Jason Kresowaty's questions

For a subset of my users in /etc/passwd, I would like to configure PAM (on Linux) to do the password checking part of the logon against an LDAP server, ignoring that these users are actually are listed as disabled in /etc/passwd. Specially, /etc/passwd and /etc/group should be used in all cases for UID and GID so that properties such as uidnumber and gidnumber do not need to be added to the directory (here, Active Directory) unlike what is usually shown in documentation such as LDAP Implementation HOWTO.

Is this even possible (without custom PAM module development)? It is not feasible to add properties to the LDAP directory. I am not the Active Directory domain administrator, and escalating involvement to that level is out of the scope of this project. It is a case where the system is operational in an environment that is mostly Windows servers; it would be nice if designated Windows users could use their AD passwords on the system in question.

Depending on the user, the user should be checked by UNIX auth or LDAP auth, but not both. I may not add attributes to the users in Active Directory, but may add them to security groups (and actually would like to further require that the LDAP users be in a specific LDAP security group).

I am having an issue with RemoteApp through a Remote Desktop Gateway. The Remote Desktop Server and Gateway services are running on the same server running Windows Server 2012. The client is Windows 7 Professional. For the gateway web site, HTTPS is enabled, HTTP is disabled. UDP is also enabled on the gateway. Does not seem to be a network/firewall issue, but I could reconsider if this is a known explanation for this problem.

For this test, the application to be run is calc.exe.

1. Run the .rdp file. It prompts me with the certificate info, I click Connect, enter credentials, click OK. It connects and shows the calculator.
2. Close the calculator.
3. Wait for the connection to time out and drop from the Remote Desktop Server (e.g., a couple minutes). This can be verified in Server Manager.
4. Run the .rdp file. It prompts me with the certificate info, I click Connect. The certificate window disappears, but nothing further happens. The calculator does not launch.

It seems as if the client and server are in disagreement whether there is a usable connection still established.

No error message is displayed, and I could not find any error message in client or server event logs. Even if one waits many minutes thinking a timeout-related error message will eventually appear, none does. If I use Task Manager to end all instances of mstsc.exe, it will work again.

Hopefully, someone has seen these symptoms before!

The contents of the .rdp, with sensitive parts removed:

redirectclipboard:i:1
redirectprinters:i:0
redirectcomports:i:0
redirectsmartcards:i:0
devicestoredirect:s:
drivestoredirect:s:
redirectdrives:i:0
session bpp:i:16
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
remoteapplicationmode:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
videoplaybackmode:i:0
audiocapturemode:i:0
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:REMOVED.DOMAIN.LOCAL
alternate shell:s:||calc
remoteapplicationprogram:s:||calc
gatewayhostname:s:rdp.removed.com:removed
remoteapplicationname:s:calc
workspace id:s:REMOVED.DOMAIN.local
use redirection server name:i:1
audiomode:i:0
authentication level:i:0
username:s:DOMAIN\
alternate full address:s:REMOVED.DOMAIN.LOCAL
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,Alternate Shell,RemoteApplicationProgram,RemoteApplicationMode,RemoteApplicationName,Authentication Level,AudioMode,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect
signature:s:REMOVED

Are there any available "worksheets" out there (in Excel, PDF, etc. format) to help in planning firewall configuration? Looking for some way to systematically keep track of the machines, ports, etc. while planning how to set up an environment. I'm specifically using Windows Firewall, but a general-purpose worksheet would be fine.

The documentation contains the example:

New-ADServiceAccount service1 -DNSHostName service1.contoso.com -Enabled $true

This parameter is required. What exactly is the purpose of a DNSHostName and how should I decide what to set it to?

I am looking for a utility to which I can specify a directory to be recursively scanned. The utility should generate a batch file consisting of calls to icacls to reproduce the file and directory permissions under the specified path.

The icacls /save command is not suitable for this task particularly because it duplicates inherited permissions unnecessarily and it outputs SIDs instead of friendly account names.

When you create an account in Windows through the GUI, it is automatically added to the local Users group. It is possible to remove the account from this group. For example, when using the account for an IIS app pool, you can remove it from Users and add it to IIS_IUSRS. Or you can leave Users in place in this scenario. I've seen sysadmins do it both ways. What are the implications of each way? How do you decide?

When I remove a user from the Users group, I can still do the following commands:

runas /user:name cmd.exe
whoami /groups

Nonetheless, BUILTIN\Users is seemingly unexpectedly still displayed for this user. Where is this explained?

Is there any way to truly undo dcpromo? That is, a way that will restore all prior SAM accounts and passwords. Something less than a full drive backup?

A similar question (Will demoting a Windows Server 2003 Domain Controller reinstate local accounts?) asks if the demote command will automatically do this. This question asks if there is a way to pick up where it left off.

If I use runas /user:DOMAIN\user cmd.exe (using XP), previously mapped persistent network drives are considered unavailable. net use shows:

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
Unavailable  H:        \\SERVER\SHARE            Microsoft Windows Network

dir H: fails with "The system cannot find the path specified.".

The connection is easily revived with `NET USE H: \SERVER\SHARE': not asked for a password when I do this. What is going on? Can I make Windows safely revive this drive automatically when it is first accessed.

Is it possible to use URL Rewrite to provide more complex query string functionality than the "Append query string" checkbox that it has? Specifically, is it possible to specify the keys for certain query string parameters and have it only append those name value pairs.

For example, for the input:

http://www.example.org/test?alpha=1&beta=2&gamma=3

and the list of query string parameter keys: beta gamma

it should output: http://www.example.org/redirect?beta=2&gamma=3

(Note that the query string parameters in the input appear in arbitrary order.)

We are experiencing difficulty with a Windows Server 2003 that is connected to our network via a VPN.

Everything seems to work fine with this server except file share downloads to local machines.

The local machines are running Windows XP. Remote Desktop connections to the same server work great. Uploads to file shares also work acceptibly. (This is surprising because the network between us is actually rated higher for download than upload.)

When dragging and dropping files to the local system, there is a delay > 10 seconds before any progress bar activity. Download of files via the command prompt has the same characteristics. Delay is incurred for each file to be transferred, not once for the entire connection. I have tried ping address -f -l 1472 to verify that this is not a "black hole router" problem http://support.microsoft.com/kb/314825. Same delay regardless of whether a mapped drive or a UNC path is used or whether the connection is made by specifying the IP address instead of the host name. Disabling "NetBIOS over TCP/IP" also did not help. The registry does not have any advanced TCP/IP settings (such as MTU) altered from their defaults. I tried reducing MTU in the registry and that didn't help either.

Any ideas? Also, workarounds that involve adjusting the local XP machine configuration instead of the LAN/WAN or server configuration would be greatly appreciated, if possible.