A-fanatic blog - Past results do not guarantee future performance

Vista without Bitlocker easy to hack

Parzival — Tue, 26 May 2009 12:16:00 GMT

Always use bitlocker.. or be the victim of this easy hack

http://blog.studiographic.nl/?p=251

Group Policy Preferences Ready

Parzival — Tue, 26 May 2009 12:15:00 GMT

Group polilcy Preferences can replace your loginscripts and other scripts.. but are your clients ready for GPP?

http://blog.studiographic.nl/?p=256

Poor man's iSCSI & Bridge Network connections

Parzival — Tue, 26 May 2009 12:14:00 GMT

Creating your own switch within windows

http://blog.studiographic.nl/?p=276

Administrator Lockout

Parzival — Tue, 26 May 2009 12:14:00 GMT

The admin cannot be locked out.. or can he?

http://blog.studiographic.nl/?p=268

“Windows Installer does not permit installation from a Remote Desktop Connection”

Parzival — Tue, 26 May 2009 12:13:00 GMT

http://blog.studiographic.nl/?p=284

Windows 2008R2 features part V: DHCP Split-scope

Parzival — Fri, 27 Feb 2009 15:46:00 GMT

DHCP is the mechanism that gives most client these days the tools (ip address) for connectivity. Most companies however do not realize the importance of the DHCP service and do not cluster nor have another server as standby when the DHCP server fails. If the DHCP server fails, most clients will not receive a new ip address and will seize to work on the network. While clustering is improved in Windows 2008 and sort of made easy for administrators, most of them are reluctant to implement a failover cluster for DHCP. In Windows 2008 R2 we have Split-Scopes, remember the 80-20 rule for DHCP servers, it kinda the same, but then made easy. For this article we have a single domain controller and two Windows 2008R2 servers.

Read entire post>>

Windows 2008R2 features part IV: Managed Service Accounts & Password Reset’s

Parzival — Thu, 12 Feb 2009 08:05:00 GMT

So we have deployed the Managed Service Accounts, and now we want a password policy set on them.. usually the service accounts have a different password policy set, so most of you will probably use PSO’s (Password Setting Object). In my demo I’ve set a new policy stating that the max age of a password is only 10 minutes ( msDS-MaximumPasswordAge: 0:00:10:00). I’ve set the PSO’s msDS-PSOAppliesTo attribute to be the Active Directory Group “Service Accounts” so that all managed service accounts that are member of this group MUST change their password every 10 minutes. For the sanity check, I’ve also created a simple useraccount and added that to the group also. Now we only needed to wait 10 minutes.. When logging in as the user onto the SQL box, I indeed got the message that I needed to change my password. My demo users’ pwdLastSet attribute indeed jumped from : 2/4/2009 4:58:20 PM W. Europe Standard Time; to pwdLastSet: 2/4/2009 5:28:05 PM W. Europe Standard Time;

Read the rest of this entry »

Windows 2008R2 features part III: Managed Service Accounts

Parzival — Thu, 12 Feb 2009 08:04:00 GMT

Password policies can help administrators secure their environment, letting users change their passwords on regular basis makes it harder for hackers to get in to a system by guessing a password. There is one group of accounts though that usually do not have the password policy applied to.. they almost never change their password and when they do.. it is a load of work for the admin, there is service downtime involved.. and after the password has been changed.. it will be not be changed for a long time.. Yes, I’m talking about Service Account.. the accounts administrators usually apply the “Password Never Expires” option to. These accounts usually have more rights to systems, perhaps even local Administrator access to machines (like SQL or mail) or even worse (Don’t tell me you have these in place) Domain Admin rights. Changing passwords for these accounts is crucial to the security of your environment. To make life easier Windows 2008 R2 introduces the Managed Service Accounts, with these, you can easily change the password of an account, and the client computers where these service accounts are operational will change the password in the service configuration.

Read the rest of this entry »

Tourist office and Google Maps combined

Parzival — Thu, 12 Feb 2009 08:03:00 GMT

The strength new media is best showed when it’s simplified and usable by anyone.. take google maps, most people know about it, use it on their computer but if you’re on the go.. they prefer a Tom Tom or other simple device during the trip.

Read the rest of this entry »http://blog.studiographic.nl/?p=73

Securing Wireless with WHS Part II

Parzival — Thu, 12 Feb 2009 08:01:00 GMT

Some of you might be using Windows 7 already and have noticed that the Wireless solution for Windows Home Server does work well with Windows 7. In fact, the computer does not challenge the user for a username or password, but just tells you it cannot connect. This is because Windows 7 has a different default setting for WPA-Enterprise authentication to wireless networks. By default the client computer will try to authenticate the user including the computername. IAS warnings in the eventlog are a result of Windows 7 computers trying to authenticate.

