My blog about Active Directory and everything else

Goodbye Old Friend

2012-02-03T09:52:00.000-08:00

Last night I had to do one of the toughest things any pet owner ever has to do and that is to make the decision to put my cat down.

My cat was 20 years old and I'd had her for the last 12. She was battling the final stages of kidney failure and had deteriorated badly over the last few days. She also had a small mass in her stomach that was probably cancer. I could have tried to give her more time by giving her IV fluids at home but nothing was guaranteed and I didn't want to put either of us through that.

Growing up I always thought of myself as a dog person. My good friend John and his wife were starting a family in the late 90's and had two cats that they could no longer give all their attention to. I'm not sure how the discussion happened but my brother and I took them both in. At the time we were living in a shitty apartment but had room for them. It ended up being one of the best decisions I've ever made.

Growing up as dog owners we didn't know what cats were like but they both ended up being really great pets. Cats are definitely easier than dogs to take care of and yes although they worked and played on their schedule they still gave the same unconditional love that any beloved pet gives. That is probably the greatest thing about a pet. You give them some attention and care for them and they return it back ten fold.

Max is one of the final links to my youth. When we got her I was recently out of the Army. My brother and I were both starting out with entry level jobs at the time and 12 years later so much has changed but Max was the one constant and I'll miss that a lot. Looking back Max and her sister who died four years earlier taught me that I'm actually a dog & cat person.

I don't know when or if I'll get another pet. Losing them is so tough. I hate going through this every time but I remember all the good years.

My girlfriend Michelle went with me last night and I can't repay or thank her for doing that. It's tough times like that when you really see what a person is made of and she was there for me. Also a special thanks to Dr. Reese at TLC in Leesburg, VA Dr. Reese is a cat owner and lover herself and was very caring and compassionate with Max until the end. I have no idea how Vets deal with that day in and day out but I'm very glad there are those that go into that profession.

Goodbye Old Friend...Thanks for always being there.

Max
1992- Feb 2, 2012

Find Non Replicated Attributes in Active Directory

2011-10-18T11:01:00.000-07:00

The quick hitter series is back and this entry was inspired by a colleague (thanks Funk!)

If you are querying AD you may get inaccurate results if you are querying an attribute that is not replicated between all domain controllers. Two common attributes I see people having issues with are lastlogon and whenchanged. The issue here is suppose you query for lastlogon and get a value. That may not be accurate as there may be a newer value on another DC. On a side note for that issue lastlogontimestamp is usually good enough for most folks...but I digress.

Is there a way to find what attributes are not replicated between DCs? The answer to that is yes and there are various methods to find this information. I once again go to the great ADFIND tool from MVP Joe Richards Joe was recently awarded the MVP for the 10th straight year and that is well deserved.

Adfind has a ton of great shortcuts and one of them is to find non-replicated attributes.

adfind -sc norepl cn -nodn

I only outputted the cn of the object and didn't need the distinguished name so left that off with -nodn

You can see part of the output below. Notice the whenchanged attribute that was mentioned earlier.

systemFlags contains a flag that defines if an attribute is replicated. As you can see in the link if the value 1 is applied to an attribute it will not be replicated. So you could also get fancy with adfind and do something like

adfind -schema -bit -f "&(objectclass=attributeschema)(systemflags:AND:=1)" cn -nodn

That should give you the exact same result as the previous command. I'd personally always go with the shortcuts...they are there to make things easier...thanks Joe :)

Windows Server 8 - GUI on GUI Off

2011-09-26T12:17:00.000-07:00

Before I start I'd love to hear comments on this feature in Windows 8. Do you all think it is a feature that will be widely adopted?

This entry is about a new feature in Windows Server 8. The ability to turn on and turn off the graphical shell.

Prior to Windows 2008 there was no Windows OS that didn't feature a full GUI. Linux folks would often criticize Windows admins for not being talented around the command line. That was true to some extent but there are a lot of Windows admins/engineers who are comfortable around the command line but there were tasks that could only be done via the GUI or were much easier from the GUI.

In Windows 2008 a new feature was introduced called server core

The Server Core installation option is an option that you can use for installing Windows Server 2008 A Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those server roles

Server core was intimidating to a lot of Windows admins not used to administrating or configuring servers from the command line.

Server core was also available in 2008 R2 and introduced a tool called sconfig which made configuration much easier. Other features such as powershell were also added in 2008 R2.

There was no way to convert a server core to a full server if there was a feature that needed to be installed that core didn't support. I'm not sure what the server core adoption rate was. I've seen people speculate 10-15% but have not seen official numbers from Microsoft.

There are a lot of beneifts to server core including greatly reducing the number of reboots and patches needed. MVP Brian McCann has an excellent blog entry on Server Core with stats.

“In some cases, customers can see up to a 60% reduction in patch requirements and the number of reboots on a monthly basis” These are the numbers that back up statements such as that.

Server core is still an option in Windows Server 8.

However for those that still are not comfortable with core there is an option to remove the GUI from a full installation of Windows 8.

As Ned Pyle pointed out in the comments of this AskDS blog this feature is not quite server core. Meaning using these steps doesn't turn your server into core but it does remove many of the GUI features. You will no longer need to worry about admins surfing the internet from your servers. This may end up being the preferred method for deploying Windows Server 8....time will tell.

I first noticed the Server Graphical Shell in the Features list in Windows Server 8. I had not seen this feature in the past.

The feature can be removed by just clearing the check box in the roles and features wizard from server manager.

I've unchecked the box in order to remove the Graphical Shell.

After the server is rebooted and comes back up the GUI shell is gone. Server manager is still available. Things like the MetroUI are now gone.

For fun I tried to surf the net using Internet Explorer

Items like the MMC and snap-in can be added. The server can also be manged remotely.

Suppose an admin later decides later that they want this feature back. It is just as easy as removing except this time the box is checked to add the feature

After a reboot the GUI shell is back.

For those that prefer PowerShell this can also be done in a few lines via PowerShell

I import the server manager module and viewed the features (not required)

From there it is as simple as remove-windowsfeature server-gui-shell

Adding it is just as easy...you guessed it

add-windowsfeature Server-Gui-Shell

Again I'd like to hear comments on this feature. Was it needed since we already have server core or is this a nice middle ground that will be widely adopted?

Thanks for reading.

Windows Server 8 - DNS Management Console

2011-09-21T09:08:00.000-07:00

I have to begin this post with the normal caveat that this is only the developers preview build that I'm testing with and things may change.

When I promoted my Windows Server 8 to become a domain controller I also installed DNS. As most people know AD has to have DNS in order to work. Most places use Microsoft DNS but you can also use BIND and others but I decided to stick with Microsoft.

After the DC was installed and rebooted I was able to access all the normal AD management consoles such as AD Users & Computers, Sites and Services, Domains and Trusts, AD Administrative Center and others.

I went to look at DNS and could not load the DNS management console.

I verified that the DNS feature had been installed.

I tried to add the DNS console via the MMC snap-in but it was missing.

I tried to run the dnsmgmt.msc command and again no luck

This could not be right and I had to be missing something. I decided to go look into the roles and features. Once again I verified that DNS was installed

I went into the features and looked at the Remote Server Administration Tools(RSAT) settings. I noticed that the DNS Server Tools were not checked/installed.

I checked the box to install the tools and just had to verify and install. This feature did not require a server reboot.

I once again tried to add the DNS tools via the MMC snap-in and this time voila it was there

I verified that dnsmgmt.msc would also work from the command line.

As you can see below the DNS management tools are now accessible and this is what it looks like in Windows Server 8 Developers Preview.

Windows Server 8 - Schema Version Quick Hitter

2011-09-20T14:10:00.000-07:00

After being put on ice the quick hitter series is back.

I downloaded one of my favorite active directory tools called ADFIND from MVP Joe Richards

So far adfind seems to work great with Windows Server 8. I have not tested every switch but so far so good.

I really like the adfind shortucts and it is a great way to do things like quickly find the schema verision. adfind -sc schver

As you can see the schema version in Windows Server 8 is 51

There are other ways to find the schema version if you don't have adfind installed. Santhosh has a good blog entry where he outlines other methods such as adsiedit and dsquery.

If you are keeping track or are asked in a trivia/interview situation here are the AD schema versions throughout the OS Versions

Windows Server 8	51
Windows 2008 R2	47
Windows 2008	44
Windows 2003 R2	31
Windows 2003	30
Windows 2000	13

Windows Server 8 & VMware Workstation

2011-09-16T12:08:00.000-07:00

In a previous post I outlined installing Windows Server 8 Developer preview and all the current testing and screenshots have been done in a virtual box environment.

I also run VMware workstation and was running VMware workstation 7.1. I currently don't have a dedicated Hyper-V box at home but that will change in the future when I'm running Windows 8 as my desktop OS.

I tried installing Windows Server 8 on VMware 7.1

Initially it looked like it was going to start installing. Since Windows 8 was not an option I chose Windows 2008 R2 as the OS.

As you can see I also tried Windows 7 with no luck. I also tried other scenarios and they all didn't work. I figured this was a pre-beta release of Windows 8 so no big deal but I was a bit disappointed. If anyone has gotten this to work please comment.

On Septmember 14 VMware released Workstation 8

I decided to spend the $99 for the upgrade. Once I received the verification email I went to the download site and noticed there was only one executable for the full version and no upgrade version.

