RE: [ActiveDir] UserName & Psswd Script

2006-06-13 Thread walls

PLEASE TAKE ME OFF YOUR LIST I AM GETTING HUNDREDS OF UNSOLICITED EMAILS, THX PETE
 
-- Original message --
From: <[EMAIL PROTECTED]>

> Why a script?
>
> Why not:
> "Net use * \\server\share /u:server\user *"
>
> i.e. connect using an account defined locally on the machine named
> 'server'.
>
>
> neil
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
> Sent: 13 June 2006 16:19
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] UserName & Psswd Script
>
> I need to map to a windows standalone server from a domain machine with
> a different username and password other than the domain account. Anyone
> care to share a script?
>
> Thank you,
> Z.V.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Group membership question

2006-06-13 Thread walls

PLEASE TAKE ME OFF YOUR LIST = I AM GETTING HUNDREDS OF UNSOLICITED MESSAGES, THX PETE
 
-- Original message -- From: "joe" <[EMAIL PROTECTED]> 

No it is a value in an attribute. A child object would be an object that has a group as its parent... 
 
I.E.  cn=group,ou=someou,dc=dom,dc=com and the child object of cn=somethingelse,cn=group,ou=someou,dc=dom,dc=com
 
In the default schema, the only objectclass that can be instantiated as an object under a group is objectClass classStore. You can determine that by looking at the possibleInferiors attribute of the group object.
 
   joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Tuesday, June 13, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group membership question
 
Sorry if this is a daft question, but I can't find an answer anywhere: Is a User considered a Child object of a Group to which it is a member? 
Cheers 
Danny 



RE: [ActiveDir] Machine Password Changes

2006-06-12 Thread walls

take me off your list, thx
-- Original message -- From: "Kennedy, Jim" <[EMAIL PROTECTED]> 



I think it would be best that SomeProduct should go in SomeTrashCan.
 
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/580.mspx



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Monday, June 12, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Password Changes
 

Everyone,
 
Our Public Libraries use a software package that handles their patron logins and billing called SomeProduct. The company that makes SomeProduct includes in their suite a product called SomeDiskProtection. SomeDiskProtection is similar to Windows Disk Protection, GoBack and Deep Freeze. It's a product that, upon reboot, restores the PC to its previously saved state. The problem with this of course is that while the PC is up and running during the day, if it changes its machine account password, the next time the PC is rebooted it's back to the old password, which results in PCs that can't log onto the domain. We've now spent a week on the phone with SomeCompany and they tell us that their only solution is to completely disable machine password changes for the PCs running their software. I want to ask you all what you think of this solution. How much of a security risk do you think it is? Can you think of a workaround?
 
The frustrating thing is that Windows Disk Protection has a way of handling this. It disables automatic machine password changes, but every time the PC has its saved state updated, it performs a manual password change so that at least it’s being changed SOMETIMES. According to SomeCompany, they have absolutely no plans or desire to update their software to support similar functionality.
 
Thanks,
 
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
 



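An added example, not code from the thread: a PowerShell audit of the Netlogon registry values that back the "Domain member: Disable machine account password changes" and "Domain member: Maximum machine account password age" policies Justin was asked to change, plus a helper that performs the kind of manual password change Windows Disk Protection does before it saves a baseline. It assumes Windows PowerShell 3.0 or later on a domain-joined machine and local administrator rights.

```powershell
# Added example (not from the thread). Audits the machine-account password
# settings and offers the rotate-before-baseline workaround described for
# Windows Disk Protection. Requires local administrator rights.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    # DisablePasswordChange = 1 stops automatic changes entirely;
    # MaximumPasswordAge is the change interval in days (default 30).
    $p = Get-ItemProperty -Path $NetlogonKey
    $disabled = [bool]$p.DisablePasswordChange
    $maxAge = 30
    if ($null -ne $p.MaximumPasswordAge) { $maxAge = [int]$p.MaximumPasswordAge }

    if ($disabled) {
        $risk = 'HIGH: machine password never rotates; a captured secret stays valid indefinitely'
    } elseif ($maxAge -gt 30) {
        $risk = "MEDIUM: rotation interval above default ($maxAge days)"
    } else {
        $risk = 'OK'
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        AutoChangeDisabled     = $disabled
        MaximumPasswordAgeDays = $maxAge
        Risk                   = $risk
    }
}

function Invoke-BaselinePasswordChange {
    # Run immediately before the disk-protection product saves a new baseline,
    # so the rotated machine password is the one captured in the restored image.
    if (-not (Test-ComputerSecureChannel)) {
        throw 'Secure channel to the domain is already broken; repair it before saving the baseline'
    }
    Reset-ComputerMachinePassword
    # Returns $true when the new password works against the domain.
    Test-ComputerSecureChannel
}

Get-MachinePasswordPolicy | Format-List
```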



RE: [ActiveDir] AD integration

2006-06-12 Thread walls

pse take me off your list, thx
 
-- Original message --
From: "joe" <[EMAIL PROTECTED]>

> The answer to this one is of course it depends.
>
> At first blush it sounds like a single threaded app. Depending on the
> vendor, this may be the best/safest thing to do. :)
>
> As for best practices. I don't think there are any best practices for how
> many domains you should pull data from at a time. It would again depend
> entirely on the app and what it is supposed to be doing and the dangers
> exposed in doing it.
>
> For a "relatively" fast application that works well in single and
> multidomain environments I could see cases where it is better to pull from
> the GC or better to set up a thread pool and pull from x domains at once or
> a combination. Certainly the thread pool solutions are the more scalable
> solutions but they are also the much harder to do right and the more costly
> solutions. Most customers chose apps on how cheap they are first, then later
> they start to realize the shortcomings that made them cheaper.
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
> Sent: Monday, June 12, 2006 8:31 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] AD integration
>
> Just a quick question. Is anyone aware of any "best practice"
> documentation of how a product ought to integrate with AD (e.g. to pull
> out user data for its own use).
>
> Failing that, can anyone comment on what they think of a model that can
> only pull data out of one domain at a time so for a >1 domain forest
> needs to make a connection to each domain in turn, pull down that
> information and then load it into SQL server. Am I crazy in thinking
> that anyone following this model has probably just found out that their
> old NT4 domain integration code "kinda works" and did the bare minimum
> tidying up before halting any further work?
>
> --
> Robert Moir
> Microsoft MVP for Windows Servers & Security
> Senior IT Systems Engineer
> Luton Sixth Form College
> Right vs. Wrong | Good vs. Evil
> God vs. the devil | What side you on?
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Moving Certificates between separate AD infrastructures

2006-02-08 Thread walls

Thanks for all the responses. I'm investigating several tools and actually tracked down the logic to implement the operation. For those that are interested, here's the code. I think the below code is a bit inefficient because the only example I could find was taking a cert stored in a text file and then transforming it into a byte array before placing it in the directory. I think the userCertificate is already a byte array, so I could probably just ensure I'm using the appropriate variable type for storage and import it directly into the foreign directory rather than importing it into a CAPICOM memory store and then changing it back into a byte array.
 
Thanks,
Dave
 
Sub main()

' Requires references to CAPICOM and Active DS Type Library (IADs*, ADS_* constants).
Dim objStore As New Store, objUtilities As New CAPICOM.Utilities, adSysInfo, objForeignUser As IADsUser, objcert As Certificate
Dim objUser, objProvider, objcer, binEnCert, arrEnCert

' Bind to the current user's object in the source directory.
Set adSysInfo = CreateObject("Adsysteminfo")
Set objUser = GetObject("LDAP://" & adSysInfo.UserName)
' Bind to the same user's object in the target (foreign) directory with explicit credentials.
Set objProvider = GetObject("LDAP:")
Set objForeignUser = objProvider.OpenDSObject("LDAP://x.x.x.x/cn=Dave,ou=internal,ou=users,ou=xxx,dc=,dc=,dc=xxx", "xxx", "xx", ADS_SECURE_AUTHENTICATION)

' Take the first userCertificate value (DER bytes) and round-trip it through a memory store.
'MsgBox objUser.usercertificate.Count
objcer = objUser.usercertificate(0)
objStore.Open CAPICOM_MEMORY_STORE, "My", CAPICOM_STORE_OPEN_READ_WRITE
objStore.Import objcer
Set objcert = objStore.Certificates(1)
binEnCert = objcert.Export(CAPICOM_ENCODE_BINARY)
arrEnCert = objUtilities.BinaryStringToByteArray(binEnCert)

' PutEx 3 = ADS_PROPERTY_APPEND: add the value to the multi-valued attribute, then commit.
objForeignUser.PutEx 3, "userCertificate", Array(arrEnCert)
objForeignUser.SetInfo

End Sub
 
 
 


[ActiveDir] Moving Certificates between separate AD infrastructures

2006-02-07 Thread walls

I have a DOD customer that is looking to break off a piece of the organization to stand up its own agency. The DOD customer is currently deployed in an Active Directory infrastructure with a PKI infrastructure deployed and smartcards in use. Shortly, the customers will be moved to a completely new AD infrastructure at their own request. Unfortunately, the organization will not immediately deploy new certs and smart cards to the staff due to logistics issues. Smartcard access to DOD systems is an absolute requirement. Disruption to the user community must be kept to an absolute minimum. The organization would like continue to use the existing certs and smartcards with the new infrastructure.
 
My question is, assuming that the PKI infrastructure can support the old certs, is there a way to automate the movement of user certs during the migration process? Can we automate the publishing of the old certificate from the old directory into the new directory? Is there existing migration tools out there that does this (i.e. Quest, Bindview)? Does ADMT do this by default? I've been reviewing the ADMT documentation and I haven't seen a mention of migrating user certificates yet. I was thinking to develop some code using CAPICOM to do this; however, I didn't want to reinvent the wheel. A second question would be do both the values in the userCertificate and userSMIMECertificate properties have to go?
 
Thanks in advance,
Dave


[ActiveDir] userCertificate Property in Active Directory

2005-11-21 Thread walls

Thanks, I think I figured it out. For those interested here's the bit of code.
 
Thanks,
Dave
 
' CAPICOM enumeration values (from the CAPICOM type library).
Const CAPICOM_MEMORY_STORE = 0
Const CAPICOM_STORE_OPEN_READ_WRITE = 1

' Bind to the current user's object and read the first userCertificate value (DER bytes).
Set objAdsysinfo = CreateObject("ADSystemInfo")
Set objMe = GetObject("LDAP://" & objAdsysinfo.UserName)
objCer = objMe.usercertificate(0)

' Import the bytes into an in-memory store so CAPICOM can decode the certificate.
Set myStore = CreateObject("CAPICOM.Store")
myStore.Open CAPICOM_MEMORY_STORE, "My", CAPICOM_STORE_OPEN_READ_WRITE
myStore.Import objCer
Set objCert = myStore.Certificates(1)
MsgBox objCert.IssuerName
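An added PowerShell example, not Dave's code: it converts the DER bytes held in userCertificate into X509Certificate2 objects and reads issuer, subject and validity, which is the byte conversion the VB.NET snippet in this thread got wrong with CByte. It assumes PowerShell 5.0 or later and, for the offline check, the New-SelfSignedCertificate cmdlet; the LDAP path at the end is a placeholder.

```powershell
# Added example (not from the thread). userCertificate is multi-valued and
# each value is a DER-encoded certificate as byte[]. CByte() collapses the
# array into a single byte; cast to [byte[]] and hand it to X509Certificate2.

function ConvertFrom-UserCertificate {
    param([Parameter(Mandatory)][object[]]$Values)   # one byte[] per attribute value
    foreach ($v in $Values) {
        $der  = [byte[]]$v
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Expired    = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# Offline check: a constructed self-signed cert stands in for a directory value.
# The leading comma keeps the byte[] as a single element of the -Values array.
$sample = New-SelfSignedCertificate -Subject 'CN=Constructed Sample' -CertStoreLocation 'Cert:\CurrentUser\My'
ConvertFrom-UserCertificate -Values @(,$sample.RawData) | Format-List
Remove-Item -Path "Cert:\CurrentUser\My\$($sample.Thumbprint)"

# Against the directory (placeholder DN): every published certificate for the user.
$user = [adsi]'LDAP://CN=Placeholder User,OU=Users,DC=example,DC=com'
ConvertFrom-UserCertificate -Values @($user.Properties['userCertificate']) | Format-List
```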


[ActiveDir] userCertificate Property in Active Directory

2005-11-21 Thread walls

Is there a way to retrieve the certificate information such as issuer name, subject name, valid from and to date, etc. from the userCertificate property in the directory using either VBScript or VB.Net? I can read the property and see the values; however, I'm unsure of how to deal with the x509 DER encoded information. I've tried the following code:
 
objMe = New DirectoryEntry("LDAP://cn=Waller\, David (Contractor),OU=Users,OU=x,DC=xx,DC=,DC=xxx")
MsgBox(objMe.Properties.Item("samAccountName").Value)
certStor = CByte(objMe.Properties.Item("userCertificate").Value)
objCert = New X509Certificate(certStor)
 
However, I appear to be doing something wrong with the byte conversion when obtaining the property. Has anyone done this before, who can give me some guidance? I'd prefer to use VBScript and CAPICOM; however, I'm more than willing to use the system.cryptography.x509certificates class if that's the way to do it. I haven't found much information available on the web or newsgroups.
 
Thanks,
Dave Waller
 

 


RE: [ActiveDir] (OT) Trust Issues

2005-09-26 Thread walls
Normally, I would look at the restrict anonymous configuration if experiencing 
communication issues between NT 4.0 systems and >= 2000 systems. A setting of 2 
seems to break legacy communication.

Thanks,
Dave Waller
Booz Allen Hamilton

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Monday, September 26, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] (OT) Trust Issues

Scenario

I have a forest that is a root place holder and two child domains.
Domain.Com; Child1.Domain.com; Child2.Domain.com.

The forest is in Windows Server 2003 Forest mode.

Domain.com is all Windows Server 2003 SP1
Child1.domain.com is all Windows Server 2003 SP1
Child2.domain.com is all Windows Server 2003 SP1 bar one DC.

Child1 and Child2 both have trusts to a Windows NT4.0 sp 6.0a domain.

The Problem

When I upgrade the last DC to W2K3 Service Pack 1 in Child2.Domain.com it
breaks the trust to the NT4.0 environment and I am at a loss as to why.

Child1.domain.com continues to function correctly and the trust does not
break.

All domains in the forest run the same security principles and nothing
appears in the event logs.

Removal of SP1 reverses the issue and all trusts are restored - without the
need to recreate them.

The only error message I get is when I go to validate the trust:

Verification of the trust between the domain xyz and the domain 123 was
unsuccessful because: Access is Denied. 

All accounts used are Domain Admins.

Any suggestions?

The issue is not currently critical as I have removed the Service Pack, but
I will need to reapply the Service Pack soon, 

Mark



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/