Sunday, August 7, 2011

Users Groups Computers



There are three ways to manage objects in AD: the GUI, the command line (the ds* tools), and scripting with PowerShell or VBScript. Below I summarize creating new objects, modifying them, querying, deleting and other maintenance tasks with each.

  
· Dsadd - creates an object in the directory.
· Dsget - returns specified attributes of an object.
· Dsmod - modifies specified attributes of an object.
· Dsmove - moves an object to a new container or OU.
· Dsrm - removes an object, all objects in the subtree beneath a container object, or both.
· Dsquery - performs a query based on parameters provided at the command line and returns a list of matching objects. By default, the result set is presented as the distinguished names (DNs) of each object, but you can use the -o parameter with modifiers such as dn, rdn, upn, or samid to receive the results as DNs, relative DNs, user principal names (UPNs), or pre-Windows 2000 logon names (security accounts manager [SAM] IDs).




Create New Objects


GUI: ‘Active Directory Users and Computers’
CMD:
·  dsadd computer - adds a computer to the directory.
·  dsadd contact - adds a contact to the directory.
·  dsadd group - adds a group to the directory.
·  dsadd ou - adds an organizational unit to the directory.
·  dsadd user - adds a user to the directory.
·  dsadd quota - adds a quota specification to a directory partition.

Remarks:
If you do not supply a target object at the command prompt, the target object is obtained from standard input (stdin). Stdin data can be accepted from the keyboard, a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use Control+Z, for End of File (EOF).

If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").

If you enter multiple values, the values must be separated by spaces (for example, a list of distinguished names).

The special token $username$ (case insensitive) may be used to place the SAM account name in the value of a parameter. For example, if the target user DN is CN=Jane Doe,CN=users,DC=microsoft,DC=com and the SAM account name attribute is "janed", the -hmdir parameter can have the following substitution:

-hmdir \users\$username$\home

The value of the -hmdir parameter is modified to the following value:

-hmdir \users\janed\home

dsadd user "User DN" -samid "pre-Windows 2000 logon name" -pwd {Password | *} -mustchpwd yes

Importing users in bulk with CSVDE (or LDIFDE):
csvde [-i] [-f Filename] [-k]



PS:
# Sample attribute values for the new account (constructed; the original snippet used these variables without assigning them)
$samAccountName    = "mnorth"
$userPrincipalName = "mnorth@contoso.com"
$displayName       = "Mary North"
$givenName         = "Mary"
$sn                = "North"
$description       = "Sales account manager"
$company           = "Contoso"
$department        = "Sales"
$title             = "Account Manager"
$mail              = "mary.north@contoso.com"

# Bind to the target OU with ADSI and create the user object beneath it
$objOU   = [ADSI]"LDAP://OU=People,DC=contoso,DC=com"
$objUser = $objOU.Create("user", "CN=Mary North")
$objUser.Put("sAMAccountName",    $samAccountName)
$objUser.Put("userPrincipalName", $userPrincipalName)
$objUser.Put("displayName",       $displayName)
$objUser.Put("givenName",         $givenName)
$objUser.Put("sn",                $sn)
$objUser.Put("description",       $description)
$objUser.Put("company",           $company)
$objUser.Put("department",        $department)
$objUser.Put("title",             $title)
$objUser.Put("mail",              $mail)

# Write the object to the directory; the account stays disabled until a password is set and it is enabled
$objUser.SetInfo()


Inquiry and search



GUI: ‘Active Directory Users and Computers’. We are all familiar with this tool and it is easy to use, but if the organisation has 10,000 user names, finding the one you want is no longer easy. That is where ‘Saved Queries’ come into play.
     

Saved Queries



This is quite handy: for instance, you can save a query for all disabled and non-expiring accounts, which helps you find all disabled accounts very quickly.

It is not displayed in ‘Server Manager’; it shows up in ‘Active Directory Users and Computers’.

Using the Select Users, Contacts, Computers, Or Groups Dialog Box



· Multiple names can be entered, separated by semicolons.



CMD: dsquery

·       dsquery computer - finds computers in the directory.
·       dsquery contact - finds contacts in the directory.
·       dsquery subnet - finds subnets in the directory.
·       dsquery group - finds groups in the directory.
·       dsquery ou - finds organizational units in the directory.
·       dsquery site - finds sites in the directory.
·       dsquery server - finds AD DCs/LDS instances in the directory.
·       dsquery user - finds users in the directory.
·       dsquery quota - finds quota specifications in the directory.
·       dsquery partition - finds partitions in the directory.
·       dsquery * - finds any object in the directory by using a generic LDAP query.

Examples:
To find all users in a given organizational unit (OU) whose name starts with "jon" and whose account has been disabled for logon and display their user principal names (UPNs):

    dsquery user ou=Test,dc=microsoft,dc=com -o upn -name jon* -disabled

To find all users in only the current domain, whose names end with "smith" and who have been inactive for 3 weeks or more, and display their DNs:

    dsquery user domainroot -name *smith -inactive 3

To find all users in the OU given by ou=sales,dc=microsoft,dc=com and display their UPNs:

    dsquery user ou=sales,dc=microsoft,dc=com -o upn
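The dsquery switches in the examples above are shorthand for an LDAP filter, and knowing that filter lets you run the same search from any LDAP client or from a script. The following is an added example, not code from the original post: it translates a `dsquery user` command line into a base DN, filter and output attribute. It assumes that -name matches the CN attribute, that -inactive is measured in weeks against lastLogonTimestamp, and the -o to attribute mapping shown in OUTPUT_ATTR; SAMPLE_NOW is a fixed date (the post's date) used in place of the current time so the result is reproducible.

```python
# Added example (not part of the original post): translate `dsquery user` switches
# into the LDAP filter they correspond to, including the FILETIME arithmetic
# behind -inactive.
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Fixed "now" for the demo (the date of the post) so -inactive gives a stable cutoff.
SAMPLE_NOW = datetime(2011, 8, 7, tzinfo=timezone.utc)

# Bit 0x2 of userAccountControl is ACCOUNTDISABLE; the OID is LDAP_MATCHING_RULE_BIT_AND.
DISABLED_CLAUSE = "(userAccountControl:1.2.840.113556.1.4.803:=2)"

# Attribute that carries each -o output format (assumed mapping for this example).
OUTPUT_ATTR = {"dn": "distinguishedName", "rdn": "name",
               "upn": "userPrincipalName", "samid": "sAMAccountName"}


def to_filetime(dt):
    """Convert a timezone-aware datetime to a Windows FILETIME integer."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def ldap_escape(value):
    """Escape RFC 4515 special characters but keep '*' so dsquery-style wildcards still work."""
    return (value.replace("\\", "\\5c").replace("(", "\\28")
                 .replace(")", "\\29").replace("\x00", "\\00"))


def dsquery_user_filter(name=None, disabled=False, inactive_weeks=None, now=None):
    """LDAP filter equivalent of `dsquery user [-name X] [-disabled] [-inactive N]`."""
    clauses = ["(objectCategory=person)", "(objectClass=user)"]
    if name:
        clauses.append(f"(cn={ldap_escape(name)})")
    if disabled:
        clauses.append(DISABLED_CLAUSE)
    if inactive_weeks is not None:
        # lastLogonTimestamp is replicated between DCs but may lag the real last
        # logon by up to 14 days, so treat the result as approximate.
        now = now or datetime.now(timezone.utc)
        cutoff = to_filetime(now - timedelta(weeks=inactive_weeks))
        clauses.append(f"(lastLogonTimestamp<={cutoff})")
    return "(&" + "".join(clauses) + ")"


def translate_dsquery_user(cmdline, now=None):
    """Parse a `dsquery user ...` command line into base DN, scope, filter and output attribute."""
    tokens = cmdline.split()
    if tokens[:2] != ["dsquery", "user"]:
        raise ValueError("only 'dsquery user' is handled in this example")
    base, name, disabled, inactive, out = None, None, False, None, "dn"
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-name":
            name, i = tokens[i + 1], i + 2
        elif tok == "-disabled":
            disabled, i = True, i + 1
        elif tok == "-inactive":
            inactive, i = int(tokens[i + 1]), i + 2
        elif tok == "-o":
            out, i = tokens[i + 1].lower(), i + 2
        elif tok.startswith("-"):
            raise ValueError(f"switch not handled in this example: {tok}")
        else:
            # Start node: a DN, or 'domainroot' (None here: the client uses its default naming context).
            base, i = (None if tok.lower() == "domainroot" else tok), i + 1
    return {"base": base, "scope": "subtree",
            "filter": dsquery_user_filter(name, disabled, inactive, now),
            "attribute": OUTPUT_ATTR[out]}


if __name__ == "__main__":
    for cmd in ("dsquery user ou=Test,dc=microsoft,dc=com -o upn -name jon* -disabled",
                "dsquery user domainroot -name *smith -inactive 3"):
        print(cmd, "->", translate_dsquery_user(cmd, now=SAMPLE_NOW))
```

The filter for the first example comes out as `(&(objectCategory=person)(objectClass=user)(cn=jon*)(userAccountControl:1.2.840.113556.1.4.803:=2))`, which is what a saved query in ADUC or an ldapsearch would use; the -inactive cutoff is simply a FILETIME three weeks before "now".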



PS/VB Script:

Modify



Permission  ACL


 dsacls

Saturday, July 16, 2011

Dyndns configuration At Cisco router

If you want to reach your workstation, server, or camera wherever you are, the best way is to get a static IP from your provider, which most likely is not free. With dynamic IPs, the solution is dynamic DNS.
 Here you can find some of them: Dynamic DNS providers
http://dnslookup.me/dynamic-dns/

If you have a machine that is on 24*7, it's easy: just install the client on it and it will automatically update your IP with the provider. If not, your router/modem, which I guess should be on all the time, can do it; check with the vendor to make sure it supports DDNS. In my case it's a Cisco router, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T2.
The key commands are the following:
1. DNS:
ip name-server YOUR_DNS_SERVER
no ip domain loop
!
2. The WAN interface:
 ip ddns update hostname YOURHOST.dyndns.org
 ip ddns update DYNDNS.ORG
 ip nat outside
!
3. The update method:
ip ddns update method DYNDNS.ORG
 HTTP
  add http://YOURACCOUNT:YOURPASSWORD@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://YOURACCOUNT:YOURPASSWORD@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 0 0 30 0
 interval minimum 0 0 20 0
!

Tip:
I didn't bother with security, because if someone knows my IP, I am OK with it; I know the IP will change next time. If you do, here is the link to import the Dyndns certificate and use HTTPS rather than HTTP.
http://www.dyndns.com/support/kb/configuring_cisco_https.html#
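To see what the update method above actually sends, here is an added example (not code from the original post or from Cisco) that parses the `ip ddns update method` block, expands the `<h>` and `<a>` placeholders the way IOS does, converts the interval lines to seconds, and flags the two properties the tip refers to: the HTTP transport and the account credentials carried inside the URL. The config text is a constructed copy of the method block with placeholder credentials; the hostname and address passed to expand_update_url are made up.

```python
# Added example (not part of the original post): audit the IOS DDNS update method.
from urllib.parse import urlsplit, urlunsplit

# Constructed copy of the method block from the post, with placeholder credentials.
DDNS_METHOD_CONFIG = """\
ip ddns update method DYNDNS.ORG
 HTTP
  add http://YOURACCOUNT:YOURPASSWORD@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://YOURACCOUNT:YOURPASSWORD@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 0 0 30 0
 interval minimum 0 0 20 0
"""


def parse_ddns_method(config):
    """Return the method name, its add/remove URL templates and the intervals in seconds."""
    method = {"name": None, "urls": {}, "interval": {}}
    for line in config.splitlines():
        parts = line.split()
        if parts[:4] == ["ip", "ddns", "update", "method"]:
            method["name"] = parts[4]
        elif parts[:1] in (["add"], ["remove"]):
            method["urls"][parts[0]] = parts[1]
        elif parts[:1] == ["interval"]:
            # interval {maximum|minimum} days hours minutes seconds
            days, hours, minutes, seconds = (int(x) for x in parts[2:6])
            method["interval"][parts[1]] = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    return method


def expand_update_url(template, hostname, ip):
    """IOS substitutes <h> with the configured DDNS hostname and <a> with the interface address."""
    return template.replace("<h>", hostname).replace("<a>", ip)


def audit_update_url(url):
    """Findings for one update URL: clear-text transport and credentials embedded in the URL."""
    u = urlsplit(url)
    findings = []
    if u.scheme != "https":
        findings.append(f"scheme is {u.scheme}: account, password and hostname cross the Internet in clear text")
    if u.username or u.password:
        findings.append("credentials are embedded in the URL and appear in the running configuration")
    return findings


def to_https(url):
    """The post's own remedy: send the update over HTTPS (the DynDNS CA certificate must be imported on the router)."""
    return urlunsplit(urlsplit(url)._replace(scheme="https"))


if __name__ == "__main__":
    method = parse_ddns_method(DDNS_METHOD_CONFIG)
    print("update every", method["interval"]["minimum"], "to", method["interval"]["maximum"], "seconds")
    for action, url in method["urls"].items():
        print(action, "->", expand_update_url(url, "YOURHOST.dyndns.org", "203.0.113.7"))
        for finding in audit_update_url(url):
            print("  !", finding)
        print("  fixed:", to_https(url))
```

The intervals work out to an update every 20 to 30 minutes, so the account and password are sent that often; switching the scheme clears the transport finding, while the credential-in-URL finding remains because that is how the IOS update method is configured.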



Monday, July 11, 2011

Implementing Cisco router with CA certificate

Generating an RSA Key Pair

myrouter(config)#crypto key generate rsa label RouterKeyJuly2011 exportable

myrouter(config)#do sh crypto key mypubkey rsa
% Key pair was generated at: 15:44:54 Melbour Jul 10 2011
Key name: RouterKeyJuly2011
Storage Device: not specified
Usage: General Purpose Key
Key is exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DDCEC4
EB77050F C501C355 E811AC7D C6F87161 7A008992 713EE84A 420AFF15 FD1F8D40
0FCECC4B 5B60DF21 A6D6318A AE7ECA7E 3BEBC91F 44BABC12 985A00A1 60A81A1C
5CA5CE5D 9F044863 E19E2D19 F55A36AD F03FCD1C FE421BE2 1B0CC8B1 F8750B54
F2EC09A1 90BE9AAE 3BBF3D63 BA572139 728286FD F7269C05 5E1FB2EC F9020301 0001
% Key pair was generated at: 15:44:56 Melbour Jul 10 2011
Key name: RouterKeyJuly2011.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00F2D0B2 4C0DFB8C
B0A5AA00 9C0F2899 D034330E B1ABD5A3 D716AF73 61ADB7F5 27BDB63D 1A4D09F1
EAF27A8D BE9C0D24 55DB5E9A D85B0F9E DCC1F6A2 1F7C77AC C8BE60CD 309FE94B
F31FFDCA 6984DF8F AF973C2F AA3DB96C 6DEDAAF1 0BE4EC28 DD020301 0001

Configuring certificate enrolment with the CA:
crypto pki trustpoint win2k8-s3.itengineer.local
 enrollment mode ra
 enrollment url http://win2k8-s3:80/certsrv/mscep/mscep.dll
 password AAC66E7AF8B6874F
 subject-name cn=myrouter
 revocation-check crl
 rsakeypair RouterWinPKI

Detailed steps: the commands broken down

crypto pki trustpoint name

Example:
Router(config)# crypto pki trustpoint mytp
Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.

enrollment [mode] [retry period minutes] [retry count number] url url [pem]

Example:
Router(ca-trustpoint)# enrollment url http://cat.example.com
Specifies the URL of the CA to which your router should send certificate requests.
mode—Specifies RA mode if your CA system provides an RA.
retry period minutes—Specifies the wait period between certificate request retries. The default is 1 minute between retries.
retry count number—Specifies the number of times a router will resend a certificate request when it does not receive a response from the previous request. (Specify from 1 to 100 retries.)
url url—URL of the file system where your router should send certificate requests. For enrollment method options, see the enrollment command in the Cisco IOS Security Command Reference.
pem—Adds privacy-enhanced mail (PEM) boundaries to the certificate request.
subject-name [x.500-name]

Example:
Router(ca-trustpoint)# subject-name cat
(Optional) Specifies the requested subject name that will be used in the certificate request.
x.500-name—If it is not specified, the fully qualified domain name (FQDN), which is the default subject name, will be used.
ip address {ip address | interface |none}

Example:
Router(ca-trustpoint)# ip address 192.168.1.66
(Optional) Includes the IP address of the specified interface in the certificate request. Issue the none keyword if no IP address should be included. Note If this command is enabled, you will not be prompted for an IP address during enrollment for this trustpoint.
serial-number [none]

Example:
Router(ca-trustpoint)# serial-number
(Optional) Specifies the router serial number in the certificate request, unless the none keyword is issued.
auto-enroll [percent] [regenerate]

Example:
Router(ca-trustpoint)# auto-enroll

(Optional) Enables autoenrollment, allowing you to automatically request a router certificate from the CA.
By default, only the Domain Name System (DNS) name of the router is included in the certificate.
Use the percent argument to specify that a new certificate will be requested after the percentage of the lifetime of the current certificate is reached.
Use the regenerate keyword to generate a new key for the certificate even if a named key already exists.

Note If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear in the trustpoint configuration to indicate whether the key pair is exportable: “! RSA key pair associated with trustpoint is exportable.”
usage method1 [method2 [method3]]

Example:
Router(ca-trustpoint)# usage ssl-client
(Optional) Specifies the intended use for the certificate. Available options are ike, ssl-client, and ssl-server; the default is ike.
password string

Example:
Router(ca-trustpoint)# password meow
(Optional) Specifies the revocation password for the certificate. If this command is enabled, you will not be prompted for a password during enrollment for this trustpoint.
Note When SCEP is used, this password can be used to authorize the certificate request—often via a one-time password or similar mechanism.
rsakeypair key-label [key-size [encryption-key-size]]

Example:
Router(ca-trustpoint)# rsakeypair cat
(Optional) Specifies which key pair to associate with the certificate.
A key pair with key-label will be generated during enrollment if it does not already exist or if the auto-enroll regenerate command was issued.
Specify the key-size argument for generating the key, and specify the encryption-key-size argument to request separate encryption, signature keys, and certificates.

Note If this command is not enabled, the FQDN key pair is used.
fingerprint ca-fingerprint

Example:
Router(ca-trustpoint)# fingerprint 12EF53FA 355CD23E 12EF53FA 355CD23E
(Optional) Specifies a fingerprint that can be matched against the fingerprint of a CA certificate during authentication.

Note If the fingerprint is not provided and authentication of the CA certificate is interactive, the fingerprint will be displayed for verification.
crypto pki authenticate name

Example:
Router(config)# crypto pki authenticate mytp
Retrieves the CA certificate and authenticates it.
Check the certificate fingerprint if prompted.

Note This command is optional if the CA certificate is already loaded into the configuration.


myrouter(config)#crypto ca authenticate win2k8-s3.itengineer.local
Trustpoint 'win2k8-s3.itengineer.local' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: DDBAA276 58D8DEAB C09C4833 EFB984EE
Fingerprint SHA1: 1BDDEF1E 7CA28085 FCE74A9D DAA00F7D 3A0D98A3

% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.

myrouter(config)#crypto ca enroll win2k8-s3.itengineer.local
%
% Start certificate enrollment ..

% The subject name in the certificate will include: cn=myrouter
% The subject name in the certificate will include: myrouter.itengineer.local
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FHK140770M4
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose win2k8-s3.itengineer.local' commandwill show the fingerprint.



Verify the configuration:

myrouter(config)#do sh cry ca ce
Certificate
Status: Available
Certificate Serial Number (hex): 13F3430E00010000001D
Certificate Usage: General Purpose
Issuer:
cn=itengineer-WIN2K8-S2-CA
dc=itengineer
dc=local
Subject:
Name: myrouter.itengineer.local
Serial Number: FHK140770M4
cn=myrouter
hostname=myrouter.itengineer.local
serialNumber=FHK140770M4
CRL Distribution Points:
ldap:///CN=itengineer-WIN2K8-S2-CA(1),CN=win2k8-s2,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=itengineer,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 19:09:51 Melbour Jul 10 2011
end date: 19:09:51 Melbour Jul 9 2013
Associated Trustpoints: win2k8-s3.itengineer.local

CA Certificate
Status: Available
Certificate Serial Number (hex): 6171E77C000000000004
Certificate Usage: Signature
Issuer:
cn=LocalCA
Subject:
cn=itengineer-WIN2K8-S2-CA
dc=itengineer
dc=local
Validity Date:
start date: 22:04:40 Melbour Jul 4 2011
end date: 22:14:40 Melbour Jul 4 2015
Associated Trustpoints: win2k8-s3.itengineer.local


myrouter#sh crypto key mypubkey rsa
% Key pair was generated at: 15:44:54 Melbour Jul 10 2011
Key name: RouterKeyJuly2011
Storage Device: private-config
Usage: General Purpose Key
Key is exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DDCEC4
EB77050F C501C355 E811AC7D C6F87161 7A008992 713EE84A 420AFF15 FD1F8D40
0FCECC4B 5B60DF21 A6D6318A AE7ECA7E 3BEBC91F 44BABC12 985A00A1 60A81A1C
5CA5CE5D 9F044863 E19E2D19 F55A36AD F03FCD1C FE421BE2 1B0CC8B1 F8750B54
F2EC09A1 90BE9AAE 3BBF3D63 BA572139 728286FD F7269C05 5E1FB2EC F9020301 0001
% Key pair was generated at: 15:44:56 Melbour Jul 10 2011
Key name: RouterKeyJuly2011.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00F2D0B2 4C0DFB8C
B0A5AA00 9C0F2899 D034330E B1ABD5A3 D716AF73 61ADB7F5 27BDB63D 1A4D09F1
EAF27A8D BE9C0D24 55DB5E9A D85B0F9E DCC1F6A2 1F7C77AC C8BE60CD 309FE94B
F31FFDCA 6984DF8F AF973C2F AA3DB96C 6DEDAAF1 0BE4EC28 DD020301 0001
% Key pair was generated at: 19:05:12 Melbour Jul 10 2011
Key name: RouterWinPKI
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 008A1F87 1EE25EF2
9B56CD9D 7C9BDF49 56E0124C DA9EE267 65736B45 AEB14829 61365089 C019781E
74CC3D78 E05EEEFE 5DAE0E34 735DC40F 2EC9D181 1090564C A9020301 0001
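The "Key Data" that `show crypto key mypubkey rsa` prints is the DER-encoded SubjectPublicKeyInfo of each key, so the modulus size can be read straight out of the dump. The following is an added example, not code from the original post or from Cisco: a small DER walker that takes the three hex dumps shown above (copied from the output) and reports the RSA modulus length and public exponent for each. The 2048-bit floor passed to audit_keys is this example's own choice. Run it and the key the trustpoint actually uses, RouterWinPKI, turns out to be 512 bits: the `rsakeypair RouterWinPKI` line carried no key-size, so enrollment generated it with the default modulus, which is far below current minimums; the explicitly generated RouterKeyJuly2011 is 1024 bits and the temporary .server key 768 bits.

```python
# Added example (not part of the original post): parse the RSA public keys
# printed by `show crypto key mypubkey rsa` and check their modulus size.

# Hex dumps copied from the router output above (DER SubjectPublicKeyInfo).
KEY_DUMPS = {
    "RouterKeyJuly2011": """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DDCEC4
EB77050F C501C355 E811AC7D C6F87161 7A008992 713EE84A 420AFF15 FD1F8D40
0FCECC4B 5B60DF21 A6D6318A AE7ECA7E 3BEBC91F 44BABC12 985A00A1 60A81A1C
5CA5CE5D 9F044863 E19E2D19 F55A36AD F03FCD1C FE421BE2 1B0CC8B1 F8750B54
F2EC09A1 90BE9AAE 3BBF3D63 BA572139 728286FD F7269C05 5E1FB2EC F9020301 0001
""",
    "RouterKeyJuly2011.server": """
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00F2D0B2 4C0DFB8C
B0A5AA00 9C0F2899 D034330E B1ABD5A3 D716AF73 61ADB7F5 27BDB63D 1A4D09F1
EAF27A8D BE9C0D24 55DB5E9A D85B0F9E DCC1F6A2 1F7C77AC C8BE60CD 309FE94B
F31FFDCA 6984DF8F AF973C2F AA3DB96C 6DEDAAF1 0BE4EC28 DD020301 0001
""",
    "RouterWinPKI": """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 008A1F87 1EE25EF2
9B56CD9D 7C9BDF49 56E0124C DA9EE267 65736B45 AEB14829 61365089 C019781E
74CC3D78 E05EEEFE 5DAE0E34 735DC40F 2EC9D181 1090564C A9020301 0001
""",
}

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(hexdump):
    """Return (modulus, exponent) from a hex SubjectPublicKeyInfo dump."""
    der = bytes.fromhex("".join(hexdump.split()))
    tag, spki, end = read_tlv(der, 0)                     # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("dump is not a single DER SEQUENCE")
    tag, algid, pos = read_tlv(spki, 0)                   # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(algid, 0)
    if (tag, oid_tag, oid) != (0x30, 0x06, RSA_ENCRYPTION_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = read_tlv(spki, pos)                  # BIT STRING holding RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:                     # first byte = count of unused bits
        raise ValueError("expected a BIT STRING with no unused bits")
    tag, rsakey, _ = read_tlv(bitstr, 1)                  # RSAPublicKey SEQUENCE
    if tag != 0x30:
        raise ValueError("expected RSAPublicKey SEQUENCE")
    tag_n, n_bytes, pos = read_tlv(rsakey, 0)             # INTEGER modulus
    tag_e, e_bytes, _ = read_tlv(rsakey, pos)             # INTEGER publicExponent
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs in RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def rsa_key_bits(hexdump):
    """Modulus length in bits (the leading 0x00 pad byte of the INTEGER is ignored by bit_length)."""
    return parse_rsa_public_key(hexdump)[0].bit_length()


def audit_keys(dumps, min_bits=2048):
    """Map key name -> (bits, exponent, meets_minimum); min_bits is this example's threshold."""
    report = {}
    for name, dump in dumps.items():
        n, e = parse_rsa_public_key(dump)
        report[name] = (n.bit_length(), e, n.bit_length() >= min_bits)
    return report


if __name__ == "__main__":
    for name, (bits, e, ok) in audit_keys(KEY_DUMPS).items():
        print(f"{name:26s} {bits:5d}-bit  e={e}  {'OK' if ok else 'BELOW MINIMUM'}")
```

The same walker works on any router's output; paste each "Key Data" block in as a string. If a trustpoint's key comes out short, regenerate it with an explicit modulus (the `rsakeypair key-label key-size` form shown earlier) before re-enrolling.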



myrouter#sh crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate

Code Usage IP-Address/VRF Keyring Name
C Signing default X.500 DN name:
cn=itengineer-WIN2K8-S2-CA
dc=itengineer
dc=local