I wasn't sure if the full version would work or even let me download it. The VMware workstation team on twitter was really helpful and let me know to install the full version. It would uninstall 7.1 and then install 8.0 without losing any virtual machines. That worked fine so now the moment of truth would VMware workstation 8 support Windows Server 8 Developers Preview.

I started off with a typical install

This version still could not detect the OS but I'm guessing that will change in future release and as Windows 8 gets close to RTM.

I chose Windows Server 2008 R2 as my guest OS.

There is no license key for this version of Windows 8 so that is left blank.

I named my machine and set the location. I just use an external drive attached via USB 3.0. I would like a better storage system but I also don't want to break the bank.

I gave myself 40 GB and finished the process of configuring the virtual machine.

After reboot I was stuck in an endless loop telling me that the product key could not be read from the answer file. This had me worried as there is no product key

The endless loop was no fun so I shut the machine down and looked at the configuration again. I noticed the floppy drive there and I definitely don't need that. I removed the floppy drive

After removal of the floppy drive the installation proceeded with no issues.

There are some features such as cloning that I like in VMware that I don't get in Virtualbox but both are adequate for testing Windows 8 right now.

Thanks to the @vmw_workstation guys for their tips.

The normal caveat applies and that is that this is still a pre-beta release of Windows 8....but have fun.

Not sure if I'll be going to VMware workstation 9 down the road. I may have all Windows 8 boxes with Hyper-V by then :)

Windows Server 8 - Fine-Grained Password Policies

2011-09-15T12:05:00.000-07:00

BACKGROUND

In the old days (Windows 2000 and Windows 2003) an Active Directory domain could only have one password and account lockout policy per domain for domain accounts.

The group policy with the password settings had to be linked at the domain level(common method people used was to set the policy in the default domain policy).

What options where there if you wanted a different policy for certain users or certain groups? For example what if you wanted service accounts to have a stricter policy? There were not many options. Organizations could try and create their own filter (not recommended) or use a third party tool (not native, not cheap, and needs plenty of testing).

In some cases organizations would create a new domain because they wanted different policies. I was never involved in a new domain just for a password policy but I've heard of it happening.

PASSWORD POLICIES IN WINDOWS 2008

Microsoft introduced a new feature in Windows 2008 called Fine Grained Password Policies (FGPP). The domain functional level has to be at Windows 2008 for this feature to work.

FGPP's allowed organizations to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of groups and users in a domain.

The link above is a step by step guide for configuring FGPP's. There are also some other good FGPP references that I refer to.

Sean's FGPP Walkthrough
Florian's Windows Server 2008 And Its FGPP's
Florian's How To Create FGPP Setting Objects

As you can see in Florian and Sean's great blog entries setting up fine-grained passwords was not the easiest thing to do. Admins had to use ADSI Edit to configure it and the entire process was not admin/user friendly.

There were some third party tools that could make this process easier but again that involved another tool.

WINDOWS SERVER 8 FGPP IMPLEMENTATION

As noted in my previous post there are a lot of improvements in Windows Server 8. Once again a feature is now exposed using the Active Directory Administrative Center (ADAC).

To start open ADAC and navigate to the System container. From there navigate to the Passwords Settings Container and right click and select New > Password Settings

As you can see I named my Password Setting Object(PSO) and I set a precedence level. Precedence is used if there are multiple PSO's applied, the lower precedent will win. I'd try to limit the number of PSO's in a domain.

I've set the minimum length at 14 which is more stringent/strict compared to my normal domain policy which is 8 characters. I want the service accounts to have stronger passwords.

Next I'm going to select "Add" in the Directly Applies to box. In this example I am going to apply the PSO to a group named ServiceAccounts. I could have also selected user accounts here.

Once I'm done with creating and applying the PSO to the group I can verify that the password is set. I navigate to my Service account user that is a member of the ServiceAccount group. I right click and select "View resultant password settings"

The resultant password setting box is presented. It returns the Service Accounts PSO that I created.

There is also another option for user accounts. In ADAC you will notice a Password Settings pane.

PSOs can be directly assigned to user accounts. I'd recommend using groups when possible but the option is there.

So now the PSO is created in applied...but does it work. Can I still use an 8 character password for this account? If it worked correctly the 8 character password should no longer be accepted. I tried a 10 character complex password

Success Full Success!! It would be nice if the error message was more verbose. For example telling the user that they need a 14 character password based off the PSO settings.

One other area I think admins will continue to ask for is the ability to have a different password policy per OU (not just users and groups).

They can't get every feature into every release but this is a huge step forward. Nice job Microsoft AD Team! I think this will help organizations and now more folks will use FGPP. (just remember the domain functional level has to be at 2008 or higher)

Also remember this is a pre-Beta release so things can change. Having said that Steve Ballmer said over 500,000 copies have already been downloaded....the WIndows 8 buzz is on for sure :)

Windows Server 8 - Active Directory Recycle Bin

2011-09-14T13:30:00.001-07:00

The active directory recycle bin was a welcome addition in 2008 R2. Prior to Windows 2008 R2 there were no easy ways to fully restore an AD object and keep all their attributes intact.

There was the system state/authoritative restore method
There was the tombstone reanimation method that didn't restore all the attributes but it was fast.
There were also some third party tools that could help.

So the options were not great and recovering deleted objects could be a pain. Admins rejoiced when they first heard of the AD recycle bin. The forest functional level had to be at Windows 2008 R2 but it was a major incentive to get there.

The AD recycle bin had to be enabled using Powershell and objects could only be restored using Powershell. Microsoft released a good AD recycle bin step by step guide for 2008 R2

Ned Pyle from the Microsoft AD team also had a great blog entry on the askds blog

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting
Notice how to enable the feature and restore objects.

There were third party tools that put a GUI wrapper around the recycle bin but I'm referring to a native build.

So as you can see the AD Recycle Bin in 2008 R2 was very good step forward but it could be better. The Microsoft AD team heard the need for improving the feature and the feature has been improved.

It gets much better in Windows Server 8. The Active Directory Administrative Center (ADAC) has a lot of improvements and one of the big ones is being able to restore objects from the GUI. Powershell still works too but this will be easier for a lot of folks.

The AD Recycle Bin can now be enabled from ADAC

It can also be enabled by right clicking the domain and enabling it there

Warning alerting the user that once the Recycle Bin is enabled it can't be disabled...no turning back.

Note: In a production Windows Server 2008 R2 domain at Microsoft, the Active Directory Recycle Bin feature increased the size of the AD DS database by an additional 15 to 20 percent of the original database size.

I'm guessing those stats are still accurate and will update the blog if I find out anything new.

Once the enable recycle bin is chosen and the changes have replicated then the feature will work after a refresh of ADAC.

I have a test user with many attributes populated and a member of a group that I'm going to delete.

So now the user is deleted but how do I get it back. In ADAC I navigate to the Deleted Objects Node. As you can see the deleted user is there. I can right click and restore the object, restore to another location, locate parent, or view properties.

The deleted objects node in ADAC is the new hotness :)

As you can see I restored the object back to its original location and it is back with all attributes populated.

Anyone who has been in a pressure filled situation trying to get a user or object back in a hurry (especially if a VIP is involved) will really like this.

There will be follow ups to this post about other new features in ADAC and other test scenarios. Job well done Microsoft AD Team!!

Windows Server 8 - Active Directory DCPROMO error

2011-09-14T09:15:00.000-07:00

In my previous post I went over installing my first Windows Server 8 box.

Since one of my skill sets is Active Directory my next step was to promote this box to become a domain controller.

As noted in the previous post this is an early pre-Beta release so there are going to be features that are not fully developed.

During dcpromo you can select your domain and forest functional levels.

Initially I was ready to go straight to Windows Server 8 levels and why not, it is a lab and we are all learning at this point.

Windows Server 8 Functional Levels selected

Before dcpromo completes a prerequisite check is conducted. As you can see I receive an error

The error is

The specified value '5' is not valid for the argument 'Domain level'

I then went back and changed the functional levels to 2008 R2

Once that is done the promotion did complete and I now have my first Windows Server 8 Domain Controller.

This is a known bug so no reason to report it up the Microsoft chain. Again...this is an early pre-Beta release.

Enjoy and have fun with your new Windows Server 8 Domain Controller :)

Installing Windows Server 8 Developer Preview

2011-09-14T07:18:00.000-07:00

The Microsoft BUILD Conference is happening this week out in California.

Microsoft is using this conference to mainly talk about the next version of Windows which is Windows 8. There have been some leaked copies of Windows 8 but this week Microsoft released the first official release.

The release is a pre-beta released called the Developers Preview and it is not feature complete and still has some things that need to be fixed but it does give us an image to download and start testing and having fun with.

You can download the image from Microsoft.

I don't have a dedicated hyper-v box at home so I'm using VirtualBox I did try and install it using VMWare Workstation 7.1 but had errors. I may write another blog just on that experience. Again important to note again this is an early version.

If you are running Windows 7 you can also boot into Windows 8 and Scott Hanselman has a great blog entry on setting that up.

Guide to Installing and Booting Windows 8 Developer Preview off a VHD

I personally prefer virtual machines so that is the method I used.

So off we go for the screenshots of the install

Three Options to select from; for this initial install I'm going with the full install. Future posts will focus on the Server Core and Features On Demand versions.

