Archive for the ‘Active Directory’ Category

Hi, I decided to release another free utility I wrote a while ago. This small command-line utility can be used to find out where Active Directory users are logged on, and/or to find out who is logged on to specific machines. This should include local users, users that are logged in via RDP, and user accounts that are used to run services and scheduled tasks (only when the task is running at that time). I have not fully tested all scenarios yet, but the first results look quite ok. You can download the utility from http://www.corelan.be:8800/index.php/my-free-tools/ad-cs/pve-find-ad-user/. You need .Net framework 2.0 on the machine that you are running the tool from, and you also need to have admin access on the computers you are running the utility against. The tool is compiled on a 32bit …

On popular request, this is a quick write-up on how to set up a Juniper screenOS firewall to use an external Radius server (I’ll use Windows IAS) to authenticate administrators and to let the Radius server assign admin privileges (read-only or read-write). First, you will need to set up a dedicated external authentication server for admin authentication on the screenOS device (assuming that your Radius server is 192.168.10.10):

set auth-server "IAS Radius Admin" id 1
set auth-server "IAS Radius Admin" server-name "192.168.10.10"
set auth-server "IAS Radius Admin" account-type admin
set auth-server "IAS Radius Admin" timeout 30
set auth-server "IAS Radius Admin" …

Introduction

The title of this post may be a bit misleading – synchronizing multiple account domains to a single domain or forest is not limited to Exchange. There may be other reasons (e.g. Identity Management solution) that require you to replicate users from multiple domains into a single domain/forest, or even ADAM instance.

In this blog post, I will show you a possible IIFP implementation that has some specific requirements. In my scenario, IIFP will be used to replicate user objects from multiple account domains into one centralized resource forest, and it will be used to replicate the “mail” and “proxyAddresses” attributes back from the resource forest to the account domains. Furthermore, I also need to replicate user objects from a domain that is not used to authenticate users or to link mailboxes to, but merely to add the users as contacts in the …

Keywords : ldap authentication multiple domains combine adam adamsync adschemaanalyzer ldap proxy chain ldifde MS-ADAMSyncconf.xml MS-AdamSyncMetadata.ldf MS-ADAMSchemaW2K3.ldf Object Violation Naming Violation Ldap error occured. ldap_add_sW: Object Class Violation. Case definition : 2 AD domains, containing user accounts. One of the domains is a 2003 based domain and has the R2 + Exchange 2003 + Exchange 2007 schema extensions; the other one is a 2008 based domain, without any schema extensions. Both domains have user accounts. 1 third party system that uses LDAP to query for object information. The system cannot perform ldap chaining; it can only connect to one ldap instance. Question : how can we allow this third party system to use ldap to query information from user accounts in both domains at …

Keywords : Windows 2008 PKI Certificate Authority certutil certreq template root CA Enterprise CA convert pfx to pem generate custom certificate request subject alternate name san attribute Today’s blog post targets the deployment of a Windows 2008 server based Certificate Authority (AD CS) and will discuss some common scenarios where certificates are used / required. Finally, I will show some scripts that can be used to manage your CA, back up your CA, distribute CRLs, create custom certificate requests, convert keys etc… Design Before starting the installation of the Certificate Authority components on a 2008 server, it is important to think about the design of your CA infrastructure. In any case, even if you are just a small company, I would highly recommend deploying at least a 2 tier model, which consists …

According to Microsoft, Windows Server 2008 is the most secure Windows server version ever.

Windows 2008 does include many features that will help increase the overall security of the OS, or assist you with securing AD, the network, etc. Most of the features/roles available in Windows 2008 are not installed in a default installation of Windows 2008, leaving the OS in a more or less ‘secure’ state right after installation. The attack surface of a default Windows 2008 server may be smaller than it was under NT4, 2000 and 2003, but concluding that Windows Server 2008 is secure may be one bridge too far.

Microsoft has published a paper on the differences between 2003 and 2008, which includes some security related information. The document can be downloaded from “…

Every admin knows by now that using Active Directory as the central authentication database allows for a lot of possibilities in terms of user account and security management. Keeping internal as well as external users in one and the same AD might be a good idea if you have a lot of external people (partners, support contracts, …) that need to connect to resources in your network, whether remotely (via vpn) or on-site. However, these people are external, and you might need to control those user accounts (because of legal regulations or just because that’s a good idea). One of the options is to disable those user accounts every day. As the number of users and groups grows, this can become a challenging and annoying …
