krypted.com

Tiny Deathstars of Foulness

Merry Christmas ya’ll!

On the first day of Christmas my true love gave to me one 32 gig iPad

On the second day of Christmas my true love gave to me two bash one-liners

On the third day of Christmas my true love gave to me three Red Hat servers

On the fourth day of Christmas my true love gave to me four email blasts

On the fifth day of Christmas my true love gave to me five retweets

On the sixth day of Christmas my true love gave to me six regular expressions

On the seventh day of Christmas my true love gave to me seven lines of perl

On the eighth day of Christmas my true love gave to me eight app store apps

On the ninth day of Christmas my true love gave to me nine AWS instances

On the tenth day of Christmas my true love gave to me ten Active Directory forests

On the eleventh day of Christmas my true love gave to me 11 crappy python scripts

On the twelfth day of Christmas my true love gave to me 12 craft brews

xmas-ornament-computer-ram

December 25th, 2014

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , , , , , , ,

There are a number of tools available for using Syslog in a Windows environment. I’ll look at Snare as it’s pretty flexible and easy to configure. First download the snare installation executable from http://sourceforge.net/projects/snare. Once downloaded run the installer and simply follow all of the default options, unless you’d like to password protect the admin page, at which point choose that. Note that the admin page is by default only available to localhost.

Once installed, run the “Restore Remote Access to Snare for Windows” script.

Screen Shot 2014-04-10 at 10.56.43 AM

Then open http://127.0.0.1:6161 and click on Network Configuration in the red sidebar. There, we can define the name that will be used in syslog (or leave blank to use the hostname), the port of your syslog server (we used 514 here) and the address of your syslog server (we used logger here but it could be an IP or fqdn).

Screen Shot 2014-04-08 at 10.58.04 AM

 

Once you have the settings you’d like to use, scroll down and save your configuration settings. Then, open Services and restart the Snare service.

Screen Shot 2014-04-08 at 10.56.22 AM

Then run the Disable Remote Access to Snare for Windows option and you’re done. Now, if you’re deploying Snare across a lot of hosts, you might find that scripting the config is faster. You can send the Destination hostname (here listed as meh) and Destination Port (here 514) via regedit commands (Destination and DestPort respectively) and then restart the service.

Screen Shot 2014-04-08 at 10.56.51 AM

I’ll do another article at some point on setting up a logstash server to dump all these logs into. Logstash can also parse the xml so you can search for each attribute in the logs and with elasticsearch/hadoop/Kibana makes for an elegant interface for parsing through these things.

April 13th, 2014

Posted In: Active Directory, Windows Server, Windows XP

Tags: , , , , , , ,

Trusts in Active Directory allow objects from one Domain or Forest to access objects in another Domain or Forest and allows administrators. To setup a trust:

  • Login with a user in the Domain Admins group if you are setting up a Domain trust or Enterprise Admins if you are setting up a Forest trust (if you cannot use an account in one of these groups, you can use an account in the Incoming Forest Trust Builders group)
  • Open Administrative Tools
  • Open Active Directory Domains and Trusts
  • Right-click the name of the domain
  • Click Properties
  • Click on the Trust tab
  • Click New Trust
  • Click Next
  • Click on the Trust Name page
  • Type the DNS or NetBIOS name of the forest you are connecting to
  • Click Next.
  • Click on the Trust Type page
  • Click Forest trust
  • Click Next
  • Click on the Direction of Trust page
  • To create a two-way (transitive) forest trust, click Two-way or if you’d only like to share objects one-way, click One-way
  • If One-way, choose the direction of the trust
  • Click continue to complete the wizard

Once completed, click on the Trust tab to view the trust. Then open a group, go to add a member and click on the Location button. At this screen you should see your domain and then below it another that has an icon with three triangles, similar to the Hyrule logo in Zelda. In fact, a lot of Active Directory is similar to Zelda, such as where do I find that sword, where’s the shield, etc. Just without a princess…

Anyway, you can then limit who can access the trust using the Selective authentication options in the Outgoing Trust Properties page if needed.

