Retrieving object details from Active Directory

Obtaining any type of info from your Directory Services requires scripting if you’re using the native tools. There’s an easier and faster way: you can use third-party Active Directory solutions like the Active Directory Manager or Active Directory Reporter.
So let’s compare the two approaches. Let’s try to get something simple… say, “User” details:
1- Scripting. OK, we’re not big fans of scripting around here. Still, let’s follow this through, painful as it is:
using System;
using System.DirectoryServices;
using System.Web.UI.WebControls;

// Runs inside an ASP.NET page: drpUsersList, txtSearchEmployee, _filterAttribute
// and the LoginName/FirstName/... fields are members of that page.
public void GetUserDetails()
{
    try
    {
        drpUsersList.Items.Clear();
        ListItem li = new ListItem("-- Users List --", "");
        drpUsersList.Items.Add(li);

        string _path = "LDAP://Your Domain Name";
        _filterAttribute = txtSearchEmployee.Text;

        // DirectorySearcher(string) takes a filter, not a path; bind a
        // DirectoryEntry to the domain and hand it in as the search root.
        using (DirectoryEntry root = new DirectoryEntry(_path))
        using (DirectorySearcher dSearch = new DirectorySearcher(root))
        {
            // Escape the typed value (RFC 4515) so '(' ')' '*' and '\' in a name
            // are matched literally; the trailing '*' is the intended prefix match.
            dSearch.Filter = "(&(objectClass=user)(givenName=" + EscapeLdapFilterValue(_filterAttribute) + "*))";

            // FindAll() returns an IDisposable collection; dispose it to avoid leaking handles.
            using (SearchResultCollection results = dSearch.FindAll())
            {
                foreach (SearchResult sResultSet in results)
                {
                    LoginName = GetProperty(sResultSet, "cn");                        // Login Name
                    FirstName = GetProperty(sResultSet, "givenName");                 // First Name
                    MiddleInitials = GetProperty(sResultSet, "initials");             // Middle Name
                    LastName = GetProperty(sResultSet, "sn");                         // Last Name
                    Company = GetProperty(sResultSet, "company");                     // Company
                    State = GetProperty(sResultSet, "st");                            // State
                    City = GetProperty(sResultSet, "l");                              // City
                    Country = GetProperty(sResultSet, "co");                          // Country
                    Postalcode = GetProperty(sResultSet, "postalCode");               // Postal code
                    TelephoneNumber = GetProperty(sResultSet, "telephoneNumber");     // Telephone
                    Email = GetProperty(sResultSet, "mail");                          // Email
                    uniqueName = GetProperty(sResultSet, "mailnickname");
                    ListItem newitem = new ListItem(uniqueName, uniqueName);
                    drpUsersList.Items.Add(newitem);
                }
            }
        }
    }
    catch (Exception ex)
    {
        Response.Write(ex.Message);
    }
}

// Returns the first value of the named attribute, or "" when the result lacks it.
public static string GetProperty(SearchResult searchResult, string PropertyName)
{
    if (searchResult.Properties.Contains(PropertyName))
    {
        return searchResult.Properties[PropertyName][0].ToString();
    }
    return string.Empty;
}

// Escapes the characters RFC 4515 reserves inside a filter assertion value.
// The backslash is replaced first so the escapes it introduces are not re-escaped.
public static string EscapeLdapFilterValue(string value)
{
    return value.Replace("\\", "\\5c")
                .Replace("*", "\\2a")
                .Replace("(", "\\28")
                .Replace(")", "\\29")
                .Replace("\0", "\\00");
}

2- Active Directory Manager/Active Directory Reporter. First off: NO SCRIPTING. Once you log in through the web interface (that’s your browser), it’s pretty easy to obtain any details about User objects. It’s a 3-step process taking virtually seconds: click on the “Reports Tab/User reports”, click “General Reports” and then “All Users”. In the next screen, search for the user you’re looking for, and the Active Directory Manager will display all the User details.
The script in the first example is quite simple. By all accounts, if you want to do anything more involved in AD, the script is only going to get more complicated. And we all know that the longer the script is, the more chances you have of something going wrong.
In today’s world, you have to simplify your IT. Why add more complexity to your environment?
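The script above builds its LDAP filter from the text typed into the search box. As an added example (not from the original post), here is the RFC 4515 escaping that such a value needs so that parentheses, asterisks and backslashes in a name are matched literally instead of being read as filter syntax; it is written in Python so it runs stand-alone, and the `build_user_filter` and `syntactic_parens` helper names are this example's own.

```python
# Added example: RFC 4515 value escaping for the givenName prefix filter.

# Characters with syntactic meaning inside a filter assertion value.
# Each is replaced by a backslash and its two-digit hex code.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return value escaped so an LDAP server treats it as a literal string."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(given_name_prefix: str) -> str:
    """The page's filter with the user-typed prefix escaped.

    The trailing '*' is written by the code, not the user, and stays a
    wildcard so the query keeps its intended prefix-match behaviour.
    """
    return "(&(objectClass=user)(givenName=%s*))" % escape_filter_value(given_name_prefix)


def build_user_filter_raw(given_name_prefix: str) -> str:
    """Plain concatenation, kept only to compare structure with the escaped form."""
    return "(&(objectClass=user)(givenName=" + given_name_prefix + "*))"


def syntactic_parens(ldap_filter: str) -> int:
    """Count '(' characters the server will parse as filter structure.

    Escaped parentheses appear as \\28 / \\29 and are not counted, so a
    correctly built two-assertion AND filter always yields 3.
    """
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed sample: a typed value that happens to contain reserved characters.
    typed = "Smith (Contractor)"
    print(build_user_filter(typed))      # 3 syntactic parens, name matched literally
    print(build_user_filter_raw(typed))  # 4 syntactic parens: the filter's shape changed
```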

Group Policy best practice analyzer tool

This tool has been available for about a year or so. Many people are aware of it, but we talk to many other IT folks who either chose to ignore it or are simply unaware of it.
According to Microsoft, you can use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect data about an environment’s Group Policy configuration. For example, you can use this tool to analyze a Group Policy configuration for the following purposes:
• To search for common configuration errors
• To discover and to diagnose problems
• To collect data for archiving
The account that you use to run the tool must have the appropriate permissions to access both the Active Directory database on an environment’s domain controllers and the SYSVOL file structure that is maintained on those domain controllers. Additionally, the account must have local Administrator permissions on the Group Policy client.
There are two additional prerequisites for using the GPDBPA tool:
• The Microsoft .NET Framework version 1.1 or a later version must be installed on the computer on which the GPDBPA tool is installed.
• The Windows Management Instrumentation (WMI) service must be running on the environment’s domain controllers.
Our Active Directory Manager has a robust built-in Group Policy management module. Contact us for more info about this or any of our other solutions.

Quick note about Group Policies – Server 2003 vs. Server 2008

A major issue in Server 2003 implementations of Group Policies is the huge amount of space they take up. For each Policy, there’s a corresponding .ADM file. The .ADM file supports only the English language, and it’s also 3.5MB in size. Not much, right? When you consider that for each policy you have, there’s a new .ADM file and another 3.5MB, you can see how this can get out of control. For example, let’s say you have 200 policies: that’s 700MB of extra data that you have to back up. Even if you only have 100 policies, that’s still 350MB.
Server 2008 offers a new way of dealing with this issue. In Server 2008 you can use ADMX files, which are based on XML and more lightweight by comparison. With the new ADML files, you now also have multiple language support.
The Active Directory solutions we provide will help with your Group Policies management. Contact us for more information.

Failed to access IIS metabase

When setting up the Active Directory Manager, some people may encounter issues related to the IIS setup.
The possible cause: when IIS is installed AFTER the .NET Framework 2.0, the rights of the ASPNET user have not been set correctly.
Suggested resolution: repair the .NET Framework 2.0 (or uninstall and reinstall it if the repair does not work for you).
You can run the following from the command line to reset the IIS registry settings for the ASPNET user. In most cases, the framework directory for the .NET Framework 2.0 resides under C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
Microsoft KB Resources
Contact us for more Active Directory help.

Audits- the necessary evil?

Most IT executives recognize the importance of a proper audit, yet audits can be a painful process for both the auditor and the IT organization. Audits give companies opportunities to improve, based on analysis and advice. How big (and complex) an audit should be depends on the risk priorities and thresholds, business objectives, differences in the operating environments and the overall audit objectives. The goal of the audit should not be to “make the auditor happy”, but to review and show how well the department meets the needs of the business.
Logging, reporting and monitoring are very important for both daily IT functions and audit processes. In an audit, logging provides a record of events related to IT processes; monitoring is important when trying to determine state changes and other significant events; reporting is the creation of reports, whether manual (on-demand) or automatic (scheduled). On the surface these may look like mundane activities, but in reality they are the most important tools for managerial oversight.
Applications such as the Active Directory Manager, Active Directory Change Notifier and the Active Directory Reporter help IT organizations prepare for audits and implement solid policies that will have long-term, positive effects on the enterprise. For example, the Active Directory Manager and Active Directory Reporter offer an extensive report library, ready to use right out of the box. IT users can customize those reports to satisfy even the most detailed audit requirements.
These applications help IT managers with their audits and provide the tools needed to successfully complete the process.

Identity and access management policies

In many cases, adding accounts for personnel and applications is tedious, and involves inputting information about a new hire by hand, which could take days in some instances. Even then, some users may not have access to the applications they need, and often will have to log in using a colleague’s name and password while access is requested, cleared and granted. This is a huge security black hole for the enterprise. Implementing identity and access management software is a security process improvement that is essential in today’s corporate environment.
Identity and access management can also play a role in compliance issues. Using the native tools, every audit involves the manual process of finding out who had access to what, who authorized that access, when it was authorized, and when they last reset their password. Using an identity and access management application like the Active Directory Manager or the Active Directory Reporter will vastly improve and automate your audit process.
You may think a departed employee is gone forever, but if your organization doesn’t have a comprehensive identity and access management plan, you may be in trouble. Failing to disable user accounts during the employee termination process is a gaping flaw in most companies. Weeks, months and even years after an employee has left, you can still see their names and personal information floating around. Compounding this security breach is the fact that in some cases, former employees’ accounts are still active. This access crisis can also happen when an employee changes jobs within the same company but retains access to applications and information that isn’t appropriate for their new job anymore. If an identity and access management policy is too lax, it can create data loss and security breaches, and if the policy is too strict, employees who need access will simply find a way around it and defy the set policy.
If you’d like to talk more about the identity and access management policies in place at your company, please contact us directly.