Active Directory


Windows 2003 Forest Functional Level

I thought I'd post an informational note for folks who are moving an AD forest to the Windows 2003 forest functional level (aka FFL2), as I realized today that this piece of information might not be as well known as I had assumed. As an FYI, this change adds a number of attributes to the partial attribute set (aka the PAS, the set of attributes that is replicated to every global catalog):

  • Ms-DS-Trust-Forest-Trust-Info
  • Trust-Direction
  • Trust-Attributes
  • Trust-Type
  • Trust-Partner
  • Security Identifier
  • Ms-DS-Entry-Time-To-Die
  • MSMQ-Secured-Source
  • MSMQ-Multicast-Address
  • Print-Memory
  • Print-Rate
  • Print-Rate-Unit
  • MS-DRM-Identity-Certificate

This is done when you upgrade the forest functional level because at this point there are no Windows 2000 domain controllers in the forest and thus a change to the PAS will not force a GC resync. Recall that in Windows 2000, modifying the PAS caused every global catalog in the forest to replicate the global …


How to Authenticate against Active Directory from a Cisco PIX

A few months ago I posted the steps to configure Windows IAS and Cisco IOS for authentication to Active Directory via RADIUS. I wanted to follow up on that with a quick overview of how to set up a PIX for management access authentication via Windows IAS and Active Directory. All of the steps for configuring IAS are identical, so I'm not going to cover them again. Remember that if you have a failover pair, you need to add the standby partner to IAS as well. This example was built on a PIX 7.1 box; it will work on 7.X, and it should be fine on FWSM 2.X or newer. I don't have anything running 6.X around to test, but the configuration should be similar.

The sample configs here assume a pair of RADIUS servers at 10.1.1.10 and 10.1.1.11. On IOS there is an ip radius source-interface command. The PIX seems to just use the IP of whichever interface the traffic leaves from. If your PIX has a failover partner, learns its routes dynamically, and the RADIUS server network(s) are not directly connected, you…


Group Policy Editor Shortcuts

I came across these shortcuts today for navigating the group policy editor and thought they'd be worth sharing. They're holdovers from Windows Explorer that also work in the GPO editor.

  • If you press * while targeting a folder in the console, the folder and all of its children will be expanded
  • If you press + while targeting a folder in the console, the folder will be expanded one level
  • If you press - while targeting a folder in the console, the folder will be collapsed

When you double-click a policy setting, the dialog that comes up is non-modal. This means you can click in the GPO editor again and the setting dialog will go to the background. The settings dialogs are not shown in the taskbar, so you'll need to use Alt+Tab to get back to them.


How to Mass Set User Logon Hours

There are two tools for this job, both from Joeware. Grab adfind and admod and extract them to the same directory.

The first task is to get the logonhours attribute value you want to set. The easiest way is to set it by hand in ADUC on one user, and then use adfind to dump the value, with a command like this:

adfind -b "OU=Staff,OU=Users,DC=BigTire,DC=local" -h "my-dc01" -f "(&(objectCategory=person)(objectClass=user)(samaccountname=templateusername))" logonhours

Copy and paste that somewhere; you'll need it later. If you just want to set it to 24/7, as I'm going to do, the value is "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF".

That done, we can update all the users we want to modify. We'll pipe the output from adfind over to admod.

adfind -b "OU=Staff,OU=Users,DC=BigTire,DC=local" -h "my-dc01" -f "(&(objectCategory=person)(objectClass=user))" -dsq | admod -h my-dc01 -safety 100 bin##logonhours::"FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF"

Note that…


Script to Create Home Folders for OU

I thought I'd share the script attached at the end of this post as it's something I've seen requests for. The script will take all of the users in a given OU (or really any subtree), and create a home folder for them and stamp the path and drive letter on the user object in Active Directory. By default it only grants the users modify permissions on the account. If you want to change this modify the xcacls call around line 54.

There are a few constants which need to be configured at the top of the script which are explained with comments:

Feel free to post any suggestions, bugs, etc in the comments area and I'll take a look. The script is enclosed in a zip as an attachment to this post.

UPDATE - Script…


Installing Network Printers for All Users

A frequent problem that many people, including me, run into is the need to add network printer connections to every user's profile on a machine. Without some magic, network printer connections are per-user. Fortunately, Microsoft has supplied a cryptic API which can be called from the command line to complete this task.

The entry point is PrintUIEntry in printui.dll. Conveniently, this API supplies some graphical help if we run rundll32 printui.dll,PrintUIEntry /? from the command line. There's a whole wad of switches you can specify, but I'm only going to cover a few of them, as they're the ones necessary for the task at hand.

First and foremost, you'll need admin-level rights, so a startup script is a good place to run these commands on your machines. At Payton, we use something like this to add the printer in Room306 on server "PrintServer1" to a workstation:

rundll32 printui.dll,PrintUIEntry /q /ga /n

There are three switches of interest here:

/q - quiet mode, do…