Obligatory EULA which I fully read :)

Choose Custom (advanced installation)

I usually use around 40 GB for my virtual machines but you technically only need 32 GB of disk space. Additional information on the system requirements can be found here:

Windows Server 8 Developer Preview - System Requirements

The familiar installing Windows dialogue box. Glad some things don't change.

Getting close to being finished.

Enter a password

Moment of truth has arrived, initial screen for Windows Server 8. It gets me excited as I know I'll be spending years of my life using this OS but this is my first install.

There are two screens you will see when initially working with Windows 8. The first is the MetroUI that a lot of people have seen in previews on the Windows 8 blog and other sources. This is the tile interface

MetroUI GUI in Windows Server 8 Developers Preview

You can use the Windows Key to get to the more familiar desktop

It is a new OS with a lot of graphical changes that are going to take time to get used to it. For old timers over 35 like me the transition from NT to Windows 2000 was also dramatic. Remember going from server manager and user manager to AD Users and Computers.

I'm guessing there is a Group Policy to disable MetroUI and that will be a future posts but for now I'm leaving it on and getting used to it.

Group Policy for Beginners

2011-04-28T08:10:00.000-07:00

I previously blogged about resources to learn more about Group Policy.

Microsoft released a 26 page document today titled

Group Policy for Beginners

Looks really good, and a great way for those new to group policy to start learning. I still recommend the books and links that I previously outlined.

I know not everyone that works with AD also does Group Policy work but a large majority do.

Thanks

Mike

Microsoft Premier Field Engineering Platform Reporting Tool

2011-03-09T08:47:00.000-08:00

Microsoft has released an updated MPS Reports Tool.

Microsoft Premier Field Engineering Platform Reporting Tool

If you open a call with Microsoft you will often be told to upload the MPS reports. The reports can take a while to run to I always recommend running them before hand or as you are calling.

Password Hotfix from Microsoft site not working

2011-02-14T13:57:00.000-08:00

Just wanted to post this for those that are not on the AD/TechNet Forums daily

This is just a repost from the moderators; I'll update the blog posting when the issue is fixed

Password for hotfix downloaded from Microsoft website is not working

When you try to download a hotfix from Microsoft web site, the hotfix may not be able to be extracted properly with the password included in the email from hotfix@microsoft.com.

We apologize for the inconvenience that this issue may have brought to you. Microsoft is aware of this problem and is trying our best to fix it as soon as possible. You may wait for a while and then try to download hotfix again. If it’s urgent, please contact us by calling:

ITPro 800-936-4900
Consumer 800-936-5700

Or visit http://support.microsoft.com for regional support phone numbers. Hotfix request is free of charge.

When this issue is resolved, we will also update it in the forum.

THANK YOU AGAIN - MVP Award

2010-07-02T08:12:00.000-07:00

I found out yesterday that I was awarded the MVP for Active Directory/Directory Services again.

I thanked the world last year so I won't do that again but just read that post and I'll say "ditto".

The first year of being and MVP was really great with the highlight definitely being the MVP summit and I'm looking forward to that again in early 2011.

Thanks to everyone on the TechNet Forums and the Experts Exchange forums that helps and contributes to this great community. I try my best to help but I also learn a ton which is great for me.

Also again thanks to all the smart people within Microsoft and the MVP community that inspire me. People like joe, Laura, Brian D., Jorge, Sander, Mark P, Paul, Marcin, Chris D, Meinolf, Brandon, Dean, Florian, Darren, Eric J, Crandall brothers, Mark H, Rick S, etc....the list goes on and on and on.

Thanks to everyone again and see you all here on the blog or on one of the forums.

ADMT 3.2 Released!!

2010-06-18T18:31:00.000-07:00

Those that are on the various message boards or are thinking about an upcoming migration then this post is for you.

ADMT 3.2 has been released

Active Directory Migration Tool version 3.2

The key thing from that page is this:

Supported Operating Systems: Windows Server 2008 R2

So you can now run ADMT on a 2008 R2 box. Now time to migrate :)

If you live near Atlanta, GA and like AD

2010-05-17T18:27:00.000-07:00

Gary Olsen's Atlanta Active Directory User Group is teaming up with three other Atlanta user groups to present

TechStravaganza 2010

The Free event is on Friday June 4th, 2010 and has some really great speakers including Active Directory MVP Sean Deuby and Group Policy MVP Jeremy Moskowitz

I wish I wasn't ten hours from Atlanta but I highly recommend anyone in the vicinity go to this great event. Free food, great topics, and a training day...can't beat that :)

You can find the entire agenda here

New DNS PowerShell Module

2010-03-30T07:18:00.000-07:00

My friend Chris Dent has realeased a new DNS module for powershell.

DnsShell - Alpha Release

Chris is one of my favorite people on the boards and he knows a lot about Power Shell, Active Directory, and DNS and he is once again proving why he is such an asset to the community.

If you have some time test it out, I know Chris would like the feedback.

Thanks

Mike

Repadmin Whitepaper - another great updated document

2010-03-16T11:21:00.000-07:00

Yesterday I mentioned the updated Forest recovery whitepaper.

Today Microsoft has released another update to what I consider one of the most important AD related whitepapers.

Troubleshooting replication with repadmin

This document describes how to use the Repadmin.exe tool to monitor, diagnose, and troubleshoot common replication problems in your Active Directory environment.

Updated with new commands for managing read-only domain controllers in Windows Server 2008 and Windows Server 2008 R2

While the forest recovery paper is important many of us thankfully won't have to deal with a scenario where every domain controller in the forest goes down.

Repadmin and troubleshooting replication is key in any active directory domain. That is why I think this is one of the must have white papers on any AD admin/engineers desk.

...and to my employer...yes this is one white paper that I had to print out :)

Thanks

Mike

Updated Microsoft Forest Recovery White Paper

2010-03-15T13:10:00.000-07:00

I haven't read this entire document all the way through yet but I'm going to. Disaster recovery is something that most of us don't practice or plan for enough.

Planning for Active Directory Forest Recovery

"This paper is a best-practice recommendation for recovering an Active Directory® directory service forest, if forest-wide failure has rendered all domain controllers in the forest incapable of functioning normally. The steps, which you must customize for your particular environment, describe how to recover the entire Active Directory forest to a point in time before the critical malfunction. They also ensure that none of the restored domain controllers replicates from a domain controller with potentially dangerous data."

Guido Grillenmeier and Gil Kirkpatrick also have a really great AD disaster recovery whitepaper that is worth reading (published with NetPro was still around).

Thanks

Mike

THANK YOU SECRET SERVICE - ID Theft Old School Style

2010-03-05T12:25:00.000-08:00

I wanted to take a moment and dedicate an entry to thanking the US Secret Service.

Those that know me in “real life” know that my apartment was robbed in August of 2008. It sucked liked you can imagine. To come home after work and have every electronic device and other items gone and having the place totally trashed obviously sucks.

At the time the local police didn’t find the person that did it and closed the case. They let me know in a letter.

Fast forward to last month and I received a message from a secret service agent in the Washington D.C. field office telling me that I’m potentially a victim of ID theft. Like most people that come to this blog I’m fairly good at protecting private information on my computer. I run security measures and have anti-spyware/virus running. I use complex passwords, etc. So my first thought went back to the robbery.

When the agent called me back he told me that they had found some of my old military documents and student loan documents during a raid on a local house. It turns out the guy that robbed me had gone and stolen the master key from several apartment complexes and then broke in after that. I always thought it could have been inside job from someone that either worked or had worked for the apartment complex because there was no forced entry but now I found out why it was so clean.

In the immediate aftermath of the robbery I knew all my physical stuff was gone but I didn’t realize that he had taken my documents. There was crap all over the place and every drawer was dumped (like you see in a movie or TV show) so in terms of documents I didn’t know what was missing (mistake 1)

However that day I did remember all the lifelock commercials and signed up for their service within 30 minutes of the robbery. Some things I wish I would have done differently now looking back and hopefully lessons learned for people reading this.

Scan and backup all important documents and take those backups off site or backup to the cloud (many services available). I did backup to encrypted hard drives but those were all in my apartment. One of the things that saved me is that he didn’t take my external hard drives. All three he just unplugged and tossed to the ground but he may have not known what they were. (if he would have taken those it would have been a much harder thing to deal with)

Get renters insurance if you live in an apartment. My number 1 mistake in my opinion. I thought that because I lived in a decent neighborhood I didn’t need it and never got it. It was only around $125 a year once I got it after the robbery

Take an inventory of all your documents. I had documents in some file folders in different places and that is why I didn’t realize they were missing. I didn’t have good inventory control

If you can afford an alarm system get one; but what I’ve realized is just a siren is probably good enough. The local police don’t come to alarm calls with lights and sirens unless there is eminent danger. I once made it home in 20 minutes during a false alarm (I got an alarm system after the robbery). I beat the cops to the place. I understand why they don’t come with lights/sirens but the robber won’t know if the alarm system is armed or not.

If you can’t afford an alarm system or don’t want to pay just get the stickers and put them up. Easy enough to get them from eBay

Sign up for some sort of monitoring service. I went with lifelock because that is what I could remember the day I got robbed but there are a lot of good companies that do this.

Encrypt anything you don’t want seen if your computer gets stolen. I don’t encrypt everything (for instance my music); but documents and anything of real value gets encrypted

Get some sort of small safe for important documents (passports, birth certificates, etc). These are not super expensive. For an apartment you can get one fairly cheap. It may not bolt to the ground and he may have taken it but it would have been hard for this amateur to break into it.

