
Sep 21, 2011

Programmer's Font On Windows 7

I've been looking for a font on Windows 7 that's good for scripting. The two main requirements are:
  1. It has to be fixed width (monospace) (of course!);
  2. It can easily let you tell the difference between a 0 (zero) and an O (as in Oops!)
There are a lot of nice fonts, but filtered by the above two criteria and limited to fonts native to Windows 7, it comes down to Consolas.

Jul 18, 2011

2011 Microsoft Scripting Game - Advanced Leader Board

I was recently in the Scripting Guy 2011 game advanced group and placed 32nd overall. Not too bad :-) considering I didn't have enough time to finish all scripts (I've done 8 out of 10), nor did I have time to polish my scripts, which cost quite a few points :-(. Nevertheless it's a great experience. I learned a lot of new PowerShell techniques along the way!

2011 Advanced Group Final Leader Board

Apr 20, 2011

Using System Namespace In Powershell

There are many cool predefined constants, functions, methods, etc. in the System namespace. One would normally learn individual ones through sample scripts, but you really should browse the MSDN page to explore what the System namespace has to offer. Go to a class/structure/enumeration that you are interested in, then pay special attention to its static members.

A few examples:

[System.DateTime]::Today  versus [System.DateTime]::Now
[System.String]::Empty
[System.Console]:: almost everything is static, not surprisingly
[System.Math]::PI

There are also a bunch of other namespaces; please see .NET Framework Libraries

Dec 14, 2010

Local Admin Account vs. account lockout

You can't really lock out an admin account - as long as you type in the correct password on the *local console*, the system will unlock it automatically. This makes sense - legit users need a way to get into the system when all other credentials are failing - completely locking out all users surely won't make happy customers.

However, this increases the risk of the account being cracked by brute force. For companies that want to maximize security and are willing to pay the cost of losing access due to lost passwords, there is a way to put admins under the same lockout policy as ordinary users. MS has an old tool called passprop.exe that can enforce lockout policy, even against admins.

        passprop /adminlockout

This is no longer needed in Windows 2008. There are predefined security policies in Windows 2008 that will do the same.

LDAP search can't find secondary email addresses

You can search for a primary address using a filter like (mail=JohnDoe@foo.com), but a similar filter (proxyAddresses=johnDoe@foo.com) won't return anything. This is because the attribute "proxyAddresses" holds not only smtp addresses but also other address types, e.g. RightFax and X.25. To search secondary smtp addresses, you need to define a filter like this

(proxyAddresses=smtp:johnDoe@foo.com)
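
The filter behaviour described above, as an added example that is not from the original post: a simplified, offline equality match over one constructed entry shows why the bare address finds nothing while the smtp:-prefixed one does, and the filter builder escapes the address per RFC 4515 before inserting it. The entry, the address jdoe@foo.com, the X400 value and all function names are assumptions; the upper-case SMTP: prefix marking the primary address is the Exchange convention.

```python
# Added example. ENTRIES is constructed sample data; no directory is contacted.
ENTRIES = [
    {
        "cn": "John Doe",
        "mail": "JohnDoe@foo.com",
        "proxyAddresses": [
            "SMTP:JohnDoe@foo.com",   # upper-case prefix: primary address
            "smtp:jdoe@foo.com",      # lower-case prefix: secondary address
            "X400:c=US;p=Foo;s=Doe;g=John;",  # non-SMTP address type
        ],
    },
]

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape user-supplied text so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def proxy_filter(email):
    """Build the prefixed filter from the post for an SMTP address."""
    return "(proxyAddresses=smtp:" + escape_filter_value(email) + ")"


def find(entries, attr, value):
    """Simplified equality match: the whole stored value, case-insensitive."""
    wanted = value.lower()
    hits = []
    for entry in entries:
        stored = entry.get(attr, [])
        if isinstance(stored, str):
            stored = [stored]
        if any(v.lower() == wanted for v in stored):
            hits.append(entry["cn"])
    return hits


def split_smtp(values):
    """Separate primary (SMTP:) from secondary (smtp:) addresses client-side."""
    primary, secondary = None, []
    for v in values:
        prefix, _, addr = v.partition(":")
        if prefix == "SMTP":
            primary = addr
        elif prefix == "smtp":
            secondary.append(addr)
    return primary, secondary
```

Because the match is case-insensitive, the smtp: filter also matches the primary SMTP: value, so telling primary from secondary has to be done on the returned values, as split_smtp does.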

Oct 28, 2010

Java JNDI Authentication Against AD

Keep in mind that some of the mechanisms require the user's password to be stored in reversible format and the password to be reset.

JNDI, Active Directory and Authentication (Part 1) (Kerberos)
http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300

JNDI, Active Directory & Authentication (part 2) (SSL)
http://forum.java.sun.com/thread.jspa?threadID=581425&tstart=50

How LDAP Error Codes Map to JNDI Exceptions

| LDAP Status Code | Meaning | Exception or Action |
|---|---|---|
| 0 | Success | Report success. |
| 1 | Operations error | NamingException |
| 2 | Protocol error | CommunicationException |
| 3 | Time limit exceeded. | TimeLimitExceededException |
| 4 | Size limit exceeded. | SizeLimitExceededException |
| 5 | Compared false. | Used by DirContext.search(). Does not generate an exception. |
| 6 | Compared true. | Used by DirContext.search(). Does not generate an exception. |
| 7 | Authentication method not supported. | AuthenticationNotSupportedException |
| 8 | Strong authentication required. | AuthenticationNotSupportedException |
| 9 | Partial results being returned. | If the environment property "java.naming.referral" is set to "ignore" or the contents of the error do not contain a referral, throw a PartialResultException. Otherwise, use contents to build a referral. |

Sep 27, 2010

What Certificate Authorities You (Are Forced to) Trust and Why

In real life, any identity-issuing agency gets its power from a government that people elected. You can't just claim you can/want to issue identity certificates, because nobody is going to trust what you issue.

Then why the heck are there so many "trusted" root CAs in our operating systems that we didn't endorse? In other words, we are forced to trust some companies that we didn't elect. How did those CAs get their "trusted" status?

The answer is that it's Microsoft who decides which CAs it wants to add to its Windows trusted list. They have a program called "Microsoft Root Certificate Program". As long as you meet MS' requirements, you can apply and (hopefully) get the same status as big guys such as VeriSign, Thawte, etc.

Not surprisingly, you can expect that other mainstream OSes/browsers have the same kind of programs.

Some may ask why Microsoft should make the choice on their behalf. Well, if you decided to use Windows, you, intentionally or unintentionally, decided to trust whatever Microsoft puts on the system anyway, didn't you? We can only trust that Microsoft's verification program will do its job.

Want to know who is on the trusted list? Please see KB931125

Sep 17, 2010

Access denied when opening a network drive

When opening a network drive, what is the difference between double-clicking the drive letter and typing the letter in the address bar and pressing Enter? None really, you would think.

I was troubleshooting a ticket where a user got "Access Denied" by double clicking, while using the address bar worked just fine. Needless to say, permissions are all correct on the network share. It's just how you access it. The issue follows the user so I looked up and down in the user's properties in AD and group policies but failed to find anything.

It turned out it was caused by a little file, autorun.inf, under the root of that network drive. By double clicking the system tried to run it and it required something that this user didn't have permission to. Removing the file resolved the issue!

Apr 28, 2010

AD limitations and scalability

This topic describes Active Directory scalability and other limitations, as well as recommendations that apply when you are designing or implementing an Active Directory infrastructure. These limitations include the following:


Maximum Number of Objects
Maximum Number of Security Identifiers
Maximum Number of entries in Discretionary and Security Access Control Lists
Group Memberships for Security Principals
FQDN Length Limitations
File Name and Path Length Limitations
Additional Name Length Limitations
Maximum Number of GPOs Applied
Trust Limitations
Maximum Number of Accounts per LDAP Transaction
Recommended Maximum Number of Users in a Group
Recommended Maximum Number of Domains in a Forest
Recommended Maximum Number of Domain Controllers in a Domain
Recommended Maximum Kerberos Settings

MIT Kerberos 5 FAQ

Apr 7, 2010

Account lockout-related event logs

| Event ID | Description |
|---|---|
| 528 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
| 529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
| 530 | Logon failure. A logon attempt was made, but the user account tried to log on outside of the allowed time. |

Mar 21, 2010

I am now Windows 2008 certified!

Passed 70-649 two weeks ago, which gave me three certificates:

MCTS: Active Directory
MCTS: Network
MCTS: Application Infrastructure

Two more exams to get my MCITP: Enterprise Admin

Update (Jun 12): Passed 70-747. One more exam (70-680) to get my MCITP:Enterprise Admin
Update (Sep 23): Passed 70-680. Now I am MCITP: Enterprise Admin!

Nov 24, 2009

Suggested Thresholds for Essential Counters

This is excerpted from an MS article for the w2k resource kit. Most of the numbers should still be applicable to newer OS versions.

| Resource | Object/Counter | Threshold | Comments |
|---|---|---|---|
| Disk | PhysicalDisk\% Disk Time | 90% | |
| Disk | PhysicalDisk\Disk Reads/sec, PhysicalDisk\Disk | Depends on manufacturer's specifications | Check the disk's specified transfer rate to verify that the logged rate doesn't exceed specifications.(1) |

Sep 22, 2009

Account Logon vs. Logon/Logoff events in security log

Ever confused by the "Account Logon" events and "Logon/Logoff" events in your Security Log? Read on.

[Edit: Dec 19, 2011]: This is applicable to Windows 2003. In Windows 2008, "account logon" is changed to "credential validation" to better reflect what it really is.
****************************************
This is a complete copy/paste from MSDN.
****************************************

One of the most common questions that I get about Windows Auditing is, how come you guys were so @#%! stupid that you put in two logon categories?

The answer is actually pretty simple- we're bad at choosing names. "Account Logon" isn't really about logon, it's about credential validation.

Here's the low down on what is the difference between Logon/Logoff and Account Logon events, and how to decipher Account Logon events.

Jan 28, 2009

Change TSM client password on cluster

Or when there is more than one scheduler service.

On the active node, open a command prompt:

        dsmc -optfile="the opt file that you want to change"
        q se
        set password

Fail over to the second node and do the same.

Jan 15, 2009

Replacing a cert without losing existing cert in IIS

http://support.microsoft.com/kb/295281

Recently I ran into a problem when I tried to generate a CSR. The current cert in use was from VeriSign and we wanted to switch to thawte. The problem was that the option "Replace current cert" was grayed out because existing cert was still valid. The above KB is the perfect workaround.

Dec 30, 2008

How Outlook contact properties map to LDAP attributes

>>>>>>> Taken from OpenLDAP <<<<<<<<

. Outlook Field - LDAP Attribute(s) (1)
-----------------------------------
Summary
. Name - cn, display-name
. E-Mail Address - mail (2)
. Home Phone - homePhone
. Pager - officePager, pager (3)
. Mobile - mobile
. Personal Web Page
. Business Phone - telephoneNumber
. Business FAX - officeFAX, facsimileTelephoneNumber
. Job Title - title

Sep 22, 2008

VB applet that creates event logs on Windows 2000 servers

Recently I've been working on a monitoring solution so I need a tool that can generate event logs to trigger the monitoring agent. There are a few tools from MS Support Tools or Resource Kit Tools that can do this but they all have some limitations. For example, some can create logs for existing sources, others can't create logs for an existing source/ID.

Blackhole routers and how they affect your AD environment

Recently I've been working on a Kerberos authentication issue with servers that connect to DCs via VPN. The servers can join the domain fine, users can log into the domain from these servers, and browsing domain resources seems to be no problem. However, a particular application always fails to get the AS ticket from the DC.