complex task
given the current security infrastructure. There is nothing maintaining
backlinks into where specific SIDs are used for ACLing. Even so, as Wook and
Deji and I all mentioned, there are times where something could have a SID
in an ACL and be perfectly valid but some sort of burp or in-progress issue
causes the SID to be temporarily unavailable. This kind of thing happens
pretty regularly and people don't tend to catch it because MSFT,
intelligently, didn't go through and scrub the ACLs when this occurred. If
they did, people would be posting all of the time how some group or user or
other security principal lost access to something or in the case of DENY
ACEs all of a sudden had access to something. It is a very fine line between
being helpful and being destructive.

In order to implement this so it was effective and efficient I would
visualize something that would have to track ALL uses of SIDs (not just file
system or AD) with a backlink table and would somehow get notifications when
a security principal was truly deleted and it was intended to be so and
wouldn't be coming back (i.e. someone didn't pull a whoops). The first is
extremely involved but likely possible from a technical standpoint though it
would cause bloat somewhere where that info is stored. The second is near
impossible, IMO, because it involves people not screwing up and I don't
expect to see that day happen.

A couple of other items to think about: you have more than ACEs that have
the SIDs in a security descriptor, you also have the owner and the group.
You don't just want to zap the old value out, you want something there, what
do you put there? Administrators? LocalSystem? What? Now what if you want to
go clean all those up and reassign them to someone else? You are in the same
place you were when you had the old missing user/group object.

I have posted this before (slightly different because then it included DNs),
but here is a portion of the list of objects that can have SIDs
embedded:

1. Windows Security Descriptors - this includes any kernel securable objects
that can accept a security descriptor as well as many other objects that
have customized ACL-like definitions like the customSD for event logs. A
partial list of the official securable objects off the top of my head:

- Active Directory Objects
- SAM Objects (users and groups on member machines)
- File System Objects (files/directories)
- Threads/Processes
- Synchronization objects (mutexes, events, semaphores, timers)
- Job Objects
- Network shares
- Printers
- Services
- As of 2003 SP1 the Service Control Manager itself
- Registry keys
- Windows Desktops and Window Stations
- Access tokens
- File Mapping objects
- Pipes (named or anonymous)

Basically anything that allows you to pass in a SECURITY_ATTRIBUTES
structure when creating the object plus more

2. Microsoft supplied Windows based applications. This includes things like
ADAM, SQL Server, Exchange, SharePoint, etc etc etc ad nauseum.

3. Third party applications that run on Windows and were written properly
to take advantage of Windows security. This list could be long and wide,
there are hundreds of thousands of Windows applications out there.

4. Third party applications that run on Windows and were written incorrectly
to take advantage of Windows security. These apps don't use Windows security
descriptors, they use custom security structures that are based on Windows
Security Descriptors or are completely different but rely on SIDs. An
example here would be how the event log security stuff was implemented in K3
which uses a basic Windows Security Descriptor SDDL format type that isn't
quite standard.

5. Ditto #4 but running on non-Windows platforms.

6. Applications that use the groups for something other than security but
still use the SID for identification purposes to avoid rename issues. For
instance an IM app that uses groups for contact lists or an email app using
groups for mail distribution.

Numbers 3-6 are exceptionally hard to trace because in all but limited
cases, it is pretty much guaranteed no well known well used interface is
available to enumerate this info. You are completely dependent on how well
you understand your environment and how well you know the underpinnings of
what is running in that environment.

7. Any attribute
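As an added example (not code from either thread), the following decodes the binary SIDs that tokenGroups returns, performs the self group membership check Dmitri suggests in the Who Am I thread, and tags the identifier authority so that S-1-9 (SECURITY_RESOURCE_MANAGER_AUTHORITY) SIDs found in a security descriptor, as Lee saw in DSACLS output, are not mistaken for orphaned SIDs of deleted principals. All SID values are constructed samples.

```python
# Added example, not code from the thread: decode binary SIDs (tokenGroups format), check self
# group membership against them, and classify the identifier authority so that S-1-9
# resource-manager SIDs in an SD are not treated as orphaned SIDs of deleted principals.
import struct

# Identifier authorities; 9 is application-defined and the OS cannot resolve it to a name.
AUTHORITY_NAMES = {0: "NULL", 1: "WORLD", 2: "LOCAL", 3: "CREATOR", 5: "NT",
                   9: "RESOURCE_MANAGER"}

def sid_to_string(raw: bytes) -> str:
    """Binary SID layout: revision(1) subauth_count(1) authority(6, big-endian)
    subauthorities(4 bytes each, little-endian)."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def string_to_sid(sid: str) -> bytes:
    parts = sid.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("not a revision 1 SID")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def classify_sid(sid: str) -> str:
    """Name of the identifier authority; RESOURCE_MANAGER means an application (the Exchange
    2007 case Lee mentions) owns the meaning and native Windows resolution will fail on it."""
    return AUTHORITY_NAMES.get(int(sid.split("-")[2]), "UNKNOWN")

def is_member(token_groups: list, group_sid: str) -> bool:
    """Self membership check: tokenGroups holds the binary SIDs of all (nested) groups."""
    return string_to_sid(group_sid) in token_groups

def unresolvable_but_valid(ace_sids: list) -> list:
    """ACE SIDs a cleanup pass must leave alone: those from an authority the OS does not resolve."""
    return [s for s in ace_sids if classify_sid(s) == "RESOURCE_MANAGER"]

# Constructed sample data (not from a real directory): a tokenGroups value set and ACE SIDs.
SAMPLE_TOKEN_GROUPS = [string_to_sid("S-1-5-21-1111111111-2222222222-3333333333-513"),   # Domain Users
                       string_to_sid("S-1-5-21-1111111111-2222222222-3333333333-1105")]
SAMPLE_ACE_SIDS = ["S-1-5-21-1111111111-2222222222-3333333333-1105", "S-1-9-1000-2000-3000"]
```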

Re: [ActiveDir] ADAM silent install

2006-11-23 Thread Lee Flight


Hi

I think the problem is with

 But the user installing the ADAM instance is already member
  of administrators.

The ADAM answer file reader does not seem to check that; if it
sees the Administrator parameter in the answer file it assumes that
the user running the install is not an ADAM administrator and, as
this is a unique instance, installing the LDIFs will not be possible
due to lack of permissions to modify the local schema.
It might be possible to circumvent this using an explicit SourceUsername
and SourcePassword in the answer file, but I think your workaround is more
secure.


Lee Flight

On Thu, 23 Nov 2006 [EMAIL PROTECTED] wrote:



Hi

I am trying to install ADAM unattended to be used for publishing Oracle DBs.

I would like to grant administrators from the local computer as ADAM
administrators and I would like to import some of the accompanying LDF files.

; Specifies the Administrators within the AD\AM instance.
Administrator=MYCOMPUTER\Administrators

; The following line specifies the .ldf files to import into the ADAM schema.
ImportLDIFFiles=MS-InetOrgPerson.ldf MS-User.ldf

However the install fails when I specify both options. The error message is
that the user has to be an administrator to import .ldf files. But the user
installing the ADAM instance is already a member of administrators.

My current workaround is to comment out the ImportLDIFFiles statement and
import them after the instance has been created.

Just wondered if this was a known problem.

/kkh










RE: [ActiveDir] ADAM on XP Pro

2006-10-05 Thread Lee Flight


I had an exchange with a vendor who was planning on a similar approach:

http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/browse_frm/thread/83248bf50f9f76ec/2aac67203f612e2a

my summary, see the end of the archived thread, was that they
should talk to Microsoft about this use of the replication model
as it did not seem appropriate use of a multimaster replication
model to me. Even if we had RO ADAM instances I still think it
would be a pain to manage... let us know how you get on

Thanks
Lee Flight

On Wed, 4 Oct 2006, Tony Murray wrote:


Thanks Dmitri

Yes, my security concern was with regard to laptop theft.  As you say, these 
are ADAM and not AD accounts, so the risk of compromise is localised to the 
application.  Good tip about EFS (even if I'm not a big fan of it generally).  
There may be other options (e.g. hardware encryption).

I will give some further thought to the potential replication issues you 
mention when I know more about the application - I haven't managed to get my 
hands on it yet :-)

Tony
-- Original Message --
From: Dmitri Gavrilov [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Wed, 4 Oct 2006 20:18:28 -0700

ADAM on XP is no different from ADAM on w2k3 security-wise. The big
differences are that it is throttled somewhat perf-wise, and also
there's no auditing.

I do not see any serious security problems with this approach. Unless
you are thinking that somebody steals the laptop, cracks the DIT open
and brute-forces the pwd hashes? Store the DIT on an EFS volume then. In
any case, these are ADAM users, not windows...

The only problem will be replication -- instances will complain that
they are unable to replicate when in offline mode. Perhaps this can be
resolved by creating a separate site for every instance and setting up
manual links to the hub instance. Hmm. Not sure. I guess it depends on
how long they'll stay offline. KCC is not really optimized to work well
in such scenarios.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, October 04, 2006 7:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADAM on XP Pro

I've been talking to a vendor about an application they are developing.
It involves running ADAM instances on XP Pro machines (laptops) that
replicate with a centralised ADAM instance running on W2K3.  I don't
have further details at this stage, but I believe they are planning
to use the local ADAM instance to authenticate laptop users to an
application when they are off-line.

In addition to security concerns with this approach, I'm not really
comfortable with the idea of ADAM instances on laptops being part of a
configuration set.  I had always understood ADAM on XP to be used for a
personal data store
(http://technet2.microsoft.com/WindowsServer/en/library/29fb059e-544c-4577-bf7c-ba4b08df48431033.mspx?mfr=true).

Any thoughts on this?

Tony
