BPuhl’s Blog

A little bit of everything without actually being much of anything

Archive for May, 2008

RODC Compatibility Pack for XP and 2003 now available

Posted by BPuhl on May 28, 2008

There were a few fixes required for downlevel clients to be able to fully leverage an RODC, and those changes are now available in the download center!

“Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients”

http://support.microsoft.com/kb/944043

Posted in Active Directory, Random Tecnical Stuff | Leave a Comment »

Posted by BPuhl on May 15, 2008

weather

I feel a previously scheduled engagement coming on…    -DH

Posted in Randomness | 1 Comment »

Posted by BPuhl on May 12, 2008

The status quo blows… -KS

Posted in Quotes | Leave a Comment »

Is the user in the group?

Posted by BPuhl on May 10, 2008

Initial disclaimer:  I am not a developer.  I don’t even play one on TV.

However, now that that’s out of the way: since I am “the AD guy” who’s usually around in MS IT, and am more often than not willing to answer questions (whether I know the answer or not), I tend to get a lot of questions about programs interacting with AD.  One question, which I’ve been asked at least three times (in various forms) in the past few months, goes something like this:

“When a user comes to my application, I query the member attribute of the security group that we want, and then loop through it to see if the user is a member.  This worked great until we expanded our pilot, and there are now 7,000 members of the group.  Is there a more performant way of doing this?  We have tried using isMemberOf, but that doesn’t work so well either.”

Now, I figure there are probably better ways built into the OS to do this to begin with, but then again, maybe not…  at least not in the “edge case” territory where I often seem to live.  The reply that I’ve started to give goes something like this:

If all you really care about is whether the user is a member of a specific group, then that is exactly what you should ask AD.

More specifically, change the code so that it first gets the distinguished name of the user, and then asks AD for “all groups named <your group here> that contain the user <userDN>”.  To see whether BPuhl is a member of the FooBar security group, it looks like this:

First, get the DN for BPuhl:  cn=bpuhl,ou=users,dc=ms,dc=com

Second, check whether a group with that name lists him as a member:

       (&(cn=foobar)(member=cn=bpuhl,ou=users,dc=ms,dc=com))

                 or

       (&(samAccountName=foobar)(member=cn=bpuhl,ou=users,dc=ms,dc=com))

Which form you use depends on how the application “knows” the name of the group (by cn or by sAMAccountName); the performance is the same either way.

With this query, if AD returns an object, that object is your security group, and you implicitly know that the user is a member.  If the user isn’t a member, AD returns nothing, because there “are no security groups named foobar that contain user bpuhl”.

I’m sure there are better ways of doing this, but I get the impression that they become implementation-specific, etc., and the folks who usually ask the question are IT pros rather than developers, and tend to be fairly light even on .NET.

If anyone else has a better answer to this question though, I’d love to hear it!
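To make the recommendation concrete, here is an added PowerShell example; it is not code from the original post. It runs the two steps above through System.DirectoryServices on a domain-joined machine. The account and group names bpuhl and foobar are the post’s own; the function names, the objectCategory/objectClass terms in the filters, and the escaping helper are assumptions added here. The user DN and the group name are values inside an LDAP filter, so the example escapes the RFC 4515 metacharacters before building the filter: a CN with an escaped comma (cn=Smith\, John) would otherwise produce an invalid filter, and a name taken from a web request could otherwise rewrite the filter (LDAP injection).

```powershell
# Added example (not from the original post): the post's two-step group check,
# with filter values escaped. Assumes a domain-joined machine whose current
# user can read the group's member attribute.

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 filter metacharacters. Backslash goes first so the
    # escapes introduced here are not escaped a second time.
    param([Parameter(Mandatory = $true)][string]$Value)
    return $Value -replace '\\', '\5c' `
                  -replace '\*', '\2a' `
                  -replace '\(', '\28' `
                  -replace '\)', '\29' `
                  -replace "`0", '\00'
}

function Find-UserDn {
    # Step 1 of the post: resolve the logon name to a distinguished name.
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $name = ConvertTo-LdapFilterValue $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$name))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    return [string]$hit.Properties['distinguishedname'][0]
}

function Test-DirectGroupMember {
    # Step 2 of the post: ask AD for "the group named X whose member attribute
    # contains this DN". A result means the user is a direct member.
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [Parameter(Mandatory = $true)][string]$UserDn
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $g = ConvertTo-LdapFilterValue $GroupName
    $u = ConvertTo-LdapFilterValue $UserDn
    # objectClass=group is an addition to the post's filter (assumption): it
    # keeps a non-group object that happens to carry the same name from matching.
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$g)(member=$u))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    return ($null -ne $searcher.FindOne())
}

# Usage: fail closed when the user cannot be resolved.
$dn = Find-UserDn -SamAccountName 'bpuhl'
if ($null -eq $dn) {
    Write-Output 'user not found'
} else {
    $isMember = Test-DirectGroupMember -GroupName 'foobar' -UserDn $dn
    Write-Output ("bpuhl is a direct member of foobar: {0}" -f $isMember)
}
```

Two caveats on the answer this returns. A match on member= is direct membership only: nested groups and the user’s primary group (the one in primaryGroupID) are not listed in member, so a user who belongs only through a nested group gets a “no”; on DCs that support the LDAP_MATCHING_RULE_IN_CHAIN rule, the term member:1.2.840.113556.1.4.1941:=<userDN> matches transitively instead. And an empty result is also what you get when the group does not exist or the caller cannot read member, which is fail-closed for an access decision but worth logging separately from a plain “not a member”.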

Posted in Active Directory, Random Tecnical Stuff | 5 Comments »

ADFS with a one-way trust

Posted by BPuhl on May 9, 2008

One of the nice things about ADFS is its ability to work throughout your trust realm.  Within MS IT, we have a single ADFS instance joined to our REDMOND domain in our main internal forest.  However, we have 7 production forests, with a total of 17 production domains.

Fortunately, the requirements for ADFS are fairly simple and intuitive:

  • The user has to be able to authenticate to an ADFS server
  • The ADFS server needs to be able to query the user’s domain, to read the attributes that go into the user’s token.

Thinking about it this way, it’s easy to see that with a full mesh of two-way trusts between the forests, a single ADFS instance will work for users regardless of which domain their account resides in.

Posted in ADFS | Leave a Comment »

Posted by BPuhl on May 8, 2008

Even the most complex systems work in PowerPoint

Posted in Quotes | Leave a Comment »

Did you see my blog? (let me e-mail it to you)

Posted by BPuhl on May 8, 2008

There is this fascinating trend internally at Microsoft.  Well…ok…maybe not fascinating, but definitely a trend!

A while back, faced with the “Mini-Microsoft’s” and “Scobles” of the world, the powers that be decided to set up internal blogs, where people could post things for other employees, without necessarily airing our dirty laundry to the rest of the world (what fun that would be, I have no idea).  Many of the managers have picked up on this, and periodically will post about something that’s going on in the org.

The interesting trend though, is that in addition to posting their blog – they also e-mail the content, usually with the subject line similar to “Hey, I’ve posted something new to my blog!”, to everyone in their org.

The part of blogs that I like the most is the “If you don’t like it, don’t read it” mentality that you can have.  This was one of the reasons I moved my blog from TechNet to WordPress: to eliminate the expectation that every post had to be technical, or about AD, or something like that… It’s empowering to be able to rant, vent, or observe random things and then write about them.  But I wouldn’t ever send out e-mails to all of my friends telling them that I posted something new.  That’s what RSS is for…

and seriously, if I didn’t want to read the blog post before you sent me a mail…I’m most certainly not going to want to read it afterwards…

Posted in Rants | 1 Comment »

On death and De-Perimeterization

Posted by BPuhl on May 6, 2008

Two co-workers just published an excellent article in Network World describing how we “really feel” about network-based access controls.

Price is a security architect in MS IT, and Dan is an Identity Architect on the same team that I am.  Both are ridiculously smart guys, who (obviously) wax poetic. 🙂

http://www.networkworld.com/columnists/2008/050208-jericho-forum.html

Posted in 21st Century, Random Tecnical Stuff | Leave a Comment »

Need a hook-up…please…don’t…be…offline…please

Posted by BPuhl on May 5, 2008

Sitting in Tully’s this morning, working on some documentation, when this whirlwind comes flying through the door, lands in the first available chair, and flips open the laptop.

While she’s obviously waiting for her machine to do something (log in, come out of sleep, I don’t know…)  I made the comment, “You look like you’re on a mission for a good internet connection…”

“Yeah, thank god for free wireless!”

Just as quickly, the laptop slapped shut, and out the door.

Posted in Randomness | Leave a Comment »

trustDirection Attribute Enumeration

Posted by BPuhl on May 2, 2008

Sitting in a coffee shop in Seattle – which is where I can usually get the most work done – helping a friend out by throwing together a VBScript that will enumerate all of the trusts for all domains in a forest.  Not rocket surgery by any means, but one thing I thought would be nice to include is the direction of the trust, which is held in the aptly named trustDirection attribute of the trustedDomain object.

Exploring a little through CORP, I was basically able to guess what the values meant, since I know what our forest/trust structure looks like, but since the attribute is just a number, I wanted to make sure I had all of the options.  I followed my instincts straight to my favorite search engine and queried for the attribute, which promptly landed me on the MSDN page; previous experience told me this was going to get me nowhere, because normally all you get is version information and a little about the structure of the attribute.

So, much to my surprise, down at the bottom in the Community Content section, Joe Richards had put the information that people would actually want and use.

[image: screenshot of the MSDN Community Content section listing the trustDirection values]

So thank you Joe – for updating the documentation with the information which is actually relevant and useful.
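As an added example, here is a PowerShell equivalent of the enumeration described above; it is not the VBScript from the original post. It walks every domain in the current forest, reads each trustedDomain object, and decodes trustDirection using the TRUST_DIRECTION_* values defined in MS-ADTS (0 disabled, 1 inbound, 2 outbound, 3 bidirectional). The function names are assumptions; it has to run as a forest user on a domain-joined machine.

```powershell
# Added example (not the post's script): enumerate trusts for every domain in
# the forest and decode the trustDirection attribute. Value names follow
# MS-ADTS TRUST_DIRECTION_*; function names are assumptions.

function ConvertFrom-TrustDirection {
    # trustDirection is relative to the domain that holds the trustedDomain
    # object: Inbound means the partner trusts this domain, Outbound means this
    # domain trusts the partner, Bidirectional is both.
    param([int]$Value)
    switch ($Value) {
        0       { 'Disabled' }
        1       { 'Inbound' }
        2       { 'Outbound' }
        3       { 'Bidirectional' }
        default { "Unknown($Value)" }
    }
}

function Get-ForestTrustDirection {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        # trustedDomain objects live under CN=System of each domain; a subtree
        # search from the domain root picks them up.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain.GetDirectoryEntry())
        $searcher.Filter = '(objectClass=trustedDomain)'
        $searcher.PageSize = 500
        foreach ($attr in 'trustPartner', 'trustDirection', 'trustAttributes') {
            [void]$searcher.PropertiesToLoad.Add($attr)
        }
        foreach ($hit in $searcher.FindAll()) {
            $raw = [int]$hit.Properties['trustdirection'][0]
            New-Object PSObject -Property @{
                Domain          = $domain.Name
                Partner         = [string]$hit.Properties['trustpartner'][0]
                Direction       = ConvertFrom-TrustDirection $raw
                TrustDirection  = $raw
                TrustAttributes = [int]$hit.Properties['trustattributes'][0]
            }
        }
    }
}

# Usage: one row per trustedDomain object, per domain.
Get-ForestTrustDirection |
    Sort-Object Domain, Partner |
    Format-Table Domain, Partner, Direction, TrustDirection, TrustAttributes -AutoSize
```

Each domain holds its own trustedDomain objects, so a two-way trust between two domains in the same forest shows up twice (once from each side), and forest trusts appear only on the forest root domain. The raw trustAttributes value is carried along because it is where the transitivity and forest-trust flags live, but decoding it is a separate exercise.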

Posted in Active Directory | 1 Comment »