BPuhl’s Blog

A little bit of everything without actually being much of anything

Archive for January, 2009

Identity Huh?

Posted by BPuhl on January 25, 2009

I’ve got a Windows Live ID.  I tried to re-activate the Hotmail mailbox that would go with it.  The activation errors out and says “click here to go to the solutions center”.

When I get to the solutions center, I get a page with this message:

You have successfully logged in with Windows Live™ ID.

However, your Windows Live ID account is not currently linked to a Hotmail Online Solution Center account.

Create a Hotmail Online Solution Center account.
Please create one now by clicking the Create Account button


Seriously?  I’m logged in, but not logged in? 

As an identity management oriented type of guy…we need to do A LOT better than this.

Posted in Digital Identity, Identity and Access, Random Tecnical Stuff | Leave a Comment »

Win7 Client Beta

Posted by BPuhl on January 25, 2009

I’ve been running Win7 Beta on my laptop for a couple of weeks now.  In general, I can’t say enough about how much faster the machine is, especially booting up. 

Here’s some helpful hints that I’ve come across, some of them mine, others that have been pointed out for me:

MSN Messenger – If you want it back in the notification tray, which is where I’m used to it being – right click the shortcut and run in Vista compat mode.

RSAT Tools – Get them here, after you run the install you need to go to Programs and Features to turn them on

Show Desktop – It’s that extra box at the far right of the task bar, on the other side of the notification tray

Powershell v2 – It’s there – and it’s awesome.

About the only thing that I’ve decided I miss (and I haven’t gone back to figure out if it’s possible to change yet), is Sidebar.  Sidebar is still there, you just run the gadgets on the desktop.  But I really liked the ability to dock gadgets into an area that represented the edge of “full screen” when other windows were maximized.  I have started to get used to a partially compensating UI quirk though, which is that if you take a window and drag the top of it to the top of your screen, the bottom fills out to the bottom of your screen for you.  So it’s vertically maximized.

Posted in Random Tecnical Stuff, Win 7 | 1 Comment »

Sorry, it wasn’t THAT historic of a day

Posted by BPuhl on January 21, 2009

This morning Barack Obama was inaugurated as the 44th president of the United States.  Congratulations, now it’s time to get to work. 

Of course, I had to laugh at what my 4-year old daughter Anika had to say when Obama stepped up to take the oath of office.  Looking completely stunned, fixated on the television, completely frozen:

“Mom!  But…Dr. Martin Luther King is supposed to be DEAD!!!”

Ooops, not bad for a 4-year old, but kind of hilarious in its own way.

To put this in context, you have to remember that January 18th is MLK Day in the US.  Kids usually get a day off of school, and the week before there is usually a history lesson about the civil rights leader.  In her pre-school, they taught lessons about why he was important, how he stood up in front of millions of people, and gave a speech…  so you can see where this went.

Sorry honey, it isn’t THAT historic of a day.  Just a new President.

(why is this blog-worthy?  Heck, I don’t know…it’s probably not.  But I laugh when I think about it, which is about where my internal “do I publish” bar is located)

Posted in Anika, Quotes, Randomness | Leave a Comment »

Life Cycle Management of RODC Password Replication Policies

Posted by BPuhl on January 6, 2009

There’s a thread going around on the ActiveDir mailing list, around whether or not to manage the passwords of machine accounts the same way you manage user accounts.  In general, our approach to the problem has always been to view machine accounts as equivalent to user accounts, because at the end of the day a computer has the same rights on the network that an “authenticated user” would have.  Since we’re considering them the same, then the process for managing the Password Replication Policy (the definition of which passwords can be replicated to each RODC) should be the same for both machine accounts and users.  This is easy enough to say, but turns out to be pretty difficult to implement.  Even more so when you don’t necessarily know “where” (on the network) a user or machine may be at any given time.

This post is meant to give some insight into one way to manage the lifecycle of passwords which are cached on an RODC.  You can see that the process is somewhat complicated, and there aren’t any products that I’m aware of which do this automagically, so we’re all on our own when it comes to implementing, but at least this gives you some ideas for what you might want to try to do.

To start, remember that there are 6 attributes that are relevant in this case to RODCs and passwords:

msDS-Reveal-OnDemandGroup – Accounts who are allowed to be cached on the RODC

msDS-NeverRevealGroup – Accounts which are not allowed to be cached on the RODC

msDS-AuthenticatedAtDC – List of RODCs through which a user has successfully authenticated to a full DC

msDS-AuthenticatedToAccountList – List of accounts who have successfully authenticated to a full DC through the RODC

msDS-RevealedUsers – For an RODC, identifies the users (and computers) whose secrets have been replicated

msDS-RevealedDSAs – For a user, identifies which RODCs hold that user’s secrets

The goal of life cycle management of the PRP, is to allow a password to be cached on an RODC when a user (or machine) is known to be in a site, and then remove that account from the PRP when they are no longer in the site.  Also, remember that we don’t necessarily need to have the password pre-cached before a user/machine is in a site, because the WAN link is likely to be up when they first attempt to logon.

(for the rest of this post, assume that when I say “machine” or “user”, that I mean BOTH machine and user accounts)

To start with, we know that before a user logs on in a site for the first time, the RODC’s AuthenticatedTo attribute does not contain the user account, the user is not on the allowed to reveal list for that RODC, and the password is not cached (revealed).  In other words:
     AuthenticatedTo: Empty
     Allowed: No
     Revealed: No

After the first login at the site, the state of the attributes changes so that:
     AuthenticatedTo:  User is now on the list
     Allowed: No
     Revealed: No

Because we know the user is in the site, we want to perform 3 actions:
1.  Add their account to the Allow list in the PRP
2.  “Replicate with secrets” their account to the RODC to cache their password
3.  Clear the account out of the AuthenticatedTo list

     AuthenticatedTo: <removed>
     Allowed: Yes
     Revealed: Yes

We know that when a user changes their password, the password is cleared from the cache on the RODCs, so it’s no longer revealed; however they are still in the Allowed list, so it will be recached on their next logon.  The only thing we need to remember is that during that next logon attempt, the user will be added to the RODC’s AuthenticatedTo list again.  This happens because the user attempted to log on via his local RODC, but the password wasn’t cached.  So we know that periodically we’ll still end up with users who are in the AuthenticatedTo list and who are already on the Allow list AND who have re-cached their passwords.  That’s ok, just clear them out of AuthenticatedTo again and carry on.

The final case that we’re looking for though, is the case where users have moved out of the site, or machines have been decomm’d, or similar.  We can find these people by looking for the cases where users do not have their passwords revealed (they haven’t been cached), and they aren’t in the AuthenticatedTo list, but who are still on the Allow list inside the PRP.  These are the users who are allowed to be cached, but aren’t, and therefore should be removed.

By removing them from the Allow list, you’ll end up right back where we started, with:
     AuthenticatedTo: Empty
     Allowed: No
     Revealed: No

Each of the phases of the life cycle needs to have an environment-appropriate delay of some number of days.  Especially when removing from the PRP, otherwise you’ll continue on the vicious cycle every time someone takes a vacation and their password expires.  Of course, maybe in your environment, you WANT to remove them from the PRP.  Fortunately it’s AD replication, which generally speaking lends itself well to replicating changes.
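As an added example (not code from the original post), here is a Python model of the decision logic above: for one RODC’s view of each account, the three flags plus the number of days the account has sat in that state map to the next life-cycle step.  The deny-list check, the dwell times and the sample accounts are my assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    NONE = "no change"
    ADD_PRECACHE_CLEAR = "add to PRP allow list, replicate secret, clear AuthenticatedTo"
    PRECACHE_CLEAR = "replicate secret to RODC, clear AuthenticatedTo"
    CLEAR_AUTHENTICATED_TO = "clear AuthenticatedTo (already allowed and cached)"
    REMOVE_FROM_ALLOW = "remove from PRP allow list (no longer in site)"

@dataclass
class AccountState:
    name: str
    authenticated_to: bool  # listed in the RODC's msDS-AuthenticatedToAccountList
    allowed: bool           # covered by the RODC's msDS-Reveal-OnDemandGroup
    denied: bool            # covered by msDS-NeverRevealGroup (deny wins over allow)
    revealed: bool          # listed in the RODC's msDS-RevealedUsers
    days_in_state: int      # days this combination has been observed unchanged

@dataclass
class Delays:
    add_after: int = 1      # assumed dwell time before acting on a first logon
    remove_after: int = 30  # assumed; long enough to outlast vacation + password expiry

def next_action(s: AccountState, d: Delays) -> Action:
    """Decide the next PRP life-cycle step for one account on one RODC."""
    if s.denied:
        return Action.NONE  # never cache, no matter how often they log on here
    if s.authenticated_to and not s.allowed:
        # First logon from this site: the user is known to be here.
        return Action.ADD_PRECACHE_CLEAR if s.days_in_state >= d.add_after else Action.NONE
    if s.authenticated_to and s.allowed:
        # Logon reached a full DC although allowed, e.g. right after a password change.
        return Action.CLEAR_AUTHENTICATED_TO if s.revealed else Action.PRECACHE_CLEAR
    if s.allowed and not s.revealed:
        # Allowed but nothing cached and no logon through this RODC: probably gone.
        return Action.REMOVE_FROM_ALLOW if s.days_in_state >= d.remove_after else Action.NONE
    return Action.NONE  # initial state, or the steady allowed-and-cached state

def plan(states, delays=Delays()):
    return {s.name: next_action(s, delays) for s in states}

# Constructed sample of one RODC's view; not real directory data.
SAMPLE = [
    AccountState("alice", True, False, False, False, 2),    # first logon here
    AccountState("laptop01$", True, True, False, True, 0),  # recached after pw change
    AccountState("bob", False, True, False, False, 45),     # left the site long ago
    AccountState("carol", False, True, False, False, 5),    # vacation, pw expired
    AccountState("admin-svc", True, False, True, False, 9), # on the deny list
]
```

Running `plan(SAMPLE)` yields one action per account; carol stays untouched because her 5 days are below the removal delay, which is exactly the vacation case above.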

Confusing?  Probably a bit.  Here’s the (not so) pretty picture that I put together when I presented this at the Directory Experts Conference last year.  Hopefully this helps visualize it a bit:

[Image: PRP]

The point of this post is that while it may be challenging, there are Active Directory attributes on each RODC which give all of the information required to manage the password replication policy.  Now, this is somewhat intensive, especially as it needs to be performed for each RODC, which makes scaling a challenge when you have an environment like MSIT with 100+ RODCs.  Using tools like MIIS or ILM will definitely make things easier.

Clear as mud right?

~Brian

<edited 10:30pm:  I originally put AuthenticatedAt as the attribute on the RODC to look at, when that is the user attribute.  Corrected to be AuthenticatedTo>

Posted in Active Directory, Identity and Access, Random Tecnical Stuff | 2 Comments »

KWIIEE!

Posted by BPuhl on January 5, 2009

<for your own sake, you may want to stop reading now>

Way back when I was young and stupid (as opposed to now, being older and stupid), probably around 19 or 20 years old…I remember driving with some friends to go see the midnight showing of  Spike and Mike’s Sick and Twisted Animation Festival in Costa Mesa (I think).

Somewhere during the ensuing barrage of penis and barf jokes, Bambi and Godzilla, and No-Neck Joe clips, was this awesome little short that was a stop action done on a typewriter that went something like “primmyteetoota urm sku mu po gif mo KWIIEEE!!!”  This little skit stuck in my mind, filed away with all of the other good lines from movies that get pulled out in the middle of conversations (which most people recognize, and the rest just knowingly nod their head to mask the confusion)…  you know, things like, “We take off and nuke the entire site from orbit. It’s the only way to be sure…” and “1.2.3.4?!? The kind of thing an idiot would have on his luggage!”

Anyway, tonight it started snowing again, and Anika and I were all excited to have our 300th snowball fight of the year (defined as she picks up snow, and throws it at daddy) when I blurted out KWIIEEE!!!  Once I got her to sleep, I started poking around on the internets and not only was able to come up with enough correct search terms to find the website (http://www.primititootaa.com), with the correct spellings, history, original poems, blah, blah, blah…  but also was able to find the video on YouTube (Seriously, is there anything that they don’t have?)

So posting it to my blog so that I will never lose it again 🙂

And the full text from http://www.primititootaa.com/ursonate/primititootaatext.html

FFFFFFFF  MMMMMMMM  SSSSSSSS
Bw

Fums  bowo  tazaa  Uu
Uu  zee  Tee  Wee  Bee  Fumms

rakete  rinze  kete
rakete  rinze  kete
rakete  rinze  kete
rakete  rinze  kete

rakete  rinze  kete
rakete  rinze  kete
rakete  rinze  kete
rakete  rinze  kete

rakete  rinze  kete
rakete  rinze  kete
rakete  rinze  kete
rakete  rinze  kete

beeeeeeeeeeeeeeee  bo

Fo
bowo
Fummsbo
booro
Fummsbowo
boworotaa
Fummsbowotaazaa
boworotaazaaUu
FummsbowotaaZaaUu
boworotaaZaaUu             po
FummsbowotaaZaaUu    po
boworotaaZaaUu             pogiff
FummsbowotaaZaaUu    pogiff

Kwiiiee                    Kwiiiee

Dedesnn  nn  rrrrr  iiee  miff tilff  toooo
Dedesnn  nn  rrrrr
     desnn  nn  rrrrr
          nn  nn  rrrrr
                               iiee  miff  tilff  toooo
Dedesnn  nn  rrrrr  iiee  miff  tilff  toooo
Dedesnn  nn  rrrrr  iiee  miff  tilff  toooo  till
Dedesnn  nn  rrrrr  iiee  miff  tilff  toooo  tillll

Juu  Kaa?

Primiti Too Taa
Nnz  kkr  muu
pggiv  muu
Kwiiiee

Grim  Glim  Gnim          Bim  Bim
Grim  Glim  Gnim          Bim  Bim
Grim  Glim  Gnim          Bim  Bim
Grim  Glim  Gnim          Bim  Bim

Grim  Glim  Gnim          Bim  Bim
Grim  Glim  Gnim          Bim  Bim
Grim  Glim  Gnim          Bim  Bim
Grim  Glim  Gnim          Bim  Bim

Bum     Bim  Bim           Bam         Bim  Bim
Bum     Bim  Bim           Bam         Bim  Bim
Bum     Bim  Bim           Bam         Bim  Bim
Bum     Bim  Bim           Bam         Bim  Bim

Grim  Glim  Gnim         Bim Bim
Grim  Glim  Gnim         Bim Bim
Grim  Glim  Gnim         Bim Bim
Grim  Glim  Gnim         Bim Bim

Ta  Ta  Ta  Ta     Tuie  Tuie
Ta  Ta  Ta  Ta     Tuie  Tuie
Ta  Ta  Ta  Ta     Tuie  Tuie
Ta  Ta  Ta  Ta     Tuie  Tuie

Ta  Ta  Ta  Ta     Til  La  La  La
Ta  Ta  Ta  Ta     Til  La  La  La
Ta  Ta  Ta  Ta     Til  La  La  La
Ta  Ta  Ta  Ta     Til  La  La  La

Til  La  La  La     Tuie  Tuie
Til  La  La  La     Tuie  Tuie
Til  La  La  La     Tuie  Tuie
Til  La  La  La     Tuie  Tuie
Til  La  La  La     Tuie  Tuie

Tui  tui  tui  tui  tui  tui  tui  tui
tui  tui  tui  tui  tui  tui  tui  tui

Primiti  Too  Taa
Nnz  kkr  muu
Pggiv  muu

Beeeeeeeeeeeeeeeeee            Bo

Kwiiiee.

Posted in Randomness | 2 Comments »

HAPPY NEW YEAR!!!

Posted by BPuhl on January 1, 2009

May your 2009 be better than 2008 was, and almost as good as 2010 will be.

Posted in Randomness | Leave a Comment »