The one thing I’m still torn on is a gun. I didn’t have one in the apartment because I thought anyone that broke in while I was there would get to me before I could go for the gun (small one bedroom). This guy also went through every nook and cranny of the place and would have found the gun if I had it out. What if I would have walked in on him during it and he had my gun…could have been ugly. If I would have had it in a safe then he would have taken the safe but that would have been much safer.

So far it looks like my ID hasn’t been stolen or used. I’m still monitoring the situation and have put out alerts to my creditors.

The secret service agent was very cool and is going to get my documents back to me. He also told me the local police are going after the guy on all the robbery charges but the secret service is going after him on Federal charges for the ID thefts. The agent said “we hope to put him in jail for a long time”. Again THANKS to this agent and the entire secret service!!

I hope no one that reads this ever has to go through a robbery but in the end the important thing is that people are safe and things can be replaced (I know that is a cliché but it is true)

...last but not least, if anyone knows how to get fingerprint dust out of a carpet please comment and let me know :)

Great new Microsoft/AD Blog

2009-11-12T10:20:00.000-08:00

My friend Rich and his brothers Jared and Chris have started a really great blog that deals with Active Directory and Microsoft technologies. I highly recommed adding this blog to your reading list or favorite RSS reader.

http://cbfive.com/blog/

They already have a good number of entries up so enjoy and I'm sure you will agree that Rich, Jared, and Chris have done a really great job.

Congrats CB5!!!

My Friend Wrote a Book

2009-10-22T13:25:00.001-07:00

This is one of my non-technical posts...I know I know I need some current tech content...coming soon I promise :)

I have a biological brother very close in age but growing up I also had another really good friend that I considered (and still consider) to be just as much of a brother to me.

He wrote a book this year about the journey of his family and specifically a small town called Howardsville

Kevin JOB WELL DONE!! I know this was something you have wanted to do for years. It is a huge accomplishment to write a book. I have issues writing blog entries and you finished an entire book!!

The book is called HOWARDSVILLE: The Journey of an African-American Community in Loudoun County, Virginia

The local newspaper also wrote an article about the book earlier this year

Article on Howardsville and Kevin's book

A few things not mentioned in that article. They do mention Kevin's Uncle Richard. What they don't mention there is that Richard never made the trip home from Vietnam. He made the ultimate sacrifice for our country. I didn't realize growing up what a big deal that was but now after serving I do know.

The author also mentioned that Kevin and I probably would not have the close friendship if we would grown up in a different era. That is probably true and it is a shame that it was like that for so many years but I really think things are changing for the better. We still have a ways to go but progress has been made.

I can still remember in high school having the most honest discussions about race and it really opened my eyes. I'm definitely a better person for having Kevin as a friend/brother all these years.

So Kevin time for you and the family to move back from Bermuda :)....again Great Job on the book and when do I get a signed copy hahaha

...ok back to thinking about technical content

Geek Network In Europe

2009-10-02T12:23:00.001-07:00

My friend Eric went over to Germany for a customer visit and met up with one of our friends in the AD community. Anyone that reads my blog should know and follow Florian's blog too.

Not only are these guys some of the best Active Directory guys around but really cool people and good friends.

Check out Florian's post and pictures

The Geek Network at the Volksfest

New blog posts also coming from me...been very busy lately.

Thanks
Mike

Extend the AD Delegation Control Wizard

2009-08-24T10:32:00.000-07:00

I often see questions in the newsgroups about wanting to delegate control of AD. An example of this would be to delegate control of an OU for example.

Delegation is important because you don't want to just give any "admin" user domain admin rights. They key is to try and limit domain admin and other elevated rights.

There is a delegation of control wizard that is started by right clicking on the OU (I'll be using an OU for this entire blog entry example)and selecting Delegate Control

When you run the wizard you get 11 choices by default at the OU level:

Where does this list of tasks come from and can it be extended?

That list is built from a file called delegwiz.inf That file is located in the \Inf folder. In my case it is in c:\windows\inf.

That file can be modified and Microsoft has a great article that gives you a new file to use and outlines the steps required to make the modifications. That is part of their Best Practices for Active Directory Administration: Appendices

For this blog entry we will specifically use:

Appendix O: Active Directory Delegation Wizard File

As you can see in Appendix O, you copy the contents to notepad and you will replace the current delegwiz.inf file with your new file. As they point out make sure to backup your current file.

After you make the changes you will now notice that you have many more choices compared to the original 11 you got by default.

There are also more advanced ways to delegate control in AD and there are some good third party tools that are also good. Some of those methods will be covered in future blog posts.

Group Policy Recommendations

2009-07-30T11:36:00.000-07:00

From the mailbag.

Thiago sent me an email via the blog with a question about learning more about group policy. From Thiago's email

"...Im planning to buy in Amazon the Active Directory Book made by Brian Desmond MVP DS ( http://briandesmond.com/ad4/ ) But I would like to have your suggestion to a book that give me a inside about AD and Group Policy....because I don't wanna keep reading that basic concepts. Want more that "how to create GPO, how GPP works, how to map drives..."

Brian Desmond's book does have a group policy section in it and that is a good place to start. I highly recommend Brian's book to anyone that works with AD. All four books in my recommendation section are great. Brian, Laura, and Kouti's books will help everyone.

There are however some resources I'd recommend for group policy specifically because that is what Thiago asked about.

First thing I'd recommend is to have some sort of lab setup if you can. That can be as simple as a virtual DC and one workstation to start with. As you are reading and learning about group policy it helps to test and play and experiment.

BOOKS

There are a few group policy specific books and both are good. The first one I'd recomend is

Group Policy: Fundamentals, Security, and Troubleshooting by Group Policy MVP Jeremey Moskowitz

That is the 4th edition of Jermey's group policy book and at close to 800 pages you will learn about group policy.

The next book is Microsoft's Group Policy Resource Kit by Derek Melber

This one I use as a reference and it has a lot of great info too. If money is tight I'd go with Jeremy's book first.

Speaking of money being tight there are a lot of great free resources on the web that can be very helpful.

BLOGS

Microsoft's Official Group Policy Team Blog Great blog from the group policy team anyone wanting to learn group policy should have this in their RSS feeds.

The GPO Guy Blog Group Policy MVP Darren Mar-Elia's blog. Hands down Darren is one of the top group policy guru's on the planet and his blog is another must read. More to come from Darren later in this post.

Florian's Blog Florian is a Group Policy MVP from Germany and a friend. His blog deals with group policy and Active Directory. He often thinks of blog entries that no one else does. His Restricted Groups entry is the best blog on the subject on the net.

Group Policy Center Another great blog from Group Policy MVP Alan Burchill A lot of great information and his blogs contain a lot of screen shots and step by step which is very helpful when learning about group policy.

Other Great Free Resources

TechNet Virtual Labs Having a test lab is very important as I mentioned above, but if you don't have one yet there are a bunch of great group policy labs provided by Microsoft. The virtual labs are a great learning tool.

Darren Mar-Elia also has some great free Group Policy Training Videos on his site. Definitely worth checking those out.

Group Policy Mail List Run by Darren this is a list that anyone wanting to learn more about group policy should subscribe too. Some really smart group policy folks on that list. You will often see very hard problems being discussed on that list.

So that is my list, I know some may wonder where Jeremy Moskowitz's training classes are. You can find Jeremy's training info here I've seen good reviews of Jeremy's class but I've never taken it so I can't personally recommend it but if you or your company has training dollars to spend it is probably going to be worth your time and money.

So what did I miss? Any blaring omissions? Please let me know and I'm sure this will not only answer Thiago's question but it will help others.

Thanks

Mike

Find Enabled Users in the Domain Admin Group

2009-07-23T12:34:00.001-07:00

Sorry I've been out for a while, I'm back now with a quick hitter and more entries coming...well at least I have them planned in my head :)

I often receive requests from the security group to send them all user accounts in the domain admin group. What I've found is that there are often both disabled and enabled accounts. All they want is enabled accounts.

For this quick hitter I'll use my favorite tool. ADFIND by top MVP Joe Richards

adfind -default -f "name= domain admins" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn

There are other ways to do that in adfind but I really love playing with adfind being piped into adfind (great feature by joe)

Can anyone see another quick hitter coming about from this...how do you do this in powershell?...what about nested groups (see previous blog entry)...more to come :)

Update from Shariq via comments

I won't be doing a quick hitter for Powershell...thanks for the assist Shariq

Get-QADgroupmember "domain admins" | Get-QADuser -enabled

I also highly recommend checking out Shariq's Blog

Thanks Shariq!!

I'm a Microsoft MVP now -- Thank You

2009-07-01T10:08:00.000-07:00

I received an email earlier today telling me that I was awarded the MVP for directory services.

This is a really great honor and something I'm very proud of. I really enjoy working in the community and more importantly I enjoy learning from others too. I obviously didn't get to this point alone so I want to take some time to thank some key people that have helped me throughout my career.

Starting back in my Army days I can't say enough and thank those that serve. One of the best things I took away from my time in the Army was some of the good friends I made. So to Daryl, Will, and Todd thank you all. You all were like brothers during my time in and I'm proud to call you friends. Additonal thanks to Todd and all those currently serving during this time of war. Hoooaaaahhh!!

