In continuing to audit a network, the number of accounts in Active Directory did not match employee records, nor previous asset records.

While using the interval variable for lastLogonTimeStamp will find accounts that have not logged on in a specific time period, it will not find accounts which have never logged on. The following queries will find them:

• (&(objectCategory=Computer)(!lastLogonTimeStamp=*)(!userAccountControl:1.2.840.113556.1.4.803:=2))
• (&(objectCategory=User)(!lastLogonTimeStamp=*)(!userAccountControl:1.2.840.113556.1.4.803:=2))

We have all been in the position where we have started a new job with an existing organization where security was somewhat lax. Inevitably during the process of locking the network down you have to deal with the VPN / Dial-up access problem.

The first step is to determine who already has access. This is fairly easy to accomplish using LDAP filters.

• (&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))

This filter will show you all of the user accounts that have Allow Access checked for Remote Access on the Dialin Tab of the ADUC MMC.

When trying to export a mailbox to a PST, I received the following error in ExMerge :

Error opening message store (MSEMS). Verify that the Microsoft Exchange Information Store service is running and that you have the correct permissions to log on. (0x8004011d)

I verified the account I was using to export the mailbox had full control over the database per http://www.microsoft.com/technet/prodtechnol/exchange/guides/UseE2k3RecStorGrps/1ed0d5af-7dff-4cc3-9a05-f46d292ac5f4.mspx. This did not seem to help.

What I finally ended up doing to resolve the problem was detaching the mailbox from the user account and reattaching it. (Remove Exchange Attributes) For some reason this seemed to work.

Update:
I have also discovered this will happen when trying to export the mailbox on an account that is disabled. If your security policy allows, enable the account to export mailbox.

This week I was faced with finding a way to clean up a few of the query based distribution lists that were created by a previous consultant group. The major problem with the queries is that they didn't take into account the dynamics of organizational turn over. The query based DL's were configured to send to every object that had an email address in that exchange store for each OU. This meant that NDR's (Non Deliverable Reciepts) were being sent for every disabled account in those OU's.

Without addressing the business rules of user account retention, I adjusted the LDAP filters to check the disabled flag on the userAccountControl. Now the queries will only send email to active accounts.

• Global All Users Distribution List
  (&(&(&(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(homeMDB=*)(msExchHomeServerName=*))))))))

Over the last month I have been working more intensely with Windows 2003 Active Directory. In this process I have found the need to create custom filters to make finding objects and updating security policies easier. So thought it would be helpful to others to share my set of custom filters.

To use these filters you need to open the ADUC snap in and right click on Saved Queries. Select 'New' then 'Query'. Click the 'Define Query' button. A new window will open. In the Find drop down menu, choose 'Custom Search', and click the 'Advanced' tab. Paste the query into the textbox and select 'OK'. Now you can give your query a name and click 'OK' again. You should immediately see the results of your query in the right hand window portion of the snap in.

• Locked out Accounts
  (&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295)(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)))
• All Contacts
  (&(objectClass=contact))
• All Users
  (&(objectCategory=User)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!objectClass=Contact))
• Disabled User Accounts
  (&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2))
• Account Passwords Never Expire
  (&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))
• User Accounts Inactive for 60 Days
  (&(&(objectCategory=User)(lastLogonTimeStamp<=XXX)(!userAccountControl:1.2.840.113556.1.4.803:=2)))
  
  This filter requires a bit of massaging to get it to work correctly. I modified a vbscript to produce the correct number of 100 nanosecond intervals between January 1, 1601 and 60 days prior to the current date. I found the script; however, I can not remember to whom the credit should be long. The Get_60_Day_Interval.vbs script will respond with a message box with the correct long integer you need. You will then need to replace XXXX in the filter with that number (e.g. 127578167790000000). 