April 9th, 2014

Posted In: Active Directory, Windows Server

Tags: , , , , ,

Changing the Forest Mode in Active Directory can be scripted. I find this useful when regression testing such tasks in a sandbox (e.g. restore image, automate login, change mode, run tests, etc). The script is very simple. First, you’ll import he ActiveDirectory modules:

Import-Module -Name ActiveDirectory

Then you’ll check for the mode prior to running:

Get-ADForest | Format-Table ForestMode

Then you’ll change the forest and domain modes (one per line):

Set-ADForestMode –Identity “krypted.com” –ForestMode Windows2008Forest
Set-ADDomainMode –Identity “krypted.com” –DomainMode Windows2008Domain

Then you’ll report the result:

Get-ADForest | Format-Table Name , ForestMode

The end result could be as simple as three lines if just testing:

Import-Module -Name ActiveDirectory
Set-ADForestMode –Identity “krypted.com” –ForestMode Windows2008Forest
Set-ADDomainMode –Identity “krypted.com” –DomainMode Windows2008Domain

April 8th, 2014

Posted In: Active Directory, Mass Deployment, Windows Server, Windows XP

Tags: , , ,

You can use PowerShell to pretty much get anything you want out of Active Directory. Let’s say you want to see when the last time a user changed their password was. You can use the Get-ADUser commandlet to obtain any attribute for a user in the Active Directory schema. To use Get-ADUser, you’ll need to define a scope. In this example, we’ll do so using the -filter option and filter for everyone, using an *. That could be a lot of data, so we’re also going to look for the property, or attribute of PasswordLastSet using the -Properties option:

Get-ADUser –filter * -Properties PasswordLastSet

We can then add a little more logic and pipe the output to a conditional statement that just looks at who hasn’t ever changed their password.

Get-ADUser –filter * -Properties PasswordLastSet | Where { $_.passwordLastSet –eq $null }

A more common task, we could also look for the last 90 days, using “(get-date).adddays(-90)” in our filter. We don’t want to display disabled users, so we could do something like this (note the curly brackets allow us to compound search):

Get-ADUser -filter {(passwordlastset -le $90days) -AND (enabled -eq $True)}

April 1st, 2014

Posted In: Active Directory, Windows Server

Tags: , , , , , ,

Here’s a little powershell script to enable mailboxes based on an OU and put their new mailbox into a given database. To customize, change OU=ORGANIZATIONALUNIT,DC=companyname,DC=com to the DN for the OU you are configuring. Also, change DATABASENAME to the name of the information store that you’d like to use for the mailboxes in that OU.

Import-module activedirectory

$OUusers = Get-ADUser -LDAPfilter ‘(name=*)’ -searchBase {OU=ORGANIZATIONALUNIT,DC=companyname,DC=com}
foreach($username in $OUusers)
{
Enable-Mailbox -Identity $username.SamAccountName -database {DATABASENAME}
}

March 21st, 2014

Posted In: Microsoft Exchange Server, Windows Server

Tags: , , , , , ,

A UserPrincipalName (or UPN) is an attribute that contains an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is used for a lot of different tasks, notably for Kerberos/Single Sign-On. As such, there are a lot of scripts that can now key off of a UPN.

You can use the Get-ADUser cmdlet to query accounts for the UserPrincipalName attribute. To do so, we’re going to -Filter our results to display everyone (although we could include a username to only get one user) and then define the Search Base (using -SearchBase) to refine where in the query that the search will begin. Use the –Properties parameter followed by the userPrincipalName attribute (or whatever attribute you might be curious to query from). I specify the SearchBase of the organizational unit (OU), and I use the * filter. This is shown here:

Get-ADUser -Filter * -SearchBase 'ou=Users,dc=krypted,dc=com' -Properties userPrincipalName

Overall, we’re specifically looking at userPrincipalName, but we could just as well be looking for other attributes, such as primaryGroupID, proxyAddress, pwdLastSet, sn (although we’re likely feeding sn to the command by swapping it out with the *), streetAddress, sAMAccountName, etc.

October 13th, 2013

Posted In: Active Directory, Windows Server

Tags: , , , , , ,

Installing Active Directory services is arguably one of the first things done on many a Windows Server. And for well over a decade you could unbox, update, run dcpromo and be done with much of that. While the wizards are still there, in the case of Windows Server 2012, the process has changed ever-so-slightly. To install a domain controller in Windows Server 2012, start with Server Manager. This new tool is the place where you start many a process in a Windows Server now, and Active Directory is no different.

To get started, first open Server Manager.

Screen Shot 2013-08-08 at 3.54.57 PM

From Server Manager, click on the Manage menu and select Add Roles and Features. At the Before you begin screen in the Add Roles and Features Wizard, click on Next.