I had a few internships that got me in the door but my first real job was supporting a medium size agency in DoD. I really cut my teeth there and have to single out some folks there too.

First and foremost Kevin Buckman for being a great government manager. No way I'd be where I am today without Kevin's support during those early days. Thank you Kevin!! Honorable mention to Terri C. and Jim R.

Richard Guidorizzi -- thank you Richard for the second half of my DoD career at that agency. You really helped me more than you know and always believed in me and I'll never forget what you did. Honorable mention to Leslie Butler, a great senior manager and owner of the company I worked for.

Mark, David R., Garret, and Richard(again) - the discussions that we still have to this day are really great and I learn from each and every one of you. Definitely all friends for life

A great list of admins and engineers that I worked with at DoD:

Mark, David, Garret, Larry, Greg, Lili, Cesar, Kyle, Louis, Brian T, Stuart, Steve Mc, Alex, Guy, Todd, Steve B, Matt, Jeff H, Kevin D. and last but not least Rusty. I know I missed a lot of people but thanks to everyone there. We made it through a lot there including 9/11. I can still vividly remember watching the Pentagon burn. We will always be bonded by that experience.

Thanks to Keith, TJ, Ryan, Ditter, and John at my next agency. Not the most high speed job but at least I made some good friends. Did we pause the DEN yet haha

At my current job at Unisys there are a few key people that I definitely need to thank. Mark and Eric Jansen are on the top of that list. Really enjoyed the projects I worked on with them. It is so great to work with others that are good and know their stuff. We learned from each other and I think we made a solid and real impact for the agency we supported.

Thanks to the "geek network" Florian, Eric, Mark, Rich, Dave, Brian, and Troy B. We have some good discussions and I've learned a lot from all of you guys.

Thanks to everyone at Experts-Exchange. I hang out in the Active Directory section there and I've learned a lot and hopefully helped a lot of people too. Have to give thanks to some of the other top people over there. Chris Dent, Americom, bluntTony, TigerMatt, Laura Hunter, Brandon Shell, and Brian Desmond.

Thanks to other MVPs that I have learned from for years and years. Top of that list is definitely Joe Richards. Joe is just cool as hell and knowledgeable beyond belief. His tools are a huge part of what I do. I remember the first time I emailed Joe offline and he responded with a very long and thoughtful answer. He didn't blow me off or treat me like I was a pee-on. Thank you Joe for all your work in the community. I really look forward to meeting you at the MVP summit next year.

Other great MVPs that I'd like to thank. I've met some of you in person. Others I only know via email but Thanks to: Joe, Brian Desmond, Laura Hunter, Florian F., Jorge, Mark Minasi, and Darren Mar-Elia.

Thanks to the Directory Services team at Microsoft. Ned, Rob, and everyone else that writes for the AskDS blog. Really great blogs and thanks for what you all do for the community.

Last but not least my brother Andy...thanks Andy I would not be here without you man.

I know I probably forgot people but again I didn't get here alone and I'll continue with help and support from great people.

Ok now this blog entry is starting to sound like one of those rambling Oscar speeches. The red light came on 5 minutes ago and now I'm getting the hook...I've overstayed my welcome :)

Thanks

Mike

Friday 6/26 BlogRoll

2009-06-26T08:16:00.000-07:00

I'm starting a new weekly post called the Friday BlogRoll. This is going to be some of the entries from the blog world that I found useful. It will usually be tech blogs but like everyone else in the Tech world I read other blogs too. Remember part of my blog title is "...and everything else..."

MVP Florian Frommherz had a really good entry on PDC Chaining
Really good concise explanation of what PDC chaining is and how it works. I highly recommend subscribing to Florian's blog.

The Active Directory Documentation Team has released an updated document detailing Active Directory Port Requirements
It is definitely good to know what ports are needed for AD, especially in environments where there may be firewalls and port blockages that could hinder operations. This is also where network traces and tools like portqry come in handy.

The Windows Blog team posted a blog outlining the pricing and upgrade options for Windows 7
I would have personally liked to see the prices a little lower. I understand the pricing but in these tough economic times I wonder how many people will go out and buy Windows 7. I'm guessing many will wait for their next PC that comes with Windows 7 installed. I have a feeling Windows 7 will be around 10 years from now... it is a good solid OS.

Staying on the Windows 7 theme, Microsoft has a good Windows Client Feature Comparison PDF available for download.
This is something you can give to your manager or anyone that asks what the key differences are between Windows 7, Vista, and XP.

MVP Don Jones has an ongoing 26 part series on Powershell over at Concentrated Tech.
Don has been a leader in the scripting community for years now and this is another great example of why he is one of the best around. He along with MVP Greg Shields do a great job on the Concentrated Tech site.

My brother Andy recently posted a video on YouTube about his thoughts on Twitter
Good response from the crowd at the Washington DC Improv, I could never get up and do stand up. Leave him a comment if you like the material and tell him I sent you :).

Find Nested Group Members

2009-06-24T13:26:00.000-07:00

I've run into a few questions recently where someone wanted to find the members of a security group. That in itself is fairly straight forward.

However what if your security group has nested groups and users. Then those nested groups may also have additional nested groups and users. What does that query look like? How do you find all the members?

Suppose I have the following Example

TopLevelGroup -- Global Security Group
- TopLevel -- User
- TopLevel2 - User2
- Nested1 - Global Security Group
  - Nested User
  - Nested User 2
  - InsideNested - Global Security Group
    - InsideNested1

There are several ways to do this, I'm not saying these are the only methods but these are three examples that work.

The first method is to use the PowerShell. For this example you will need the Quest AD Cmdlets. Thanks to MVP Dmitry Sotnikov for the Quest cmdlets.

Get-QADGroupMember "Group Name" -indirect

The second method is using ADFIND by MVP Joe Richards

adfind -default -bit -f "memberof:1.2.840.113556.1.4.1941:=DN of Group" samaccountname -nodn

More on that query here

Big Thanks to Chris Dent for that part. He was also involved in the questions. Chris was an MVP and should be an MVP again. One of the best and most knowledgeable guys around.

Now on to method three. Some people (especially in classified networks) can't install the Quest cmdlets or adfind (or any third party tool)

The Microsoft DStools can be used. For this example I'll use dsquery and dsget

dsquery group -samid "group name" | dsget group -members -expand

I hope that helps someone out there. Please let me know via comments if there are any questions.

Thanks

Mike

CodePlex, a Site every AD admin should know

2009-06-16T22:48:00.000-07:00

CodePlex is an open source project hosting website run by Microsoft. It allows shared development of open source software.

CodePlex is similar to SourceForge

There are a few key projects for the AD admin that I'd like to highlight. In future posts I'll write reviews of these products/tools. Will there be another 4/4 OU Award? :)

ADModify.NET

ADModify was created to make it easier to modify / import / export objects in Active Directory in bulk. ADModify also has a very nice undo feature if you need to back out of changes

PAL Tool

PAL is a tool that reads in a performance monitor counter log (any known format) and analyzes it using complex, but known thresholds (provided). The tool generates an HTML based report which graphically charts important performance counters and throws alerts when thresholds are exceeded. The thresholds are originally based on thresholds defined by the Microsoft product teams and members of Microsoft support, but continue to be expanded by this ongoing project.

AD Utils

AD Utils are utilities that are primarily focused on administration and operations of Active Directory.

The AD Utils include

CheckDSAcls
ReplDiag
TrustCheck
FindGuidInAD
SearchForDuplicateAttributeData

There are many other tools and utilities on CodePlex. Please leave comments about some other good/useful tools you use for your AD and Server Administration duties from the site.

I'll be posting more information and reviews of the utilites in the future.

Find Users Who are Not in Specific Groups

2009-06-09T10:05:00.000-07:00

I know everyone has been wondering what happened to the quick hitter series...well it is back :)

This question has come up twice over the last few weeks on the AD section at Experts Exchange so that means time for an entry.

The question is suppose I have some groups and I want to find out if users are not members of any of the groups.

Example:

GroupA, GroupB, GroupC, GroupD - So how do I find out what users are not members of those groups?

Two quick ways that I like to use are ADFIND and Powershell. I know there are other methods.

The first is to use ADFIND by MVP Joe Richards

adfind -default -f "&(objectcategory=person)(objectclass=user)(!memberof=DN of groupA)(!memberof=DN of groupB)(!memberof= DN of group C)(!memberof= DN of groupD)" samaccountname memberof -nodn

The other method is to use PowerShell. For this example you will need the Quest AD cmdlets. Thanks to Dmitry Sotnikov for those

get-qaduser -sizelimit 0 -notmemberof groupa, groupb, groupc, groupd | ft -wrap samaccountname, memberof

In my examples I've outputted the memberof field just so you can verify the commands do what you want and don't have users that are members of those groups, you can take that out if you want.

UPDATE: Joe Richards wrote a great blog entry about DN Formats in AD

As you can see from Joe's post you can also use the GUID of the group instead of the DN in the adfind/LDAP query.

Want to quickly find the GUID of your group...ADFIND once again :)

adfind -sc g:GroupName objectGUID

Thanks

Mike

Thank You Veterans on Memorial Day

2009-05-25T00:27:00.000-07:00

Today is Memorial Day in the United States. It commemorates U.S. men and women who died while in service for their country.