Dim dtmDate, dbl100NanoSecs Const MAXIMUM_PASSWORD_AGE = 60 dtmDate = DateAdd("d", -MAXIMUM_PASSWORD_AGE, Now()) dbl100NanoSecs = 10000000 * (DateDiff("s", "1/1/1601", dtmDate)) dbl100NanoSecs = FormatNumber(dbl100NanoSecs, 0, False, False ,0) WScript.Echo ("Value for query = " & dbl100NanoSecs)
Get_60_Day_Interval.vbs

• Disabled Computer Accounts
  (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))
• All Computer Accounts
  (&(objectCategory=computer)(name=*))
• Windows XP Computers
  (&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows XP*))
• Windows Server 2003
  (&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=*Server 2003))
• Windows 2000 Server
  (&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Server 2000*))
• Windows NT
  (&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows NT*))
• Windows 2000
  (&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows 2000*))
• Windows Server 2003 no Service Packs
  (&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=*Server 2003)(!operatingSystemServicePack=*))
• Windows XP no Service Packs
  (&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows XP*)(!operatingSystemServicePack=*))
• Windows 2000 no Service Packs
  (&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows 2000*)(!operatingSystemServicePack=*))
• Computer Accounts Inactive for 60 Days
  (&(objectCategory=Computer)(lastLogonTimeStamp<=XXXX)(!userAccountControl:1.2.840.113556.1.4.803:=2))
  
  Again this filter uses the Get_60_Day_Interval.vbs script. You will then need to replace XXXX in the filter with that number (e.g. 127578167790000000)

• All Distribution Groups
  (&(objectCategory=group)(sAMAccountType=268435457))
• Mail Enabled Groups
  (&(objectCategory=group)(mail=*)(!sAMAccountType=268435457))
• All Empty Groups
  (&(&(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))(objectCategory=group)(!member=*)))

I received my copy of Visual Studio 2005 Team Suite, Team Foundation Server, and SQL Server 2005 Developer Edition.

I was considering just upgrading everything this weekend... but I am taking a class in C# this summer. So... here come the virtual machines.

More on these when I get then installed.

A couple of weeks ago I decided I would jump ahead and install SP1. Being the technically savvy person I am, I also decided to forgo the practice of reading before installing.

Everything was working fine for approximately one week. And for no apparent reason known to me, my server lost all connectivity. I couldn't even ping it. So I logged into the console and much to my surprise I couldn't even ping my gateway from the server. Of course I checked the network cable. Rebooted my switch. Still nothing.

Thanks to Google, I found out that there were some serious changes to security in SP1. After about 6 hours of wrestling with Exchange, SQL, and all the other applications I had running on the server, everything was working again. Did I mention I had to turn off Windows Firewall and re-enable it for the settings to take? Didn't think so.

So about 4 AM this morning (I guess 4AM because that was the last email I received), something happened and my server lost Internet connectivity again. I was at work before I knew this though. So when I got home I started going through the normal troubleshooting... network cable, nic, Ipconfig... and nothing stood out. I could ping with no problem. So I checked the Windows Firewall and the Security Config Wizard to see if I missed something. Nada.

About 4 hours of off and on troubleshooting, I took a look back at the ipconfig /all and saw there were two IP's. One for each NIC. One was supposed to be disabled. It was on, and had an IP... even though it had no cable plugged in. Weird I though... checked the Nic setting and there staring me in the face was my answer. Microsoft Network Load Balancing was enabled.

This wrecked havoc on my AD, DNS, and DHCP. Not to mention SQL and Exchange were flipping out as well. So I disabled NLBS, and went about fixing AD, DNS, and DHCP. Once internal name resolution was working again, SQL and Exchange stopped throwing errors.

Sometimes what seems like a perfectly good idea, in the end comes back to haunt you.

I ordered my copy of Visual Studio 2005 Beta 2 weeks ago. Apparently I ordered it at the wrong time. It has been on Back Order since then.

Today though I received an overly formal email letting me know that my copy had shipped and would arrive in 2-3 weeks. What method of shipping takes 2-3 weeks? And from where is it coming?

I am looking forward to getting it. I have Visual Studio 2002 which I purchased from school and there are some road blocks I have run into in developing my website. I just have to figure out the impact using 2005 with the 2.0 FrameWork will have on my webserver.

Up next is the SQL 2005 release!

I needed to determine what the real TimeZone (CST vs CDT) was for my blog application. So here is what I came up with:

// instantiate a DateTime Object
DateTime dT = DateTime.Now;

// create a string to hold the full date and time
string pubDate = dT.ToLongDateString() + " " + dT.ToShortTimeString();

// determine if daylights savings and add the appropriate TimeZone
if(TimeZone.CurrentTimeZone.IsDaylightSavingTime(dT))
{
 pubDate += " CDT";
}

else
{
 pubDate += " CST";
}

Granted I am really cheating and not using the full capabilities of the DateTime Class. But time is of the essence and I needed working code without a lot of testing to get the "right code".