Posts Tagged ‘Active Directory’

Powershell: Set Logon Hours for all the users in an OU

August 11, 2009 afokkema 1 comment

With the script in this post you can set logon hours for a whole batch of users at once. All you have to do is set up the logon hours on one "template" user and put that user's name into the $template variable.

The other step is to define the $ou variable with the path to the OU. In my case this was ict-freak/Gebruikers.

The script then reads the logon hours from the template user and applies them to every user in the OU.

$template = "" # a user that already has the desired logon hours
$ou = ""       # the full path to your OU: "domainname/ouname1/ouname2"

# Get the logonHours attribute from the template user
$templateUser = Get-QADUser $template -IncludedProperties logonHours
[array]$logonHours = $templateUser.DirectoryEntry.logonHours

# Get all users in the OU
$users = Get-QADUser -OrganizationalUnit $ou

# Apply the template's logon hours to every user (-ObjectAttributes is the long form of -oa)
foreach ($user in $users) {
    Set-QADUser $user -ObjectAttributes @{logonHours = $logonHours}
}
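The script copies the raw logonHours attribute without looking inside it. As an added example (not part of the original post), the Python below decodes and encodes that 21-byte value so you can inspect what the template actually allows before pushing it to an OU, and list which accounts still differ from the template afterwards. It assumes the documented layout of the attribute: 168 bits, one per hour of the week, starting at Sunday 00:00 UTC, least-significant bit first within each byte. The template and user values are constructed sample data.

```python
# Added example: decode/encode the Active Directory logonHours attribute.
# Assumed layout: 21 bytes = 168 bits, bit 0 of byte 0 = Sunday 00:00 UTC,
# bits run LSB-first within each byte. Sample data below is constructed.
from typing import Dict, List, Set

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
LOGON_HOURS_LEN = 21  # 7 days * 24 hours / 8 bits per byte


def decode_logon_hours(blob: bytes) -> Dict[str, List[int]]:
    """Return {day: [allowed hours (UTC)]} for a raw logonHours value."""
    if len(blob) != LOGON_HOURS_LEN:
        raise ValueError(f"logonHours must be {LOGON_HOURS_LEN} bytes, got {len(blob)}")
    schedule: Dict[str, List[int]] = {day: [] for day in DAYS}
    for hour_of_week in range(24 * 7):
        byte_index, bit_index = divmod(hour_of_week, 8)
        if blob[byte_index] >> bit_index & 1:
            day, hour = divmod(hour_of_week, 24)
            schedule[DAYS[day]].append(hour)
    return schedule


def encode_logon_hours(schedule: Dict[str, List[int]]) -> bytes:
    """Inverse of decode_logon_hours: build the 21-byte attribute value."""
    out = bytearray(LOGON_HOURS_LEN)
    for day_name, hours in schedule.items():
        day = DAYS.index(day_name)
        for hour in hours:
            if not 0 <= hour < 24:
                raise ValueError(f"hour out of range: {hour}")
            byte_index, bit_index = divmod(day * 24 + hour, 8)
            out[byte_index] |= 1 << bit_index
    return bytes(out)


def is_logon_allowed(blob: bytes, day_name: str, hour: int) -> bool:
    """Check a single (day, hour in UTC) against the bitmask."""
    byte_index, bit_index = divmod(DAYS.index(day_name) * 24 + hour, 8)
    return bool(blob[byte_index] >> bit_index & 1)


def users_not_matching_template(template: bytes, users: Dict[str, bytes]) -> Set[str]:
    """Names of users whose logonHours differ from the template's value.
    Run it before the bulk change to see who will be affected, and after it
    to confirm every account in the OU actually received the template."""
    return {name for name, blob in users.items() if blob != template}


# Constructed sample data: a template allowing Mon-Fri 08:00-17:59 UTC,
# one user already matching it and one user with the AD default (24x7).
BUSINESS_HOURS = {day: (list(range(8, 18)) if day in ("Mon", "Tue", "Wed", "Thu", "Fri") else [])
                  for day in DAYS}
TEMPLATE_BLOB = encode_logon_hours(BUSINESS_HOURS)
ALWAYS_ALLOWED = bytes([0xFF] * LOGON_HOURS_LEN)
SAMPLE_USERS = {"alice": TEMPLATE_BLOB, "bob": ALWAYS_ALLOWED}

if __name__ == "__main__":
    for day, hours in decode_logon_hours(TEMPLATE_BLOB).items():
        print(f"{day}: {hours}")
    print("still differs from template:", users_not_matching_template(TEMPLATE_BLOB, SAMPLE_USERS))
```

Because the bits are in UTC, a schedule that looks like "08:00-18:00" in the ADUC dialog is shifted by your time-zone offset in the raw bytes; decoding the template first makes that visible before it is copied to everyone.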


I found this trick here: http://www.powergui.org/thread.jspa?threadID=7860

Powershell: Add User to a lot of Groups

April 14, 2009 afokkema 1 comment


Update: Dmitry Sotnikov has posted a great article about the new cmdlets. You can read his post here. After reading Dmitry's post, I created a new script.

For some test purposes I created a new test user. This test user has to be a member of all my application groups in Active Directory. This job can easily be done with PowerShell and the Quest AD cmdlets.

# Add the user to every application group (GG_APL_*) it is not already a member of
$User = Read-Host ("Username")
Get-QADGroup -Name 'GG_APL_*' -NotContainsIndirectMember $User `
    | Add-QADGroupMember -Member $User


To verify the changes, you can run the following script:

# List the groups the user is now a direct member of
$User = Read-Host ("Username")
Get-QADGroup -ContainsMember $User | Select-Object Name

Debian: Samba with AD Authentication

April 7, 2009 afokkema 1 comment


This tutorial is a mix of other tutorials I found on the net. You'll find the other sites in the source list at the bottom of this post.

Remember:

Just change ICT-FREAK.LOCAL to your own domain and Debian5srv1 to the name of your Debian server.

Step 1: Update / Upgrade your Debian setup

apt-get update && apt-get upgrade

Step 2: Install the following packages:

apt-get install krb5-config krb5-user libkrb53 libpam-krb5 \
    samba-common samba winbind smbclient

Step 3:  Create a backup of the krb5.conf file.

mv /etc/krb5.conf /etc/krb5.conf.org

Edit the /etc/krb5.conf file with your favorite editor (nano or vi /etc/krb5.conf):

[logging]

default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log

[libdefaults]

default_realm = ICT-FREAK.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
clock_skew = 300
ticket_lifetime = 24h
forwardable = yes

[realms]

ICT-FREAK.LOCAL = {
kdc = dc01.ICT-FREAK.LOCAL
admin_server = dc01.ICT-FREAK.LOCAL
default_domain = ICT-FREAK.LOCAL
}

Step 4: Check if you can Authenticate a user against the Active Directory

debian5srv1:~# kinit administrator
Password for administrator@ICT-FREAK.LOCAL:

Step 5: Create a backup of the smb.conf file.

mv /etc/samba/smb.conf /etc/samba/smb.conf.org

Edit the /etc/samba/smb.conf file with your favorite editor (nano or vi /etc/samba/smb.conf):

[global]

workgroup = ICT-FREAK
realm = ICT-FREAK.LOCAL
load printers = no
preferred master = no
local master = no
server string = fileserver
password server = <ip-address from your DC>
encrypt passwords = yes
security = ADS
netbios name = debian5srv1
client signing = Yes
dns proxy = No
wins server = <ip-address from your DC>
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
auth methods = winbind

Step 6: Start Winbind and test the connection

/etc/init.d/winbind start

You can query the AD with the command wbinfo. The -u parameter returns all users. The -g parameter returns all groups.

debian5srv1:~# wbinfo -u
administrator
guest
support_388945a0
krbtgt

debian5srv1:~# wbinfo -g
BUILTIN+administrators
BUILTIN+users
helpservicesgroup
telnetclients
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
dnsadmins
dnsupdateproxy
dhcp users
dhcp administrators
wins users

Step 7: Add the Debian box to the Windows domain

debian5srv1:~# kinit administrator
Password for administrator@ICT-FREAK.LOCAL

debian5srv1:~# net ads join -U administrator
Joined 'debian5srv1' to realm 'ICT-FREAK.LOCAL'

Step 8: Now tell PAM that samba requires authentication and account from winbind. Add the following lines to /etc/pam.d/samba

auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so

We also need to edit the /etc/nsswitch.conf file so it will look like this:

passwd: compat winbind
group: compat winbind
shadow: compat

Test the new settings with: getent passwd. If everything is configured as it should be, you'll see the AD users.

Step 9: Create a share. First we need to create a folder:

mkdir -p /data/share

Change the permissions so the folder is writable:

chmod 777 /data/share

Open the /etc/samba/smb.conf file and paste the following lines:

[Share]
comment = Test Share
read only = no
path = /data/share
valid users = @"ICT-FREAK+domain users"

Restart the Samba service via:

/etc/init.d/samba restart

Step 10: Test the new share. Go to your Windows box and browse to the Debian box via \\debian5srv1

If everything is configured as it should be, you will see the following screen:



Sources:
http://www.simsonlai.org/samba-and-active-directory-authentication/
http://rubenleusink.com/debian-samba-filesharing-with-microsoft-active-directory-authentication-2008-10-07/
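Steps 5 and 9 above build the smb.conf by hand. As an added example (not from the original tutorial or from the Samba project), the Python below parses an smb.conf of that shape and reports the settings worth reviewing before the share goes live: that security = ADS and client signing are actually in effect, and that no share is writable without a valid users restriction or reachable as guest. The checks themselves are this example's own choices; the sample config is the tutorial's [global] and [Share] sections plus a constructed, deliberately weaker [Scratch] share so the checker has something to report.

```python
# Added example: review an smb.conf for settings a defender would want to
# see before exposing a share. The checks are this example's own choices;
# the [Scratch] share in the sample is constructed to show a weak setting.
import configparser
from typing import Dict, List

SAMPLE_SMB_CONF = """
[global]
workgroup = ICT-FREAK
realm = ICT-FREAK.LOCAL
security = ADS
encrypt passwords = yes
client signing = Yes
winbind use default domain = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000

[Share]
comment = Test Share
read only = no
path = /data/share
valid users = @"ICT-FREAK+domain users"

[Scratch]
path = /data/scratch
read only = no
guest ok = yes
"""

YES = ("yes", "true", "on")
NO = ("no", "false", "off")


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like; option names may contain spaces, '=' is the only delimiter."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(text)
    return cfg


def check_smb_conf(text: str) -> Dict[str, List[str]]:
    """Return {section: [finding, ...]} for the sections that need review."""
    cfg = parse_smb_conf(text)
    findings: Dict[str, List[str]] = {}

    glob = cfg["global"] if cfg.has_section("global") else {}
    problems: List[str] = []
    if glob.get("security", "").lower() != "ads":
        problems.append("security is not ADS, so the domain is not used for authentication")
    if glob.get("client signing", "").lower() in ("", "disabled") + NO:
        problems.append("client signing is off or unset")
    if glob.get("encrypt passwords", "yes").lower() in NO:
        problems.append("encrypt passwords = no sends cleartext passwords")
    if problems:
        findings["global"] = problems

    for name in cfg.sections():
        if name == "global":
            continue
        share = cfg[name]
        problems = []
        if not share.get("path"):
            problems.append("no path configured")
        if share.get("guest ok", "no").lower() in YES:
            problems.append("guest ok = yes allows unauthenticated access")
        writable = (share.get("read only", "yes").lower() in NO
                    or share.get("writable", "no").lower() in YES)
        if writable and not share.get("valid users"):
            problems.append("writable share without 'valid users': any authenticated user "
                            "can write (subject only to file-system permissions)")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for section, problems in check_smb_conf(SAMPLE_SMB_CONF).items():
        for problem in problems:
            print(f"[{section}] {problem}")
```

The section lookup is case-sensitive ("[global]" as written in the tutorial); Samba itself treats section names case-insensitively, so normalise the names first if you point this at a config that uses "[Global]".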


Script: Powershell script for changing the AD Home Dir and Drive

November 6, 2008 afokkema Leave a comment


Suppose you are in the middle of a migration to another file server or, for example, a NetApp filer, and you also want to migrate all home directories. That means you have to update Active Directory as well. There are several ways to do this. I chose to look at the Quest ActiveRoles add-in for PowerShell, which turned out to be quite powerful, as you can see in the small script below:


Before you can use this script you need a PC that is a member of the domain and has PowerShell and the Quest AD cmdlets installed. Then you can run the script as follows:

PS Scriptdir> .\Change_Home_Dir_drive.ps1


Afterwards you can check in Active Directory whether the script ran successfully.


EventID: 213 LicenseService

November 3, 2008 afokkema Leave a comment

You may get the following error in eventvwr.msc.


After some googling I came across the following KB article: KB296681. This article explains step by step how to fix it.

Step 1: open Active Directory Sites and Services and select the site where the server is located. Then click Licensing Site Settings.


In this case the Computer and the Domain were invalid. I corrected them, and after the next replication the error should no longer appear.


How To: Ubuntu in a Windows Domain

October 26, 2008 afokkema Leave a comment

In this "How To" you'll read how easy it has become to add an Ubuntu 8.04 machine to a Windows domain.

First you need to install and configure likewise-open. This goes as follows:

  • sudo apt-get update
  • sudo apt-get install likewise-open
  • sudo domainjoin-cli join ubuntu.lnx.lab Administrator
    (ubuntu.lnx.lab is the FQDN of the domain; Administrator is an administrator account in AD)
  • sudo update-rc.d likewise-open defaults
  • sudo /etc/init.d/likewise-open start
  • sudo reboot -n

After the Linux machine has rebooted you can log in with Domain\Userid


In the Terminal you can check with the whoami command whether everything is correct:


If you now look in Active Directory on the Domain Controller, you'll see the Linux box in the Computers container:


Source: http://bobbyallen.wordpress.com/2008/05/23/how-to-join-ubuntu-804-to-windows-active-directory-domain/

Microsoft: Active Directory Design Considerations

October 2, 2008 afokkema Leave a comment


Mark Wilson has written a series of articles about designing an Active Directory.

Source: http://www.markwilson.co.uk/blog/

LDAP Query

August 14, 2008 afokkema 1 comment

In my environment we still work with two different login scripts. I wanted to know which users that were still enabled had the old login script attached. You can find out by running the following LDAP query in Active Directory Users and Computers.


The query below returns all users with the login script login.bat whose account status is enabled:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(scriptPath=login.bat))


The following LDAP query does almost the same as the one above, but returns the people whose account status is disabled:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(scriptPath=login.bat))


In Active Directory Users and Computers the query is entered on the Advanced tab of a custom search.

Helped along by the following KB article: KB827754
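The two queries differ only in whether the userAccountControl clause is negated, and the odd-looking :1.2.840.113556.1.4.803: part is the LDAP_MATCHING_RULE_BIT_AND rule: the clause matches when the attribute ANDed with 2 (UF_ACCOUNTDISABLE) is non-zero. As an added example (not part of the original post), the Python below builds both filters from parameters, escapes the scriptPath value per RFC 4515 so a value containing * or parentheses cannot change the filter's meaning, and re-implements the bitwise test locally over constructed sample entries so the logic can be checked without a domain controller. The entries are simplified: a real objectCategory is a DN that AD resolves from the short name, and objectClass is multi-valued.

```python
# Added example: build the ADUC filters from parameters (with RFC 4515
# escaping) and evaluate the UF_ACCOUNTDISABLE bitwise test locally.
# The sample entries are constructed and simplified, not real directory data.
from typing import Dict, List

UF_ACCOUNTDISABLE = 0x0002                       # userAccountControl "account is disabled" bit
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def ldap_escape(value: str) -> str:
    """Escape the characters that are special in an LDAP filter value (RFC 4515)."""
    replacements = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(replacements.get(ch, ch) for ch in value)


def users_with_script_filter(script_path: str, enabled: bool) -> str:
    """Filter for user objects with the given scriptPath, either enabled or disabled."""
    disabled_clause = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})"
    if enabled:
        disabled_clause = f"(!{disabled_clause})"
    return ("(&(objectCategory=person)(objectClass=user)"
            f"{disabled_clause}(scriptPath={ldap_escape(script_path)}))")


def matches(entry: Dict[str, object], script_path: str, enabled: bool) -> bool:
    """Local re-implementation of what the DC evaluates for the filter above."""
    is_user = entry.get("objectCategory") == "person" and entry.get("objectClass") == "user"
    uac = int(str(entry.get("userAccountControl", 0)))
    is_disabled = bool(uac & UF_ACCOUNTDISABLE)  # the :1.2.840.113556.1.4.803: semantics
    return is_user and (is_disabled != enabled) and entry.get("scriptPath") == script_path


def select_users(entries: List[Dict[str, object]], script_path: str, enabled: bool) -> List[str]:
    """sAMAccountNames of the entries the filter would return."""
    return [str(e["sAMAccountName"]) for e in entries if matches(e, script_path, enabled)]


# Constructed sample directory entries (not real accounts).
SAMPLE_ENTRIES: List[Dict[str, object]] = [
    {"sAMAccountName": "alice", "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 512, "scriptPath": "login.bat"},       # NORMAL_ACCOUNT, enabled
    {"sAMAccountName": "bob", "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 514, "scriptPath": "login.bat"},       # 512 | 2: disabled
    {"sAMAccountName": "carol", "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 66048, "scriptPath": "newlogin.bat"},  # enabled, other script
    {"sAMAccountName": "srv01$", "objectCategory": "computer", "objectClass": "computer",
     "userAccountControl": 4096, "scriptPath": "login.bat"},      # workstation trust account
]

if __name__ == "__main__":
    print(users_with_script_filter("login.bat", enabled=True))
    print("enabled with login.bat:", select_users(SAMPLE_ENTRIES, "login.bat", True))
    print("disabled with login.bat:", select_users(SAMPLE_ENTRIES, "login.bat", False))
```

The same bitwise rule works for the other userAccountControl flags (for instance 65536 for "password never expires"), so the builder generalises beyond the disabled check shown in the post; only the constant passed into the clause changes.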

Microsoft: Health Checks on Domain Controllers

June 4, 2008 afokkema Leave a comment

Brian W. McCann has written a short post about Health Checks on Domain Controllers.

Below are the tools he describes:

Dcdiag.exe /v >> c:\temp\pre_dcdiag.txt
This is a must and will always tell you if there is trouble with your DCs and/or services associated with it.

Netdiag.exe /v >> c:\temp\pre_Netdiag.txt
This will let me know if there are issues with the networking components on the DC. This along with the post test also is a quick easy way to ensure the patch I just installed is really installed (just check the top of the log)

Netsh dhcp show server >> c:\temp\pre_dhcp.txt
Some may not do this but I've felt the pain of a DHCP server somehow not being authorized after a patch. This allows me to verify the server count and names.

Repadmin /showreps >> c:\temp\pre_rep_partners.txt
This shows all my replication and if it was successful or not. Just be aware that Global Catalogs will have more info here than a normal domain controller.

repadmin /replsum /errorsonly >> c:\temp\pre_repadmin_err.txt
This is the one that always takes forever but will let you know who you are having issues replicating with.

Source: http://www.adminprep.com/articles/default.asp?action=show&articleid=101

Microsoft: Infrastructure Planning and Design

February 29, 2008 afokkema Leave a comment

Overview

Infrastructure Planning and Design guides share a common structure, including:

  • Definition of the technical decision flow through the planning process.
  • Listing of decisions to be made and the commonly available options and considerations.
  • Relating the decisions and options to the business in terms of cost, complexity, and other characteristics.
  • Framing decisions in terms of additional questions to the business to ensure a comprehensive alignment with the appropriate business landscape.

These guides complement product documentation by focusing on infrastructure design options.
Each guide leads the reader through critical infrastructure design decisions, in the appropriate order, evaluating the available options for each decision against its impact on critical characteristics of the infrastructure. The IPD Series highlights when service and infrastructure goals should be validated with the organization and provides additional questions that should be asked of service stakeholders and decision makers.
IPD consists of the following downloadable packages:

  • Infrastructure Planning and Design Series Introduction
  • Selecting the Right Virtualization Technology
  • Microsoft SoftGrid Application Virtualization
  • Windows Server Virtualization (for Windows Server 2008 Hyper-V and Virtual Server 2005 R2 SP1)
  • New! Windows Deployment Services
  • New! Windows Server 2008 Active Directory Domain Services
  • New! Windows Server 2008 Terminal Services

The guides are available as individual downloads or as a single all-in-one package.
Send questions or feedback to us directly at SATfdbk@microsoft.com

System Requirements
  • Supported Operating Systems: Windows Server 2003; Windows Vista; Windows XP
  • These download files work with the following Office programs:
    • Microsoft Office Word 2007 (.docx)
    • Microsoft Office Word 2003 (.doc)
    • A Word viewer such as Word Viewer 2003.

Instructions

  1. To start the download, select a file from the list of Files in this Download on this page.
  2. Save the .zip file to your preferred location on your computer.

Additional Information

Solution Accelerators are free, scenario-based guides and automations designed to help IT professionals who are proactively planning, deploying, and operating IT systems using Microsoft products and technologies. Solution Accelerator scenarios focus on security and compliance, management and infrastructure, and communication and collaboration.
More Information about the Solution Accelerator Notifications Newsletter
Register to receive the Solution Accelerator Notifications newsletter so that you can stay informed about new Solution Accelerator releases and updates. The newsletter covers such areas of interest as:

  • Communication and Collaboration
  • Security, Data Protection, and Recovery
  • Deployment
  • Operations and Management

You may also receive invitations to participate in accelerator development via beta programs and customer surveys. Solution Accelerator Notifications is currently available in English only.

You can download the documents over here: http://www.microsoft.com/downloads/