Bulk Export Users From One Domain, and Import Into Another

KB ID 0000794 

Problem

I’ve written in the past about bulk importing users with CSVDE, but what if you want to move/migrate your users to another domain? You first need to export all the users, then import them into the new domain.

Solution

Step 1 Export Domain Users to CSV File

1. Here all my users are in one OU; if that OU has nested OUs within it, that’s OK.

2. The command to ‘export’ is as follows;

Note: You need to ‘run as administrator’.

[box]

csvde -d {LDAP Path} -f c:\filename.csv

Example

csvde -d "ou=Main-Site,dc=pnl,dc=com" -f C:\ExportedUsers.csv

[/box]

3. The users will be exported. If it fails at this point it will give you a descriptive error; CSVDE has been around for a while, so Google the error (most fixes are pretty simple).

4. Now open the CSV file with Excel. The second line will probably be the OU; you can leave this in if you want, but if your target OU is different (or, like me, you prefer to create it manually), delete row 2 (don’t delete row 1!).

5. You do not need all the columns; delete all the columns EXCEPT:

DN
objectClass
ou
distinguishedName
name
cn
sn
givenName
displayName
sAMAccountName
userPrincipalName

So when complete it should look like the following:

6. Change any details in the LDAP path that are different for the new domain.

7. You may also need to change the domain name listed in the userPrincipalName.
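Steps 4 to 7 are a hand-edit in Excel; as an added example (not part of the original article or of CSVDE), the script below does the same clean-up programmatically: it drops the organizationalUnit row, keeps only the columns listed above, rewrites the domain components in DN and distinguishedName, and swaps the userPrincipalName suffix. The sample export, the old/new domain names and the function names are constructed for the example; the column names are the ones the article says to keep.

```python
import csv
import io

# Columns the article says to keep, in the order CSVDE exports them.
KEEP_COLUMNS = ["DN", "objectClass", "ou", "distinguishedName", "name", "cn", "sn",
                "givenName", "displayName", "sAMAccountName", "userPrincipalName"]

# Constructed sample of a CSVDE export: one OU row (row 2 in Excel), one user row,
# plus an extra column (whenCreated) that a real export would include and we must drop.
SAMPLE_EXPORT = """\
DN,objectClass,ou,distinguishedName,name,cn,sn,givenName,displayName,sAMAccountName,userPrincipalName,whenCreated
"OU=Main-Site,DC=pnl,DC=com",organizationalUnit,Main-Site,"OU=Main-Site,DC=pnl,DC=com",Main-Site,,,,,,,20150101000000.0Z
"CN=Test User,OU=Main-Site,DC=pnl,DC=com",user,,"CN=Test User,OU=Main-Site,DC=pnl,DC=com",Test User,Test User,User,Test,Test User,tuser,tuser@pnl.com,20150101000000.0Z
"""


def rewrite_dn(dn, old_suffix, new_suffix):
    """Step 6: replace the trailing domain components of a DN, ignoring case."""
    if dn.lower().endswith(old_suffix.lower()):
        return dn[: len(dn) - len(old_suffix)] + new_suffix
    return dn


def rewrite_upn(upn, old_domain, new_domain):
    """Step 7: swap the UPN suffix (the part after '@') if it matches the old domain."""
    if "@" not in upn:
        return upn
    user, _, domain = upn.partition("@")
    if domain.lower() == old_domain.lower():
        return f"{user}@{new_domain}"
    return upn


def transform_export(csv_text, old_dn_suffix, new_dn_suffix, old_upn_domain, new_upn_domain,
                     drop_ou_rows=True):
    """Return the trimmed, re-domained CSV text ready for 'csvde -i' on the target domain."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out_rows = []
    for row in reader:
        # Step 4: skip the OU row(s) when the target OU is created by hand.
        if drop_ou_rows and (row.get("objectClass") or "").lower() == "organizationalunit":
            continue
        new_row = {}
        for col in KEEP_COLUMNS:           # Step 5: keep only the listed columns
            value = row.get(col) or ""
            if col in ("DN", "distinguishedName"):
                value = rewrite_dn(value, old_dn_suffix, new_dn_suffix)
            elif col == "userPrincipalName":
                value = rewrite_upn(value, old_upn_domain, new_upn_domain)
            new_row[col] = value
        out_rows.append(new_row)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=KEEP_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(out_rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Old and new domain values are placeholders for the example.
    print(transform_export(SAMPLE_EXPORT, "DC=pnl,DC=com", "DC=newdomain,DC=local",
                           "pnl.com", "newdomain.local"))
```

Run it against the real C:\ExportedUsers.csv by reading the file into `transform_export` and writing the result to a new file; check the output in Excel before importing, since any DN that does not end in the old suffix is left untouched.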

Step 2 Import Domain Users from CSV File

1. On the target domain (if you are not importing the OUs, make sure they already exist), the syntax for the import is;

[box]

csvde -i -f c:\filename.csv

[/box]

2. Your users should be imported.

3. By default they will be disabled, but you can bulk enable them.

4. At this point all the users have no password; this can also be bulk set.

Windows – Reset all User Passwords in an OU

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Policy NAT

KB ID 0001042

Problem

I’ve been working on a large firewall deployment for a client; each of their DMZs has both a production and a management network. Nothing particularly strange about that, but each DMZ’s management network is behind its own firewall and is routable from the LAN.

So if I’m an admin and I want to talk to a Linux appliance in their DMZ via its management interface, my traffic leaves the LAN through the management firewall, but the appliance sees my source IP as being on the LAN and routes the traffic back to me via the client’s production firewall.

Now the simplest way to fix it would be to put a static route on the appliance to route my traffic back via the management firewall, which is fine, BUT what if that appliance is the proxy server? Now I can administer it, but I can’t get on the Internet!

Note: I’m NOT performing NAT anywhere in this scenario!

Solution

Well, I could simply PAT the network my laptop is on, let’s say it’s 172.16.1.0/16, to the DMZ interface of the management firewall.

[box]

object network Admin_PCs
 subnet 172.16.1.10 255.255.0.0
 nat (inside,dmz) dynamic interface

[/box]

The problem with that is that it will translate all traffic from my laptop’s subnet going into this DMZ, and I might not want to do that.

Solution Pre ASA 8.3

We used to have a really simple way of solving this problem, ‘policy-based NAT’: you specify a set of conditions with an ACL, then anything that matches that ACL is tied to a specific NAT rule.

[box]

access-list POLICY-NAT permit ip host 172.16.1.10 11.11.11.11 255.255.255.0
!
static (inside,outside) interface access-list POLICY-NAT

[/box]

Solution Post 8.3

To do the same now, the syntax is a little different. To demonstrate, I have built a small lab in GNS3. If I want the internal host to talk to the DMZ host, I want the traffic, when it gets there, to ‘appear’ to have come from 192.168.131.1.

If I ‘ping’ the DMZ router from the Host router and capture the traffic with Wireshark when it gets there, I see it’s coming from its actual IP address.

To NAT this traffic use the following commands;

[box]

For a Single IP

object network obj-Host
 host 11.11.11.10
!
object network obj-DMZ
 host 192.168.131.10
!
nat (inside,DMZ) source static obj-Host interface destination static obj-DMZ obj-DMZ

For the Entire Subnet

object network obj-Host-LAN
 subnet 11.11.11.0 255.255.255.0
!
object network obj-DMZ-LAN
 host 192.168.131.10
!
nat (inside,DMZ) source dynamic obj-Host-LAN interface destination static obj-DMZ-LAN obj-DMZ-LAN

[/box]

Now repeat the process and ping the DMZ host again.

Now when I capture the traffic, the source IP has changed accordingly.

Related Articles, References, Credits, or External Links

NA

Cisco ASA – View The Contents of an Object and Object-Group

KB ID 0001043 

Problem

My colleague loves the ASDM; I put up with it and prefer the command line. We were troubleshooting a problem the other day and he said, ‘There, this is why I prefer the ASDM: just hover over an object-group and it will show you the contents of it.’

Now if (like my test firewall above) you only have a few hosts, then I don’t see the point, but if you have a very complicated config with hundreds of object-groups and thousands of hosts, even troubleshooting why host ‘x’ can’t get to server ‘y’ on port ‘z’ can be a painstaking process.

So I dropped to CLI and tried to do the same;

[box]

Petes-ASA(config)# show object-group Obj-ALL-PROD-DMZ
                                   ^
ERROR: % Invalid input detected at '^' marker.

Petes-ASA(config)# show object-group network Obj-ALL-PROD-DMZs
                                           ^
ERROR: % Invalid input detected at '^' marker.

[/box]

Solution

View Contents of an Object Group

Turns out you need to use the ‘id’ parameter, or it won’t work;

[box]

Petes-ASA(config)# show object-group id Obj-ALL-PROD-DMZs
object-group network Obj-ALL-PROD-DMZs
 network-object 192.168.110.0 255.255.255.0
 network-object 192.168.121.0 255.255.255.0
 network-object 192.168.130.0 255.255.255.0
 network-object 192.168.141.0 255.255.255.0
 network-object 192.168.140.0 255.255.255.0
 network-object 192.168.210.0 255.255.255.0
 network-object 192.168.220.0 255.255.255.0
Petes-ASA(config)#

[/box]

I’ve been using that a lot this week.

View Contents of an Object

If you try to do the same for an object, you will get nothing; you need to add the run keyword as follows;

[box]

Won't Work!
Petes-ASA# show object id Internal_RDP_Server
object-group Internal_RDP_Server does not exist
Petes-ASA#

Use 'run'
Petes-ASA# show run object id Internal_RDP_Server
object network Internal_RDP_Server
 host 192.168.100.10

[/box]
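The reason for wanting the contents in the first place was answering ‘is host x actually in object-group y?’ across hundreds of groups. As an added example (not part of the original article and not an ASA feature), the script below parses the text of the ‘show object-group id’ and ‘show run object id’ output shown above and reports which objects or groups contain a given address. The sample output is constructed from the article’s format with an extra ‘host’ member and a nested ‘network-object object’ reference added so every line form is exercised; the function names are the example’s own.

```python
import ipaddress
import re

# Constructed sample: the output shape of 'show run object id' and 'show object-group id'
# from the article, pasted together, with one host member and one nested object added.
SAMPLE_OUTPUT = """\
object network Internal_RDP_Server
 host 192.168.100.10
object-group network Obj-ALL-PROD-DMZs
 network-object 192.168.110.0 255.255.255.0
 network-object 192.168.121.0 255.255.255.0
 network-object 192.168.130.0 255.255.255.0
 network-object host 192.168.141.5
 network-object object Internal_RDP_Server
"""


def parse_asa_objects(text):
    """Map each object / object-group name to a list of ip_network members.

    Handles 'host A', 'subnet A M', 'network-object A M', 'network-object host A'
    and 'network-object object NAME'. Nested references are resolved against objects
    already seen, which covers the single-level nesting in the sample.
    """
    objects = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object(?:-group)? network (\S+)$", line)
        if m:                                   # start of a new object or group
            current = m.group(1)
            objects.setdefault(current, [])
            continue
        if current is None:                     # prompt lines, errors, etc.
            continue
        m = re.match(r"(?:network-object )?host (\S+)$", line)
        if m:                                   # single host -> /32
            objects[current].append(ipaddress.ip_network(m.group(1)))
            continue
        m = re.match(r"network-object object (\S+)$", line)
        if m:                                   # nested object reference
            objects[current].extend(objects.get(m.group(1), []))
            continue
        m = re.match(r"(?:network-object|subnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", line)
        if m:                                   # address + dotted netmask
            objects[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return objects


def containing_groups(ip, objects):
    """Return the names of every object / object-group whose members contain ip."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in objects.items() if any(addr in n for n in nets))


if __name__ == "__main__":
    parsed = parse_asa_objects(SAMPLE_OUTPUT)
    for probe in ("192.168.121.37", "192.168.100.10", "10.1.1.1"):
        print(probe, "->", containing_groups(probe, parsed) or "not in any object")
```

Paste the output of several ‘show object-group id’ commands into one file and feed it to `parse_asa_objects`; the same address lookup then tells you every group a host belongs to, which is the part that gets painful by hand once the config has thousands of hosts.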

Related Articles, References, Credits, or External Links

Original article written 25/03/15