As an MVP we have MVP leads that share information and are our main connection to the MVP program. Recently my MVP lead sent out a great Q&A that I wanted to share. I checked with her to make sure this is not NDA information and it was not. (thanks Michelle!)
There are still a lot of organizations that believe they should wait for a service pack before deploying a new server OS. If you were around 10 years ago or more you might remember that Windows NT had seven service packs (1-6a). Windows 2000 had four service packs. With that many service packs you can see why some old timers still think waiting for service packs is the way to go.
The days of four, six, or more service packs are probably gone forever. I can't speak for the future of the Microsoft development life-cycle, but with major releases every four years and R2 releases every two years there is not much room for service packs. In addition, Microsoft does a really great job with Patch Tuesday patches and zero-day patches when applicable.
The point here is you can tell your manager that there is no reason to wait for a service pack. Windows 2012 is ready now. It is ready to be tested and deployed now. I'm in the field just like the rest of you. Looking forward to this journey.
Tuesday, October 2, 2012
Monday, September 17, 2012
TechGate Conference - Speaking Review
I spoke at the TechGate conference sponsored by Microsoft this weekend. My topic was new Active Directory features in Windows Server 2012.
I first want to thank Andy and DeLise from Microsoft. The Microsoft facilities were outstanding and we were treated well. This was my first speaking engagement at a conference like this and I'm honored that they allowed me to speak. I know they had a lot of people that wanted slots and glad I was selected for one of the featured slots.
The room was packed and some people had to stand. There were some lessons learned on my part that I want to share for others that may be starting out on their speaker journey. I would also love to hear tips from others that have been doing this for a while.
Lessons Learned
- 50 minutes is not enough time to give a talk with demos about Active Directory features in Windows 2012. I should have either cut out sections or not attempted demos. I definitely rushed a bit at the end.
- The crowd was about 80 percent developers/those not familiar with AD and 20 percent were IT pros that knew AD. I let that fluster me for the first few slides. When I asked how many people are familiar with dcpromo and only 4 people raised their hands I was thinking "oh shit" in my head....once I got over that I was fine.
- I tried to switch between the PowerPoint presentation view (slides with notes on my laptop monitor and slide show on projector) and the duplicate screens (for the demos). Next time I will just use duplicate screens at all times and have my notes on the side.
- Dynamic Access Control is a great feature but I can tell that it's going to take a lot of time for IT Pros to understand and "get it". I might try and present 50 minutes just on that feature next time...but that might not be enough time either.
- Thanks to the lady in the back, the MCS engineer and a few others that did have a good working knowledge of AD...the questions and back and forths with you all were great.
- I have seen speakers at other conferences having conversations after their talks in the hallways. That happened to me too. That was great, met some really great and enthusiastic people.
- Thanks to my co-workers Shumbey, Nate, and Kurt for coming.
- Thanks to my AD buddies (Mark especially) who sat through some dry runs.
Overall I give myself a B-. I learned a lot and hope to go back in the spring. Someday I want to be as good as Dean Wells (he had the #1 talk at TechEd North America 2012)....I know that won't happen but it is a good goal to strive for :)
Labels:
Windows Server 2012
Tuesday, September 4, 2012
Windows 2012 AD Schema Version
I previously posted "quick-hitter" blogs about the schema versions in the Windows 8 Developer Preview and Windows Server 8 Beta.
Windows Server 2012 was released today!! The schema version did not change from the RC version. The final version is 56.
I once again used adfind to quickly find the schema version.
The final Active Directory schema version table is listed below.
Operating system | Schema version
Windows Server 2012 | 56
Windows 2008 R2 | 47
Windows 2008 | 44
Windows 2003 R2 | 31
Windows 2003 | 30
Windows 2000 | 13
MVP Brian Arkills posted a link to the changes made by adprep in Windows 2012 from version 48 to 56. You can find that here:
Windows Server 2012: Changes made by adprep.exe
You can download an evaluation copy of Windows Server 2012 and go start to learn and have fun. This will be an OS that most of us will be using for the next 10+ years and it is an exciting day for those of us in the Windows Server world. Thanks to all the hard work put in by the many people at Microsoft that made today happen.
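Added example, not code from the original post: the schema version lives in objectVersion on the schema container, and after an adprep /forestprep it is worth confirming that every DC in the forest reports the same value rather than checking one DC with adfind. This assumes the ActiveDirectory module (RSAT) and read access to each DC; the version table is the one from this post.

```powershell
# Added example (not from the original post): report the schema version each DC sees.
Import-Module ActiveDirectory

# objectVersion -> release, taken from the table in this post.
$SchemaReleases = @{
    13 = 'Windows 2000'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
}

function Get-DcSchemaVersion {
    # Read objectVersion from CN=Schema,CN=Configuration,... as served by one DC.
    param([Parameter(Mandatory = $true)][string]$Server)
    $rootDse = Get-ADRootDSE -Server $Server
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion -Server $Server
    [int]$schema.objectVersion
}

function Get-ForestSchemaVersionReport {
    # One row per DC in every domain of the forest. A DC that reports a lower
    # version than the others has not received the adprep changes yet.
    $rows = foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            try {
                $version = Get-DcSchemaVersion -Server $dc.HostName
                $release = if ($SchemaReleases.ContainsKey($version)) { $SchemaReleases[$version] }
                           else { 'unknown (newer than this table)' }
                New-Object PSObject -Property @{
                    DC = $dc.HostName; Domain = $domain; SchemaVersion = $version; Release = $release; Error = $null
                }
            } catch {
                # Unreachable DC: keep the row so the gap is visible in the report.
                New-Object PSObject -Property @{
                    DC = $dc.HostName; Domain = $domain; SchemaVersion = $null; Release = $null; Error = $_.Exception.Message
                }
            }
        }
    }
    $rows
}

$report = Get-ForestSchemaVersionReport
$report | Sort-Object Domain, DC | Format-Table DC, Domain, SchemaVersion, Release, Error -AutoSize

# Summarise: mixed versions mean replication of the schema changes is incomplete.
$distinct = @($report | Where-Object { $_.SchemaVersion } |
              Select-Object -ExpandProperty SchemaVersion | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning ("Schema version differs across DCs ({0}); the schema update has not fully replicated." -f ($distinct -join ', '))
} elseif ($distinct.Count -eq 1 -and $distinct[0] -lt 56) {
    Write-Warning ("Schema is version {0}, below the Windows Server 2012 value of 56." -f $distinct[0])
}
```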
Labels:
Active Directory,
quick-hitters,
Windows Server 2012
Thursday, August 23, 2012
Find Inactive Users using Powershell
This is a quick hitter that came about when I was chatting with a few friends online. We were talking about finding inactive users using PowerShell. We also wanted to output their userid (sAMAccountName) and their last logon time.
In this case the LastLogonTimeStamp attribute was good enough for this query. Note that this attribute is replicated but it is 9-14 days behind the current date.
For full disclosure this is something I'd usually use oldcmp for but in this case the customer wasn't allowing third party tools.
The main problem I was having was the output of LastLogonTimeStamp via PowerShell. The date doesn't get automatically converted from its native 64-bit format. Luckily the Microsoft team has included LastLogonDate, which is the converted form of LastLogonTimestamp. MVP Richard Mueller has a great explanation of the LastLogonDate attribute in PowerShell. It is important to emphasize that LastLogonDate is not an actual Active Directory attribute. LastLogonDate was key; otherwise this query gets more complex because we would have had to include a conversion in the command.
For the query I went with the search-adaccount cmdlet. We were looking for accounts that had not been active within 90 days:
search-adaccount -usersonly -accountinactive -timespan "76" | select-object samaccountname, lastlogondate
If you want to export that to a CSV, then that command can be piped into export-csv:
search-adaccount -usersonly -accountinactive -timespan "76" | select-object samaccountname, lastlogondate | export-csv Users.csv
Why did I choose 76 instead of 90? That goes back to the DS blog about lastlogontimestamp being up to 14 days behind.
Active Directory Administrative Center also has some handy built-in searches that can help if you prefer a GUI.
Update: Good friend and Microsoft PFE Eric J suggested that I add a screenshot with the Windows 2012 version of ADAC and the PowerShell history viewer output. Great suggestion Eric!
The powershell command in the history viewer is interesting. I like the version above a lot better :)
Get-ADObject -LDAPFilter:"(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(lastLogonTimestamp<=129888720000000000)(!lastLogonTimestamp=*)))" -Properties:allowedChildClassesEffective,allowedChildClasses,lastKnownParent,sAMAccountType,systemFlags,userAccountControl,displayName,description,whenChanged,location,managedBy,memberOf,primaryGroupID,objectSid,msDS-User-Account-Control-Computed,sAMAccountName,lastLogonTimestamp,lastLogoff,mail,accountExpires,msDS-PhoneticCompanyName,msDS-PhoneticDepartment,msDS-PhoneticDisplayName,msDS-PhoneticFirstName,msDS-PhoneticLastName,pwdLastSet,operatingSystem,operatingSystemServicePack,operatingSystemVersion,telephoneNumber,physicalDeliveryOfficeName,department,company,manager,dNSHostName,groupType,c,l,employeeID,givenName,sn,title,st,postalCode,managedBy,userPrincipalName,isDeleted,msDS-PasswordSettingsPrecedence -ResultPageSize:"100" -ResultSetSize:"20201" -SearchBase:"DC=MK2012,DC=com" -SearchScope:"Subtree" -Server:"w2012DC1.MK2012.com"
The issue I have with the ADAC method is that it doesn't allow the user to export the findings and include the LastLogonTimeStamp date in a converted form.
I'm looking forward to other suggestions comments on how to improve this powershell command. Remember we are talking quick-hitter one liner here.
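Added example, not code from the original post: the same 90-day sweep written with Get-ADUser so that the raw lastLogonTimestamp Integer8 is converted to a date explicitly, the 14-day replication lag is applied as a named parameter (which is why the post searches on 76 rather than 90), and accounts that have never logged on are reported rather than silently dropped. It assumes the ActiveDirectory module; the function and parameter names are mine.

```powershell
# Added example (not from the original post): inactive enabled users with converted dates.
Import-Module ActiveDirectory

function Get-InactiveAdUser {
    param(
        [int]$InactiveDays = 90,            # policy threshold
        [int]$ReplicationLagDays = 14,      # lastLogonTimestamp can be up to this far behind
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $now    = Get-Date
    # Subtract the lag so an account that really is 90 days idle is not missed.
    $cutoff = $now.AddDays(-($InactiveDays - $ReplicationLagDays))

    # Enabled users only; lastLogonTimestamp is the raw Integer8 (FILETIME) value,
    # LastLogonDate is the module's converted copy and not a real attribute.
    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
               -Properties lastLogonTimestamp, whenCreated |
      ForEach-Object {
        $lastLogon = $null
        if ($_.lastLogonTimestamp) {
            # FromFileTime turns the 64-bit FILETIME into a local DateTime.
            $lastLogon = [DateTime]::FromFileTime($_.lastLogonTimestamp)
        }
        # Never-logged-on accounts: measure from creation so a brand-new account
        # is not flagged on day one, but an old never-used account still is.
        $reference = if ($lastLogon) { $lastLogon } else { $_.whenCreated }
        if ($reference -lt $cutoff) {
            New-Object PSObject -Property @{
                SamAccountName = $_.SamAccountName
                LastLogonDate  = $lastLogon
                NeverLoggedOn  = (-not $lastLogon)
                DaysSinceLogon = [int]($now - $reference).TotalDays
            }
        }
      }
}

# Same columns as the post's one-liner plus the extra context, exported to CSV.
Get-InactiveAdUser -InactiveDays 90 |
  Sort-Object DaysSinceLogon -Descending |
  Select-Object SamAccountName, LastLogonDate, NeverLoggedOn, DaysSinceLogon |
  Export-Csv -Path .\InactiveUsers.csv -NoTypeInformation
```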
Labels:
Active Directory,
Powershell,
quick-hitters
Friday, July 20, 2012
Is It a Domain Controller
I recently went into our test lab and there was a guy working in there and he asked me: "If I'm on a machine, how do I know if it is a domain controller?"
These are often my favorite types of questions. No time to check Bing/Google, no time to check a book. Just a quick question that is answered in seconds. By the way, in those situations it is also OK to say "I don't know" or "I'll get back to you". A lot of times you will see people blowing smoke and making stuff up.
The guy wasn't trying to be an ass but was trying to learn AD, and the lab is a perfect place for it. We have a lot of VMs in our lab and I didn't know what box he was on when I walked in.
My initial thought was to tell him to look for the admin tools, etc., but after a second I realized not every box has the admin tools installed. Then I thought: look for the AD Domain Services and see if they are started. That thought lasted for a half second. We still have 2003 DCs too, so if he was on one of those then no services.
The answer I gave him was to run:
net share
If the SYSVOL share is present then it is a domain controller.
I started thinking of other ways and reached out to some friends and asked what they would have suggested for this quick question.
One suggestion by my friend Troy was to run:
netdom query dc
I thought that was a good one; team it with hostname so that the person knows the name of the machine and it works great.
My buddy Eric had a good one. It is a bit more involved because it requires the person to know about AD ports...but if they are learning they should know some of these. Use netstat -ano and look for AD ports (88, 389, 3268, and others):
netstat -ano or netstat -ano | findstr /i listening
There are a lot of ways to do this. You could look for SRV records. If ADUC was installed you could have them check there for the DC.
If you look at the drop-down when you log in and it has no local server name, that is another good indication. In this case he was already logged in.
So what answers would you have given? Are there quicker, easier ways that you would have told someone just starting out with AD to check if they are on a domain controller?
Update from Kurt (thanks for your service in the Army...in war zones). I posed this question to a mid-level AD admin. His response was "run dcpromo, it will tell you if it is a DC". That is true and something I didn't think of in the 5 second response. This is why I love AD...so many ways to do something and a lot of great solutions.
My only caveat about this method is that if someone was being careless, didn't read, and clicked next, next and finished the wizard, then they could also be demoting a DC....I'm hoping people using AD can read :)
In the example below the computer is obviously a DC.
Note: The dcpromo method won't work in Windows 2012...because they killed that off...more on that in future posts. I'm guessing very few folks are currently running Windows 2012 in production. Example of start > run > dcpromo on a Windows 2012 DC below.
Update 2: Krzystof had a great suggestion in the comments and that was to use systeminfo:
systeminfo | findstr /i "os configuration"
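Added example, not code from the original post: the manual checks above (the SYSVOL share from net share, the NTDS service) gathered into one function, together with the Win32_ComputerSystem DomainRole value, which answers the question even on a Windows 2003 DC where there is no NTDS service to look at. It uses Get-WmiObject so it runs on the PowerShell 2.0 that ships with 2008 R2; the function name is mine, and remote use assumes WMI and service access to the target.

```powershell
# Added example (not from the original post): is this box a domain controller?
function Test-DomainController {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Win32_ComputerSystem.DomainRole: 0/1 workstation, 2 standalone server,
    # 3 member server, 4 backup domain controller, 5 primary domain controller.
    $cs       = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
    $roleIsDc = @(4, 5) -contains $cs.DomainRole

    # The post's first answer (net share): a DC always publishes the SYSVOL share.
    $sysvol = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
              Where-Object { $_.Name -eq 'SYSVOL' }

    # NTDS is listed as a service on 2008 and later DCs only, which is why the
    # services check falls down in a mixed 2003/2008 lab.
    $ntds = Get-Service -ComputerName $ComputerName -Name NTDS -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        ComputerName       = $cs.Name
        Domain             = $cs.Domain
        DomainRole         = $cs.DomainRole
        IsDcByRole         = $roleIsDc
        HasSysvolShare     = [bool]$sysvol
        NtdsServiceRunning = ($ntds -and $ntds.Status -eq 'Running')
        # DomainRole is the authoritative answer; the other two are the quick manual checks.
        IsDomainController = $roleIsDc
    }
}

# Check the box you are sitting on.
Test-DomainController |
  Format-List ComputerName, Domain, DomainRole, IsDcByRole, HasSysvolShare, NtdsServiceRunning, IsDomainController
```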
Labels:
Active Directory,
quick-hitters
Friday, July 13, 2012
Speaking at Microsoft TechGate Conference on 9/15
This mainly applies to readers that are in the DC, Virginia, and Maryland region as I don't think anyone is going to fly in for this :)
Microsoft is sponsoring TechGate 2012 on September 15, 2012 at their Reston, VA office. There are 15 sessions and five workshops so it should be a good day. It will also not be 100 degrees every day by that time so come out if you can.
You can find more information and register for the conference here:
As you can see I will be speaking about new Active Directory features in Windows Server 2012. I'm really looking forward to it. I'm also hoping to devote 10 minutes at the end to discuss what features folks would like to see in R2 or future versions. That is feedback I'll take back to the AD team during the MVP summit in early 2013.
I'm really looking forward to meeting other members of the DC IT community in a few months.
Labels:
Microsoft News
Monday, July 2, 2012
MVP Award - Year Four
I woke up yesterday to great news that I've been awarded the MVP award in Directory Services for the fourth year. I have previously written blogs with long thank you lists so I won't do that again. Just a continued huge thanks to everyone I mentioned in those two blog entries. I've learned from a lot of people and glad to help others.
My favorite part about being an MVP is the MVP summit and I'm really looking forward to going to Seattle again in the late winter.
This is an exciting time for Active Directory. Windows 2012 is being released later this year. Windows Azure Active Directory is coming online. We will have a lot to learn but that is the fun part for me.
Labels:
MVP Award
Thursday, May 24, 2012
Outstanding Cloud & Identity Talk
I generally don't post videos or presentations as blog entries but this is one I haven't seen posted by a lot of folks and is a must watch for anyone in the Identity, Active Directory, Directory Services field.
The main reason I love this talk is because of the presenter, Microsoft's Kim Cameron. Kim is the Chief Architect of Identity in the Identity and Access Division at Microsoft. In other words, when it comes to anything Active Directory/DS, Kim is "the man".
Vittorio had an excellent blog about Kim (Kim was retiring when that blog was written but has come back and he talked about that in this presentation)
This is Kim's twenty-minute keynote from the European Identity & Cloud Conference 2012.
Some things I liked
- Use the efficiencies of the cloud to enable efficiencies in identity
- The Cloud Motor Runs on Identity
- Identity Management as a service is an inevitability
- There are other vendors who have similar directories...not as good of course :)
There are a lot of people that talk about the cloud and give talks. This is one from a guy who truly knows his stuff. Kim also has an excellent blog entry that goes with this video.
I'm personally excited that AD and Directory Services types can evolve our skills and have work for years to come.
Labels:
AD Legends
Monday, April 16, 2012
New MCSE - Personal FAQs
As most blog readers know Microsoft has brought back the MCSE & MCSA certifications and titles. For those newer to the field the MCSE was one of Microsoft's most popular certifications and tracks. I'm on the AD/Server side of the house so for me this goes back to an MCSE in Windows NT, 2000, & 2003.
With the 2008 tracks Microsoft did away with the MCSE & MCSA and introduced the MCITP and MCTS tracks and certifications.
The MCSE and MCSA are back again but this time they stand for
Microsoft Certified Solutions Expert
Microsoft Certified Solutions Associate
The Microsoft Learning team has put together a nice page with a lot of information.
There are also some good videos on the site and the Microsoft Learning YouTube Channel
There was a lot of great information on the site, but I still had questions and after asking around I noticed others had the same questions. MSLearning has a Twitter Account and that is where I learned a lot more about the new certs and the future. I compiled some of my FAQs here:
MK FAQ 1 : What happens if I have the MCITP:SA do I need to start from scratch?
So that was good news, as you can see the MCITP:SA will automatically receive the new MCSA: Windows Server 2008 Certification.
MK FAQ 2 : What happens if I have the MCITP:EA?
This was interesting because the MCITP: EA and MCITP: SA will both have the same MCSA: WS2008 title. I was hoping for two certs as I have both :)
Note: It was common for people to get both the MCITP:EA and MCITP:SA certifications.
MK FAQ 3 : When will our transcripts be updated?
According to the Twitter conversation above, transcripts should change on April 24, 2012.
UPDATE: Blog reader let me know in the comments that his transcript was updated on 4/17/2012. Nice job by Microsoft getting ahead of schedule.
MK FAQ 4 : What happens to our old certifications?
This one I really like a lot! I like that old certs will enter a legacy state and be stated that way on the official Microsoft transcript.
I also like that new exams and certifications will also retire. It makes people need to stay somewhat current and re-certify. Other companies already use this model, the most famous probably being Cisco.
I know there are going to be cynics out there that remember MCSE's being referred to as "paper tigers" or MCSEs that got their certs through brain dumps and that made us all look bad but Microsoft is definitely moving in the right direction in my opinion.
I'll take an analogy from the Army. Every Army soldier goes through bootcamp and has "basic" skills but there is a lot more training and experience needed to become a Ranger or Special forces and deal with the advanced issues/topics. That is how I look at a lot of these certs (from any company). They are a good step but getting an MCSA or MCSE doesn't mean someone knows everything....it is an ongoing process.
One of my AD Heroes is Joe Richards and he once rated himself a 6 out of 10 in AD. Again it is a lifelong learning process...no one knows it all not even a guy like Joe (love how humble and cool he is)
I'd like to hear from the community. What do you think about the new changes and updates?
Labels:
Certification
Wednesday, April 4, 2012
Security Compliance Manager 2.5 Released
Ned Pyle wrote a blog entry in January on the Microsoft askds blog about Security Compliance Manager 2.5 Beta
The tool has been officially released and is no longer in beta.
From the download center
We are pleased to announce that version 2.5 is released and now available for download from the Microsoft Download Center! Download SCM 2.5 now
I've been testing 2.5 Beta and really glad that it is now out of beta as it will be much easier to get the tool approved for use where I work.
You can read about the key features & benefits on the Microsoft site so I won't copy and paste them again here.
There will be follow up blog posts with more info and screen shots from the tool.
Labels:
Active Directory,
Security
Friday, March 30, 2012
Active Directory Administrative Center Twitter Question
I recently saw a question on Twitter about the Active Directory Administrative Center (ADAC).
Twitter is a site everyone knows, but more and more it is a great place for tech information and sharing in the community. There are a lot of good tweets on Active Directory and links to information. There is also a fair amount of spam/bad links. Those are usually easy to spot though (the picture is a "sexy" model, for example).
Thanks a lot to @SamErde for letting me use his post for this blog.
ADAC was released with Windows 2008 R2. It has gained some traction but currently it is definitely still not the GUI tool of choice for Active Directory administration. AD Users & Computers still wins, but that may change in Windows 8 when features like the AD Recycle Bin and Fine-Grained Password Policies are brought into ADAC, giving both of those features a much needed GUI.
In order to truly test this I created three forests in my lab and created forest trusts between the first forest and the other two forests. I did see TechNet articles saying this could be done, but I like to verify.
I'm not just a blogger; I also work in this world and I know setting up the trusts can be a pain. You have to have the proper ports open, and that is often easier said than done. Become friends with the firewall admins :) You also need to ensure that name resolution is working. I used conditional forwarders to resolve the domain names in DNS. Stub zones and secondary zones would also work.
There are a lot of posts and resources about setting up trusts. If you run into issues, look at the basics first:
- For potential port blockages, tools like telnet, portqry, Wireshark, and Netmon are really good starting points.
- For DNS issues, nslookup is a good place to start troubleshooting (Wireshark/Netmon are good there too).
At this point the forest trusts have been set up and the two-way trusts are functional. The first thing we need to do is to try and add one of the other domains in ADAC.
Screenshot: Add Navigation Nodes in ADAC - Windows Server 2008 R2
I added the screenshot from a Windows Server 8 Beta box just to show that the location for adding the Navigation Nodes has changed.
I'm going to use Windows 2008 R2 for the rest of the examples. I select Add Navigation Nodes, and from there I can add another domain.
Screenshot: Adding a domain in another forest to ADAC via Navigation Node
Once I add the domain from the trusted forest I can now see it in ADAC.
Screenshot: Remote domain from trusted forest now appears in ADAC
That is great, but what does that really get me? I am able to view objects in the remote domain due to the default nature of AD allowing read access to most objects.
I'm not able to make any changes, which is a good thing. The fact that the forest trust exists doesn't give any rights to administer the remote domain.
Notice in the screenshot below, I attempt to update/edit a user in the remote forest/domain. I'm unable to make any changes but can read his info.
Screenshot: Attempting to update a user
Without any rights I can't really do much. In this case I want the same account to be able to manage the objects in both forests.
There are several options here, but I added my admin account into the built-in Administrators group in the remote domain.
Screenshot: My admin account has been added into the Administrators group in the remote domain
After the addition has replicated I then try to update the user account from ADAC again. This time you will notice that the fields are not grayed out and I can make changes.
Wishlist: I would like the ability to add another domain in the navigation node but also specify alternate credentials when I do that. That would be handy if an admin has a separate admin account in the remote forest/domain. I'm still researching that and will update the blog if I find something.
There is a good article about ADAC on TechNet that is worth reading.
What are your thoughts on ADAC? For those at 2008 R2, is it gaining traction in your environments?
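Added example, not code from the original post: the "look at the basics first" checks for a trust scripted, i.e. does the remote domain name resolve (the conditional-forwarder step) and are the ports a forest trust depends on reachable on a DC in the remote forest (what telnet or portqry would show, one port at a time). The domain name in the usage line is a placeholder, the function name is mine, and it uses .NET classes so it runs on PowerShell 2.0.

```powershell
# Added example (not from the original post): name resolution and port reachability for a trust.
function Test-TrustPrerequisites {
    param(
        [Parameter(Mandatory = $true)][string]$RemoteDomain,  # DNS name of the remote forest root
        [string]$RemoteDc,                                      # optional DC to test; else first resolved address
        [int]$TimeoutMs = 2000
    )
    # Fixed ports a forest trust relies on (dynamic RPC ports above the endpoint mapper are not tested here).
    $ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB';
                464 = 'Kerberos kpasswd'; 636 = 'LDAPS'; 3268 = 'Global Catalog'; 3269 = 'GC over SSL' }

    # Step 1: name resolution, the part conditional forwarders / stub zones have to get right.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($RemoteDomain)
    } catch {
        Write-Warning "Cannot resolve $RemoteDomain : $($_.Exception.Message)"
        return
    }
    $target = if ($RemoteDc) { $RemoteDc } else { $addresses[0].IPAddressToString }
    Write-Host "$RemoteDomain resolves to $($addresses -join ', '); testing $target"

    # Step 2: TCP connect to each port with a timeout, one result object per port.
    foreach ($port in ($ports.Keys | Sort-Object)) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open   = $false
        try {
            $async = $client.BeginConnect($target, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) { $client.EndConnect($async); $open = $true }
        } catch { $open = $false } finally { $client.Close() }
        New-Object PSObject -Property @{ Port = $port; Service = $ports[$port]; Open = $open }
    }
}

# Placeholder domain name; replace with the remote forest you are trusting.
Test-TrustPrerequisites -RemoteDomain 'remote-forest.example' |
  Format-Table Port, Service, Open -AutoSize
```

A closed port on this list is where to start with the firewall admins before touching the trust wizard.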
Labels:
Active Directory,
ADAC
Thursday, March 22, 2012
LastLogonTimestamp for Group Members
I was recently working in a secure environment and one of the issues was way too many domain admin accounts. This is not a problem just in secure environments. I've yet to encounter a federal organization that does an outstanding job of limiting the number of domain admins. I've seen Joe Richards write about working at a Fortune 5 company where they ran with less than 5 domain administrators. More and more organizations are trying to limit domain admins. I doubt we will ever get to a point where less than five is the norm but things are getting better...slowly but surely.
The first step the security team took was to identify members of the domain admin group and the last time they logged in. This is a good initial step to remove those that haven't logged on or used their accounts. If someone hasn't used their domain admin account in 120 days or longer then I would question if they need the account.
Some folks on the security team were manually going and using a box that had the additional account info tab from the acctinfo.dll. They were then looking at lastlogon box within the tab and manually entering that into a spreadsheet. I knew there were easier ways to do this so I stepped in to help out.
For this exercise I keyed off the LastLogonTimeStamp (LLTS). The LastLogonTimeStamp can be off by 9-14 days. The link to the askds blog entry on LLTS does a great job of explaining it. If 9-14 days is not acceptable then you would have to query lastLogon on every DC. LastLogon does not replicate and that is why every DC would have to be queried.
For the examples I'm in my lab domain which is mkw2k8R2.com and I only have three users in the domain admin group. I've only logged in with one of those users.
Method 1 - Using ADFIND
Regular blog users will not be surprised to find out that I used adfind from Joe Richards for method 1.
adfind -default -f "memberof=cn=domain admins,cn=users,dc=mydomain,dc=mysuffix" samaccountname lastlogontimestamp -tdc -nodn -csv
Method 2 - Using Quest AD Powershell Cmdlets
Many people that started with powershell and AD years ago are probably familiar with the free AD cmdlets from Quest.
get-qaduser -memberof "domain admins" | select-object samaccountname, lastlogontimestamp
Method 3 - Using Microsoft's AD Powershell v2 Cmdlets
With the introduction of Windows 2008 R2 and Windows 7 Microsoft introduced the AD module for Windows Powershell. There is already a lot of good information about the AD Module for Powershell so I won't go over that here. I also admit I'm not a powershell master/guru.
get-aduser -LDAPFilter "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -Properties lastlogondate | ft samaccountname, lastlogondate
If you noticed, I used LastLogonDate, which is not an actual AD attribute. The AD module derives it for you: it is lastLogonTimestamp converted from its raw Integer8 form into a local DateTime. My friend Richard Mueller had a good writeup on LastLogonDate; see the link and Richard's answer for more info. In short, it is the same information as lastLogonTimestamp, with the same 9-14 day accuracy.
Method 4 - Using CSVDE
CSVDE is what you call an old school tool. Those that have been around AD for years have definitely used the tool at some point. It was around before adfind and powershell.
csvde -f c:\userslogon.csv -r "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -l samaccountname,lastlogontimestamp
One problem with the CSVDE method is how it handles the output. lastLogonTimestamp is an Integer8 (a 64-bit count of 100-nanosecond intervals since January 1, 1601 UTC), and CSVDE exports that raw number rather than decoding it into a date. You will notice that the tools in methods 1-3 decoded the attribute for you.
Elizabeth Greene has a really good blog entry with a formula you can use in Excel to convert the raw value into a readable date.
Notice in the screenshot the difference between the native format in cell C2 and what it looks like after I applied the formula.
Method 5 - Using Repadmin
This method I first saw used in the blog from the AskDS team that I linked to earlier and I'll link to again here.
repadmin /showattr dc1root dc=mkw2k8r2,dc=com /subtree /filter:"(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" /attrs:lastlogontimestamp
I really like methods 1-3 the best. There are other methods that I have not included here, but I figured five is a good start for anyone. Some other things you might see out there:
Other Methods
- VBScript - Richard is the king in this category and if you want to use VBScript I recommend testing his scripts out.
- Powershell v1 without AD cmdlets - remember when I said I was not a powershell guru yet. I'm guessing that is something that can be done but haven't tried to do it yet. The AD cmdlets from Microsoft and Quest both work for me so I try to stick to them.
You can use these examples and modify them if you are looking for other groups. There are other/better ways to identify old/stale accounts in a domain if you want to do it domain wide. More to come on that.
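The following is an added example, not code from the original post, that pulls the methods above together in one script: it expands nested membership of the group (so admins hidden behind a nested group are not missed), decodes the Integer8 lastLogonTimestamp, optionally queries lastLogon on every DC to remove the 9-14 day uncertainty, and flags accounts past the 120-day threshold. It assumes the RSAT AD module is installed and that you have read access to the domain; the group name, threshold and the choice to poll every DC are placeholders.

```powershell
# Added example (not from the original post): audit the real membership of a
# privileged group, including nested members, and flag accounts whose last
# logon is older than a threshold. Assumptions: RSAT AD module, read access
# to the domain; $GroupName, $StaleDays and $CheckEveryDC are placeholders.
Import-Module ActiveDirectory

$GroupName    = 'Domain Admins'   # assumption: group to audit
$StaleDays    = 120               # assumption: threshold used in the post
$CheckEveryDC = $true             # $false to rely on lastLogonTimestamp alone

$groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC walk
# nested group membership server-side. A plain (memberOf=...) filter, as in
# methods 1-5, only returns direct members.
$filter  = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
$members = Get-ADUser -LDAPFilter $filter -Properties lastLogonTimestamp

$dcs = @()
if ($CheckEveryDC) { $dcs = (Get-ADDomainController -Filter *).HostName }

$results = foreach ($u in $members) {
    # lastLogonTimestamp is an Integer8: 100-ns intervals since 1601-01-01 UTC.
    # FromFileTime converts it to local time; 0 or absent means never logged on.
    $llts = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }

    # lastLogon does not replicate, so the accurate value is the newest one
    # held by any DC. Slower, but it removes the 9-14 day LLTS lag.
    $lastLogon = $null
    foreach ($dc in $dcs) {
        try {
            $raw = (Get-ADUser -Identity $u.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
            if ($raw -and ($null -eq $lastLogon -or $raw -gt $lastLogon)) { $lastLogon = $raw }
        } catch {
            Write-Warning "Could not query $dc for $($u.SamAccountName): $_"
        }
    }
    $lastLogonDate = if ($lastLogon) { [DateTime]::FromFileTime($lastLogon) } else { $null }

    # Prefer the per-DC answer when we have it, otherwise fall back to LLTS.
    $best    = if ($lastLogonDate) { $lastLogonDate } else { $llts }
    $ageDays = if ($best) { [int]((Get-Date) - $best).TotalDays } else { $null }

    [PSCustomObject]@{
        SamAccountName     = $u.SamAccountName
        Enabled            = $u.Enabled
        LastLogonTimestamp = $llts
        LastLogonAllDCs    = $lastLogonDate
        DaysSinceLogon     = $ageDays
        Stale              = ($null -eq $best -or $ageDays -gt $StaleDays)
    }
}

# Accounts that never logged on, or are older than $StaleDays, are the review list.
$results | Sort-Object DaysSinceLogon -Descending | Format-Table -AutoSize
```

Run it from any domain-joined box with the AD module; the per-DC loop is the expensive part, so set $CheckEveryDC to $false for a quick first pass and only poll every DC for the accounts you are about to remove.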
I'm really looking forward to hearing from readers and the community on other methods for doing this. If there are better ways to do it in Powershell please leave a comment and I'll definitely update the blog.
Inactive Domain Admins beware....you will be removed :)
Labels:
Active Directory,
adfind,
Powershell
Monday, March 19, 2012
Windows Server 8 AD Cloning, Virtualization, and Snapshots Warning
Windows Server 8 Beta has a lot of nice features. Two features that are getting a lot of buzz in the Active Directory world are the ability to easily clone domain controllers and the ability to safely restore a virtualized domain controller from a hypervisor snapshot.
Using snapshots on current versions of Windows can cause USN rollback and other problems. Mark Ramey from the Microsoft AD team has an excellent blog entry that you can read for more info.
I added the word Warning to the title of this blog because I've seen a few blogs, posts, and articles that may lead people to believe that this can all be done with a few mouse clicks. This is not the case. It is not hard, but there are some major prerequisites and steps that people have to be aware of.
A few screenshots from my lab using VMware Workstation. These options exist in most hypervisor products.
Screenshot: Cloning in VMware Workstation 8
Screenshot: Snapshot in VMware Workstation 8
***WARNING*** You can't just use the GUI and start cloning and taking snapshots without causing issues in a domain/forest with multiple DCs. You can't manually copy the virtual machine files either. VMware Workstation 8 and the current VMware products don't support these features.
To take advantage of these features the virtualization host must support VM Generation ID. The DC reads that ID at boot and stores it in the msDS-GenerationId attribute of its own computer object; if the value changes, the DC knows it was cloned or rolled back and reacts safely instead of replicating stale data. I'm guessing by the time Windows 8 is released all major vendors will support this, but that means most folks will have to upgrade their hypervisor.
Microsoft currently has two really good documents that are a must read for anyone interested in these new features
Test Lab Guide: Demonstrate Virtualized Domain Controller (VDC) in Windows Server "8" Beta
Understand and Troubleshoot Virtualized Domain Controller (VDC) in Windows Server "8" Beta - written by Ned Pyle - Outstanding document!!
I won't repeat the documents, but here are some important sections.
Steps to deploy a cloned virtualized domain controller
1. Create the customized DcCloneConfig.xml file on a source domain controller
2. Detect incompatible programs on the source domain controller
3. Ensure the PDC emulator runs Windows Server "8" Beta, is not the clone source, and is available
4. Authorize the source domain controller for cloning
5. Shutdown the source domain controller and copy its disk
6. Create a new clone virtual machine using the copied disks
7. Start the source and cloned domain controller, then allow cloning to occur
For those that are fans of the GUI
There is no task-oriented graphical management program for VDC cloning in Windows Server "8" Beta; the provisioning steps are performed manually or using Windows PowerShell
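As an added example that is not from the post or from Microsoft's documents, here is the PowerShell side of steps 1-4 above, run on the source DC. It assumes the AD module cmdlets as named in the Windows Server 2012 release (New-ADDCCloneConfigFile and Get-ADDCCloningExcludedApplicationList; that the beta ships the same names is an assumption), that the hypervisor exposes VM Generation ID, and that the clone name, site and IP settings are placeholders for your lab.

```powershell
# Added example (not from the post or Microsoft's documents): the checks and
# the config-file step of the cloning procedure, run on the source DC.
# Assumptions: Windows Server 2012 AD module cmdlet names, a hypervisor that
# exposes VM Generation ID; $CloneName, $Site and the IP settings are placeholders.
Import-Module ActiveDirectory

$CloneName = 'DC2-CLONE'                # assumption
$Site      = 'Default-First-Site-Name'  # assumption
$source    = $env:COMPUTERNAME

# Prerequisite: this DC must already hold a VM Generation ID. The attribute is
# not replicated, so ask the local DC for its own computer object.
$genId = (Get-ADComputer -Identity $source -Server $source -Properties 'msDS-GenerationId').'msDS-GenerationId'
if (-not $genId) {
    throw "No msDS-GenerationId on $source; the hypervisor does not expose VM Generation ID, so cloning is not safe."
}

# Step 3: the PDC emulator must be reachable and must not be the clone source.
$pdc = (Get-ADDomain).PDCEmulator
if ($pdc -like "$source.*" -or $pdc -ieq $source) {
    throw "$source holds the PDC emulator role; clone a different DC or move the role first."
}
if (-not (Test-Connection -ComputerName $pdc -Count 1 -Quiet)) {
    throw "PDC emulator $pdc is not reachable; cloning will fail."
}

# Step 2: list installed services and programs that are not on the clone
# allow list. Anything returned must be removed or explicitly approved in
# CustomDCCloneAllowList.xml before the clone will provision.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    Write-Warning 'Applications not on the clone allow list (fix before cloning):'
    $excluded | Format-Table -AutoSize
}

# Step 4: authorise the source DC. Membership in this group is what grants the
# DC the right to create a clone of itself.
$self = Get-ADComputer -Identity $source
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $self

# Step 1: write DCCloneConfig.xml with the clone's identity and addressing.
# The cmdlet re-runs the PDC and allow-list checks and refuses to write the
# file if they fail. Drop the IP parameters to let the clone use DHCP.
New-ADDCCloneConfigFile -CloneComputerName $CloneName `
    -SiteName $Site `
    -Static `
    -IPv4Address '10.0.0.12' `
    -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' `
    -IPv4DNSResolver '10.0.0.11'

# Steps 5-7 happen in the hypervisor: shut this DC down, copy its disk to a
# new VM, then start both. On first boot the copy sees a new VM Generation ID
# plus DCCloneConfig.xml and provisions itself as $CloneName.
```

The order of the checks is deliberate: the PDC emulator is what issues the clone its new identity, and the allow-list check is the one most people hit first because of agents (backup, monitoring, antivirus) installed on the DC.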
Steps to restore a DC snapshot
1. Take snapshot of DC
2. Create a new Group Policy
3. Validate GP replication (SYSVOL replication)
4. Restore DC Snapshot
You can read the documents to get a lot more info. Ned's document is 162 pages...Ned is the king of documentation and writing :)
As I start using this feature more and eventually use this in production in the future I hope to write more on these features. I won't try to replicate Ned's excellent document but there is going to be more to come.
Labels:
virtualization,
Windows 8 Beta
Thursday, March 15, 2012
HSPD-12 and Active Directory Domains -Documents Updated
Microsoft has updated their documentation regarding HSPD-12 Logical Access Authentication and Active Directory Domains
These documents are probably going to be more valuable to those that support federal customers in the US but they are a good read for anyone planning to deploy smart cards in their environment.
For those not familiar with HSPD-12, in a nutshell it is a mandate for federal organizations to issue common ID/smart cards to their users. This comes into play in the Active Directory arena because the cards are used for logon via two-factor authentication (smart card logon). The two factors in this case are:
- Something the user has - the smart card
- Something the user knows - PIN
Everyone has seen this referenced in the Account tab of a user in AD Users & Computers, as the "Smart card is required for interactive logon" option (the SMARTCARD_REQUIRED bit in userAccountControl).
Those in the military or who have supported US military customers will hear the term CAC (Common Access Card) for their smart cards. Those supporting civilian agencies/.gov will hear the term PIV (Personal Identity Verification) card for their smart cards.
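An added example, not from the post or the Microsoft documents: once cards are issued, the question an auditor asks is which privileged accounts are still allowed to log on with a password. This script lists members of the privileged groups (nested membership included) that do not have the "Smart card is required for interactive logon" flag set. It assumes the RSAT AD module and read access to the domain; the group list is a placeholder.

```powershell
# Added example (not from the post): find privileged accounts that are not
# forced to use a smart card. Assumptions: RSAT AD module, read access to the
# domain; $PrivilegedGroups is a placeholder list.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'  # assumption

# userAccountControl bit 0x40000 (262144) is SMARTCARD_REQUIRED, the
# "Smart card is required for interactive logon" checkbox on the Account tab.
# The LDAP bitwise-AND rule (1.2.840.113556.1.4.803) tests the bit server-side.
$SmartcardRequired = 0x40000
$notSmartcard = "(!(userAccountControl:1.2.840.113556.1.4.803:=$SmartcardRequired))"

$report = foreach ($g in $PrivilegedGroups) {
    $dn = (Get-ADGroup -Identity $g).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN expands nested membership so an admin hidden
    # behind a nested group is still reported.
    $filter = "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$dn)$notSmartcard)"
    Get-ADUser -LDAPFilter $filter -Properties SmartcardLogonRequired, PasswordLastSet |
        ForEach-Object {
            [PSCustomObject]@{
                Group             = $g
                SamAccountName    = $_.SamAccountName
                Enabled           = $_.Enabled
                SmartcardRequired = $_.SmartcardLogonRequired   # expected $false here
                PasswordLastSet   = $_.PasswordLastSet
            }
        }
}

# Anything listed can still authenticate with a password; decide per account
# whether to set the flag (Set-ADUser -SmartcardLogonRequired $true) or
# remove the group membership.
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

One caveat worth knowing before you flip the flag: setting SMARTCARD_REQUIRED makes the DC replace the account's password with a random one, but the account still has an NT hash, and that hash is not rotated again while the flag stays set, so pass-the-hash against a smart-card-only admin account remains possible if the hash is ever stolen.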
You can get the updated Microsoft documentation here:
Kurt Hudson has a good quote about the documents on the Windows PKI Blog
"Included within this document are detailed steps to configure Windows Server 2008 R2 Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), Windows® 7, and Microsoft® Office 2010 to perform traditional UPN based smart card logon, explicit smart card logon (client authentication certificate mapped to multiple accounts), explicit cross-forest smart card logon and NIST SP800-78-3 compliant S/MIME email exchanges."
Smart card/HSPD-12 adoption within agencies varies. DoD has definitely been the leader in this space. There are other agencies that I've been at that are also rolling, but there are also those that haven't even started issuing smart cards to the majority of their users yet. I'm not naming names here :)
Labels:
Miscellaneous,
Security
Tuesday, March 13, 2012
Windows Server 8 Member Server - ADAC Recycle Bin
Windows Server 8 Beta was released a few weeks ago and I understand that many organizations may be hesitant to start deploying domain controllers.
One nice thing is that some of the new features can easily run on a member server or workstation and work fine in your current domains. You don't need to convince anyone about a schema update or new Windows 8 domain controllers right now. Enjoy the new features with no risk (I'd argue there is not a lot of risk in adding a domain controller, but I understand leadership wanting to wait on domain controllers).
One of those features is the AD Recycle Bin GUI. That is a nice addition that system administrators have been asking for since 2008 R2 was released. Your forest does have to be at the 2008 R2 forest functional level to enable the Recycle Bin, and enabling it is a one-way change: once it is on, it cannot be turned off.
Many people enabled and used the AD Recycle Bin in 2008 R2 There are even some 3rd party tools that can help and put a GUI front end around the Recycle Bin. In my opinion the GUI in Windows Server 8 is much nicer and is definitely a reason to add a Windows Server 8 member server now.
In my lab I have a 2008 R2 (forest functional level 2008 R2) Domain Controller and a Windows Server 8 Beta member server.
Screenshot: Windows 2008 R2 domain
SIDE NOTE: As you can see my test domain is named USMCThanksForYourService.mil I've heard there might be some Marines stationed in Afghanistan reading this entry so a heartfelt thanks for all you all do. It takes a lot of courage to be in the military right now and you all are on the front lines. THANK YOU!!
SIDE NOTE II: . Any other military members reading my blog? Leave a comment, I'd love to hear from you.
So people don't think I'm cheating I'll first verify that the Recycle Bin is not enabled by using the powershell command Get-ADOptionalFeature -Filter {name -like "*Recycle Bin*"} If EnabledScopes is empty that indicates the Recycle Bin has not been enabled.
Screenshot: AD Recycle Bin not enabled
I also join the Windows Server 8 Beta machine to the domain.
Screenshot: Adding Windows 8 Server to the domain
Once the server is added to the USMCThanksForYourService.mil domain I have to install the Remote Server Administration Tools (RSAT) feature for Active Directory so I have access to the necessary AD tools and features.
Screenshot: Adding Roles and Features in Server Manager
Screenshot: Adding RSAT Features
Screenshot: Adding RSAT Features Part II
You can now enable the AD Recycle Bin from the GUI instead of the old way using PowerShell. You still need Enterprise Admin rights to do it, and remember that it cannot be disabled afterwards.
Screenshot: Selecting ADAC from Server Manager in Windows 8
Screenshot: Enabling the AD Recycle Bin from the Windows Server 8 member server ADAC
Screenshot: AD Recycle Bin confirmation 1
Screenshot: AD Recycle Bin enabled - confirmation
Just to confirm that the AD Recycle Bin has been enabled: notice that this time the same Get-ADOptionalFeature command yielded an entry in EnabledScopes...success.
A quick tutorial of the new feature now that it is enabled and the member server is up and ready to go.
As you can see there is a user named Dakota Meyer who is in the group "MedalofHonor"
A young contractor was really excited and lost his mind and accidentally deleted the account. Luckily the USMC leadership had allowed this Windows 8 Member Server and Dakota's account would be restored in a few clicks.
Screenshot: In ADAC, navigate to the Deleted Objects container
Screenshot: Notice the deleted user is listed. Right-click on the user for restore options
Screenshot: In ADAC we confirm that the user has been successfully restored
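As an added example that is not from the post, here is the same enable-and-restore workflow from PowerShell, which is what you fall back to when no Windows Server 8 member server is around. It assumes the RSAT AD module, Enterprise Admin rights for the enable step, and a forest at the 2008 R2 functional level or higher; the user name is the post's lab value and is a placeholder.

```powershell
# Added example (not from the post): enable the Recycle Bin (if needed) and
# restore a deleted user from PowerShell. Assumptions: RSAT AD module,
# Enterprise Admin rights, forest functional level 2008 R2+; $TargetUser is
# the post's lab account and is a placeholder.
Import-Module ActiveDirectory

$TargetUser = 'Dakota Meyer'   # from the post; placeholder

$forest = Get-ADForest
if ([int]$forest.ForestMode -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest functional level $($forest.ForestMode) is below 2008 R2; the Recycle Bin cannot be enabled."
}

# Same check as in the post: an empty EnabledScopes means not enabled.
$feature = Get-ADOptionalFeature -Filter { Name -like '*Recycle Bin*' }
if (-not $feature.EnabledScopes) {
    # Irreversible: once enabled, the Recycle Bin cannot be turned off.
    Enable-ADOptionalFeature -Identity $feature `
        -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain `
        -Confirm:$false
}

# A deleted object keeps its attributes and lastKnownParent for
# msDS-DeletedObjectLifetime (180 days by default). After that it is
# recycled and can no longer be restored. The deleted object's name has
# "\0ADEL:<guid>" appended, hence the wildcard match.
$pattern = "$TargetUser*"
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -like $pattern } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

foreach ($obj in $deleted) {
    "Deleted: $($obj.Name) (was in $($obj.lastKnownParent), deleted $($obj.whenChanged))"
    # Restores to lastKnownParent. If that OU was deleted too, restore the OU
    # first or pass -TargetPath to put the user somewhere else.
    Restore-ADObject -Identity $obj.ObjectGUID
}

# Verify the account and its group memberships (e.g. MedalofHonor) came back.
Get-ADUser -Filter { Name -eq $TargetUser } -Properties MemberOf |
    Select-Object Name, Enabled, @{ n = 'Groups'; e = { $_.MemberOf -join '; ' } }
```

The reason to prefer the Recycle Bin over an authoritative restore is the last line: link-valued attributes such as group membership come back with the object, which is exactly what a tombstone reanimation would lose.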
Labels:
Windows 8 Beta