NEW better improved BLOG SITE!

Parzival — Thu, 29 Jan 2009 20:51:00 GMT

Got dizzy on this page.. me too..

Check

blog.studiographic.nl for the rest and updated materials!

Windows 2008 Features (DFSRMIG)

Parzival — Wed, 28 Jan 2009 09:41:00 GMT

The introduction of Windows 2008 brought us the famous Read-Only domain controller, the domain controller without passwords (unless explicitly approved) and one-way replication. That one-way replication also applied to the SYSVOL share. Sysvol is replicated by either FRS or DFSR depending on the initial setup of the domain. If you have upgraded your domain from Windows 2000 or Windows 2003 to Windows 2008 SYSVOL is still using FRS to replicate. When you have initially deployed Windows 2008 and set...(read more)

Windows 2008R2 features part II: Recycle Bin

Parzival — Tue, 27 Jan 2009 21:20:00 GMT

Windows 2008 R2 Active Directory introduces the Recycle Bin option. If you deployed Windows 2008 R2 or upgraded your domain to the Windows 2008 R2 schema and you think the recycle bin is active, you are wrong. You have to specifically enable the recycle bin feature.

So upgrade your forestlevel and run the following command within a poweshell console:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=DirectoryService,CN=Windows NT,CN=Services,CN=Configuration,DC=rootdomain,dc=local'

-Scope Forest -Target 'rootdomain.local'

Note: Indeed the above command is a powershell command, also a new feature in Windows 2008 R2, Active Directory powershell.

So what does the above mentioned command do: If you delete an object from this point onwards the object does not get tombstoned and stripped from most attributes but it will be transformed to a recycled-object. Link valued attributes are maintained both from and to the deleted object. This was not possible in the previous versions of the schema.

So we have a user with several attributes setup, called John Doe:

He has several options set, like streetaddress, loginscript etc. He is also a member of the group Group1. And now we delete the user from the ADUC command console.

If we want to look at the deleted object the old way of searching for it does not work anymore (http://support.microsoft.com/kb/258310) . Instead there is a hidden container called: CN=Deleted Objects, DC=<domain>.

We can retrieve this container using ldp.exe. Start LDP.exe and create a connection to the AD server. Bind using current credentials and select Options and select Controls. In the load predefined option select Return Recycled Objects. Then select view tree. Enter: CN=Deleted Objects,CN=<domain> and click OK.

Now we see the deleted John Doe object and on the right the attributes that are usually deleted.

There are multiple ways to restore the userobject. It is possible via the LDP console by removing the TRUE value of the isDeleted attribute (click modify on the object and select edit, in the attribute field type isDeleted, leave the value option empty and select Delete under Operation and hit enter. In the attribute field type distinguishedName and type the DN in the value field, under operation select Replace).

However you might find it easier to use the new poweshell commandlets, first to find the deleted object(s).

Get-AdObject –Filter {displayname –eq “John”} –IncludeDeletedObjects

To restore, simply pipe the above mentioned command to the restore command: Restore-ADObject

Get-AdObject –Filter {displayname –eq “John”} –IncludeDeletedObjects | RestoreADObject

Off course it is also possible to restore entire OU’s and the objects beneath it..

[update]

So many wonder how the group membership of users are restored during the reanimation (or restoring) of a recycle bin object.. (aswell as other backlinks).. It seems the backlinks are not deleted as they normally would have been. Although the forward link (Group Member) is deleted, the memberOf attribute (back-ward link) is not. Or in Microsoft terms:

We simply added a taxonomy to the link table which gives us the ability to preserve the link data while deactivating the link when an object is deleted.

To view the MemberOf of a deleted object you can use a powershell commandlet that Ned Pyle gave to me:

PS C:\> get-adobject -filter {lastknownparent -eq "ou=recycletest,dc=adatum,dc=com"} -searchbase "cn=deleted objects,dc

adatum,dc=com" -includedeletedobjects -properties *

userPrincipalName : whoops@adatum.com

CanonicalName : adatum.com/Deleted Objects/whoops

DEL:2563a106-b3ef-4338-b0ec-ead7cac88178

Created : 1/28/2009 8:57:58 AM

codePage : 0

modifyTimeStamp : 1/28/2009 10:27:59 AM

instanceType : 4

pwdLastSet : 128776246785482438

Description :

lastLogoff : 0

givenName : whoops

badPwdCount : 0

userAccountControl : 66048

whenCreated : 1/28/2009 8:57:58 AM

lastLogon : 0

Name : whoops

DEL:2563a106-b3ef-4338-b0ec-ead7cac88178

ObjectClass : user

accountExpires : 9223372036854775807

badPasswordTime : 0

isDeleted : True

sAMAccountName : whoops

DisplayName : whoops

DistinguishedName : CN=whoops\0ADEL:2563a106-b3ef-4338-b0ec-ead7cac88178,CN=Deleted Objects,DC=adatum,DC=

com

uSNCreated : 63465

ObjectCategory :

