Bulk Creating Users For Your Test Network

KB ID 0000784 

Problem

Update Jan 2023: Feel free to use this Bulk-Create-AD-Users-Script (just remember to change the domain details in the ‘Global Variables’ section) to give you 1000 users, with sensible names, addresses etc.

Having a test network is great for both learning and testing. I’ve got some major migrations coming up in the next few months, so I’m in the process of running up some new test servers. I usually run a quick .vbs file like this;

[box]

' Bind to the Users container of the current domain
Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Users," & _
    objRootDSE.Get("defaultNamingContext"))

' Create UserNo1 .. UserNo1000 (disabled, with no password)
For i = 1 To 1000
    Set objLeaf = objContainer.Create("User", "cn=UserNo" & i)
    objLeaf.Put "sAMAccountName", "UserNo" & i
    objLeaf.SetInfo
Next
WScript.Echo "1000 Users created."

[/box]

Save that as createusers.vbs and run it on your domain controller and it will churn out 1000 users (named UserNo1 – UserNo1000). They will be disabled, with no passwords, but that can be rectified with a few mouse clicks.

But I want something a little more realistic, so I found a random name generator, and decided to write a script to create 1000 users that were a little more ‘lifelike’.

Solution

1. Download this zip file, and extract it to your desktop. To run the script you will need to set your Execution Policy with the following command;

[box]

Set-ExecutionPolicy Unrestricted

[/box]

2. You will need to change a couple of lines in the newusers.ps1 file: open it with Notepad and change the domain details to match yours;

[box]

# Bind to the target container; change the DN to match your domain
$TargetOU = [ADSI]"LDAP://CN=Users,DC=pnl,DC=com"
# usernames.csv has the columns: login, First, Last, password
foreach ($user in Import-Csv usernames.csv)
{
    $newUser = $TargetOU.Create("user", "cn=" + $user.login)
    $newUser.Put("sn", $user.Last)
    $newUser.Put("DisplayName", $user.First + " " + $user.Last)
    $newUser.Put("givenName", $user.First)
    $newUser.Put("sAMAccountName", $user.login)
    $newUser.Put("userPrincipalName", $user.login + "@pnl.com")
    # The object must exist in AD before a password can be set
    $newUser.SetInfo()
    $newUser.SetPassword($user.password)
    # 512 = NORMAL_ACCOUNT with the ACCOUNTDISABLE bit clear, i.e. an enabled account
    $newUser.Put("userAccountControl", 512)
    $newUser.SetInfo()
}

[/box]

3. Change directory to the folder containing your script and run it; it will pull the user details from the usernames spreadsheet;

[box]

cd Desktop/New_Users
./Newusers.ps1

[/box]

4. Look in Active Directory and there are your new users.
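The same import done with the ActiveDirectory module instead of raw ADSI, as an added example that is not the article’s newusers.ps1. It assumes the RSAT ActiveDirectory module is installed, that usernames.csv (columns login, First, Last, password) is in the current folder, and the same CN=Users,DC=pnl,DC=com target; it skips logins that already exist and forces a password change at first logon.

```powershell
# Added example, not the article's newusers.ps1: the same CSV driven into the
# ActiveDirectory module (assumes RSAT is installed and usernames.csv, with the
# columns login, First, Last and password, is in the current folder).
Import-Module ActiveDirectory

$targetOu  = 'CN=Users,DC=pnl,DC=com'   # change to match your domain
$upnSuffix = 'pnl.com'

foreach ($user in Import-Csv -Path .\usernames.csv) {
    # A login that already exists would otherwise abort the run with an error;
    # skip it and carry on with the rest of the file.
    if (Get-ADUser -Filter "sAMAccountName -eq '$($user.login)'") {
        Write-Warning "Skipping $($user.login): sAMAccountName already exists"
        continue
    }

    $params = @{
        Name                  = $user.login
        SamAccountName        = $user.login
        UserPrincipalName     = "$($user.login)@$upnSuffix"
        GivenName             = $user.First
        Surname               = $user.Last
        DisplayName           = "$($user.First) $($user.Last)"
        Path                  = $targetOu
        # The CSV password is only an initial value: the account is created
        # enabled (the article's userAccountControl 512) but must change it at logon.
        AccountPassword       = (ConvertTo-SecureString $user.password -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $true
    }
    New-ADUser @params
}
```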

Bulk Creating Mailboxes for your Users

Now I’ve got my users in AD, I want them all to have a mailbox, so a quick PowerShell command;

[box]

Get-User -OrganizationalUnit "pnl.com/users/" -ResultSize Unlimited | Enable-Mailbox -Database "Mailbox-Database"

[/box]

It will throw out the odd error (e.g. if it finds users that are already mail-enabled); that’s OK.

Related Articles, References, Credits, or External Links

NA

Exchange: ‘Can’t find the Organizational Unit that you specified’

KB ID 0001561

Problem

I’ve not actually seen this myself, but it was asked on a forum, and I managed to replicate it on the bench. When working on a user or mailbox in Exchange you may see the following error;

Error
Can’t find the organisational unit that you specified, Make sure that you have typed the OU’s identity correctly

Solution

This happens because there is a slash ‘/’ in the name of the Organisational Unit that the user object is inside in Active Directory, like so;

Rename the OU to something more sensible!

Why does this happen? It’s because when there’s a slash in the OU name, like ‘MyOU/Name’, it gets rejected by the system, as programmatically it should be ‘MyOU\/Name’.

I Don’t Have a Forward Slash in My OU Name, and I’m Still Seeing this Error?

Make sure your user is NOT in a ‘Container’ rather than an OU. In the example above you can see the icon for ‘Users’ is different from the icon for ‘PNL’ or ‘Test’; that’s because this is NOT an OU, it’s a container. Move your user to an OU, then try again. Note: This can happen to the Administrator account as well, because that’s in a container called ‘Builtin’.
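As an added check (example code, not part of the original article), the functions below split a user’s distinguished name into its RDNs and report both conditions described above: an OU name containing a forward slash, and a parent that is a container (CN=) rather than an OU. The sample DNs at the end are constructed for illustration.

```powershell
# Added example (not from the original article). Splits a distinguished name into its
# RDNs, honouring RFC 4514 backslash escapes, and then flags the two conditions the
# article describes: an OU whose name contains '/' and a parent that is a container (CN).
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rdns    = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $escaped = $false
    foreach ($ch in $DistinguishedName.ToCharArray()) {
        if ($escaped)        { [void]$current.Append($ch); $escaped = $false }   # keep escaped char raw
        elseif ($ch -eq '\') { $escaped = $true }                                # drop the escape itself
        elseif ($ch -eq ',') { $rdns.Add($current.ToString()); [void]$current.Clear() }
        else                 { [void]$current.Append($ch) }
    }
    $rdns.Add($current.ToString())
    return $rdns
}

function Test-ExchangeOuPath {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rdns     = Split-DistinguishedName -DistinguishedName $DistinguishedName
    $findings = @()
    # The first RDN is the object itself; every later OU/CN is a parent to inspect.
    foreach ($rdn in ($rdns | Select-Object -Skip 1)) {
        $type, $value = $rdn -split '=', 2
        switch ($type.Trim().ToUpper()) {
            'OU' {
                if ($value -match '/') {
                    $exchangeForm = $value -replace '/', '\/'
                    $findings += "OU '$value' contains a forward slash: Exchange expects it as '$exchangeForm', so rename the OU."
                }
            }
            'CN' { $findings += "'$value' is a container (CN=), not an OU: move the object into an OU." }
        }
    }
    return $findings
}

# Constructed sample DNs exercising each case the article describes.
Test-ExchangeOuPath 'CN=Pete,OU=MyOU/Name,OU=PNL,DC=pnl,DC=com'   # slash in the OU name
Test-ExchangeOuPath 'CN=Administrator,CN=Users,DC=pnl,DC=com'     # object sits in a container
Test-ExchangeOuPath 'CN=Pete,OU=Test,OU=PNL,DC=pnl,DC=com'        # clean OU path, no findings
```

To run it against a live directory, feed it the DistinguishedName property of the affected user from Get-ADUser.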

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Remote IPSEC VPN With the NCP Entry Client

KB ID 0001260 

Problem

I’ve covered Cisco IPSEC Remote VPNs a long time ago, and I’ve also blogged about the Cisco IPSEC VPN Client Software. Yes you can get the Cisco VPN Client Working on Windows 10, but can you imagine rolling that out to a few hundred users?

The bottom line is that Remote Cisco IPSEC VPN is a dead technology; Cisco (and me!) want you to use AnyConnect. For a couple of users you can use the workarounds above, but that won’t scale well. So if you don’t want to ditch IPSEC VPN, then you will have to go with third-party software to connect to your device. In this example I will use the NCP Secure Entry Client.

Solution

Configure the ASA. I’ve done this to death in the past (read the links above), so here’s the config (taken from a firewall running version 9.x) to copy and paste in.

[box]

!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set TS-IPSEC-VPN esp-3des esp-sha-hmac
!
ip local pool PNL-POOL-IPSEC 192.168.198.1-192.168.198.254 mask 255.255.255.0
!
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
!
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 192.168.100.10
 vpn-simultaneous-logins 3
 default-domain value petenetlive.com
!
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
 address-pool PNL-POOL-IPSEC
 default-group-policy IPSEC-VPN
 authentication-server-group LOCAL
tunnel-group IPSEC-VPN ipsec-attributes
 ikev1 pre-shared-key Cisco123456
!
crypto dynamic-map DYNAMIC-CRYPTO-MAP 65535 set ikev1 transform-set TS-IPSEC-VPN
!
crypto map CRYPTO-MAP 65535 ipsec-isakmp dynamic DYNAMIC-CRYPTO-MAP
!
crypto map CRYPTO-MAP interface outside
!
crypto ikev1 enable outside
!
object network OBJ-IPSEC-SUBNET
 subnet 192.168.198.0 255.255.255.0
!
nat (inside,outside) source static any any destination static OBJ-IPSEC-SUBNET OBJ-IPSEC-SUBNET no-proxy-arp route-lookup
!

[/box]

Points to Note:

  • I’m using 3DES and SHA1 for Phase 1 (ISAKMP) and Phase 2 (IPSEC).
  • The network behind my ASA is 192.168.100.0/24.
  • I’ve allocated 192.168.198.0/24 to my remote VPN clients. (If you have a complicated network, ensure this is routable from the LAN back to the firewall!)
  • I’ve enabled split tunnelling.
  • My interfaces are called inside and outside; yours might be different!
  • Crypto Map Warning: If you already have a crypto map applied to the outside interface, use the name of the existing one (i.e. NOT CRYPTO-MAP) or your existing VPNs will stop working! Issue a ‘show run crypto map’ command to check.
  • I have not enabled PFS. (If I had, it would have been in the crypto map.)

Configure NCP Entry Client

OK, it’s not free, but you do get a 30-day trial to give it a test run and see if you like it. Once installed and rebooted, launch the software. Configuration > Profiles > Add/Import > Link to Corporate Network Using IPSEC > Next

Note: As indicated below, if you have a PCF file you can import that.

Give the profile a name i.e. ‘Connection to Office’ > Next > Communication Medium = LAN (over IP) > Next > Gateway = Public name or IP of your Cisco ASA > User ID details is the username and password that you need to enter to connect. (Note: Not the Group name and pre-shared key) > Next.

Usernames should be supplied by your firewall admin (tell them to issue a ‘show run | begin username’ command).

Exchange Mode = Aggressive Mode > PFS Group = {blank} > Next > Local Identity IKE Type = ‘Free string used to identify groups’ > ID = {Your Tunnel Group-Name} > Shared Secret = {Your Group Pre-Shared-Key} > Next.

Tunnel group name and Pre-Shared Key also need to be given to you by your firewall admin. Ask them to run ‘more system:running-config | begin tunnel-group’ if they don’t know.

Change IP Address Assignment to IKE Config Mode > Next > Firewall (leave it off) > Finish.

OK > Click switch to enable.

It Won’t Work?

On the client you can go to Help > Logbook to see what the problem is.

On the firewall, ‘debug crypto isakmp 255’ will debug Phase 1 and ‘debug crypto ipsec sa 255’ will debug Phase 2.

Related Articles, References, Credits, or External Links

NA

OWA 2016 – Change Login From Domain\Username to Username

KB ID 0001254 

Problem

Out of the box, if you want to log into Outlook Web App, you need to use the Domain\Username format, like so;

Seeing as how Microsoft are making a big song and dance about using UPNs to log into Office 365, I thought they might have changed from the NT4 way of doing things, but hey, what do I know?

As we all know, users are stupid, and Domain\Username is up there with string theory and quantum mechanics. So how do you change the format to simply Username?

Solution

Log into the Exchange Admin Center > Servers > Virtual Directories > Locate OWA > Edit.

Authentication Tab > Use Forms Based Authentication > User name only > Browse > Select your domain > OK > OK.

Now on the server that’s hosting the OWA Website you need to Restart IIS.

[box]iisreset /noforce[/box]

Now your users can authenticate with just their username.

Exchange Admin Center Logon Note

This will also change the login method for the Exchange Admin Center website (ECP), because by default it has this set in its properties;

Related Articles, References, Credits, or External Links

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

KB ID 0001175 

Problem

I always forget the syntax for this, and I’ve been meaning to publish this for a while, so here you go. If you have AAA set up and people can’t log in, then the ability to test authentication against a user’s username and password is a good troubleshooting step!

Usually I’m on a Cisco ASA but I’ll tag on the syntax for IOS as well.

Solution

Cisco ASA Test AAA Authentication From Command Line

You will need to know the server group and the server you are going to query. Below, the ASA is using LDAP, but the process is the same for RADIUS, Kerberos, TACACS+, etc.

[box]

Petes-ASA# show run | begin aaa
aaa-server TEST-LDAP-SERVER protocol ldap
aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10
 ldap-base-dn dc=TEST,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=asa,OU=Users,OU=Test-Corp,dc=TEST,dc=net
 server-type auto-detect

[/box]

To test your user, (username: ttester password: Password123);

[box]

Petes-ASA# test aaa-server authentication TEST-LDAP-SERVER host 192.168.110.10 username ttester password Password123
INFO: Attempting Authentication test to IP address  (timeout: 12 seconds)
INFO: Authentication Successful

[/box]

Cisco ASA Test AAA Authentication From ASDM

Log into the ASDM > Configuration > Device Management > Users/AAA > Select the Server Group > Select the Server > Test.

Select ‘Authentication’ > Enter Username/Password > OK.

Cisco IOS Test AAA Authentication From Command Line

As above, you need to know which server group, and server, you are going to test authentication against;

[box]

Petes-Router#show run aaa
!
aaa authentication login default local
aaa authorization exec default local
!
aaa group server radius RADIUS-GROUP
 server-private 192.168.110.10 key 666999
!
aaa new-model
aaa session-id common
!

[/box]

[box]

Petes-Router#test aaa group RADIUS-GROUP tester Password123 legacy
Attempting authentication test to server-group RADIUS-GROUP using radius
User was successfully authenticated.

OR

Petes-Router#test aaa group RADIUS-GROUP tester Password123 new-code
User successfully authenticated

USER ATTRIBUTES

Framed-Protocol 0 1 [PPP]
service-type 0 2 [Framed]
noescape 0 True
autocmd 0 " ppp negotiate"
Petes-Router#

[/box]

Related Articles, References, Credits, or External Links

Cisco ASA – AnyConnect Authentication via LDAP and Domain User Groups

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

Cisco ASA 5500 Client VPN Access Via Kerberos (From CLI)

Set Cisco ASA for Kerberos Authentication

Event ID 9323

KB ID 0000481 

Problem

Seen when an Exchange server attempts to build the Offline Address book but encounters an error.

Source: MSExchangeSA
Event ID: 9323
Task Category: (13)
Level: Warning
Keywords: Classic
Description:
Entry ‘{Username}’ has invalid or expired e-mail certificates. These certificates will not be included in the offline address list for ‘Global Address List’.

Solution

1. Go to a domain controller, launch “Active Directory Users and Computers”, select View and enable “Advanced Features”. Locate the username reported in the error (in this example it’s the administrator), and on the properties for that user locate the “Published Certificates” tab.

If you can’t see the published certificates tab you are probably on the Exchange Server and NOT on a domain controller.

2. You will see that this user has a certificate, which you can inspect by pressing the “View Certificate” button. In this case we can see that the certificate has expired.

3. I didn’t need to renew this certificate, so I simply removed it.

Then rebuild the Offline Address Book

1. Launch the Exchange Management Console > Organization Configuration > Offline Address Book tab > Right click “Default Offline Address Book” > Update.

2. Select “Yes” when prompted.

3. Wait a few minutes, then re-check the server application log to make sure it now completes without error.

Related Articles, References, Credits, or External Links

NA

VMware error on HP Proliant “Host Baseboard Management Controller status”

KB ID 0000418 

Problem

Saw this today on a HP Proliant DL380 G7 Server.

Solution

1. It’s a simple one to solve: the server was built with the HP ESXi build, and the management agents are complaining because the iLO is not connected to the network.

2. When you connect the iLO socket to the network the alarm should change as shown below.

3. Once you have connected or disabled it you can reset the alarm.

4. Take the opportunity to log in and configure the iLO. Access it via a web browser (it will get a DHCP address by default; you can set a static IP address by entering the iLO setup at boot, see the ‘Disable the iLO’ section below).

5. The user name is Administrator (capital A) and the password will be either on a pull out tab on the front of the server, or a brown cardboard label tied to the front of the server (you did keep that didn’t you!), or on a brown sticker on top of the server chassis. On certain models HP also stick this information under the server lid.

6. Then you can log in and configure.

Disable the iLO

1. If you do not want to use the iLO then you can disable it (I can’t think why you would want to, because it’s a handy piece of kit, but here’s how to do it).

2. Reboot the server, and when prompted press F8 to enter the iLO setup.

3. Settings > Configure.

4. These are the default settings, use the cursor keys to select and the space bar to enable/disable the options.

5. All disabled.

Related Articles, References, Credits, or External Links

NA