There are no words that can truly express my feelings. We can't give enough thanks to those that have made the ultimate sacrifice. I not only give thanks to those that made the ultimate sacrifice but also to the loved ones they left behind.

I also extend my deepest thanks to our fallen allies. We don't go into battle alone and many men and women from other countries have also made the ultimate sacrifice.

I doubt anyone I served with reads an Active Directory blog but thank you to my brothers in the Army and to anyone that has served in any branch of the military. Hooaaahhh!!

Add Employee ID Field - ADUC

2009-05-13T10:17:00.000-07:00

I've seen this question several times on various message boards so I wanted to write a step by step entry on how to do this.

User objects have an employeeID attribute but it doesn't appear by default in active directory users & computers.

Sakari Kouti has written a great script to help with this. You can find that script here(employeeID.vbs)

Step1:

Download the script and save it on your PC. I've put the script on my C drive in a folder called AddID

Step2:

In ADSI Edit go to the configuration container and navigate to CN=DisplaySpecifiers, CN=409)

In the right pane find CN=user-display and right click and select properties.

Step3:

Select the adminContextMenu attribute. Add the following value
2, Employee &ID, path to script

Note: If 2 is in use just pick the next number. In my example I've put the script in c:\addid\employeeid.vbs

UPDATE: I should have added this when I first posted this but thanks to Rob Sampson for pointing it out. Rob is one of the strongest scripters I've met and is a valuable member of the IT community.

From Rob (Thanks Rob!):

you could place "employeeid.vbs" in your NetLogon share of a Domain Controller (which then replicates to all other DCs), and have 2. Employee &ID, \\domain.com\sysvol\domain.com\scripts\employeeid.vbs

Screen shot below shows that example in my mktest.com domain.

Step4:

Now if you use Active Directory Users & Computers you can right click on a user and employee ID should appear.

You can select the field and edit it:

Thanks to Sakari Kouti for the script. He also has a new book coming out called Active Directory 2008 Unleashed

If that book is anything like his last book (Inside AD 2nd Edition) then it is a must have...I've already pre-orderd the new book :)

Product Review - GPO Compare from SDMSoftware

2009-05-12T13:17:00.001-07:00

This is the first in my "product review" series. I will try and test products (free and not free)relevant to all aspects of active directory and group policy.

Today we start with GPO Compare.

GPO Compare is produced by SDMSoftware If you don't know SDMSoftware then you probably know their founder. Darren Mar-Elia is the founder and has been a long time group policy MVP and generally considered one of the best group policy guys in the business.

Currently there are no free native Microsoft tools that can be used to compare the differences between two group policies. Microsoft does make a product called Advanced Group Policy Managment (AGPM) AGPM is part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is only available to software assurance customers.

Many are not software assurance customers so they are out of luck...until now.

...so let's start the review.

The first thing you will want to do is download GPO Compare. You can get it here

What I first noticed is that I had a fully functional trial. That is always nice because I didn't have any features blocked or not available.

The download is approximately 7MB and the install is super easy and fast.

After you install and launch the program the first screen you see is self explanatory. As you can see in the screen shot below you can browse for two group policy objects (GPOs).

When you select Browse you will be presented with a screen that shows all the policies for your domain.

For this example I'll be using two password policies.

You will notice the check box labeled "Include GPO Metadata in Comparison?"

That setting/option includes comparisons of GPO metadata such as created and modified dates, security permissions and links. If the option is unchecked then those items are not included in the comparison. For this first run I'll include those items.

So for these policies for instance if I don't select it then there are only 6 differences versus 11.

...so now as you guessed it you can go ahead and select compare:

When you run the compare the first thing you will see is a box telling you how many differences there are. As you can see in the screenshot there are 11 differences between my two GPOs.

You can view the difference report from this dialogue box or you can access the report from the Tools menu.

The GPO Compare Difference Report will show you the differences between the group policies.

As you can see you can also right click and jump directly to that particular setting/difference.

After you select "jump to setting" you will be directed back to the main page and the exact details are spelled out in the "comparision details" section

My favorite part is the GPO Difference Report that you can create. You can save it or print it. Very easy for even managers to follow :)

An example of the GPO Difference report is in the screenshot below

My overall thoughts is that this is a great tool!! It is very easy to use, the full version costs less than $100 and it really fills a much needed void in the group policy landscape.

Final Verdict = 4/4 OUs - WELL DONE!!

Steve Riley has left Microsoft

2009-05-09T06:49:00.000-07:00

Steve Riley was let go as part of Microsoft's restructuring...this was round two of layoffs at Microsoft.

Steve Riley was one of Microsoft's best known speakers. His concentration was security related issues. I know times are tough for all companies but I was really surprised by this news.

Security is a huge concern in most corporations and Steve was a great speaker at most major events and brought a lot to the community.

I'm sure he will do well with whatever he does next but this is a head scratcher for sure.

If you read the comments to his blog entry you will see that he will definitely be missed.

Good Luck Steve!!

How do you secure Active Directory and Windows Servers?

2009-04-30T09:11:00.000-07:00

Computer security is a big concern these days and securing your Active Directory and Windows Servers is one of the most important things we can do as admins and engineers.

I also see questions come up all the time about people wanting to know how to secure their machines.

Although there is not one answer for every environment there are some good guidelines that have been released by Microsoft and various US Federal agencies that can help out.

In my opinion there are a handful of universal rules that apply to any Active Directory environment.

UNIVERSAL RULE#1:
Limit the number of enterprise and domain administrators. I've seen plenty of organizations lock down their systems and take a lot of good security measures and then you look and there could be 50-100 (or more)domain admins.

Domain admins have control over every aspect of your domain, in fact a domain admin can have control of your entire forest.

It is important to limit these very powerful accounts. Limiting admins also limits the number of inadvertent mistakes that can cause issues

UNIVERSAL RULE#2:
See Rule #1 :)

UNIVERSAL RULE#3:
Don't give your users admin rights to their PCs. This seems like a no brainier but I was involved in a question on one of the boards recently and the admin's boss mandated that he make all the users admins on their machines.

So now you have limited admins and you have a good anti-virus program and are patching your servers with the appropriate patches.

What other guidelines are out there to help an admin secure AD and their servers?

The following is a list of some guides that should get most organizations going in the right direction

NSA Security Guides
Yes the NSA does more than electronic and their security guides are really in depth
and have a lot of good information.

DISA Security Checklists
Defense Information System Agency (DISA) is another US Federal Agency. These checklists are similar to the NSA guides.

DISA Active Directory STIG
STIG's are DISA's Security Technical Implementation Guides and this one is particular to Active Directory.

Microsoft Best Practice Guide for Securing Active Directory
Microsoft's best practices for securing Active Directory

Microsoft Server 2003 Security Guide
Microsoft's guide on how to harden Windows Server 2003

Microsoft Windows Server 2008 Security Guide
Similar to the 2003 guide but for 2008

Federal Dektop Core Configuration (FDCC)
Although not for servers FDCC is a mandate for US Federal agencies and these lock downs can help all organizations.

UPDATE via comments from Garrett - Thanks Garrett!!

The Active Directory STIG has been deprecated by the all encompasing Directory Services STIG. While it has sections for specific software (like AD), it also contains overarching security guidlines that trancends all implementations of Directory Services.

http://iase.disa.mil/stigs/stig/directory-services-stig-v1r1.pdf

Those guides are a really good place to start if you want to learn more about securing your Windows Servers and AD Infrastructure.

This all leads me to Universal Rule #4...

UNIVERSAL RULE#4:
Don't just blindly install security templates and don't lock down Active Directory or your servers without testing testing testing. This may seem like common sense but again I've seen many incidents of servers or AD being hardened and then users may lose functionality or other major problems can arise because the lock downs were not tested. It is important to be secure but at the end of the day it is also important for our users/customers to be able to function and do their jobs.

You say you don't have a test lab? To address that issue I'll defer to a quote by the great Don Hacherl - you can think of him as the godfather of Active Directory.

"You do, in fact, have a lab environment. What you do not have is a production environment."

These are by no means the only guides for securing AD or your Windows Servers. There are also good books and plenty of blogs and other guides. Please feel free to leave comments about your experiences with seucrity and AD

Force Certain Users to change passwords via Command Line

2009-04-24T09:27:00.000-07:00

There was a question that recently came up where the poster wanted to force some of his users whose login name started with B to change their passwords. He wanted to do this using the command line.

This Friday quick hitter post will show two ways to do this (there are other ways also)

What I like for this sort of task are adfind and admod by Joe Richards

The command I used was:

adfind -default -f "&(objectcategory=person)(objectclass=user)(samaccountname=b*)" -dsq | admod pwdLastSet::0

That will set "User must change password at next logon" for logon names that begin with B.

Some notes about this command:

Joe puts a lot of safety nets in his tools (good thing).
You can use the -unsafe switch with admod if you don't want a safety or you can use the -safety switch and specify how many objects you want to modify (by default the safety kicks in at 10)
You can also specify -upto xx if you want it to do xx object mods and then stop...thanks Joe for that one :)

Brandon Shell also came in with a powershell command to do this. If you don't know Brandon check out his blog . Brandon is very knowledgeable but also a really cool guy who is always willing to help and a huge asset to the community.

The powershell command takes advantage of Quest's Active Directory cmdlets. Big thanks to Dmitry Sotnikov and everyone at Quest for those.

