Skip to main content


Showing posts from 2013

LDAP and SAN Certificates

Hey everyone - I ran across an interesting problem with certificates and services. The problem was that I needed to see which certificate is being presented to the client on a non-HTTPS service; specifically - binding to LDAP over SSL (LDAPS). So the question is, how can you be sure what certificate is being presented?

Windows, so far as I've been able to find, does not offer any native help in this regard. Luckily there is a solution, but first let me give you a slightly longer description of the scenario so you can appreciate what we're talking about a little bit better.

An environment exists with some number of Domain Controllers, let's say ten. Within this environment, third party applications (think Java apps, Linux systems, etc) need to bind to LDAP to enumerate groups or validate authentication or whatever. These systems, however, can only have a single (or at best, two) LDAP hosts configured. What do you do? Pick two DCs? Round-Robin DNS?

Well, in my case, a load-b…

HomeDirectory name inconsistency and LDAP Query weirdness

Recently I was doing some work where I had to archive some home directories of people who were no longer associated with the company. A typical configuration looks something like this:

User:samAccountName  -> \\Server\Home\%username%

Such that the samAccountName property has the same name as the directory in whatever home share is being used.

What I ran up against, though, was that over the years - through marriages or divorces or other personal reasons, sometimes people would request that their username be changed. The company I was working with sometimes accommodates these requests. My job was to identify if any of the home folders were associated with accounts that had different names.

For example - consider this timeline:

1. User bjones is created with home directory \\Server\Home\bjones
2. bjones gets married and her account name is changed to bsmith

Now user bsmith has \\server\home\bjones for her home directory. This typically isn't a problem technically but administrativ…

Net User and Reset Password Delegation

Hey Folks - I ran into an interesting issue recently where a user who has been given the right to change the password for another domain user, could not do so.  Let me give you a bit of background.

I have a user (let's call him "Account Owner") who manages another account that is used to bind to Active Directory (over LDAPS). Let's call that account "Bind User".  So, Account Owner has the rights to change the password for Bind User.

I told the Account Owner that he could issue the following command to change the bind_user account password:

Net User Bind_User * /domain

I informed him that this command would prompt him for a new password and he could manage the account that way (so he didn't need to install any additional management tools). I told him that this should work from any computer to which he is currently logged on.  The problem, as it turns out, was that I was wrong.  But why?

To answer that question, I configured one of my labs so that I can re…

Get-Help vs Help - the paging/pager inconsistency

When I'm teaching PowerShell to folks, I often like to use the full name of the cmdlets - get-help instead of 'help', get-childitem instead of 'dir'. You get the idea.

I do this to help drive home the verb-noun syntax and because I can't necessarily expect everyone to know the shortcuts that I tend to use.

Well, the problem that I'm about to describe hasn't come up too much - but its annoying and I finally decided to take a minute and figure out what's going on.

The Problem (Powershell 2.0 or 3.0) In powershell, if I issue the command:
get-help <cmdlet> -full
then I get a wall of text that is not paged (where paging is that "-- More  --" at the bottom of the screen that allows me to read a page at a time.
To be honest, I'd never really spent more than a second thinking about this annoyance because it seemed so trivial, but since I'm in the midst of putting together a curriculum for a powershell class, it got a little more impo…