Monday, October 5, 2009

Using LDAP Saved Queries for Active Directory

In Active Directory, if you have more than one account in the same container, you can mass select them by CTRL+Clicking or SHIFT+Clicking them.  Once selected as a collection (I will refrain from using the term "group" in order to avoid "confusion"), you can enable or disable them, move them into a group, or modify many of their properties at the same time. 

The challenge in using this ability comes when the users that you want to manage live in different OUs, which prevents them from being selected simultaneously.   But fear not!  You can flatten the OU structure of an Active Directory domain in order to find and manage related accounts quickly by using Saved Queries!  Saved Queries will also allow you to find accounts based upon properties in a way that would otherwise be vastly time consuming.

Active Directory Cookbook, 3rd EditionSaved Queries are found in the Active Directory Users and Computers console.  Right click on saved queries, and create a new query.  Give your query a useful name, and then click "define query".  Now you can see that anything you can find with Active Directory Find can be found and saved here. Choose "custom search" from the drop down of options at the top.  Then go to the advanced tab, you will be presented with a blank LDAP query field.  This is where you will enter your queries.  I will now present several queries for your benefit, and explain what they do.

All Users Query: (objectCategory=person)(objectClass=user)
This query is a simple tool that allows you to have a logical search container that finds every user, no matter what OU they are hiding in.  Now you can seek, search, and sort to your hearts content within this structure.

Where's Bob Query: (objectCategory=person)(objectClass=user)(name=Bob)
This query finds any user named Bob, no matter where he is hiding.  I would just use the common query tool rather than the custom query to find him, but I want you to see the syntax in order to make sense of the next query...

Standard Users Query: (objectCategory=person)(objectClass=user)(!name=SUPPORT_388945a0)(name=*)(!name=Guest)(!name=Administrator)(!name=Krbtgt)
So, sometimes what is important is what you DON'T want to see!  Where (name=Bob) found the account we wanted, (!name=Administrator) indicates what we want to be filtered out.  The exclamation point acts as the boolean operator "NOT" in this query. 

Disabled Users - (objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)
This query finds all disabled users by their userAccountControl value.  Again, this one would be easy enough to do with a common query, where it is just a checkbox to find these accounts.  In fact, that is exactly what I did to create this query.  But on the main query page (before the editor), you can see the LDAP query that the common query created.  Again, I can use this to look for something that is NOT a common query...

NOT Disabled Users - (objectCategory=person)(objectClass=user)(!UserAccountControl:1.2.840.113556.1.4.803:=2)
Once again, the exclamation point before the setting makes it invert the selection, now finding all accounts that have not been disabled.  Remember that first query that flattened all the users?  Many organizations disable accounts instead of deleting them when people leave the company.  That means that with the first query you would find tons of old user accounts.  This query eliminates them from the display.

Locked Out Accounts - (ObjectCategory=Person)(ObjectClass=User)(LockoutTime>=1)
Finding accounts that are locked out so that they can be unlocked and have their password reset is a common issue.  Now, instead of trying to find the locked out account (which has no distinguishing icon, unlike disabled accounts), you can have Active Directory Users and Computers find it for you!

Only Temporary Accounts that will Expire - (objectCategory=person)(objectClass=user)(!accountexpires=9223372036854775807)(!accountexpires=0)
When an user account is created for a contract worker or temp worker, they are often given user expiration dates.  Default accounts will either have 0 or that huge number you see above as their value.  Again, this query dives in, finds the temp accounts in any region or department they may be located in, and brings them to the surface, perhaps so that you can reset their expiration date to something later, or delete or disable their account early.

All Computers - (objectCategory=computer)
You guessed it.  This finds all computers, no matter where they might be hiding in your AD structure.

Used Computer Accounts - (&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=*))
When a computer joins the domain, it populates it's own operating system field. This query uses the "*" as a wildcard character, which will find ALL operating systems, meaning that the field can be anything... except blank.

Prestaged Computer Accounts - (&(sAMAccountType=805306369)(objectCategory=computer)(!operatingSystem=*))
When a computer joins the domain, it populates it's own operating system field.  Therefore, by searching for all users accounts where the operating system is NOT filled with anything, you can find prestaged computer accounts that are set up ahead of time by administrators to support future clients.

Well, that's it for now.  If there is a query you would like to know how to do, please feel free to ask!  You can learn a lot by using the basic queries and backsolving.  You can also find out a great deal by configuring accounts differently and then viewing their properties in adsiedit.msc or in the 2008 ADUC properties tab.
One last note about saved queries.  Once you create them, they are saved with the console, NOT in Active Directory.  That means other users will not be able to see them.  Even you won't be able to see them if you open a different MMC console!  Fortunately, you can right click and export them as XML files, and import them into any other MMC where needed.  You may wish to export them and have them available on a network drive... just in case.