The command is

Get-QADUser -SamAccountName b* | Set-QADUser -UserMustChangePassword $true

As you can see both commands worked and met the requirements. I hope you can also see how you can manipulate these commands to set other attributes for example. Comment or contact me for more info.

For those that are more comfortable with the GUI you can run the same LDAP query I used in adfind in Active Directory Users and Computers and find them and highlight them all at once and check the box to force them to change their password.

Hope everyone has a great weekend, spring is finally here on the East Coast of the USA so it should be nice.

Lessons Learned from Eric Fleischman

2009-04-22T13:52:00.000-07:00

As previously mentioned I attended the Philly.NET users group Code Camp on Saturday 4/18/2009.

I had the great privilege to sit through two sessions from Eric Fleischman.

Who is Eric Fleischman you ask?

Eric is currently the Dev Lead for Virtualization(cloud services) at Microsoft. Eric has also been a lead developer on the AD team for Microsoft. When it comes to those that know AD the best there is no debate...Eric makes that list.

One of Eric's best known projects in the AD community was creating the largest Active Directory known to date.

What I wanted to do is list some of the things I picked up.

Always make every DC a GC, assume you can do that unless you can prove that your bandwidth can't handle it. In most environments the DC/GC role will be fine. We already do this where I am but I was glad to hear Eric recommend it.
Leave Field Engineering Logging on everywhere. Turning it on won't hurt perf and the info you get from it is very valuable. It will let you know about inefficient and expensive queries in your environment. More info on field engineering can be found here We currently don't have this on but we soon will turn it on.
Eric considers Replication and Query Optimization the hardest part of AD. You also have to know that Eric works with very large implementations.
Don't ever user eseutil to repair your AD database. Never even tried that one in production and will never try it :)
Establish baselines: run SPA from time to time and run Perfmon a lot.
Collect Crash dumps and look at your own dumps before asking PSS.
The following commands will help with the crash dumps before calling PSS.
- windbg –z foo.dmp
- sympath SRV*http://msdl.microsoft.com/download/symbols
- !analyze -v

That was just a taste of what Eric talked about. If you ever get a chance to go see Eric speak then do it!! Eric lived up to his reputation and in fact he exceeded all expectations.

He could have a great career after Microsoft as a college professor or high school teacher if he wanted to. Very smart but also good at conveying his thoughts and ideas to the audience. I can't imagine anyone not giving him a 5/5 on any evaluation.

Happy Earth Day, Microsoft Style

2009-04-22T00:14:00.000-07:00

Today is April 22, 2009 which is Earth Day and while most of us are concerned about our environment and the future of our planet there are some real things that we as admin/engineers can do to help.

What I'm going to talk about today is using the power options with group policy preferences.

I won't go in-depth into the background of group policy preferences. Group Policy MVP Darren Mar-Elia has a great white paper titled Group Policy Preferences Overview I encourage anyone new to preferences to check that out.

As Darren mentions in the paper you may need to install Client Side Extensions (CSEs). You can get those CSEs for various operating systems from Microsoft.

At this point I'm assuming you are ready to go for Group Policy Preferences.

The power options are located in both the computer configuration or user configuration nodes.

If you set the options in both locations then the user setting will win as the user settings are configured after the computer settings.

The computer power options are located in:

Computer Configuration | Preferences | Control Panel Settings | Power Options

The user power options are located in:

User Configuration | Preferences | Control Panel Settings | Power Options

We have now decided to help the planet and setup some user power options. I'll create a new GPO called Happy Earth Day - Power Options

You can set a new Power Options and/or a new Power Scheme by right clicking and selecting New

I'll first go into power options, you can set several options including enabling hibernation.

You can also set the behavior when the power button is pressed.

The power button options for closing the lid of a portable computer/laptop are:

Do Nothing
Stand by
Hibernate

The power button options for pressing the power button or sleep button on a computer are:

Do nothing
Ask me what to do
Stand by
Shutdown
Hibernate

You can view the power options tab here:

One important thing to note are the green underlines. That indicates that the setting is enabled and will be applied.

The group policy team at Microsoft had a very good series explaining this:

Part one: Red/Green GP Preferences
Part Two: Red/Green Underlining Continued

As you can see in the Group Policy team posts you can use F5, F6, F7, or F8 to configure these settings

F5 = Configure all these settings
F6 = Configure just this setting - this is an individual setting
F7 = Ignore just this setting - this is an individual setting
F8 = Ignore all these settings

Here is an example:

The common tab allows to to configure other options including item level targeting

Next we will move on to a new Power Scheme -- this is where we can really make a difference on Earth Day.

With the Power Scheme you can select an action

Those actions include Create, Delete, Replace, and Update

Create - Create a newly configured Power Scheme. If a power scheme with the same name as the Power Scheme item exists, then the existing Power Scheme is not modified.
Delete - Remove a Power Scheme with the same name as the Power Scheme preference item. The extension performs no action if the Power Scheme does not exist.
Replace - Delete and recreate the named power scheme. The net result of the Replace action overwrites all existing settings associated with the power scheme. If the power scheme does not exist, then the Replace action creates a newly configured power scheme.
Update - Modify a power scheme. The action differs from Replace in that it updates the settings defined within the preference item. All other settings remain as they were previously configured. If the power scheme does not exist, then the Update action creates a new power scheme.

As you can see you can define when to turn off monitors and disks and when to put the system into standby or hibernate.

So the obvious question is What are some recommended settings?

The EPA recommends setting computers to enter system standby or hibernate after 30 to 60 minutes of inactivity. To save even more, set monitors to enter sleep mode after 5 to 20 minutes of inactivity. Obviously the lower the setting, the more energy you save.

The department of energy has also released EZ GPO for those that may not be using preferences yet.

As with any group policy test it out first in a lab and then pilot users.

It may not seem like this could make a big difference on the environment but think if every admin across the world enabled power saving schemes....again we can all do our part and hopefully help the planet.

HAPPY EARTH DAY 2009 EVERYONE!!!

Active Directory Masters Course - Caution Ahead

2009-04-21T08:18:00.000-07:00

Last weekend I attended a day long event sponsored by the philly.NET users group

There were a lot of sessions for coders and developers. Laura Hunter put together a really great lineup of speakers (Eric Fleischman, Brandon Shell, Mark Arnold, & Gil Kirkpatrick) for the Active Directory/IT Pro crowd.

After one of the sessions my friend Eric and I were talking to one of the instructors and a guy in class who had just come back from the AD Masters Course/Cert Program

What he told us is that only 10 out of 21 people in his class passed. In the previous track only 1 out of 21 passed. The instructor/MVP also backed the point of the exams being tough. I don't know if those numbers are dead on but even if they are a little off I got the point...not an easy cert to get.

What I think is happening is that the AD Masters course covers so much ground and there are not that many positions that allow someone to work with all the technologies needed to pass the exam. For example in my case ADRMS and ADFS would be big challenges.

I think what needs to happen is a mind set change for those going to take this course and exam. The windows/AD guys/gals have to treat this like Cisco folks treat the CCIE. That means setup a very good lab and just test test test and try to know the stuff cold before you go to the course. So in my case I'd really dig into ADFS and ADRMS and do a lot of brushing up on everything else.

I think it is good that they are making it this challenging. Other Microsoft certs have gotten a bad reputation over the years so it looks like this the masters cert is not going to have the same stigma. Also if in 5 years the Masters takes hold like the CCIE has then that will be very beneficial ($$$) for those that hold this cert/title.

I'm not sure if I'll ever go(it is not cheap) but now I know that I have a lot of work to do if I ever decide to go

Security Filtering and Group Policy

2009-04-16T12:02:00.001-07:00

One of the questions I often see is how do I only apply group policies to certain groups or users or computers.

...for those of you already familiar with group policy you will know this already. This post is for those new to working with group policies. If you were sent here by a question I participated in then feel leave a comment if this helps you out.

This entry will serve to supplement Microsoft's article http://technet.microsoft.com/en-us/library/cc781988.aspx

I will first assume you are using GPMC to manage your group policies.

First thing is that group policies can't be applied directly to groups. You link a group policy at the site, domain, or OU level. The policies apply to either users and/or computers.

So suppose you have a policy that you only want to apply to a subset of users or computers. The first thing is to create a group and place the users or computers you want this policy to apply to into that group (I'll use a global group in this example). We will call that group testgroup1.

In GPMC select your group policy object. In GPMC you will see the Scope tab. Notice that by default the policy will apply to Authenticated Users

You will remove authenticated users. Then you can add your testgroup1. Now the policy will only be applied to your testgroup1

So what really happens in the background when you make that change?

If you go to the delegation tab you will see an Advanced button.

As you can see testgroup1 now has "read" and "Apply Group Policy" set to Allow. So the policy will apply to that group. Read and Apply group policy are both needed in order for the user or computer to receive and process the policy

...at this point some of you may be asking, what if I wanted to "deny" the policy to a group or user. If you instincts tell you to apply set Read & Apply Group Policy to "deny" then you would be correct.

In the following screenshot I've set deny permissions for Read & Apply Group Policy and testgroup1 will not receive the policy.

That is really all there is to security filtering and group policies...not so hard after all. Please feel free to contact me if you have any questions about this.

Thanks

Mike

UGLY & AGLP what are they?

2009-04-16T11:32:00.000-07:00

You will often hear the acronyms UGLY and AGLP when people are talking about how to apply permissions to resources (usually in the context of files/folders) in an Active Directory environment.

