Active Directory

A common question is "How do I delegate enabling and disabling Active Directory accounts?". Unfortunately, these specific operations cannot be individually delegated. The flag that indicates whether a user is enabled or disabled is part of a bitmask called userAccountControl. The vast majority of options in this bitmask are the checkboxes that you see on the account tab of ADUC:

The complete list of what's stored in the bitmask (copied out of the iads.h header) is below. Most of them should be fairly self explanatory but this MSDN article explains them all. The numbers are the bit which represents this value in the mask (in hex):

• ADS_UF_SCRIPT = 0x1
• ADS_UF_ACCOUNTDISABLE = 0x2
• ADS_UF_HOMEDIR_REQUIRED = 0x8
• ADS_UF_LOCKOUT = 0x10
• ADS_UF_PASSWD_NOTREQD = 0x20
• ADS_UF_PASSWD_CANT_CHANGE = 0x40
• ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x80
• ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0x100
• ADS_UF_NORMAL_ACCOUNT = 0x200
• ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0x800
• ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
• ADS_UF_SER…

There are a few things that you really have to consider when you're setting up your site links – the naming convention, cost relative to the underlying WAN transport, frequency of replication, and schedule (that is when replication can even begin).

Naming your site links is something to think about as well. If you deal strictly with point to point links your options should be quite limited in how to name them. I generally use the Hub - Spoke format for the name, where Hub is either the hub site or the site which is logically closest to the hub (e.g. if you have three sites linked linearly Chicago à San Francisco à Tokyo, I would call the link from San Francisco to Tokyo San Francisco – Tokyo). The second part of this convention is to reverse the name in the description, so if the name is Hub – Spoke, then set the description to Spoke – Hub. The reasoning here is simple – assuming you're using a GUI tool to view all your site links in a list, you can sort by the name column to see everything by origin, and th…

Thought I'd post an informational post for folks who are moving an AD forest to Windows 2003 forest functional level (aka FFL2) as I realized today this piece of information might not be quite as well known as I might have thought. As an FYI, this change adds a number of attributes to the partial attribute set (aka the PAS or global catalog):

• Ms-DS-Trust-Forest-Trust-Info
• Trust-Direction
• Trust-Attributes
• Trust-Type
• Trust-Partner
• Security Identifier
• Ms-DS-Entry-Time-To-Die
• MSMQ-Secured-Source
• MSMQ-Multicast-Address
• Print-Memory
• Print-Rate
• Print-Rate-Unit
• MS-DRM-Identity-Certificate

This is done when you upgrade the forest functional level because at this point there are no Windows 2000 domain controllers in the forest and thus a change to the PAS will not force a GC resync. Recall that in Windows 2000, modifying the PAS caused every global catalog in the forest to replicate the global catalog from scratch. In a large environment this could b…

A few months ago I posted an article with steps to configure Windows IAS and Cisco IOS for authentication to Active Directory via RADIUS. I wanted to follow up on that with a quick overview of how to setup a PIX for management access authentication via Windows IAS and Active Directory. All of the steps for configuring IAS are identical, so I'm not going to cover that again. Remember that if you have a failover pair to add the standby partner to IAS as well. This example was built on a PIX 7.1 box, it will work on 7.X and it should be fine on FWSM 2.X or newer. I don't have something running 6.X around to test, but the configuration should be similar.

The sample configs here assume a pair of RADIUS servers at 10.1.1.10 and 10.1.1.11. On IOS there is an ip radius source-inteface command. The PIX seems to just use the interface IP of whatever interface the traffic leaves from. If your PIX has a failover partner, learns its routes dynamically, and the radius server network(s) are not directly connected, you need…

I came across these shortcuts today for navigating the group policy editor and thought they'd be worth sharing. They're holdovers from Windows Explorer that also work in the GPO editor.

• If you press * while targeting a folder in the console, the folder and all of its' children will be expanded
• If you press + while targeting a folder in the console, the folder will be expanded one level
• If you press - while targeting a folder in the console, the folder will be collapsed

When you double click on a policy setting, that dialog that comes up is non-modal. What this means is you can click in the GPO editor again and the setting dialog will go to the background. The settings dialogs are not shown in the taskbar, so you'll need to use Alt+Tab to access them.

There are two tools for this job, both Joeware (www.joeware.net). Grab adfind and admod and extract them to the same directory.

The first task is to get the logonhours attribute value you want to set. The easiest way is to set it by hand in ADUC on one user, and then use adfind to dump the value, with a command like this:

adfind -b “OU=Staff,OU=Users,DC=BigTire,DC=local“ -h “my-dc01” -f "(&(objectCategory=person)(objectClass=user)(samaccountname=templateusername))" logonhours

Copy and paste that somewhere, you'll need it later. If you just want to set it to 24/7 as I'm going to do, the value is “FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF“.

That done, we can update all the users we want to modify. We'll pipe the output from adfind over to admod.

adfind -b “OU=Staff,OU=Users,DC=BigTire,DC=local“ -h “my-dc01” -f "(&(objectCategory=person)(objectClass=user))" -dsq | admod -h my-dc01 -safety 100 bin##logonhours::"FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF"

Note that we added a -ds…

I thought I'd share the script attached at the end of this post as it's something I've seen requests for. The script will take all of the users in a given OU (or really any subtree), and create a home folder for them and stamp the path and drive letter on the user object in Active Directory. By default it only grants the users modify permissions on the account. If you want to change this modify the xcacls call around line 54.

There are a few constants which need to be configured at the top of the script which are explained with comments:

' The base OU to search (child OUs will be searched as well)
Const BASE_OU = "ou=accounting,ou=people,dc=mycompany,dc=com"

' The path to create the home folders in. Must have a trailing \
Const BASE_FOLDER = "\\someserver\Users\"

' Home folder drive letter
Const DRIVE_LETTER = "H:"

Feel free to post any suggestions, bugs, etc in the comments area and I'll take a look. The script is enclosed in a zip as an attachment to this post.

UPDATE - Script download link: http:/…