July 12, 2010

Using cacls.exe to set permissions from command line

Filed under: Information Technology — Tim Lefler @ 1:02 pm

Whether you want to set NTFS file permissions via a script, or would just like some confirmation that something other than an hourglass is happening when you apply permissions to a huge directory tree, cacls is the command for you.

There is also a VBScript version, xcacls.vbs, that can be used: http://support.microsoft.com/kb/825751

CACLS filename [/T] [/M] [/S[:SDDL]] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.
   /M            Changes ACLs of volumes mounted to a directory
   /S            Displays the SDDL string for the DACL.
   /S:SDDL       Replaces the ACLs with those specified in the SDDL string
                 (not valid with /E, /G, /R, /P, or /D).
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.
 
Abbreviations:
   CI - Container Inherit.
        The ACE will be inherited by directories.
   OI - Object Inherit.
        The ACE will be inherited by files.
   IO - Inherit Only.
        The ACE does not apply to the current file/directory.

I wanted to recursively set permissions for a directory structure and add permissions for users from 2 different domains.

Example (note the /E switch: as the help text above says, without it cacls replaces the existing ACL on every file in the tree instead of adding to it):

cacls "e:\test" /T /E /G "DOMAIN\Domain Users":F "DOMAIN2\Domain Admins":F
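After a bulk change like this, the thing a practitioner usually wants next is confirmation of what actually landed on the tree. The following Python script is an added example, not code from the original post: it parses the display-mode output of cacls (`cacls e:\test /T`, which lists each path followed by its ACEs with the (OI)/(CI)/(IO)/(DENY) markers explained above) and reports any allow entry that gives a broad group such as Everyone write access or better. The sample output embedded below is constructed; the path names and principals in it are illustrative.

```python
"""Audit the display output of cacls for over-broad grants.

Added example; the sample output below is constructed, not captured from the
original post's server. On the Windows side run `cacls e:\test /T > acl.txt`
and feed the file's contents to parse_cacls().
"""
import re
from dataclasses import dataclass, field

# Constructed sample of what `cacls e:\test /T` prints. Each path is followed by
# its ACEs; continuation ACEs are indented by len(path)+1 spaces so they line up,
# which is what lets the parser recover paths that contain spaces.
SAMPLE_CACLS_OUTPUT = r"""
e:\test BUILTIN\Administrators:(OI)(CI)F
        NT AUTHORITY\SYSTEM:(OI)(CI)F
        DOMAIN\Domain Users:(OI)(CI)F
        DOMAIN2\Domain Admins:(OI)(CI)F

e:\test\old data DOMAIN\Domain Users:(OI)(CI)R
                 Everyone:(OI)(CI)F
                 DOMAIN\jsmith:(IO)(DENY)W

e:\test\readme.txt BUILTIN\Users:R
"""

# Principals that mean "everybody" for practical purposes (compared lower-case).
BROAD_TRUSTEES = {"everyone", r"builtin\users", r"nt authority\authenticated users"}
# cacls permission letters that allow modification (from the help text).
WRITE_PERMS = {"F", "C", "W"}


@dataclass
class Ace:
    trustee: str
    flags: list            # inheritance/deny markers, e.g. ["OI", "CI", "DENY"]
    perm: str              # "F", "C", "W", "R", "N" or "special"
    rights: list = field(default_factory=list)  # detail lines of a special-access ACE


def _parse_ace(text):
    """Turn 'DOMAIN\\user:(OI)(CI)F' into an Ace."""
    trustee, rest = text.split(":", 1)          # a trustee never contains ':'
    flags = re.findall(r"\(([^)]*)\)", rest)
    if any(f.startswith("special access") for f in flags):
        flags = [f for f in flags if not f.startswith("special access")]
        perm = "special"
    else:
        perm = rest[rest.rfind(")") + 1:].strip() if ")" in rest else rest.strip()
    return Ace(trustee.strip(), flags, perm)


def parse_cacls(output):
    """Return {path: [Ace, ...]} from cacls display output."""
    blocks, current = [], []
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # an unindented line starts a new path
            if current:
                blocks.append(current)
            current = [line]
        else:
            current.append(line)
    if current:
        blocks.append(current)

    acls = {}
    for block in blocks:
        first = block[0]
        aligned = [l for l in block[1:] if ":" in l]
        if aligned:
            # The path length is recoverable from the alignment of the next ACE line.
            path_len = len(aligned[0]) - len(aligned[0].lstrip(" ")) - 1
        else:
            # Single-ACE block: cacls output is ambiguous here, so assume the
            # path has no spaces (a documented limitation of this parser).
            path_len = first.index(" ")
        path, first_ace = first[:path_len], first[path_len + 1:]
        aces = [_parse_ace(first_ace)]
        for line in block[1:]:
            if ":" in line:
                aces.append(_parse_ace(line.strip()))
            else:                               # a right listed under a special-access ACE
                aces[-1].rights.append(line.strip())
        acls[path] = aces
    return acls


def find_broad_grants(acls):
    """Return (path, trustee, perm) for allow ACEs giving broad groups write or better."""
    findings = []
    for path, aces in acls.items():
        for ace in aces:
            if (ace.trustee.lower() in BROAD_TRUSTEES
                    and "DENY" not in ace.flags
                    and ace.perm in WRITE_PERMS):
                findings.append((path, ace.trustee, ace.perm))
    return findings


if __name__ == "__main__":
    for path, trustee, perm in find_broad_grants(parse_cacls(SAMPLE_CACLS_OUTPUT)):
        print(f"{path}: {trustee} has {perm}")
```

The parser leans on the fact that cacls pads continuation lines to the width of the path, which is the only reliable way to tell where a path containing spaces ends and the first ACE begins; a directory that has a single ACE is parsed on the assumption that its path has no spaces, so check those by hand.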

March 4, 2010

Script to set AD targetAddress property to forward Email during a Transition to new Domain

Filed under: General Development, Information Technology — Tim Lefler @ 9:07 am

My company was moving from our in-house email system to a completely new infrastructure with a new email domain name and a new Active Directory domain. The plan was to have users configure a new Outlook profile to connect to the new system at a particular time on the migration day. Because we had little control over when the users would actually make the transition, I wanted to make sure any new email that arrived at the old mailbox would get forwarded to the new mailbox. This would help cover the straggler users who kept sending email to users who had already migrated.

So this script does exactly that: it takes a list of distinguished names in an input file, connects to Active Directory and sets the “targetAddress” attribute on each object. This essentially forwards the mail to the targetAddress SMTP location.

The input file can be easily generated with a CSVDE command:

C:\>csvde -f input.csv -d "dc=domain,dc=com" -r "(ObjectCategory=Person)" -l "DN"
Connecting to "(null)"
Logging in as current user using SSPI
Exporting directory to file input.csv
Searching for entries...
Writing out entries
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
...........................................
Export Completed. Post-processing in progress...
763 entries exported
 
The command has completed successfully

Then you can run this script to read it in and make the changes to the mail-enabled Active Directory objects. (more…)

March 3, 2010

My definition of DHCP-snooping

Filed under: Information Technology, Security — Tim Lefler @ 2:04 pm

Cisco’s Overview of DHCP Snooping

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.

Well, thanks for that extremely clear overview. What is actually going on? Let's say you have a switch. You hook a DHCP server up to port #1 and designate this as a “trusted” interface, and all of the rest of the ports that will have devices connected to them are set up as “untrusted”. You would set this up using the commands:

*** Enable DHCP Snooping & ARP Inspection ***
ip dhcp snooping vlan 100
no ip dhcp snooping information option
ip dhcp snooping database flash:/dhcpdb.dat
ip dhcp snooping
ip arp inspection vlan 100
 
*** Untrusted Access Interfaces for DHCP ****
Int Range Fa1/0/2 - 48
description Workstation
switchport access vlan 100
switchport mode access
no mdix auto
 
Int Range Fa2/0/1 - 48
description Workstation
switchport access vlan 100
switchport mode access
no mdix auto
 
*** Trusted Access Interface for DHCP ***
Int Fa1/0/1
description DHCP Server
switchport access vlan 100
switchport mode access
no mdix auto
ip dhcp snooping trust

DHCP Client requests are forwarded regardless of the trust state of the port, but DHCP server responses are dropped if the port is untrusted.

So let's say that on port #2 the switch sees a DHCP discovery packet float by from a DHCP client. Because it is a broadcast message, this gets flooded to all ports on the VLAN. The DHCP server connected to port #1 sees the discovery packet and sends a unicast DHCPOFFER packet to the client. Because this originated from a “trusted” port, the offer is allowed to go through. The client receives the DHCPOFFER, chooses one offer from all that it receives, and responds with a DHCPREQUEST back to the DHCP server. The server then responds with a DHCPACK that includes the configuration parameters and the committed network address. The switch records the client binding (port, VLAN, MAC address, IP address, etc.) in its local snooping database.
(more…)
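The two rules in the walkthrough above (client requests are forwarded from any port, server responses are dropped on untrusted ports, and a completed exchange populates the binding table) are easy to model. The following Python script is an added example, not Cisco code or code from the original post: a minimal switch model that replays the DISCOVER/OFFER/REQUEST/ACK exchange with the server on trusted port 1 and the client on untrusted port 2, then shows what happens to an OFFER arriving from a rogue server on untrusted port 5. Port numbers, MAC and IP addresses are constructed.

```python
"""Model of the DHCP snooping forwarding decisions described above.

Added example (not Cisco code): a tiny switch model that applies the two rules
from the post, drops DHCP server messages arriving on untrusted ports and
records a binding when a legitimate DHCPACK completes an exchange. Packets and
port numbers are constructed for illustration.
"""
from dataclasses import dataclass

# DHCP message types (option 53 values from RFC 2132).
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK}           # only a DHCP server legitimately sends these
CLIENT_MESSAGES = {DISCOVER, REQUEST}


@dataclass
class DhcpPacket:
    msg_type: int
    client_mac: str          # chaddr
    ingress_port: int        # switch port the frame arrived on
    yiaddr: str = ""         # address offered/assigned (OFFER, ACK)
    lease_seconds: int = 0   # option 51 (ACK)


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: int
    lease_seconds: int


class SnoopingSwitch:
    """One VLAN with a set of trusted ports; every other port is untrusted."""

    def __init__(self, vlan, trusted_ports):
        self.vlan = vlan
        self.trusted = set(trusted_ports)
        self.client_port = {}     # chaddr -> untrusted port that sent DISCOVER/REQUEST
        self.bindings = {}        # chaddr -> Binding (the snooping binding table)
        self.dropped = []         # server messages rejected on untrusted ports

    def receive(self, pkt):
        """Apply the snooping rules; return True if the frame is forwarded."""
        trusted = pkt.ingress_port in self.trusted
        if pkt.msg_type in SERVER_MESSAGES and not trusted:
            # Server responses are dropped if the port is untrusted.
            self.dropped.append(pkt)
            return False
        if pkt.msg_type in CLIENT_MESSAGES:
            # Client requests are forwarded regardless of trust state; remember
            # which untrusted port the client is on so the ACK can be bound to it.
            if not trusted:
                self.client_port[pkt.client_mac] = pkt.ingress_port
            return True
        if pkt.msg_type == ACK and pkt.client_mac in self.client_port:
            # A trusted server committed an address: record port, VLAN, MAC, IP, lease.
            self.bindings[pkt.client_mac] = Binding(
                pkt.client_mac, pkt.yiaddr, self.vlan,
                self.client_port[pkt.client_mac], pkt.lease_seconds)
        return True


def run_demo():
    """Replay the exchange from the post, then a rogue server answering on port 5."""
    sw = SnoopingSwitch(vlan=100, trusted_ports={1})   # port 1 is the DHCP server
    client = "00:11:22:33:44:55"
    forwarded = [
        sw.receive(DhcpPacket(DISCOVER, client, ingress_port=2)),
        sw.receive(DhcpPacket(OFFER, client, ingress_port=1, yiaddr="10.1.100.50")),
        sw.receive(DhcpPacket(REQUEST, client, ingress_port=2)),
        sw.receive(DhcpPacket(ACK, client, ingress_port=1, yiaddr="10.1.100.50",
                              lease_seconds=86400)),
        # A rogue DHCP server answering on an untrusted workstation port.
        sw.receive(DhcpPacket(OFFER, client, ingress_port=5, yiaddr="192.168.9.9")),
    ]
    return sw, forwarded


if __name__ == "__main__":
    switch, decisions = run_demo()
    print("forwarded:", decisions)
    for b in switch.bindings.values():
        print(f"binding {b.mac} -> {b.ip} vlan {b.vlan} port {b.port} lease {b.lease_seconds}s")
    print("dropped:", [(p.msg_type, p.ingress_port) for p in switch.dropped])
```

The model only records bindings for clients seen on untrusted ports, matching the Cisco description that the table does not cover hosts behind a trusted interface. The `ip arp inspection vlan 100` line in the configuration above is what makes this table matter beyond DHCP: dynamic ARP inspection validates ARP replies on untrusted ports against these MAC-to-IP bindings.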

March 1, 2010

How to use ExMerge to search through an Exchange mailstore and remove messages

Filed under: Information Technology — Tim Lefler @ 2:04 pm

As Exchange administrators we have probably all had that panic call from an administrative assistant wanting to recall a message that was inadvertently sent to the wrong group. Every end user knows that Outlook's “Recall” capability stinks. Microsoft's Exchange Mailbox Merge tool (ExMerge, available as a download from Microsoft) can be used to perform this function. You've probably used this tool before to extract a single user's mailbox from the Exchange Recovery Storage Group to a PST.

We can use a similar technique to extract all of the messages that match a criterion such as “SUBJECT” to a PST, delete them from the mailboxes, and then simply throw away the PST.

Before we begin, make sure the account you are using is NOT a Domain Admin and has read access to the mailstore and all of the mailboxes. I like setting this permission at the SERVER level and letting it propagate down to the individual mailboxes. You can't use a Domain Admin account because Exchange explicitly denies Domain Admins read access at the mailbox level.

Start up ExMerge and choose “Extract or Import (Two Step Procedure)”.

This allows us to extract the messages that meet our criteria first before trying to import or restore the messages.

Select "Extract or Import (Two Step Procedure)"

So first we perform step 1 to extract the messages. (more…)

February 23, 2010

csvde Command to show disabled accounts

Filed under: Information Technology — Tim Lefler @ 4:53 pm

For audit purposes I needed to list all Active Directory users and prove that ex-employees were either deleted or disabled. There are a couple of techniques to produce the required output. I think the easiest was to make use of csvde.exe.

Arguments for csvde.exe

CSV Directory Exchange
 
General Parameters
==================
-i              Turn on Import Mode (The default is Export)
-f filename     Input or Output filename
-s servername   The server to bind to (Default to DC of computer's domain)
-v              Turn on Verbose Mode
-c FromDN ToDN  Replace occurences of FromDN to ToDN
-j path         Log File Location
-t port         Port Number (default = 389)
-u              Use Unicode format
-?              Help
 
Export Specific
===============
-d RootDN       The root of the LDAP search (Default to Naming Context)
-r Filter       LDAP search filter (Default to "(objectClass=*)")
-p SearchScope  Search Scope (Base/OneLevel/Subtree)
-l list         List of attributes (comma separated) to look for in an
                LDAP search
-o list         List of attributes (comma separated) to omit from input.
-g              Disable Paged Search.
-m              Enable the SAM logic on export.
-n              Do not export binary values
 
 
Import
======
-k              The import will go on ignoring 'Constraint Violation' and
                'Object Already Exists' errors
 
 
Credentials Establishment
=========================
Note that if no credentials is specified, CSVDE will bind as the currently
logged on user, using SSPI.
 
-a UserDN [Password | *]            Simple authentication
-b UserName Domain [Password | *]   SSPI bind method
 
Example: Simple import of current domain
    csvde -i -f INPUT.CSV
 
Example: Simple export of current domain
    csvde -f OUTPUT.CSV
 
Example: Export of specific domain with credentials
    csvde -m -f OUTPUT.CSV
          -b USERNAME DOMAINNAME *
          -s SERVERNAME
          -d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com"
          -r "(objectClass=user)"
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

So to display whether a user is disabled or not we need to extract the “userAccountControl” property.
(more…)
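The userAccountControl value csvde exports is a bit field, so “disabled” has to be read out of it rather than compared as a number (514 and 66050 are both disabled accounts). The following Python script is an added example, not the script from the original post: it reads a csvde export that was assumed to be produced with `-l "DN,sAMAccountName,userAccountControl"`, decodes the well-known flag bits, and lists the accounts whose ACCOUNTDISABLE bit is set. The sample rows are constructed, and one of them is a contact object, which the `(ObjectCategory=Person)` filter also returns and which has no userAccountControl at all.

```python
"""Decode userAccountControl from a csvde export to list disabled accounts.

Added example (not from the original post). Assumes the CSV was produced with:
  csvde -f users.csv -d "dc=domain,dc=com" -r "(objectCategory=Person)"
        -l "DN,sAMAccountName,userAccountControl"
The sample rows below are constructed.
"""
import csv
import io

# Well-known userAccountControl bits (the ones an account audit usually needs).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002

# Constructed csvde output: 512 = enabled user, 514 = disabled, 66048 = enabled
# with a non-expiring password, 66050 = disabled with a non-expiring password,
# 528 = enabled but locked out. The contact has no userAccountControl, which
# csvde writes as an empty field.
SAMPLE_CSV = """\
DN,sAMAccountName,userAccountControl
"CN=Alice Example,OU=Staff,DC=domain,DC=com",alice,512
"CN=Bob Former,OU=Staff,DC=domain,DC=com",bob,514
"CN=Carol Svc,OU=Service Accounts,DC=domain,DC=com",svc_carol,66048
"CN=Dave Left,OU=Disabled Users,DC=domain,DC=com",dave,66050
"CN=Erin Locked,OU=Staff,DC=domain,DC=com",erin,528
"CN=Ext Contact,OU=Contacts,DC=domain,DC=com",,
"""


def decode_uac(value):
    """Return the names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def load_accounts(csv_text):
    """Parse csvde output; objects without userAccountControl (contacts) get uac=None."""
    accounts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["userAccountControl"].strip()
        accounts.append({
            "dn": row["DN"],
            "sam": row["sAMAccountName"],
            "uac": int(raw) if raw else None,
        })
    return accounts


def disabled_accounts(accounts):
    """sAMAccountNames whose ACCOUNTDISABLE bit is set."""
    return [a["sam"] for a in accounts
            if a["uac"] is not None and a["uac"] & ACCOUNTDISABLE]


def audit_report(csv_text):
    """Map sAMAccountName -> (enabled, decoded flags); contacts are skipped."""
    report = {}
    for a in load_accounts(csv_text):
        if a["uac"] is None:
            continue
        enabled = not (a["uac"] & ACCOUNTDISABLE)
        report[a["sam"]] = (enabled, decode_uac(a["uac"]))
    return report


if __name__ == "__main__":
    for sam, (enabled, flags) in audit_report(SAMPLE_CSV).items():
        print(f"{sam:10} {'enabled ' if enabled else 'DISABLED'} {', '.join(flags)}")
```

For the audit in the post, the disabled list is the evidence that a departed user's account was turned off; the decoded flags are also worth keeping in the report, since PASSWD_NOTREQD and DONT_EXPIRE_PASSWORD on an enabled account are the kind of thing an auditor asks about next.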

January 12, 2010

What is SID History?

Filed under: Information Technology — Tim Lefler @ 4:55 pm

SID History is an Active Directory (AD) user account object attribute that facilitates the authorization process when you migrate Windows domains. SID History helps in migrating Active Directory domains when both domain infrastructures exist in parallel. In such a scenario, newly created user accounts in the new domain often need to be able to access resources in the old domain. The main problem in these situations is that resources in the old domain are secured using ACLs that refer to the old SIDs of user accounts defined in the old domain.

To resolve this problem, Microsoft provides the ClonePrincipal API used by tools like the Active Directory Migration Tool (ADMT).  When you create a new account, the API can add the old account’s SID to the SID History attribute of the new account.  As a result, when the user logs on to the new domain by using his or her new account, the access token will refer to the new SID and to the old SID. The user can then seamlessly access resources secured with the old SID hosted in the old domain.

There are a number of applications other than ADMT that can help ease some of the migration headache. One of note is Quest's Migration Manager. Our enterprise group sings the praises of this product.

December 18, 2009

Volume Licensing and the Key Management Service (KMS)

Filed under: Information Technology — Tim Lefler @ 1:15 pm

Overview

This is a synopsis of information provided on the Microsoft Volume Activation site, but I've filtered it for what I think is useful.

Microsoft Volume Activation (VA) 2.0 is designed to allow volume licensing customers to automate the activation process so that there is little impact on end users. VA 2.0 provides volume customers with two models for activating Windows Vista and Windows Server 2008. The KMS model is designed to activate systems by connecting to a locally managed network-based service. The MAK model has systems connect to Microsoft for activation either individually or by using a proxy.

Most people will use both activation models, because laptops are not always around to activate against a local KMS service.

Key Management Service (KMS)

KMS requires a minimum number of physical computers in a network environment. You must have at least five (5) physical computers to activate Windows Server 2008 and at least twenty-five (25) physical computers to activate Windows 7 clients. These minimums, called activation thresholds, are set so that they are easily met by enterprise customers. For more information about activation thresholds, see the Volume Activation 2.0 Planning Guide.

Note: These thresholds pose a problem for people who are first implementing KMS. None of your Windows 7 clients are activated until the 25-client threshold is reached. Thankfully, in our environment there are a lot of Windows Server 2008 servers, which helps with our threshold, but this is still something that needs to be planned for.

By default, volume editions of Windows 7 and Windows Server 2008 connect to a system that hosts the KMS service to request activation. No action is required of the end user.

MAK is used for a one-time activation with Microsoft’s hosted activation services. There are two ways to activate computers using MAK. The first method is MAK Independent activation, which requires that each computer independently connect and activate with Microsoft, either over the Internet or by telephone. The second method is MAK Proxy activation. With this method, a computer acting as a MAK proxy gathers activation information from multiple computers on the network and then sends a centralized activation request on their behalf. MAK Proxy Activation is configured using the Volume Activation Management Tool (VAMT).

Note: For us MAK was not an option because we are under a corporate agreement with Microsoft.

What If Systems Are Not Activated?

If activation does not occur immediately after the operating system is installed, Windows 7 and Windows Server 2008 still provide the full functionality of the operating system for a limited amount of time, or grace period. The length of the grace period varies from thirty days for Windows 7 to sixty days for Windows Server 2008. After the grace period expires, the initial release of Windows Vista transitions to reduced functionality mode (RFM), but Windows Vista Service Pack 1 (SP1) and Windows Server 2008 do not go into RFM after the initial grace period expires. If not activated, these products continue to remind the user to activate through notifications.

Grace Period

During the initial grace period, there are periodic notifications that the system needs activation. Systems in this grace period have a set period of time to activate the operating system. Once a day, during the logon process, a notification bubble reminds the user to activate the operating system. For both 60-day and 30-day grace periods, this behavior continues until there are three days left in the grace period. For the first two of the final three days of the grace period, the notification bubble appears every four hours. During the final day of the grace period the notification bubble appears every hour, on the hour.

After the initial grace period expires or activation fails, Windows 7 and Windows Server 2008 continue to notify the user that the operating system needs activation. (Very annoying but everything still works)

So, to set up the KMS service on a Windows 2003 machine:

(more…)

December 15, 2009

Team Foundation Server Overview

Filed under: Information Technology — Tim Lefler @ 7:54 am

Team Foundation Server is part of the Visual Studio Team System 2008 Team Suite (VSTS 2008).   VSTS 2008 provides multi-disciplined team members with an integrated set of tools for architecture, design, development, database development and testing of applications.

This is my watered down overview of TFS highlighting the pieces of the Microsoft Documentation that I thought were important.

VSTS 2008 Team Foundation Server is an integrated collaboration server.  It consists of a set of tools and technologies that enable a team to collaborate and coordinate their efforts on building a product or completing a project. Team Foundation enhances team communication, tracks work status, supports team roles, enacts the team process, and integrates team tools.

The following diagram outlines a sample logical implementation of Team Foundation Server as it relates to the roles most common to the software engineering and development lifecycle.

[Diagram: TFS_Components]

Team Foundation Server delivers source control, work item tracking, Team Foundation Build, team project portal Web site, reporting, and project management capabilities.  Team Foundation Server also includes a data warehouse where data from work item tracking, source control, builds, and testing tools are stored.

Team Foundation Server

All team projects are stored and managed with Team Foundation Server.  A logical Team Foundation Server is made up of two components:

  • An application-tier server, made up primarily of Web services
  • A data-tier server, made up primarily of several SQL Server databases.

The application-tier server and data-tier server can be deployed on one server or two servers.

Team Foundation Build

Team Foundation Build provides a build lab as part of Team Foundation.  The builds can be defined to be on-demand, rolling, or continuous integration where each check-in causes a build to be queued according to its priority.  Enterprise build managers can synchronize the sources, compile the application, run associated unit tests, perform code analysis, release builds on a file server, and publish build reports.  Team Foundation Build works with other Visual Studio Team System tools during the build process, including version control, work item tracking, and test tools.

Team Foundation Server Proxy

Team Foundation Server Proxy is an optional server designed to boost network performance by caching copies of source control files in a remote location, local to the developer needing the files. By storing copies in the remote location, typically connected to the source location through a slower link than the local area network, the proxy helps each user avoid a costly download of the files to their workspace across the slower connection. (more…)

November 18, 2009

How to Determine the FSMO Roles in use for a Windows 2003 Active Directory Domain

Filed under: Information Technology — Tim Lefler @ 5:08 pm

Windows 2003 Active Directory domains use single-master operation roles, called FSMO roles (Flexible Single Master Operations).

The five FSMO roles are:

  • Schema master – Forest-wide and one per forest.
  • Domain naming master – Forest-wide and one per forest.
  • RID master – Domain-specific and one for each domain.
  • PDC emulator – Domain-specific and one for each domain.
  • Infrastructure master – Domain-specific and one for each domain.

In most cases, an administrator can keep the FSMO role holders (all 5 of them) on the same DC configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. For example, if you are decommissioning old equipment you would want to move the FSMO roles to one of the other DCs to prevent disruption of services.

I’m going to document two separate methods for determining each of the FSMO roles:

Using the GUI to find each of the FSMO roles

(more…)

November 2, 2009

How to enable Virtualization Technology(VT) on Dell 1950

Filed under: Information Technology — Tim Lefler @ 3:48 pm

A quick post to document how to enable the Virtualization Technology (VT) BIOS setting from the command line. We had a situation where we could not add a 64-bit VM on our ESX host without having the BIOS setting set. Unfortunately, this ESX host was in production and downtime could not be scheduled.

Install OpenManage and then run the following:

omconfig chassis biossetup attribute=cpuvt setting=enabled
(more…)