Screen Shot 2013-08-08 at 3.55.00 PM

At the Installation Type screen, choose Role-based or feature-based installation and click Next.

Screen Shot 2013-08-08 at 3.55.02 PM

At the Server Selection screen, choose the server you’d like to install the Active Directory role on and then click Next. If you only have one server then you should only have one listing here.

Screen Shot 2013-08-08 at 3.55.06 PM

There are a number of Roles a domain controller can have. For many environments, a simple Domain Services role will be sufficient, especially on the first 2012 server in the environment. To select this, at the Server Roles screen, choose Active Directory Domain Services and then click on Next.

Screen Shot 2013-08-08 at 3.55.14 PM

A sanity check will run to verify all the required Features and other Roles are installed. If not, you’ll be presented with a list of items that will be installed in support of the Role being deployed. Click Add Features for most environments, unless you have the tools to manage the Role installed elsewhere.

Screen Shot 2013-08-08 at 3.55.17 PM

Back at the Server Roles screen, click Next, unless you’d like to install other Roles as well.

Screen Shot 2013-08-08 at 3.55.21 PM

At the Features screen, click Next, unless you’d like to install other features as well.

Screen Shot 2013-08-08 at 3.55.32 PM

At the AD DS screen, click Next.

Screen Shot 2013-08-08 at 3.55.57 PM

At the Confirmation screen, click Install. You can also tell the server to restart automatically here, so do that as well.

Screen Shot 2013-08-08 at 3.56.02 PM

Once the installation is complete, you’ll see a yellow icon indicating that something needs to happen with the server. The menu that appears contains a link to promote the server to a domain controller. Click the link to bring up the Deployment Configuration wizard.

Screen Shot 2013-08-08 at 4.30.05 PM

At the Deployment Configuration screen of the wizard you can choose whether to add the domain controller to an existing domain or create a new forest. In this case, we’ll select the “Add a new forest” option. When highlighted, you will be able to provide a name for the domain. here we use krypted.com. Once the name is provided, click Next.

Screen Shot 2013-08-08 at 4.30.42 PM

At the Domain Controller Options screen, choose whether the server will be an AD Integrated DNS Server, a Global Catalog server, possibly a Read only domain controller and provide a Directory Services Restore Mode (DSRM) password used to restore the environment in case it fails. Also, choose the functional level of both the domain and forest. Because this is a new environment with no 2003 to 2008 servers we will leave the levels set to Windows Server 2012. Click Next when you’re satisfied with your entries.

Screen Shot 2013-08-08 at 4.33.14 PM

If you decided to enable DNS, you will have the option to also install DNS delegation which you should do if possible, in most environments. Click Next.

Screen Shot 2013-08-08 at 4.33.48 PM

At the Additional Options screen, provide a NetBIOS name. This is usually a 8 character or less rendition of the same domain name, often used in legacy tools or prepended to usernames and passwords when namespace collisions occur with account names. When you’ve provided the name, click Next.

Screen Shot 2013-08-08 at 4.34.09 PM

At the Paths screen, indicate where you want the directories that contain the Active Directory files stored. Most environments can leave these to the default settings and click Next.

Screen Shot 2013-08-08 at 4.34.26 PM

At the Review Options screen, click Next provided that all of the options match the information you provided/desire.

Screen Shot 2013-08-08 at 4.34.29 PM

At the Installation screen, click Install and watch the Progress (takes a minute or three usually to complete).

Screen Shot 2013-08-08 at 4.42.53 PM

Once completed, open the Tools menu in Server Manager to see the tools formerly available in the Administrative Tools section of the Start menu, including Active Directory Domains and Trusts, Active Directory Power Shell, Active Directory Sites and Services and Active Directory Users and Computers, which mostly look like they’ve looked for a long time (but with a pretty blue frame around the screen).

Screen Shot 2013-08-09 at 9.14.19 AM

Additionally, there’s an Active Directory Administrative Center, which provides quick and easy access to a number of features from other tools and allows you to change domain controllers, raise the domain/forest functional levels (useful when upgrading from previous incantations of Active Directory), etc.

Screen Shot 2013-08-10 at 3.31.59 PM

August 12th, 2013

Posted In: Active Directory, Windows Server

Tags: , , , , , ,

Next Page »