
Windows by default has a mechanism to notify a user when the password is going to expire. By default Windows will start notifying the user 14 days before the password really expires and must be changed. The default value is effective when no other value has been configured in a GPO in AD. If you want to configure a value in a GPO, you can do so using the GPO setting as shown in the picture below, or go to this link. The GPO that can be used is any GPO (it does not need to be the Default Domain GPO or the Default Domain Controllers GPO) targeted at the set of AD clients that should honor that specific setting. In other words, you could have a GPO targeting client computers in EMEA that notifies users who log on to those computers 10 days before their password expires, and another GPO targeting client computers in APAC that notifies users who log on to those computers 20 days before their password expires.

So when the user logs on to the client computer the following notification is shown like in the picture below.

However, this setting only applies to interactive logons or TS logons at AD clients (workstations, servers, DCs). It does not apply to other types of logons. In addition, OWA may notify you, while you are using it, that your password will expire. However, there are tons of other reasons and scenarios for which it is interesting to notify a user that the password is going to expire. One of the scenarios is a consultant working for a client. The consultant uses his own computer, which is not a member of the client's AD. The consultant does, however, have a user account in the client's AD (which is also mailbox-enabled), and from time to time the password must be changed according to the password policy. So, how are you going to notify that user to change the password before it suddenly expires? One way is to use a mechanism that e-mails the user with instructions. However, that mechanism does not exist by default in AD. You either need to buy something or create something yourself. Another way is to use the tool/script that I provide in this post as an attachment.

The tool 'ADPwdExpNotify.exe' uses an INI file 'ADPwdExpNotify.ini' that needs to be configured prior to using the tool in your environment. Environment-specific information must be provided, like the AD domain name, the FQDN of a DC, the FQDN of the mail server, etc. In addition you can configure the script to log actions to a log file and to create a CSV of the accounts for which a notification is generated. An interesting feature is that it is possible to configure the tool to run in either TEST mode or PROD mode. In TEST mode, ONE recipient receives all notifications by e-mail for all users for which the script determined a notification must be generated. In PROD mode, EACH recipient receives their own notification by e-mail. This way you can test the tool for as long as you feel is required. After that you just change the MODE from TEST to PROD in the INI file and the users will start to get their notifications by e-mail if their password is about to expire (taking the notification period into account that has been configured in the INI file).

You need to have an account in AD that is mailbox-enabled so that it is accepted as a sender. My suggestion would be to execute the tool using a scheduled task. For the credentials you can use a normal user account without ANY special permissions. However, if something goes wrong an event is written to the System Event Log, and for that the account must have permission to write to the System Event Log. If you use some monitoring tool you could monitor for these events to see if the tool is working as it should.

Below you see the output to a log file and to the screen when logging has been enabled in the INI file.

Below you see the creation of a CSV file when it has been enabled in the INI file.

Below you see an example of the e-mail notification a user will get. The user can then use CTRL+ALT+DEL to change the password in the AD domain or leverage the password change screen in OWA. The INI file contains example links for the OWA Password Change URL in E2K3 and E2K7.
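The selection and routing logic described above, as an added Python example (not the ADPwdExpNotify code, which is only available as the attachment); it assumes that pwdLastSet and userAccountControl of each account and the domain's maxPwdAge have already been read over LDAP, and it models mail sending by returning the messages instead of talking to a mail server.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000          # userAccountControl: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAXPWDAGE_NEVER = -(1 << 63)             # domain maxPwdAge value meaning "never"


def filetime_to_datetime(filetime):
    """Convert a FILETIME (100-ns intervals since 1601, e.g. pwdLastSet) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample data."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def password_expiry(account, max_pwd_age):
    """Return the UTC time the account's password expires, or None.

    max_pwd_age is the domain's maxPwdAge: a negative 100-ns interval (42 days
    is -36288000000000). None means no countdown applies: the "never expires"
    bit is set, the policy never expires passwords, or pwdLastSet is 0 (the
    user must change the password at next logon anyway).
    """
    if account["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return None
    if account["pwdLastSet"] == 0 or max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None
    last_set = filetime_to_datetime(account["pwdLastSet"])
    return last_set + timedelta(microseconds=(-max_pwd_age) // 10)


def accounts_to_notify(accounts, max_pwd_age, notify_days, now):
    """Select (account, expiry) pairs whose password expires within notify_days.

    Already-expired passwords are skipped (a choice made for this example): a
    "will expire" mail is useless to that user, who needs a reset instead.
    """
    window = timedelta(days=notify_days)
    selected = []
    for acct in accounts:
        expiry = password_expiry(acct, max_pwd_age)
        if expiry is not None and now < expiry <= now + window:
            selected.append((acct, expiry))
    return selected


def build_notifications(accounts, max_pwd_age, notify_days, now, mode,
                        sender, test_recipient=None):
    """Build (to, subject, body) messages in TEST or PROD mode.

    TEST routes every notification to the single test_recipient so the
    selection can be watched for a while; PROD addresses each user's own
    mailbox. sender must be a mailbox-enabled account, as noted above.
    """
    if mode not in ("TEST", "PROD"):
        raise ValueError("MODE must be TEST or PROD")
    if mode == "TEST" and not test_recipient:
        raise ValueError("TEST mode needs a test recipient")
    messages = []
    for acct, expiry in accounts_to_notify(accounts, max_pwd_age, notify_days, now):
        days_left = (expiry - now).days
        to = test_recipient if mode == "TEST" else acct["mail"]
        subject = f"Password for {acct['sAMAccountName']} expires in {days_left} day(s)"
        body = (f"From: {sender}\nAccount: {acct['sAMAccountName']}\n"
                f"Expires: {expiry:%Y-%m-%d %H:%M} UTC\n"
                "Change it with CTRL+ALT+DEL on a domain member or via the "
                "OWA password change page.")
        messages.append((to, subject, body))
    return messages


# Constructed sample data: a 42-day maxPwdAge, a fixed "now" and four accounts
# whose pwdLastSet values are derived from that "now" (0x200 = normal account).
NOW = datetime(2008, 7, 1, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 24 * 3600 * 10_000_000   # -36288000000000


def _sample(name, days_ago, uac=0x200):
    return {"sAMAccountName": name, "mail": f"{name}@example.com",
            "userAccountControl": uac,
            "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=days_ago))}


SAMPLE_ACCOUNTS = [
    _sample("alice", 35),                                        # expires in 7 days: notify
    _sample("bob", 10),                                          # expires in 32 days: not yet
    _sample("svc-backup", 400, 0x200 | UF_DONT_EXPIRE_PASSWD),  # never expires: skip
    _sample("carol", 50),                                        # expired 8 days ago: skip
]
```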

Disclaimer for using this tool/script:

  • The tool/script is freeware.
  • This tool/script is furnished "AS IS". No warranty is expressed or implied!
  • Always test first in lab environment to see if it meets your needs!
  • Don't expect to get support for this tool. If I have time I will see what I can do, otherwise you are out of luck.
  • Use this tool/script at your own risk!
  • I have tested this tool/script for W2K3 AD and W2K8 AD, but I have not tested it for ALL possible scenarios and configurations. So, make sure to test it FIRST in a test environment before going to production!
  • I do not warrant this tool/script to be fit for any purpose, use or environment
  • I do not guarantee the tool/script does not have bugs
  • I do not guarantee the tool/script will not damage or destroy your system(s), environment or whatever.
  • I do not accept liability in any way if you screw up, use the tool/script wrong or in any other way where damage is caused to your environment/systems!
  • If you do not accept these terms do not use the script and delete it immediately!

If you have suggestions or found bugs, feel free to mail me: Jorge DOT de DOT Almeida DOT Pinto AT gmail DOT com. I will then see what I can do!

Cheers,

Jorge

--------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
--------------------------------------------------------------------------------------------------
############### Jorge's Quest For Knowledge ###############
######## http://blogs.dirteam.com/blogs/jorge/default.aspx #########
--------------------------------------------------------------------------------------------------

A few days ago I was chatting with a colleague of mine in the UK about automated permission assignment in AD through DSACLS. He needed this for CLM deployments, where you have to use different kinds of Extended Rights that are defined in AD throughout the AD environment. Each AD deployment by default contains a set of Extended Rights that are defined in the Configuration container. The path where the Extended Rights are defined is: "CN=Extended-Rights,CN=Configuration,DC=<FOREST ROOT DOMAIN>,DC=<TLD>". Below you can see a picture of it.

This list of Extended Rights is built when the AD forest is created and that of course occurs when the very first RWDC is installed for that AD forest. How that list is built is also not difficult. On each W2K server and higher a file called 'SCHEMA.INI' exists. That file contains instructions for DCPROMO to carry out depending on the choices and values specified for DCPROMO. Although possible, Microsoft does not support any custom changes to the file 'SCHEMA.INI'. So, let's suggest NOT TO MODIFY this file!

As soon as you install some product (e.g. an AD upgrade, Exchange, CLM, etc.) that requires additional Extended Rights, those additional Extended Rights are defined in the accompanying LDF files and are created when the AD schema is extended to support that particular product.

That same colleague told me that for Certificate Services and for CLM he was able to use DSACLS for every related Extended Right except for one. For that one he said he had to do it manually. As you may know certificate templates may have two specific certificate template related permissions. One being "Enroll" and the other one being "AutoEnroll" as you can see below.

As you can see, in addition to "Allow:Read" I also assigned "Domain Users" both the "Allow:Enroll" and the "Allow:Autoenrollment" permissions (Extended Rights) on the certificate template called "User v2". Let's have a look at how that looks in LDP. That picture is shown below.

You can see the "Allow:Read", the "Allow:Enroll" and some weird permission with a GUID. What the heck is that? Well, that's easy. Each Extended Right has an attribute called "rightsGuid". For more information on this attribute see this. But why is the name shown for one Extended Right and a GUID for the other? Let's have a look at that with ADFIND and retrieve more information about those two Extended Rights.

ADFIND -config -f "(&(objectClass=controlAccessRight)(displayName=Enroll))"

ADFIND -config -f "(&(objectClass=controlAccessRight)(rightsGuid=a05b8cc2-17bc-4802-a710-e7c15ab866a2))"

Hey, what's going on here? No objects with that rightsGuid? It looks like that Extended Right is not defined in the Extended Rights container in the Configuration NC. That's weird! This occurs in W2K (computer only), W2K3 and W2K8. To configure the "Allow:Enroll" permission on the "User v2" certificate template you could use DSACLS like:

DSACLS "CN=Userv2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<FOREST ROOT DOMAIN>,DC=<TLD>" /G "Domain Users:CA;Enroll"

This was what my colleague was talking about. He was not able to use DSACLS with the name of the AutoEnroll Extended Right. For the "Allow:Autoenroll" permission you can NOT use the following:

DSACLS "CN=Userv2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<FOREST ROOT DOMAIN>,DC=<TLD>" /G "Domain Users:CA;a05b8cc2-17bc-4802-a710-e7c15ab866a2"

Why? Well, DSACLS expects a name and then translates that to a rightsGuid. It cannot use the rightsGuid directly. The only way to define this Extended Right is to either use the GUI ("CERTTMPL.MSC") or through some tool that does support the use of the RightsGuid directly. However, there is another way if you really want to use DSACLS to automate the configuration of the non-existing Extended Right. The solution to that is to just define your own Extended Right with that specific rightsGuid in the Extended Rights container in the Configuration NC.

First, let's have a look at what the "Enroll" Extended Right looks like and analyze what must be done to create your own Extended Right. Have a look at the picture below.

When creating your own Extended Right in AD you need to define at least the following attributes to be complete (for more information on those attributes click the link to go to MSDN):

  • objectClass: This attribute specifies the list of classes of which this object is an instance
  • cn: This attribute specifies the name that represents an object
  • displayName: This attribute specifies the display name for an object
  • showInAdvancedViewOnly: This attribute specifies whether the attribute is to be visible in the Advanced mode of user interfaces (UIs). Active Directory snap-ins read this attribute
  • rightsGuid: This attribute specifies the GUID used to represent an extended right within an access control entry (ACE)
  • appliesTo: This attribute specifies the list of object classes that an extended right applies to.
  • validAccesses: This attribute specifies the type of access that is permitted with an extended right

For the new Extended Right you would need to provide the following values:

  • objectClass = controlAccessRight
  • cn = Certificate-AutoEnrollment
  • displayName = AutoEnrollment
  • showInAdvancedViewOnly = TRUE
  • rightsGuid = a05b8cc2-17bc-4802-a710-e7c15ab866a2 (the GUID we found above)
  • appliesTo = e5209ca2-3bba-11d2-90cc-00c04fd91ab1 (the schemaIDGUID of Certificate Template objects which have an objectClass of "pKICertificateTemplate")
  • validAccesses = 256

You can either use ADSIEDIT.MSC to create the object or you can use ADMOD. Using ADMOD the command line syntax to create the controlAccessRight object is:

ADMOD -replacedn XXX-CONFIG-XXX:_config -add -b "CN=Certificate-AutoEnrollment,CN=Extended-Rights,XXX-CONFIG-XXX" "objectClass::controlAccessRight" "displayName::AutoEnrollment" "showInAdvancedViewOnly::TRUE" "rightsGuid::a05b8cc2-17bc-4802-a710-e7c15ab866a2" "appliesTo::e5209ca2-3bba-11d2-90cc-00c04fd91ab1" "validAccesses::256"

REMARK: At this moment I did not configure the ACL of the new controlAccessRight object to match the ACL of, for example, the controlAccessRight object "CN=Certificate-Enrollment,CN=Extended-Rights,CN=Configuration,DC=<FOREST ROOT DOMAIN>,DC=<TLD>". This could easily be done using ADSIEDIT.MSC!

The result is shown in the picture below.

Now let's rerun the following query: ADFIND -config -f "rightsGuid=a05b8cc2-17bc-4802-a710-e7c15ab866a2". It should find an object now.

Now let's use DSACLS to configure the "AutoEnrollment" Extended Right for Domain Users (I have removed it first using the GUI):

DSACLS "CN=Userv2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<FOREST ROOT DOMAIN>,DC=<TLD>" /G "Domain Users:CA;AutoEnrollment"

Let's now have a look at how LDP displays the permissions. Make sure to first close and reopen LDP! See the picture below.

As you can see, the rightsGuid is not shown anymore, but its displayName is. The system is now able to translate the rightsGuid into its human-readable name.

And as you have seen, you are now able to use DSACLS to configure the Extended Right called "AutoEnrollment" on certificate templates! Have fun!
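To make the name-versus-GUID behaviour concrete, here is an added Python model (not DSACLS, LDP or ADMOD code) of how a name-based tool resolves an Extended Right to the rightsGuid it puts in an object ACE, and how LDP translates that GUID back into a displayName once the controlAccessRight object exists. The Extended-Rights container is a constructed list, the Enroll rightsGuid is the well-known one, and the ACE uses the documented SDDL object-ACE form (OA;;CR;<rightsGuid>;;<SID>) with DU as the SID string for Domain Users.

```python
import re

# validAccesses bit that marks a controlAccessRight as an extended right
# (ADS_RIGHT_DS_CONTROL_ACCESS); DSACLS exposes it as the "CA" permission.
DS_CONTROL_ACCESS = 0x100
# schemaIDGUID of pKICertificateTemplate (the appliesTo value from the post).
CERT_TEMPLATE_CLASS_GUID = "e5209ca2-3bba-11d2-90cc-00c04fd91ab1"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

# Constructed model of CN=Extended-Rights: the stock Certificate-Enrollment
# right is present, the AutoEnrollment right is not (as the ADFIND query in
# the post shows).
EXTENDED_RIGHTS = [
    {"cn": "Certificate-Enrollment", "displayName": "Enroll",
     "rightsGuid": "0e10c968-78fb-11d2-90d4-00c04f79dc55",
     "appliesTo": [CERT_TEMPLATE_CLASS_GUID], "validAccesses": 256},
]


def resolve_right(name, rights=EXTENDED_RIGHTS):
    """Look up an Extended Right by displayName (case-insensitive).

    As described in the post, a tool that works by name does not accept a
    raw rightsGuid in this position, even a valid one.
    """
    if GUID_RE.match(name.lower()):
        raise ValueError(f"expected an Extended Right name, got GUID {name}")
    for right in rights:
        if right["displayName"].lower() == name.lower():
            return right
    raise LookupError(f"no controlAccessRight with displayName {name!r}")


def control_access_ace(right_name, trustee_sid, target_class_guid, rights=EXTENDED_RIGHTS):
    """Build the SDDL object ACE for a control-access grant: (OA;;CR;<rightsGuid>;;<SID>)."""
    right = resolve_right(right_name, rights)
    if not right["validAccesses"] & DS_CONTROL_ACCESS:
        raise ValueError(f"{right['displayName']} is not a control access right")
    if target_class_guid not in right["appliesTo"]:
        raise ValueError(f"{right['displayName']} does not apply to class {target_class_guid}")
    return f"(OA;;CR;{right['rightsGuid']};;{trustee_sid})"


def dsacls_grant(trustee_sid, right_name, target_class_guid, rights=EXTENDED_RIGHTS):
    """Model of DSACLS <template DN> /G "<trustee>:CA;<right>": the ACE that
    would be added, or an error string when the right cannot be resolved."""
    try:
        return control_access_ace(right_name, trustee_sid, target_class_guid, rights)
    except (LookupError, ValueError) as exc:
        return f"error: {exc}"


def describe_ace(ace, rights=EXTENDED_RIGHTS):
    """Render an ACE the way LDP does: rightsGuid -> displayName when the
    Extended-Rights container defines it, otherwise the raw GUID."""
    match = re.match(r"^\(OA;;CR;([0-9a-f-]{36});;([^;)]+)\)$", ace)
    if not match:
        raise ValueError("not a control-access object ACE")
    guid, sid = match.groups()
    for right in rights:
        if right["rightsGuid"].lower() == guid.lower():
            return f"Allow {right['displayName']} to {sid}"
    return f"Allow {guid} to {sid}"


def define_autoenrollment_right(rights=EXTENDED_RIGHTS):
    """Return the container with the controlAccessRight object the post
    creates with ADMOD added; refuses to define a rightsGuid twice."""
    new = {"cn": "Certificate-AutoEnrollment", "displayName": "AutoEnrollment",
           "showInAdvancedViewOnly": True,
           "rightsGuid": "a05b8cc2-17bc-4802-a710-e7c15ab866a2",
           "appliesTo": [CERT_TEMPLATE_CLASS_GUID], "validAccesses": 256}
    if any(r["rightsGuid"].lower() == new["rightsGuid"] for r in rights):
        raise ValueError("a controlAccessRight with that rightsGuid already exists")
    return rights + [new]
```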


Cheers,

Jorge


In this post I explain what you can do with ADMTv3 and what you cannot do. Additionally I also define common migration steps and provide links to other information sources. ADMTv3.1 was released a few days ago and it now supports Windows Server 2008 based servers. If you need to use ADMT on W2K3, use ADMTv3 and look at this post.

Just as ADMTv3 could only be installed on a W2K3 server, ADMTv3.1 can only be installed on a W2K8 server. Additionally, the "Password Export Server" is available as a separate download for both 32-bit and 64-bit computers. Microsoft also updated the migration guide.

System Requirements

  • Supported Operating Systems: Windows Server 2008
  • ADMT can be installed on any computer capable of running the Windows Server 2008 operating system, unless it is a read-only domain controller or runs in a Server Core configuration.
  • Target domain: The target domain must be running Windows 2000 Server, Windows Server 2003, or Windows Server 2008
  • Source domain: The source domain must be running Windows 2000 Server, Windows Server 2003, or Windows Server 2008
  • The ADMT agent, installed by ADMT on computers in the source domains, can operate on computers running Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008

The following is available:

Cheers,

Jorge


Exactly one year ago on this same date (7-7-7) my wife and I got married. Although it has been a weird, exciting year, a lot of things happened, whether we liked it or not. Except for one event we enjoyed all the others. To summarize:

  • Marriage (Thanks to everyone sending cards and/or being there)
  • Accident during our honeymoon and recovery of my wife (she's doing great again with some "minor" things)
  • Speaker at DEC 2008 (now called The Experts Conference – TEC) (Thanks to Gil, Christine, Stella and all the others)
  • Speaker at Windows Server 2008 launch at TechDays in Belgium (Thanks to Arlindo)
  • MVP Summit (Thanks to Microsoft)
  • I changed jobs (Thanks to my new employer or in this case Rinaldo)
  • My wife changed jobs (Thanks to her new employer)

Looking forward to another exciting year with her!

!!! Happy anniversary !!!

Cheers,

Jorge


The following link contains a lot of very useful information regarding MIIS 2003. Make sure you do not miss it if you are interested in MIIS 2003.

MIIS 2003 FAQ

Cheers,

Jorge


The guys at Netpro renamed their conference from "Directory Experts Conference" (DEC) to "The Experts Conference" (TEC). In the very beginning it was all about AD only. In time MIIS/ILM joined and later on more Identity and Access Management related technologies joined like ADFS, ADCS, AD RMS. Now it is time for Exchange to join the party in the context of Messaging technologies.

In March 2009 TEC will be in Las Vegas and in September 2009 TEC will be in Berlin.

Read more here:

Oh, and by the way, the call for papers is open!

Cheers,

Jorge


Oxford Computer Group Honored as 2008 Microsoft Partner of the Year for Advanced Infrastructure Solutions, Active Directory

Oxford Computer Group - 16 June, 2008 - Today, Oxford Computer Group (OCG) proudly announced it has won the 2008 Microsoft Partner of the Year award for Advanced Infrastructure Solutions, Active Directory. The company was chosen out of an international field of top Microsoft partners as delivering market-leading customer solutions built on Microsoft technology.

"It is a great honour to receive this award which is a validation of our expertise and focus on identity and access solutions," said Neil Coughlan, Director, Oxford Computer Group. "We would like to thank our customers for great references and our people whose capability and professionalism sets us apart from the competition."

Awards were presented in a number of categories, with winners chosen from a pool of more than 2,000 entrants worldwide. The Advanced Infrastructure Solutions, Active Directory Partner of the Year award recognises OCG's proficiency in implementing solutions based on Windows Active Directory Domain Services (ADDS). Neil Coughlan of OCG commented, "OCG can quickly deploy an Identity and Access (IDA) platform that leverages Active Directory, either as a tactical point solution, or as a component of a strategic IDA platform."

Microsoft has recognized OCG's quick start solution for provisioning Microsoft's hosted Windows Live services - one of a range of related IDA services, such as identity lifecycle management, strong authentication and federation which can form part of a wider strategy.

"OCG was the first of our systems integrator partners to build a business focusing exclusively on providing Microsoft directory and identity management consulting services to enterprise and mid-market customers," said Gordon Frazer, Vice President, Microsoft International. "We commend the way in which OCG has scored customer success using Windows Live Quickstart, notching up more than a dozen educational institutions, and in the process providing students the benefits of Microsoft directory and identity management solutions."

OCG has been a Microsoft Gold Partner for 3 years. It has Advanced Infrastructure and Network Solutions competencies, as well as the Identity and Secure Access Specialism within the Security Solutions Competency.

Oxford Computer Group is an IT service company that specializes in Identity and Access Management. With operations in North America, the UK, Benelux and Germany, OCG has an enviable repository of expertise, solution components and training courses. OCG has deployed 300+ enterprise-wide identity and access solutions and its instructors have trained more than 3,000 people on Microsoft IDA technologies. For more information on OCG, please visit http://www.oxfordcomputergroup.com/

SOURCE: http://www.oxfordcomputergroup.com/news/oxford-computer-group-honoured-as-0046.aspx

Cheers,

Jorge


Nathan Muggli, a PM at Microsoft in the AD product group, blogged about a cool way to deploy RODC using Hyper-V and PowerShell in an automated way.

Read it here.

Cheers,

Jorge


Just like this one very much!

Taken in Chicago when I was @ DEC 2008

Cheers,

Jorge


I was going through some pictures and found this one. This board normally shows the schedule of the bus from the long-term parking lot near Schiphol (Dutch airport near Amsterdam) to the airport. Well, not this time, as the Active Desktop needed some recovery, as you can see. ;-)

Cheers,

Jorge


Strong Authentication - free resources on our web site 

Solutions for Strong Authentication - replacing weak password protected credentials with strong, smart card-based authentication methods - are becoming an increasingly important element of the Identity & Access solutions we deliver. 

For this reason we've put together a number of new resources to help you understand this important subject. By following the links below you can access online video demonstrations of the solutions we deploy using Microsoft Identity Lifecycle Manager and its Certificate Lifecycle Management component. In addition, we have a new white paper which describes the technologies we use, the roles they play, the benefits they bring and a new workshop to help you get started with Strong Authentication. The videos are part of an ongoing series and you can register here to be notified when each new one is released.

View these resources

Online video. Microsoft Identity Lifecycle Manager 2007, with Certificate Lifecycle Manager, being used for issuance, unblock and renewal of smart cards and certificates. Click here...

Online video. Microsoft Identity Lifecycle Manager 2007, with Certificate Lifecycle Manager, being used in combination with Encrypted File System. Click here...

White Paper. Managing a Public Key Infrastructure using Active Directory Certificate Services and Certificate Lifecycle Manager. Click here...

Workshop Overview. A starting place for Strong Authentication. Click here...

Microsoft Identity & Access European User Group

On September 3rd and 4th, in partnership with Microsoft, we will again be hosting the European User Group for Microsoft Identity & Access Technologies. The event is being held at the Microsoft campus in Reading, UK. An agenda for both days will be available soon. Click here to register your interest and receive further information.

We trust you will find these new resources of value. If there's any aspect of Strong Authentication or Identity & Access we can assist you with, please do contact us. We'd be pleased to hear from you.

Oxford Computer Group Contacts
For contact information, please go to: http://www.oxfordcomputergroup.com/contact

Cheers,

Jorge


Microsoft released a KB article that describes issues/symptoms with legacy OSes and the Windows Server 2008 RODC, including possible workarounds. You can find that KB article here (Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients).

Cheers,

Jorge


A great way to ask for the level of expertise or knowledge somebody has! ;-)

Cheers,

Jorge


In every AD domain it is possible to implement one or more password and account lockout policies. In W2K/W2K3 AD domains you can only define one password and account lockout policy and in W2K8 AD domains you can define multiple password and account lockout policies. For more info about that see:

So, as a domain admin you set up one or more password and account lockout policies, you delegate either the creation of user accounts or write permissions for the "userAccountControl" attribute (for example to disable user accounts) and you are good to go! The delegated admins that create user accounts should use passwords according to the definitions in the password policies. That is true, but there is a small "but…" here you might have missed.

Because the delegated admins either have full control over user objects or at least write permissions on the "userAccountControl" attribute, they are allowed to change each single bit that is represented by that attribute. For more info also see: "userAccountControl" attribute - It can be a pain to delegate!

Everyone that is allowed at least write permissions on the "userAccountControl" attribute is able to change the bits it represents and therefore also the password related bits like configuring a password never to expire or configuring a password with reversible encryption or configuring the account without the need of a password.

I'm talking about the following bits:

  • "Password Never Expires" which can be configured with ADUC
  • "Store password using reversible encryption" which can be configured with ADUC
  • "Enable Password Not Required" which can be configured from the command line using NET USER….

Remember the password policy you just created that everyone MUST use? Because of the permissions on the "userAccountControl" attribute it might go down the drain, and you might still end up with accounts that do not comply with the password policies that are configured.

So, is it possible to prevent this? Yes!

In W2K you can only prevent this by using a third party proxy tool to manage user objects. In W2K3 and later you can use three new extended permissions to prevent those bits from being edited, even if the admin has the permissions mentioned earlier. The three (new) "Extended Rights" are:

  • "Enable per user reversible encryption"
  • "Unexpire password"
  • "Update password not required bit"

These need to be configured at the domain level (required!) for "This Object only" with either ALLOW or DENY for a certain group. By default "Authenticated Users" have permissions for those three extended rights. But that does not mean authenticated users can screw around with the password related bits in the "userAccountControl" attribute. You still need to have at least the permissions mentioned earlier. So, what you can do is create ONE group in AD for ALL three extended rights, or ONE group in AD for EACH of the mentioned extended rights, configure it at domain level with a DENY ACE, and put everyone in the corresponding group(s) that has at least Full Control on user objects or write permissions on the "userAccountControl" attribute, BUT should not be able to screw around with the password related bits on the "userAccountControl" attribute. In the picture below you will find an example of such a configuration.
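The following added Python example (not DC or ADUC code) models the two halves of this post: an audit that finds accounts where one of the three password related bits is set, and the write check in which a DENY on the matching extended right stops a delegated admin from changing that bit even though they have write access on "userAccountControl". The ACEs, groups and accounts are constructed, and extended rights are referred to by the display names used above.

```python
# userAccountControl bits (ADS_USER_FLAG values) behind the three settings.
UF_PASSWD_NOTREQD = 0x0020               # "Enable Password Not Required"
UF_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # "Store password using reversible encryption"
UF_DONT_EXPIRE_PASSWD = 0x10000          # "Password Never Expires"

# Each guarded bit and the extended right (names as used in the post) a
# writer must hold on the domain object, on top of write access to the
# userAccountControl attribute, before the DC lets the bit change.
GUARDED_BITS = {
    UF_DONT_EXPIRE_PASSWD: "Unexpire password",
    UF_ENCRYPTED_TEXT_PWD_ALLOWED: "Enable per user reversible encryption",
    UF_PASSWD_NOTREQD: "Update password not required bit",
}
BIT_NAMES = {
    UF_DONT_EXPIRE_PASSWD: "PasswordNeverExpires",
    UF_ENCRYPTED_TEXT_PWD_ALLOWED: "ReversibleEncryption",
    UF_PASSWD_NOTREQD: "PasswordNotRequired",
}


def noncompliant_accounts(accounts):
    """Detection side: map sAMAccountName -> bits that bypass the password policy."""
    findings = {}
    for acct in accounts:
        hits = [name for bit, name in BIT_NAMES.items() if acct["userAccountControl"] & bit]
        if hits:
            findings[acct["sAMAccountName"]] = hits
    return findings


def effective_extended_rights(domain_aces, principal_groups):
    """Extended rights a principal effectively holds on the domain object.

    domain_aces is a list of (ace_type, trustee, right_name) tuples; a DENY
    for any group the principal belongs to wins over an ALLOW, which is the
    pattern the post configures.
    """
    allowed, denied = set(), set()
    for ace_type, trustee, right in domain_aces:
        if trustee in principal_groups:
            (denied if ace_type == "DENY" else allowed).add(right)
    return allowed - denied


def check_uac_write(old_uac, new_uac, writer):
    """Decide whether a userAccountControl write should be accepted.

    writer = {"write_uac": bool, "extended_rights": set of right names}.
    Following the post, any change to a guarded bit (set or clear) requires
    the matching extended right; other bits only need write access.
    Returns (allowed, reason).
    """
    if not writer.get("write_uac"):
        return False, "no write permission on userAccountControl"
    changed = old_uac ^ new_uac
    for bit, right in GUARDED_BITS.items():
        if changed & bit and right not in writer.get("extended_rights", set()):
            return False, f"changing 0x{bit:X} ({BIT_NAMES[bit]}) requires '{right}'"
    return True, "ok"


# Constructed domain-level ACEs: the default Authenticated Users ALLOW entries
# plus DENY entries for one group holding all delegated admins, as in the post.
DOMAIN_ACES = [(ace_type, group, right) for right in GUARDED_BITS.values()
               for ace_type, group in (("ALLOW", "Authenticated Users"),
                                       ("DENY", "Deny-PasswordBit-Changes"))]

# Constructed accounts (0x200 = NORMAL_ACCOUNT).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "kiosk",
     "userAccountControl": 0x200 | UF_PASSWD_NOTREQD | UF_ENCRYPTED_TEXT_PWD_ALLOWED},
]


def delegated_admin(groups):
    """Writer record for a delegated admin who has write access to userAccountControl."""
    return {"write_uac": True,
            "extended_rights": effective_extended_rights(DOMAIN_ACES, set(groups))}
```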


Cheers,

Jorge


9 years, more than 1000 kg, 6 ft 6 inches…. Wow!

SOURCE: http://www.dailymail.co.uk/pages/live/articles/technology/technology.html?in_article_id=565909&in_page_id=1965

Cheers,

Jorge