Wednesday, August 26, 2009

Finding Microsoft Server info using the knowledge base and your search engine

Like most of you, I have grown indebted the wealth of information that is available on the World Wide Web. I'll research the inner workings of some new and exciting products, or I'll try to wrestle the last dying gasps out of a service that is on its last legs. I am often surprised that many IT pros don't know how to isolate their searches using a few simple parameters to their search engine queries. Whether you Bing or Google these days, these two simple tricks can help you find what you are looking for faster.

How to Do Everything with GoogleTip #1: Get what you want, where you want it! When researching a problem by typing in an error code or symptom into a search engine, I often get a flood of links to forums. Don't get me wrong - forums are one of the most powerful collaboration techniques on the internet, and the natural evolution of the older newsgroups. It's just that sometimes, what I really want is a search result that comes straight from the Microsoft knowledge base, the MSDN site, the Cisco web site, or Amazon. Or... sometimes I specifically want to exclude a site that sends a lot of results I don't want. Let's say the search was for exchange 2007 OWA errors and I did a normal search:

You'll notice the results are all over the map on various web sites.

Now we'll try it again with a small addition to the query:

Did you see the difference? I added to the original query the phrase By doing this, the search engine will exclude any results that are not in from the Microsoft knowledge base. If I was researching standard documentation for OWA, I would have added If I was looking for technical books on exchange and OWA, you guessed it, I would have added It's just that easy. And of course, if I just want to exclude the msexchange forum traffic through my results, then I would add The minus sign before the site will add the Boolean NOT to my search, keeping me forum free for this lookup.

Tip #2: Look for what you want in the format you want it. These days, some of the clearest insights on technology are presented in a non-web format, such as PDF or PowerPoint. So, if I'm looking for a walkthrough on a technology, I'll often include the filetype: phrase in my search, as listed below:

So I'm curious about the new features in Windows Server 2008, and I'm willing to bet that more than one someone has created a concise (unlike the corporate web pages) presentation on the subject. Of course, if I want to ensure that I'm not just getting the "yes man" verbiage on the subject, I could combine our two search tips, making it new features "Windows Server 2008" filetype:ppt
If you do certain advanced searches often, you could also "save" the advanced settings as custom searches in Internet Explorer's search provider. I hope this helps you to speed up all your searches on Microsoft Windows Server, SQL, or the latest version of Ubuntu!

Sunday, August 23, 2009

Windows Server 2008 - ADDS ADCS ADFS ADLDS ADRMS - is it really all AD?

As Microsoft has continued to promote Windows Server 2008, one of the challenges for me has been to wade through the hype in order to figure out why something that in Windows 2000 was cheerfully known as "Active Directory" is no longer what I thought it was. At its core, the term Active Directory still refers to the mainstay backbone of Microsoft based security environments: "trust" and "secure logon authentication." In addition, it still refers to a searchable information store. But leave it to the marketing guys at M$ to realize that "Active Directory" has the connotation of being an indispensable part of a Windows network.
Windows Server 2008 Active Directory Administration: Win Server 08 ADAAs Windows as matured, a supplements to the core operating system appeared over the last five years or so. These features, installable as additional features or available as free downloads, had various names, but all in some way dealt with the issues of "trust", "secure logon authentication", or "searchable information store". Let's examine them, and why they now bear the AD prefix, even if they are not a part of what we have traditionally referred to as Active Directory.
ADDS - Active Directory Directory Services. O.K., this one really is what you think it is. The database of users, computers, and groups, logically divided by Organizational Units, held in at least one domain, used to centrally manage a network.

ADLDS - Active Directory Lightweight Directory Services. This one, formerly known as ADAM (Active Directory Application Mode), is designed to be an information store that web applications can use for a database of user accounts and their properties, without having to actually connect to ADDS. Since multiple instances of this service can be installed on the same machine under different ports, it is an easy way to allow LDAP searching programs (again, usually web apps) to authenticate and determine user account capabilities, without mangling or compromising the security of the internal ADDS environment. Why prefix it with AD if it's not AD? Because it still deals with the core issues of a secure logon (for a user against the web app) and an information store.

ADFS - Active Directory Federation Services. This service is all about allowing a remote company to establish a non-ADDS trust with your company. What's wrong with using an ADDS trust? Nothing, in and of itself, but the process of allowing that access may open up ports and communication protocols over the internet that you do not want to allow. ADFS, which travels over standard HTTP ports, provides a secure means of Trust (Ah, the AD tie in) between two ADDS (or other) environments, without having to weaken security.

ADRMS - Active Directory Rights Management Services. A service to lock down content (such as Word documents or Emails) so that it is not subject to misuse (such as restricting printing or saving a copy of a document, or preventing the forwarding of a confidential email). This Windows service requires the use of an Active Directory user account in order to be trusted to open the document. (Perhaps a better name would be AD-Integrated Rights Management Services). Still, the key here is that documents can only be opened once a "secure logon authentication" has been established, and the document recognizes that it "trusts" the end user. What if the end user isn't in my company? Then my domain will need to trust theirs, either through a Windows domain trust, or a Federation trust (see ADFS above).

