IronPort ESA LDAP Accept Query – Disabled AD Accounts

I recently had the opportunity to work on a project where I had to set up and implement an E-Mail gateway using Cisco IronPort Email Security Appliances (ESA), and stumbled upon an interesting issue.

If you verify the recipients of incoming mail against an internal ActiveDirectory (i.e. you only accept mail for people who have an E-Mail address associated with their account in ActiveDirectory), you might find this useful:

To prevent the ESAs from accepting mail for disabled accounts, use a custom accept-query:

(&(|(mail={a})(proxyAddresses=smtp:{a}))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This query takes into account that ActiveDirectory marks disabled accounts by setting the 0x0002 (decimal 2) bit, ACCOUNTDISABLE, in userAccountControl. The OID 1.2.840.113556.1.4.803 selects the bitwise-AND matching rule, so the inner clause is true exactly for accounts that have this bit set, and the negation excludes them.

For comparison, this is the default accept-query:

(|(mail={a})(proxyAddresses=smtp:{a}))
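To make the difference between the two queries concrete, here is an added example (not from the original post) that models both filters in Python over a handful of constructed user objects. No ESA or LDAP server is involved; the user names, addresses and flag values are assumptions made up for the demonstration. It also shows RFC 4515 escaping of the substituted recipient, since whatever replaces {a} comes from the SMTP envelope.

```python
"""Model the two IronPort ESA accept-queries against constructed AD entries.

Added example, not part of the original post: it evaluates the LDAP filter
logic locally on hand-made user objects (no LDAP server or ESA involved) to
show why the default accept-query lets mail for disabled accounts through
and the custom one does not. All users and addresses below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# userAccountControl bits used here (see the linked ADS_USER_FLAG_ENUM page)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
TRUSTED_FOR_DELEGATION = 0x80000


@dataclass
class ADUser:
    """The subset of attributes the accept-queries look at."""
    sam_account_name: str
    mail: Optional[str] = None
    proxy_addresses: List[str] = field(default_factory=list)
    user_account_control: int = NORMAL_ACCOUNT  # enabled, ordinary user


def address_matches(user: ADUser, rcpt: str) -> bool:
    """(|(mail={a})(proxyAddresses=smtp:{a}))

    mail and proxyAddresses use case-insensitive matching in AD, so compare
    lower-cased. This also covers the "SMTP:" prefix AD uses for the primary
    address versus "smtp:" for secondary ones.
    """
    target = rcpt.lower()
    if user.mail is not None and user.mail.lower() == target:
        return True
    return any(p.lower() == "smtp:" + target for p in user.proxy_addresses)


def default_accept(users: List[ADUser], rcpt: str) -> List[str]:
    """Default accept-query: every object with a matching address qualifies."""
    return [u.sam_account_name for u in users if address_matches(u, rcpt)]


def custom_accept(users: List[ADUser], rcpt: str) -> List[str]:
    """Custom accept-query. The extra clause
    (!(userAccountControl:1.2.840.113556.1.4.803:=2)) uses the bitwise-AND
    matching rule: it is true when the ACCOUNTDISABLE bit is set, and the
    negation then drops exactly those accounts."""
    return [
        u.sam_account_name
        for u in users
        if address_matches(u, rcpt) and not (u.user_account_control & ACCOUNTDISABLE)
    ]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP filter.

    The recipient address comes from the SMTP envelope, so any code that
    builds such a filter itself must escape it; otherwise characters like
    '*' or ')' change the meaning of the query."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


CUSTOM_QUERY = "(&(|(mail={a})(proxyAddresses=smtp:{a}))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"


def render_custom_query(rcpt: str) -> str:
    """The filter as it looks once {a} has been substituted for one recipient."""
    return CUSTOM_QUERY.replace("{a}", escape_filter_value(rcpt))


# Constructed directory content. 524802 is the userAccountControl value shown
# in the attribute list further down this page: TRUSTED_FOR_DELEGATION +
# NORMAL_ACCOUNT + ACCOUNTDISABLE, i.e. a disabled account.
SAMPLE_USERS = [
    ADUser("alice", mail="alice@example.com"),
    ADUser("bob", mail="bob@example.com",
           user_account_control=NORMAL_ACCOUNT | ACCOUNTDISABLE),  # 514
    ADUser("carol", mail="carol@example.com",
           proxy_addresses=["SMTP:carol@example.com", "smtp:c.smith@example.com"]),
    ADUser("dave", mail="dave@example.com",
           user_account_control=TRUSTED_FOR_DELEGATION | NORMAL_ACCOUNT | ACCOUNTDISABLE),  # 524802
]


if __name__ == "__main__":
    for rcpt in ["alice@example.com", "bob@example.com", "c.smith@example.com", "dave@example.com"]:
        print(f"{rcpt:22} default={default_accept(SAMPLE_USERS, rcpt)} custom={custom_accept(SAMPLE_USERS, rcpt)}")
    print(render_custom_query("a*b@example.com"))
```

Running it shows that bob and dave are accepted by the default query but rejected by the custom one, while carol is accepted through her secondary proxy address in both cases.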

Links
http://support.microsoft.com/kb/305144
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680832%28v=vs.85%29.aspx

ActiveDirectory – Connectivity through NAT

Even though ActiveDirectory communication through a NATed (and port-forwarded) interface is not officially supported by MS, there is a way to do it. I stumbled upon this issue again after forgetting about it for quite some time (I had solved it with a nasty hack in the first place – keyword: read-only DNS entries).

Situation:

 [DC1]------------>[NATed interface]------------>[DC2]<--------[Clients]

  • DC1 addresses DC2 by the address of the NAT interface
  • Clients address DC2 by its real address

Problem
DC2 registers its DNS record with its current (real) IP address.
DC1 cannot reach DC2 at its real IP; it needs the address of the NAT interface instead.

Solution
Add the following registry value on DC2 to force it to register both its real and its NATed IP in its host (A) DNS records:

HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Registry Value: PublishAddresses
Registry Value Type: REG_SZ
Registry Value Data: the IP addresses to publish (real address and NAT address), separated by a single space

The nice thing is that the DNS server hands out the address of DC2 that suits the querying host: a host on the same network as DC2 gets the real IP, a host on the other side of the NATed interface gets the NAT interface's address. This is the DNS server's netmask ordering at work, which returns the record in the client's own subnet first.

More info
DNS PublishAddresses Parameter: http://technet.microsoft.com/en-us/library/cc959753.aspx
Nice Technet Article about Replication through Firewalls: http://technet.microsoft.com/en-us/library/bb727063.aspx

Adding scheduled tasks to Windows clients with GPO

In this example, I show how to add a scheduled job (taken from the article Shutting down an idle Windows computer) to multiple domain clients using GPOs.

First, create a batch file (for example in %SystemRoot%\SYSVOL\domainname\scripts) with the following content:

REM Create a task running as SYSTEM that shuts the computer down once it has been idle for 20 minutes
schtasks /Create /RU System /TN "Shut down idle system" /SC ONIDLE /TR "C:\Windows\system32\shutdown.exe /s /f /t 0" /I 20

Open the Group Policy Management console and create a new GPO. Go to Computer Configuration > Windows Settings > Scripts > Startup and add the newly created batch file. Finally, link the GPO to the OU(s) that should be affected. Since startup scripts run at every boot, consider adding /F to the schtasks command so that an already existing task is overwritten instead of producing an error.

Windows XP Professional Product Documentation – Schtasks:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/schtasks.mspx?mfr=true

List of ActiveDirectory User Attributes (2000 and 2003)

During my work as a system engineer I often come across situations where I need an easy overview of ActiveDirectory attribute names. To be a bit more independent of other sites, I decided to start by mirroring an attribute list from the MS KB.

Optional Attributes

accountExpires Value:9223372036854775807
cn (Container) Value:Nirmal
codePage Value:0
countryCode Value:536
displayName Value:Display Name
distinguishedName Value:CN=nirmal,CN=Users,DC=test,DC=local
instanceType Value:4
name Value:nirmal
objectCategory Value:CN=Person,CN=Schema,CN=Configuration,DC
uSNChanged Value:50203
uSNCreated Value:13920
whenChanged Value:2022552554552
whenCreated Value:2022554588585
logonHours Value:://///////////////////////////
userAccountControl Value:524802

Required Attributes

dn Value:CN=nirmal,CN=Users,DC=test,DC=local
objectClass Value:User
sAMAccountName Value:SAMLNAME

Attributes that can’t be imported into AD

badPasswordTime Value:1
badPwdCount Value:1
lastLogoff Value:0932479234902343
lastLogon Value:12924723489374737
logonCount Value:0
primaryGroupID Value:513
pwdLastSet Value:0
sAMAccountType Value:805306368
objectGUID Value::QT2p48fufjweue839384ufufj/A==
objectSid Value::
memberOf Value:CN=Domain Admins,

Other

department Value:GIS
co (Country Name) Value:India
comment
company Value:Computer Sciences Corporation
description Value:Description Field Cost Centre
directReports
lastLogonTimestamp
adminCount Value:1
ADsPath
c (2 digit country) Value:IN
dSCorePropagationData
facsimileTelephoneNumber
givenName
homeDirectory Value:\\amppfilerp01\hthrmg$
homeDrive Value:H:\
homePhone
info (Phone notes)
initials Value:INT
ipPhone
isCriticalSystemObject
l (City) Value:City Field
userCertificate
userParameters
userPrincipalName Value:LogonName@test.local
userWorkstations
wWWHomePage Value:Web Page Field
mail Value:Emailss@sss.com
manager Value:CN=Users,DC=Local,DC=C
mobile
msNPAllowDialin Value:FALSE
AQUQISJFAAAAAUISIRK@#!$KGFJG(#JFJDJSjs
otherFacsimileTelephoneNumber
otherHomePhone
otherIpPhone
profilePath Value:\\tqchain2k3pc\profiles\nirmal
otherMobile
otherPager
otherTelephone
pager
physicalDeliveryOfficeName Value:Office Name
postalCode Value:Zip Code
postOfficeBox Value:Post Office Box
scriptPath Value:qchain.vbs
servicePrincipalName
showInAdvancedViewOnly
sn (Surname) Value:Last Name Field
st (2 digit State / Province)
streetAddress
telephoneNumber
title
url

Taken from: http://support.microsoft.com/kb/555638
Further information: http://support.microsoft.com/kb/257218
Information on ActiveDirectory attribute time/date conversion: http://support.microsoft.com/kb/555936
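Several values in the list above are raw encodings (FILETIME large integers such as accountExpires and lastLogon, the userAccountControl bit flags, the sAMAccountType code), and the linked KB article covers the time conversion. As an added example, not part of the mirrored list, the following Python helpers decode those encodings. The flag names come from the ADS_USER_FLAG_ENUM page linked in the first post; the timestamp values used in the demo are constructed, while 524802, 805306368 and 9223372036854775807 are the values shown in the list.

```python
"""Decode raw Active Directory attribute values like those in the list above.

Added example, not part of the mirrored KB list: helpers for the value
encodings that make a raw attribute dump hard to read. Sample values are
constructed except where noted as taken from the list above.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# accountExpires, pwdLastSet, lastLogon, lastLogonTimestamp and badPasswordTime
# are 64-bit FILETIME values: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNT_NEVER_EXPIRES = 9223372036854775807  # 0x7FFFFFFFFFFFFFFF, accountExpires in the list


def filetime_to_datetime(value) -> Optional[datetime]:
    """Convert a FILETIME large integer (int or decimal string) to an aware UTC datetime.

    0 means 'never set' (pwdLastSet = 0 forces a password change at next logon)
    and the maximum value means 'never expires'; both return None."""
    ticks = int(value)
    if ticks <= 0 or ticks == ACCOUNT_NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_generalized_time(value: str) -> datetime:
    """whenCreated / whenChanged use LDAP GeneralizedTime, e.g. 20100101120000.0Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


# userAccountControl flags from ADS_USER_FLAG_ENUM (MSDN page linked in the first post).
UAC_FLAGS: Dict[int, str] = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQUIRE_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}


def decode_uac(value: int) -> List[str]:
    """Names of the flags set in a userAccountControl value, lowest bit first.
    Unknown bits are reported in hex so that nothing is silently dropped."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAGS.get(mask, "UNKNOWN_0x%X" % mask))
    return names


# sAMAccountType codes fixed by the schema; 805306368 is the value in the list above.
SAM_ACCOUNT_TYPES: Dict[int, str] = {
    0x10000000: "SAM_GROUP_OBJECT",
    0x20000000: "SAM_ALIAS_OBJECT",
    0x30000000: "SAM_NORMAL_USER_ACCOUNT",
    0x30000001: "SAM_MACHINE_ACCOUNT",
    0x30000002: "SAM_TRUST_ACCOUNT",
}


def sam_account_type_name(value) -> str:
    """Symbolic name for a sAMAccountType value."""
    return SAM_ACCOUNT_TYPES.get(int(value), "UNKNOWN_%d" % int(value))


if __name__ == "__main__":
    # 129067776000000000 is a constructed FILETIME for 2010-01-01 00:00 UTC.
    print(decode_uac(524802))                      # the disabled, delegation-trusted user from the list
    print(sam_account_type_name(805306368))
    print(filetime_to_datetime(129067776000000000))
    print(filetime_to_datetime(ACCOUNT_NEVER_EXPIRES))
    print(parse_generalized_time("20100101120000.0Z"))
```

Decoding 524802 yields ACCOUNTDISABLE, NORMAL_ACCOUNT and TRUSTED_FOR_DELEGATION, which is what the first post's accept-query filters out; keeping the unknown-bit fallback matters because new flags appear in later schema versions.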