There are three types of security groups in Active Directory they are

• Universal
• Global
• Domain Local

More information on the scope of these groups can be found here:

http://technet.microsoft.com/en-us/library/cc755692.aspx

As you can see you can nest global groups into domain local groups and that is where these acronyms come into play

AGLP = Accounts into globals, Globals into domain Locals, assign Permissions

UGLY = Users into global groups, Global into domain Local groups, You assign permissions

NOTE: You will also hear AGLP refered to as AGDLP

So the question comes up should this method always be used when assigning permissions?

If you are in a single domain forest or if you are using an empty root design then you don’t need to worry about either of these acronyms. You can just use globals or domain locals and add members and apply permissions. Don’t worry about nesting groups.

In a multi-domain forest the thought process behind AGLP and UGLY is that you only ever add members to the global groups. From the link above you can see that

because groups with global scope are not replicated outside their own domain, you can change accounts in a group having global scope frequently without generating replication traffic to the global catalog.

The one issue that can come up is that you may lose some control of who has access to the resources unless you have a good auditing process setup.

Suppose you have a North America, Asia, Europe, & South America domain. Now in the North America domain you have an Accounting folder and you use AGLP/UGLY to apply permissions. If you are only an admin in North America then the admins from all the other domains could be adding members to their global groups that may not really need access.

So as you can see there are pros and cons to the various methods. The final answer here is that there is no set in stone hard and fast answer. You have to look at your organization/structure/environment and decide what is best for you

How great are Special Forces!!

2009-04-14T13:04:00.000-07:00

Taking a detour from Active Directory.

By now everyone has heard how the Navy Seals rescued Captain Phillips from the pirates off the coast of Africa.

For those that don't know the three Navy Seals parachuted in and watched the boat Captain Phillips was in for several days. Then at one point two of the pirates briefly stuck their head out and two seals took simultaneous shots and killed the two pirates. The third seal at the same time shot at the third pirate inside (there must have been a window). That third shot was sucessful too. Three simultaneous shots...three kills. NBC News had a really great animation of all this but I can't find it on the web. If I do find it I'll post it.

Update from my friend Keith (also an Army Vet)

It was night and they used thermal image scopes that way they could see heat through the fiberglass life boat. 3 shots 3 kills. The forth pirate was aboard the navy ship as a negotiator

Great info Keith!! This is even more impressive.

How bad ass is that? Man oh man these guys are good. Just think if one shot would have been off Captain Phillips would have been a dead man.

I was in the Army but never came anywhere close to doing anything this high speed. You just have to take your hat off to all these guys in Special Forces they are a rare breed and we owe them a lot of thanks!!

Navy Seals, Army Rangers/Green Berets/Delta Force, USMC Force Recon, England’s SAS, Israeli Sayeret, and Germany's KSK.

Thanks to all of you, most of us will never know all the missions and things you all do to keep the world safe because of how Top Secret your missions are but we know you are out there and we know you are doing great things so THANK YOU!!!

Hooooaaahhh!!

Modify User displayName using the command line

2009-04-14T11:19:00.000-07:00

A question came up in the forums today about how to modify the displayname of users to Lastname, Firstname

My friend Matt had a very good suggestion and that was to use a tool called ADModify.NET

ADModify is indeed a great tool and will do that job and that is a very good recommendation, but what I'll show here is a command line method using Joe Richard's adfind and admod tools...have I mentioned I'm a big fan of these tools :)

The first thing to know is that in Active Directory the Lastname and Firstname attributes are not stored that way. What they really are in the background is:

Lastname = sn
Firstname = givenName

So for this example what I'll show is the before, the modification, then the after

What I'll run first is just an adfind command to show that the displayName field is not populated

As you can see no displayName

Next I will use adfind and pipe those results into admod...that is what makes these tools very very powerful

The command is (my accounts are in an OU called admodtest)

adfind -b ou=admodtest,dc=mktest,dc=com -f "&(objectcategory=person)(objectclass=user)" sn givenname -adcsv | admod "displayname::{{sn}}, {{givenname}}"

If you have more than 10 to change at once you can use the -unsafe switch in admod (default will change 10...joe puts a lot of safety nets into his tools)

Note: the -adcsv is a switch that joe has put in so that the output can be passed to his other tools (admod in this case)

The command did complete successfully, but now I run the same adfind command to make sure the display name is what I want...and it works as advertised.

There are also other command line methods (dsmod from Microsoft, PowerShell, VBScript, etc...)

This is just one option in addition to ADModify.NET

When were my domains created - quick-hitters

2009-04-13T11:36:00.000-07:00

This will be the first post in what I'll call "quick-hitters". Short to the point posts to accomplish a specific task.

So you want to find a quick way to know when the domains in your forest were created.

This is where I really like a tool called ADFIND by Active Directory MVP Joe Richards. Joe is one of my favorite people in the AD world. Really smart but also a cool guy that is always willing to help.

The command is

adfind -gcb -f objectcategory=domain name whencreated -tdcgt

In my example screen shot I only have one domain in that forest in my lab but it works across your forest becasue of the -gcb switch. If you only want to search your domain you can replace -gcb with -default.

Thanks

Mike

Need AD DSRM Password -- Not So Fast

2009-04-12T08:00:00.000-07:00

The situation was that the network team was Re-IPing a subnet and before that was done the IP of the domain controller was not changed. At the time the new subnet could not contact the subnet where the DNS server was located.

There were calls made and eventually I was called on the subject. I was called in order to provide the AD Directory Services Restore Mode (DSRM) password. The plan was apparently to log into the domain controller hit F8 during boot go into DSRM and modify the IP address.

After thinking about it and talking it over with my good friend Eric Jansen[1] we thought that was overkill. The domain controller has a writable copy of AD. In this situation there shouldn't be any problems logging in at the DC, regardless of some peoples' concerns about DNS client side settings.

This of course called for a test and this is very easy to setup in a virtual environment.

In my main domain I have three domain controllers (2 Windows 2003 and 1 Windows 2008). For this test I changed W2K3 DC2 and had it only point to DC1 for DNS. I created a new account and turned off DC1.

As you can see in the screen shot, the DC only has one DNS server configured and that server is off/not responding. This would be a problem if this were a workstation but this test was just for a domain controller. The workstation issue will be explained in a future entry.

The next step was to try and log into the box. As expected the login went fine and I was authenticated and was able to change the IP on the box.

DSRM mode password not needed --- crisis averted.

Thanks

Mike

[1] Out of all the people that I've worked with Eric is the best and my favorite person to work with not only because he is smart but because he really enjoys and has a passion for AD. Watch for Eric's blog on my blog list...when he creates it. Ok sure Eric has a wife and young daughter and in college full time so he may not have as much time as I do....no excuses Eric :)

My Favorite Commercial of All-Time

2009-04-11T11:52:00.000-07:00

Michael Jordan is my favorite athlete of all time. I really loved watching him play and watch that passion he had for the game.

What I really loved about this commercial is that Michael shows us all that even he has failed many many times…but in the end that is why he succeeded.

This is the same with Active Directory. We often try new things or maybe fail to solve the issue at hand in the first try or within the first few minutes….but that is why we succeed.

Odd Title For your Blog – Is AD really fun?

2009-04-11T11:38:00.000-07:00

So why would I call my blog “ADisFUN”. There are a lot of things in this world that people consider fun and Active Directory is not often mentioned in that list.

What I really enjoy is that AD fits about any network. From those small businesses that run AD using SBS or to the large companies that span the globe with thousands and thousands of users across multiple continents. That means knowing AD and how it works is needed everywhere.

There is also always something to learn which is probably the most fun I have. If you ever hear anyone tell you that they have completely mastered AD and know everything about it then that person is lying. There are always new features and new versions coming out. Microsoft constantly strives to improve AD and now that they are releasing new features every two years there is always more to learn and know and try to master.

An analogy I use is that I compare Active Directory to the game of golf. Golf can be a humbling game and even someone as great as Tiger Woods knows that he will never truly “master” the game. Tiger comes close but he learns new things about his game and golf all the time. This is the same with Active Directory. There are those in the AD world that I consider the “Tiger Woods of AD” and the great thing is those people will readily admit that they still have things to learn and master.

There are new issues we encounter on a regular basis and solving those issues is what I consider Fun. Learning the new features is what I consider Fun. Working with great people in the AD community (see my blog list for some examples) is what I consider Fun. Helping answer questions in the community and receiving emails or comments from people is very fun and rewarding.

…and yes even going out and getting new certifications every few years is what I consider Fun :)

Hello World

2009-04-11T00:05:00.000-07:00

My first post, yeah finally :)

This isn't my first attempt at a blog/website. Four years ago I purchased http://www.diggpodcast.com/

At the time podcasts were not really big and digg.com had just gotten started so I figured that would be a good podcast to start.

The problem there was when I actually recorded a few and heard my voice I really hated it. I know a lot of people hate their voice but I just didn't feel like it was a good podcast.

If you know what Active Directory is then you have come to the right place. I plan on posting Active Directory related topics and from time to time non-technical items too.

I'm active on experts-exchange in the AD forums (mkline71) and I'll try to pick a few questions from there a week and expand on them here in the blog.

I also plan on doing some step by step videos but that will come later.

I hope you all enjoy my blog and hopefully it can help someone out there.