PowerShell New-ADUser

Many Systems Administrators can attest that creating user objects can be fun…the first time. Then you begin to realize how daunting navigating through the ‘New User’ dialogs can be. Plus, once you are finished creating a user, you still have to add that user to the appropriate security groups. Sure, there are tricks and shortcuts like creating a disabled user template, but what if your organization has an abundance of security groups? Is it really worth all the effort to create a disabled user template for each potential group? Absolutely not!

PowerShell to the rescue, of course! Create a generic function that takes the information you need anyway, use it to create the user object, and then add that user object to the general security group. This takes seconds and creates user objects in the OU in one consistent format. It saves typing and reduces the chance of spelling errors as well, because you only type the user’s actual first and last names once.

Below is an example of a script written for Department of Defense (DoD) use that can easily be adapted for industry. The bones of the function are reusable no matter the organization.

#Requires -Modules ActiveDirectory

# Set these accordingly
$exerciseUsersOU = 'OU=USERS,OU=TEMPORARY,DC=aaronrombaut,DC=com'
$exerciseGroupsOU = 'OU=GROUPS,OU=TEMPORARY,DC=aaronrombaut,DC=com'
$exerciseDescription = 'Exercise Description'
$exerciseDomain = 'aaronrombaut.com'
# Shared initial password; every new user is forced to change it at first logon below
$exerciseDefaultPassword = ConvertTo-SecureString -String '1$Pass%0' -AsPlainText -Force
$exerciseDefaultUsersGroup = 'GLS_DEFAULT_USERS_GROUP'

# Function to make standard user objects
function New-ExerciseADUser
{
    $firstName = Read-Host -Prompt 'First name'
    $lastName = Read-Host -Prompt 'Last name'
    $objectName = "$firstName.$lastName"
    $displayName = "$lastName, $firstName"
    $eDIPI = (Read-Host -Prompt 'EDIPI').ToUpper()
    $cellName = Read-Host -Prompt 'Cell name'
    # $password = Read-Host -Prompt 'Password' -AsSecureString

    # Create a new user object and place it in the correct OU.
    # -PassThru returns the created object so it can be handed to Add-ADGroupMember
    # directly instead of being looked up again by name.
    # Note: sAMAccountName is limited to 20 characters.
    $newUser = New-ADUser -Name $objectName `
        -AccountPassword $exerciseDefaultPassword `
        -CannotChangePassword $false `
        -ChangePasswordAtLogon $true `
        -Description $exerciseDescription `
        -DisplayName $displayName `
        -EmployeeID $eDIPI `
        -Enabled $true `
        -GivenName $firstName `
        -PasswordNeverExpires $false `
        -PasswordNotRequired $false `
        -Path $exerciseUsersOU `
        -SamAccountName $objectName.ToLower() `
        -SmartcardLogonRequired $true `
        -Surname $lastName `
        -UserPrincipalName "$eDIPI@$exerciseDomain" `
        -PassThru

    # Add exercise user to the default users group for the exercise
    Add-ADGroupMember -Identity $exerciseDefaultUsersGroup -Members $newUser

    # Add exercise user to the cell group they belong to for the exercise.
    # -match takes a regular expression, so escape the typed cell name; otherwise
    # a metacharacter such as '.' in the input could match unrelated groups.
    $cellPattern = [regex]::Escape($cellName)
    $exerciseGroups = Get-ADGroup -Filter * -SearchBase $exerciseGroupsOU
    foreach ($exerciseGroup in $exerciseGroups)
    {
        $exerciseGroupName = $exerciseGroup.Name
        if ($exerciseGroupName -match $cellPattern)
        {
            Add-ADGroupMember -Identity $exerciseGroup -Members $newUser
        }
    }
}

New-ExerciseADUser

As you can see above, the administrator had to navigate through three dialog boxes to create a single user. If you look at the ADUC screenshot, you will see that the user was created but is in ‘First name Last name’ format, whereas the rest of the users are in ‘Last name, First name’ format. This could be resolved either at creation time or fixed after the user object is created. Either way, it is time consuming, error prone, and may not be consistent in environments with more than a single administrator. On top of that, the administrator still needs to add the user to a security group.

Now look at the above screenshot of running the PowerShell script. It asks six questions and then creates the user and adds that user to a generic security group. A few things to note: the script can be tweaked so that the display name is in any format you would like at creation time. The script right now is set to ‘first name last name’, as you can see in the image for the user Arthur Dent. Also, the user does not have to be added to a security group; it’s just common practice to add a user to a generic security group during on-boarding. See the link below for another PowerShell script that can be run against Active Directory to change all the users in an OU to a common format after user creation, if desired.

https://www.aaronrombaut.com/change-the-canonical-name-cn-of-an-active-directory-user/

If your organization requires more or less information, just add or remove as needed. All of the Account options are programmable, such as forcing the user to change the password at next logon, password expiration, account expiration, or smart card usage. It’s just a matter of how much information you need or want from a user at account creation time and your organization’s policies.

Ubuntu 18.04 Automatic Time Zone

While traveling outside of my home time zone, I opened my computer and found that the time was incorrect. This was to be expected because I had yet to connect to the Internet. So naturally, I connected the Wi-Fi, and checked the date and time to see that nothing happened. Hmm, OK.

I restarted my computer thinking it would restart the NTP client; still no luck, so now it was Google time. It looks like a little utility called ‘gnome-clocks’ might be able to give me multiple clocks, which is also something I was looking for. Once installed, I had to reboot again. Sure, this is a neat utility, but it still didn’t update the clock and time zone on my computer.

On this reboot, however, I noticed a little location symbol near the system menu and it dawned on me. Of course my computer would need to have location services in order to figure out where I am. Now I just wonder why, when setting the ‘Automatic Time Zone’ toggle, I am not prompted or warned that I must also have location services turned on.

Afterthought — Read the Fucking Manual (RTFM)

Yes, that’s right, the Ubuntu Desktop Guide literally spelled out what I needed to do and it was there the whole time.

Amazon Web Services

Moved to Amazon Web Services (AWS)! Finishing up some military training, then planning on finishing CompTIA Linux+, then starting an AWS training frenzy!!

VMware ESXi 6.5 STIG Default File Permissions

Sorry for the long title, but I wanted it to be descriptive enough to understand and search. So recently, I was testing out the VMware Fling, “DoD Security Technical Implementation Guide (STIG) ESXi VIB”, to try to speed up how I secure my hosts. Unfortunately, it changed the default file permissions on my files and I didn’t have the defaults documented. So I went to my lab and installed a fresh copy of ESXi 6.5 and connected to it with SSH. Yes, I am fully aware that I should have started in my lab, then moved on to production. Eh, you win some and you lose some.

The following files are updated as part of the Fling to comply with the 6.0 STIG (http://iasecontent.disa.mil/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R4_STIG.zip). At the time of this writing, the 6.5 STIG still has not been released.

  • /etc/issue
  • /etc/pam.d/passwd
  • /etc/ssh/sshd_config
  • /etc/vmware/welcome

Here are the file permissions on a default ESXi 6.5 installation.

/etc/issue (octal 1644)

[root@localhost:~] ls -la /etc/issue
-rw-r--r-T 1 root root 0 Apr 7 2017 /etc/issue

/etc/pam.d/passwd (octal 1644)

[root@localhost:~] ls -la /etc/pam.d/passwd
-rw-r--r-T 1 root root 335 Apr 7 2017 /etc/pam.d/passwd

/etc/ssh/sshd_config (octal 1600)

[root@localhost:~] ls -la /etc/ssh/sshd_config
-rw------T 1 root root 1115 Apr 7 2017 /etc/ssh/sshd_config

/etc/vmware/welcome (octal 1644)

[root@localhost:~] ls -la /etc/vmware/welcome
-rw-r--r-T 1 root root 0 Apr 7 2017 /etc/vmware/welcome

The meaning behind each octal digit is this:

1000 is the sticky bit
0600 is read (r) and write (w) for the user
0040 is read (r) for the group
0004 is read (r) for everyone

‘chmod 1644 <filename>’ will change the mode of the file to the permissions described above.

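To make the drift the Fling caused visible on a host, here is an added shell example (not part of the original post): it decodes an ‘ls -l’ mode string such as ‘-rw-r--r-T’ into the four-digit octal shown above and compares captured ‘ls -la’ lines against the default values listed for the four files. The sample lines at the bottom are constructed from the post’s output.

```shell
#!/bin/sh
# Decode an "ls -l" mode string such as "-rw-r--r-T" into the four-digit
# octal mode the post quotes (1644), then compare captured "ls -la" lines
# against the ESXi 6.5 defaults listed above so drift is visible.

mode_to_octal() {
    perm=$(printf '%s' "$1" | cut -c2-10)   # drop the file-type character
    special=0                               # setuid(4) + setgid(2) + sticky(1)
    digits=""
    n=0
    for triplet in "$(printf '%s' "$perm" | cut -c1-3)" \
                   "$(printf '%s' "$perm" | cut -c4-6)" \
                   "$(printf '%s' "$perm" | cut -c7-9)"; do
        n=$((n + 1))
        d=0
        case $triplet in r??) d=$((d + 4)) ;; esac
        case $triplet in ?w?) d=$((d + 2)) ;; esac
        case $triplet in ??[xst]) d=$((d + 1)) ;; esac   # lower case means x is set too
        case $triplet in
            ??[sS]) if [ $n -eq 1 ]; then special=$((special + 4)); else special=$((special + 2)); fi ;;
            ??[tT]) special=$((special + 1)) ;;            # T = sticky bit without x
        esac
        digits="$digits$d"
    done
    printf '%s%s\n' "$special" "$digits"
}

# Baseline taken from the post (path:octal).
BASELINE='/etc/issue:1644
/etc/pam.d/passwd:1644
/etc/ssh/sshd_config:1600
/etc/vmware/welcome:1644'

# Check one "ls -la" line (no spaces in the path assumed) against the
# baseline: returns 0 on match, 1 on drift, 2 if the path has no entry.
check_ls_line() {
    mode=$(printf '%s' "$1" | awk '{print $1}')
    path=$(printf '%s' "$1" | awk '{print $NF}')
    expected=$(printf '%s\n' "$BASELINE" | awk -F: -v p="$path" '$1 == p {print $2}')
    if [ -z "$expected" ]; then echo "NOBASE $path"; return 2; fi
    actual=$(mode_to_octal "$mode")
    if [ "$actual" = "$expected" ]; then echo "OK     $path $actual"; return 0; fi
    echo "DRIFT  $path expected $expected, found $actual"
    return 1
}

# Constructed sample: one of the post's default lines plus an sshd_config
# that has lost its sticky bit and become group/world readable.
SAMPLE='-rw-r--r-T 1 root root 0 Apr 7 2017 /etc/issue
-rw-r--r-- 1 root root 1115 Apr 7 2017 /etc/ssh/sshd_config'
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    check_ls_line "$line" || :
done
```

On a real host, pipe ‘ls -la /etc/issue /etc/pam.d/passwd /etc/ssh/sshd_config /etc/vmware/welcome’ into the same loop instead of the constructed sample.
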
Introduction to Subnetting 

Intro to Subnetting by Aaron G. Rombaut

Introduction: Subnetting is a way for network administrators to use the available network address space without waste. A general rule of thumb in networking is to remember that a subnet = a broadcast domain = a VLAN.

Discussion: An IPv4 address consists of four octets in dotted decimal notation. Each octet contains eight bits, giving it a value from 0 to 255. A common IPv4 address many home users may be familiar with is 192.168.1.1. By itself this is called a host or node address. This address is given to a node on a network and identifies it. It is an assigned number chosen by a network administrator and resides at layer 3 of the OSI model. With the information given, however, we don’t know the network it resides on.

In order to find out the network the host address is on, we need to know the subnet mask. A common subnet mask home users may be familiar with is 255.255.255.0. Once we have the IP address and the subnet mask, it’s simply a matter of performing a binary calculation.

Tip: When you see a ‘255’ in a subnet mask, you carry the octet value from the IP address

Tip: When you see a ‘0’ in a subnet mask, you mark that octet with a ‘0’

Example: Using the 192.168.1.1 IP address and 255.255.255.0 subnet mask, I will demonstrate the tips given.

IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
Network Address: 192.168.1.0

A more difficult example would be as follows:

IP Address: 192.168.1.45
Subnet Mask: 255.255.255.248

The subnet mask given here is a subnet of the previous example. Notice that the last octet of the subnet mask has increased from 0 to 248. This increase indicates that the network administrator has borrowed host bits to make the network smaller.

A visual representation of 255.255.255.0 is nnnnnnnn.nnnnnnnn.nnnnnnnn.hhhhhhhh where ‘n’ represents network bits and ‘h’ represents host bits. A visual representation of the subnetted network’s subnet mask is nnnnnnnn.nnnnnnnn.nnnnnnnn.nnnnnhhh. Notice that in the fourth octet, there are five ‘n’ bits and only three ‘h’ bits? This indicates that the administrator ‘borrowed’ host bits to make a smaller network.

To calculate the network address here, the first tip still applies: you still carry the 192.168.1 part of the address, since the subnet mask octets lined up with those are 255. Where it gets interesting is the fourth octet. This is actually called the interesting octet.

As mentioned in the beginning, an IP address is made up of four octets in dotted decimal notation. Each octet contains eight bits, giving it a value from 0 to 255. I will break this up to illustrate.

First, lay out your eight bit placeholders.

_  _  _  _  _  _  _  _

The value of each of these placeholders is as follows, 128 64 32 16 8 4 2 1. Since bits are binary, you can only use a ‘1’ or a ‘0’. In order to convert the decimal number 45 given in the example to binary, you simply mark the appropriate value in the placeholder that gives you the sum. For instance, 128 does not go in 45, so you would mark a ‘0’ in the ‘128’ placeholder. 64 also does not go in 45, so again, you would mark a ‘0’. 32 does go into 45, so in this case, you would place a ‘1’ in the 32 placeholder. You continue doing this until you have met the decimal number. If there are any open placeholders to the right, you finish them with ‘0’.

The binary representation for decimal 45 is 00101101. This is the hardest part of learning how to subnet.

For subnet masks, it’s much easier, as the bits have to be contiguous. This means that you will not have an octet consisting of a 1, a 0, and then more 1s. Remember the range for an octet is 0 to 255. A ‘0’ octet is where all binary bits are turned off, so the binary representation of decimal ‘0’ is 00000000. A ‘255’ octet is where all binary bits are turned on, so the binary representation of decimal ‘255’ is 11111111. Since subnet masks consist of contiguous ‘1’s, there is a finite number of values to remember.

Tip: remember the eight permutations for subnet masks

128.0.0.0 (128 + 0 + 0 + 0 + 0 + 0 + 0 + 0)
192.0.0.0 (128 + 64 + 0 + 0 + 0 + 0 + 0 + 0)
224.0.0.0 (128 + 64 + 32 + 0 + 0 + 0 + 0 + 0)
240.0.0.0 (128 + 64 + 32 + 16 + 0 + 0 + 0 + 0)
248.0.0.0 (128 + 64 + 32 + 16 + 8 + 0 + 0 + 0)
252.0.0.0 (128 + 64 + 32 + 16 + 8 + 4 + 0 + 0)
254.0.0.0 (128 + 64 + 32 + 16 + 8 + 4 + 2 + 0)
255.0.0.0 (128 + 64 + 32 + 16 + 8 + 4 + 2 + 1)

Putting it all together: So now that we know our binary representation for decimal 45, we also know our binary representation for the subnet mask. Place the binary 45 above the binary 248. From here, you will apply binary AND rules to get the result. The result of this operation is the network (or subnet) address.

00101101 – 45
11111000 – 248

Tip: When you see a ‘1’ and a ‘1’, the result is ‘1’
Tip: When you see a ‘1’ and a ‘0’, the result is ‘0’
Tip: When you see a ‘0’ and a ‘0’, the result is ‘0’

The result of the above calculation is 00101000. Now you convert this back to decimal. 0 + 0 + 32 + 0 + 8 + 0 + 0 + 0 = 40, therefore, the network address is 192.168.1.40 for the IP Address 192.168.1.45 with a subnet mask of 255.255.255.248. Easy, right?

Learning the Magic Number Method

Remember when I said to learn the eight subnet mask permutations? It’s going to be very important for quickly finding subnetting answers. This method does not require you to convert decimal to binary and then back to decimal.

Let’s use the following example:
IP Address: 192.168.20.34
Subnet Mask: 255.255.255.224

First, lay out the eight permutations again:
128 192 224 240 248 252 254 255

Next, lay out the octet placeholder values:
128 64 32 16 8 4 2 1

Let me also mention that the tips regarding ‘255’ or ‘0’ in the subnet mask still apply to figuring out the network address.

So, with what we know up to this point, we have the network address as 192.168.20.something. The something in this case is our interesting octet as well. The subnet mask is where we will focus our attention. Notice that the fourth octet in the subnet mask is ‘224’? Now look at which place ‘224’ occupies among the eight permutations, in this case the third place from the left. We always work from left to right, the most significant bit (MSB) to the least significant bit (LSB). The third placeholder value of the octet is ‘32’, so in a zero-based network (the router uses the ‘0’ subnet), you would have:

0
32
64
96
…
256

Basically, you start with ‘0’ and count in intervals of your ‘magic number’. The magic number is the value of the placeholder where your subnet mask octet falls. You are looking for the number before the interesting octet value of the IP address, in this case ‘34’, and the value after. So in this case, ‘34’ is between ‘32’ and ‘64’, therefore our network address is 192.168.20.32.

If you are on a test and forget your octet values, you can simply subtract the value of the subnet mask octet from 256. The reason you use 256 is because there are 256 possible values including zero. In our example, 256 – subnet octet value of 224 = 32. This is our magic number and also the number you increment by. See, the magic number method is tons easier and much faster, especially when you are sitting for a networking certification!

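The binary AND method and the magic number method above, as an added POSIX shell example (not part of the original post) so the two can be checked against each other and against the practice questions. It also adds a mask validity check built on the eight permutations and a broadcast address calculation, which the post does not cover; inputs are assumed to be well-formed dotted decimal.

```shell
#!/bin/sh
# Decimal octet to eight-bit binary, done the way the post walks through it:
# write a 1 wherever the place value (128 down to 1) still fits in what is left.
to_binary() {
    n=$1; bits=""
    for place in 128 64 32 16 8 4 2 1; do
        if [ "$n" -ge "$place" ]; then bits="${bits}1"; n=$((n - place))
        else bits="${bits}0"; fi
    done
    printf '%s\n' "$bits"
}

# A mask is valid only if it is 255s, then at most one of the eight
# permutations, then 0s (contiguous ones from the left).
valid_mask() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    ended=0   # becomes 1 once a non-255 octet has been seen
    for m in "$@"; do
        case $m in
            255) [ $ended -eq 0 ] || return 1 ;;
            0) ended=1 ;;
            128|192|224|240|248|252|254) [ $ended -eq 0 ] || return 1; ended=1 ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Binary AND method: AND each address octet with the mask octet above it.
network_address() {
    old_ifs=$IFS; IFS=.; set -- $1 $2; IFS=$old_ifs   # $1-$4 address, $5-$8 mask
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# Magic number method: block size = 256 - mask octet; the network octet is the
# last multiple of the block size at or below the address octet. A 255 gives a
# block of 1 (carry the octet) and a 0 gives 256 (write 0), so both tips from
# the post fall out of the same rule.
network_address_magic() {
    old_ifs=$IFS; IFS=.; set -- $1 $2; IFS=$old_ifs
    out=""; i=1
    while [ $i -le 4 ]; do
        eval "a=\$$i; m=\$$((i + 4))"
        magic=$((256 - m))
        out="$out${out:+.}$((a / magic * magic))"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Broadcast address (not covered in the post): turn every host bit on.
broadcast_address() {
    old_ifs=$IFS; IFS=.; set -- $1 $2; IFS=$old_ifs
    printf '%d.%d.%d.%d\n' $(($1 | (255 - $5))) $(($2 | (255 - $6))) $(($3 | (255 - $7))) $(($4 | (255 - $8)))
}
```

Running ‘network_address’ and ‘network_address_magic’ on the same pair and comparing the results is a quick way to check your answers to the practice questions below.
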
Practice Questions

Decimal to Binary Conversions
23
223
255
123
12

Binary to Decimal Conversions
00100010
11111111
10101010
11010110
11001100

Binary AND Operations
11010110
11101010

10101010
11110101

10100111
11010110

11010101
10111011

11000011
11111100

Find the Network Address

IP Address: 192.168.1.234
Subnet Mask: 255.255.255.0

192.168.168.23
255.255.255.128

172.10.10.123
255.255.0.0

10.25.123.47
255.0.0.0

10.10.20.30
255.255.255.252

Configuring a Do-It-Yourself Web Server

So the time has come again that I would like to build a web server! This time, though, I want to build it with software that is not from any distribution’s package management. You may ask why I would want to do something like this? Well, I want to learn the process because up until this point, I have only ever relied on a distribution’s package manager.

[edit] Holy crap! Now I’m asking myself why I wanted to do this. Unfortunately, I am not skilled enough in the ways of Linux fu to accomplish this task. I was able to
./configure
make
make install

a few programs, but now I definitely have an appreciation for the distribution’s package manager. Hopefully someday I will be smarter in that area. For now, I’m going to stick with the package manager.

What’s wrong with the software from the distribution? Nothing, except it’s always just slightly out of date and it’s been configured by someone that I don’t know. I don’t understand “why it just works”, so how do I know that I can trust it and that my web server’s security is not at risk?

I would also like to muck around with this project to better prepare for the CompTIA Linux+ exam. I bought a testing voucher awhile back and have yet to use it. Without any purpose on my system, I haven’t really had a chance to exercise and use the skills I learned.

I will try my best to document the process on here and even may get into making a video tutorial. I don’t want to promise anything I can’t deliver, so I’m not promising videos at this point.

So…the “L” in my “LAMP” will be the Ubuntu 18.04.1 LTS (“Bionic Beaver”). What a crazy name; yes, my mind went there!

The “A” will of course be Apache HTTP Server, version 2.4.35.

“M” will be MySQL Community Server, version 8.0.12.

“P” will be PHP, version 7.2.11.

I will add a second “P” for phpMyAdmin, version 4.8.3 to help administer my MySQL database.

I will be setting up this server to host WordPress so I will install the latest version from WordPress.org, version 4.9.8.

I wouldn’t be surprised to see a few of these vendors release updates from now until when I am able to complete this project.

[edit] I am going to install and configure the above components, but use apt in this case since I am using Ubuntu. I am also going to install Webmin, which I have been using for years and absolutely love the look and feel of it. It makes updating and securing a lot faster and easier for me. I guess I went from hero to zero real quick in this post; you’ll forgive me, won’t you?

ITIL Service Lifecycle

There are five stages in the IT Infrastructure Library (ITIL) service lifecycle. They start with Service Strategy at the core. Once you know what you need to do and why, you can move to Service Design. The Service Design stage is where you start to match services to the identified business strategy. Once you have designed the services to coincide with the objectives, you move into Service Transition. Service Transition is how you move from the conceptual design phase into the implementation stage of actually performing or offering the service. The Service Operation stage is the actual use of the identified and designed service. The last stage, Continual Service Improvement, encompasses all four previous stages. It’s the stage where you assess and alter services to meet new goals or outcomes. We all want to be perfect 100% of the time, but reality has taught us that 100% of the time, things change. Business objectives or goals may change, the industry may change, needs or wants may change. It’s this stage where those changes get recognized and improvements get made.