Modified : 1/28/2009 10:27:59 AM

adminCount : 1

sDRightsEffective : 15

dSCorePropagationData : {1/28/2009 9:51:53 AM, 1/28/2009 9:14:02 AM, 12/31/1600 7:00:00 PM}

objectSid : S-1-5-21-3745455507-831683003-5792042-1129

countryCode : 0

nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity

ObjectGUID : 2563a106-b3ef-4338-b0ec-ead7cac88178

Deleted : True

logonCount : 0

CN : whoops

DEL:2563a106-b3ef-4338-b0ec-ead7cac88178

LastKnownParent : OU=recycletest,DC=adatum,DC=com

ProtectedFromAccidentalDeletion : False

whenChanged : 1/28/2009 10:27:59 AM

createTimeStamp : 1/28/2009 8:57:58 AM

primaryGroupID : 513

msDS-LastKnownRDN : whoops

memberOf : {CN=Domain Admins,CN=Users,DC=adatum,DC=com}

uSNChanged : 63535

For more information on deleted objects and restoring them you can go see Jorge’s presentation: http://blogs.dirteam.com/blogs/jorge/archive/2009/01/20/speaker-at-techdays-2009.aspx

Windows 2008R2 features part I: Offline domain join

Parzival — Tue, 27 Jan 2009 11:57:00 GMT

Since Windows NT4, clients who wanted to join a domain always needed a direct connection to the domain, either via VPN, dial-in or direct connection. New in Windows 2008 R2 is the option for an offline domain join.. how does this work.. ? read on!

A new program is introduced called djoin.exe. We can use djoin.exe to join a computer to the domain without actually having a connection to it.

How does this work?

1. Logon to a system that already is a member of the domain with an account that is allowed to join computers to the domain

2. Use djoin.exe to create a text file (the blob) that contains all information for the computer to join the domain when it is online.

3. On the new computer use djoin.exe to import the blob

4. Reboot the new computer when it’s connected to the network

By default, computer accounts are created in the Computers OU, however we might not want the new machines to be placed in that OU. If this is the case, create a new OU and make sure the account that you run djoin under has sufficient rights to it. To provision a new computer, use the following command: djoin /provision /domain <domainname> /machine <machinename> /savefile blob.txt

The command will create a new computer object and a file called blob.txt.

Optionally you can specify the OU using the parameter /Machineou <OUname> else the default Computers OU is used.

If the computer account object is already created, you can use the /reuse option.

If your domain controller is not yet running Windows Server 2008 R2, use the /downlevel command.

Copy the created blob file to the new client and run the import command. Even though it is a text file, the blob is not really human readable, it’s certainly not in xml format…

The command to import the blob is: djoin /requestODJ /loadfile blob.txt /windowspath %systemroot% /localos

Now the /localOs option can be a bit scary. If you accidentally run this command on a domain controller, it will result in a broken Active Directory Domain Controller that you can only demote/promote to bring it back to where it was.

Our client machine has a base install of Windows 7 and is renamed to CL2 in this case before using the new command:

Make sure your start the command prompt with Administrative privileges, otherwise the join will fail:

After a (manual) reboot, the computer joined the domain:

The main question if off course: why would you want this?

The procedure involves a non-human readable blob, and no passwords. You can easily pre-create all the blob files and distribute them to for example supplier of workstations. They can provision the laptops for you. You would not have to give them accounts and you do not have to give them access to your environment.

And Microsoft's reason:
For example, an organization might need to deploy many virtual machines in a datacenter. Offline domain join makes it possible for the virtual machines to be joined to the domain when they initially start after the installation of the operating system. No additional restart is required to complete the domain join. This can significantly reduce the overall time required for wide-scale virtual machine deployments.

Now if you want to deploy computers using a Unattend.xml file, you can also specify the Offline Domain join in there:

Today: Unwanted patch day

Parzival — Fri, 24 Oct 2008 08:00:00 GMT

Oke we have CAPS-LOCK DAY, independance day.. and today is Unwanted patch day..

please take note of: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

and patch your Windows systems A.S.A.P...