ADCS - Active Directory Certificate Services. - This is the service that allows users, computers, and services to request and receive certificates that can be used for confidentiality (you know, encrypting stuff) and integrity (you know, digitally signing stuff). This service can run in a standalone mode in a workgroup, and never see a domain controller in its entire life! However, if it is installed in a domain and installed as an Enterprise Certificate Authority (Read as: Active Directory-Integrated) then the server is automatically trusted by all members of the domain, and it becomes much easier to request certificates (perhaps through group policy), and they are automatically granted by the server to all domain members. Certificates are used for "Trust" and, in some cases, for "secure logon authentication".

I hope this brief overview of these topics has shed some light on why they all bear the AD prefix. Microsoft has their eyes on the prize when it comes to "trust", "secure logon authentication", and "searchable information store" through the Active Directory name. In our age where perimeter security is no longer considered secure and realms of trust guarded by the mechanisms of authentication are the true definitions of our security boundaries, these AD technologies are all designed to let you allow just enough access to get the job done, and no more.

Friday, August 21, 2009

Serious gotchas with mounted drives or mount points on Microsoft Windows Server

I have used mounted drives on Windows Servers and clients for many years, and found them to be powerful tools for managing drive space.  However, there are a few things to keep in mind will keep you from pulling your hair out when they do not work as advertized. 

For the uninitiated, a mount point refers to the ability to create a folder on an existing NTFS formatted drive and change it into a pointer to a completely separate disk space.  For example, this folder could point to a seperate external drive, an assigned LUN from a SAN environment, or even a CD or DVD.  I can hear some of you saying, "What's wrong with drive letters?  They were good enough for grandpa and they're good enough for me."  Too true!  However, there are times when one of two things occur.  First, you may find that you run out of drive letters to assign, or that trying to navigate a flat directory of 17 drives may become cumbersome.  Second, you may run out of space in an existing drive, and although more space is available, your application is not easily set to change its data storage locale to the new formatted space.  Here is where the mount point comes in, letting you use your existing path, but in the background diverting the operation to occur on your larger, more available disk space.
Now, regarding the gotchas:

Permissions: A mount point folder appears as a child object somewhere inside of an existing drive.  This begs the question, what permissions will apply to an object that is inside the mount point?  The answer is simple, as long as you remember that a mount point folder is essentially just a shortcut that guides you to the root of a new partition.  If you build a file inside this partition, it will inherit the permissions of the parent drive, not the shortcut folder (mount point), or the drive that the the mount point folder resides on. 

A mount point folder appears as a child object somewhere inside of an existing drive.  This begs the question, what permissions will apply to an object that is inside the mount point?  The answer is simple, as long as you remember that a mount point folder is essentially just a shortcut that guides you to the root of a new partition.  If you build a file inside this partition, it will inherit the permissions of the parent drive, not the shortcut folder (mount point), or the drive that the the mount point folder resides on. 

This means that if you gave a group named managers full control on the mount point folder they would be able to open it, but would have no permissions on the files and folders on the partition that the mount point guided them to.  If you bring up the properties of your mounted drive folder, you will see that it identifies itself as a mounted volume, and has a second property button on the general tab.  This button opens up the properties of the partition, and it is from there that you can set the security permissions for this volume (assuming that is not a DVD that doesn't have permissions!).

The only other wrinkle in this configuration is that if you go to the advanced properties of a file that is in a mount point, it will identify that its permissions came from the mount point folder's volume.  DON'T BELIEVE IT!  Your permissions for this file will come, of course, from the root of the volume that contains it.

Now for the other gotcha - deleting folders in a mount point.  Here's what happens: you have a subfolder with some files stored in a mount point volume.  Life is good.  The project that the files relate to is several years old, and the data is no longer relevant.  Like a good admin, after ensuring that the data has been archived, you connect to your server via remote desktop, browse to the subfolder, and attempt to delete it.  To which the server replies, "access denied".  Bummer. 
You make sure that there are no applications or explorer windows that are locking it from deletion, and there aren't.  Hmmmm.  The problem is the recycle bin.  This "undo" option is maintained with a hidden system file that is on the partition that holds the files being deleted.  Unfortuantely, when the command to delete a folder is given, the system attempts to delete the folder using the mount point folder's Master File Table, and not the subfolder's Master File Table.  The mount point folder's MFT doesn't host the record, and an access denied message is kicked back to you for having the temerity to try and recycle a directory which apparently doesn't even exist!  The only solution for this is to not recycle subfolders and directories, but to outright delete them.  Locally, an easy method is to hold down SHIFT while deleting a file.  Remotely, when using a UNC path or a mapped network drive, all folders are automatically deleted, so this issue doesn't arise.  This could all make a person want to keep their files in a SharePoint library, but that is a post for another day.