September 2006

You are currently browsing the monthly archive for September 2006.

GrowlCamino

Thursday, September 28, 2006 in Macintosh by slowe | No comments

I’m not sure why I hadn’t noticed it before, but today I found a plugin for Camino that adds Growl support to the Mozilla-based, Mac OS X-based browser.

GrowlCamino is simple to install, simple to uninstall, and works exactly as advertised.  After installation, Camino will issue a Growl alert upon the start of a file download, completion of a file download, a failed attempt to load a page, etc.  As with all other Growl-enabled applications, the alerts come in the configured style (bezel, bubble, etc., according to your Growl preferences) and are fully configurable.

With the addition of GrowlCamino, I now have Growl support working in all my major applications:

Mail (via an AppleScript and GrowlHelperApp)
iCal (via a hack detailed here)
Camino (via GrowlCamino, of course)
NetNewsWire (via the NewsGrowl script)
Adium (native support)
Cyberduck (native support)
ecto (native support)
Colloquy (native support)
Transmission (native support)

I’d love to see Growl support in Unison, but then again I’d love to see the guys at Panic do a major upgrade on Unison and add some much-needed functionality (offline support, Spotlight integration, AppleScript and/or Automator support).  I could integrate Growl notifications into VirtueDesktops, but that just doesn’t seem useful at this time.

Anyway, if you are like me and were waiting patiently on a way to bring Growl support to Camino, your wait is over.  Go get your copy of the plug-in right away!

Tags:

Office and IE Under Fire (Again)

Thursday, September 28, 2006 in Security by slowe | No comments

News of the unpatched PowerPoint vulnerability (via eWeek) comes after a summer-long struggle to contain vulnerabilities in Microsoft Office, the office suite that maintains a venerable monopoly in the market.  As with previous PowerPoint exploits, this one uses a rigged PowerPoint file to install a backdoor application.  I found some additional information available from Symantec; read that here.

Similarly, another exploit has surfaced for Internet Explorer.  This exploit takes advantage of a flaw that was supposedly brought to Microsoft’s attention back in July and apparently still remains unpatched.  Fortunately, additional information on the IE vulnerability is available; here are some relevant links:

SecurityFocus:  Microsoft Internet Explorer WebViewFolderIcon Buffer Overflow Vulnerability
osvdb:  Microsoft IE WebViewFolderIcon setSlice Overflow

No word yet on any workarounds for this vulnerability or the published exploit.

Finally, in slightly related news…a couple of days ago Microsoft released an out-of-band patch (MS06-055) for the VML vulnerability I mentioned last week.  As usual, it’s available via Windows Update, WSUS, and various other distribution mechanisms.

Tags: , ,

Cocoalicious Fix

Thursday, September 28, 2006 in Macintosh by slowe | 2 comments

As noted in this comment on the Sci-Fi Hi-Fi weblog article about the recent problems with Cocoalicious, it turns out that it may be necessary to change the del.icio.us API URI not only in the Preferences, but also in Keychain Access.

Huh?  In Keychain Access?  Yep, you heard that right.  Changing the URI in Keychain Access from “http://” to “https://” and then relaunching Cocoalicious seems to fix the issue.  Note that you’ll have to re-enter your del.icio.us account password after making the change in Keychain Access, and note that you’ll also end up with two entries in your login keychain for the del.icio.us API.  One entry will have the “http://” prefix, and the second will have the “https://” prefix.  I tried going back and deleting the non-SSL entry, but it just ends up getting recreated anyway so you might as well not worry about it.

I can’t guarantee this will fix everyone, but it seems to have helped a number of us (for whatever reason).

Tags: ,

A Crude Document Management System

Tuesday, September 26, 2006 in Macintosh by slowe | 3 comments

My rudimentary “document management system” is comprised of a variety of technologies, some built into Mac OS X and some added on via separate third-party applications. At the core of the system is Spotlight, the search engine that is the object of a love-hate relationship with many Mac users. Despite Spotlight’s shortcomings, it is still a very useful tool to have. (I will have to admit that I am sure I am still not taking full advantage of Spotlight’s abilities.)

On top of Spotlight I’ve added a number of pieces:

  • Spotlight comments in Finder: I place relevant information in the Spotlight comments in Finder so that the Spotlight engine can find and index these comments. Keywords/tags are separated by spaces and surrounded by brackets (i.e., “[Macintosh Security]“) and additional comments—such as a brief description of the document—follow immediately thereafter.
  • Project-specific keywords/tags: I have project-specific keywords/tags for the major customer projects in which I am involved. For example, if I were handling an Exchange migration for XYZ Widgets, my project-specific keyword would be “Proj:XYZ-ExMig”. This makes it incredibly easy to locate documents relating to a specific document.
  • MailTags: MailTags, a handy add-on for Mail, lets me apply some of the same metadata to my e-mail messages as to my file system. Then, when I assign a particular message to a project (using the same naming convention as my project-specific keywords mentioned above), I can search for both project-related documents and project-related messages with a single Spotlight search.
  • Keywords/Tags in Address Book and iCal: While not specifically related to document management per se, using the same keywords/tags on Address Book contacts and iCal appointments further unifies the structure and makes it easier to see all related resources. In addition, it also makes it easy to use the Spotlight system service to find related documents when viewing a contact or an appointment.
  • Automator workflow for adding Spotlight comments: To help streamline the process of adding these comments to files in Finder, I’ve added an Automator workflow that prompts me for the text to add to the Spotlight comments and then either appends that text to the existing comments or replaces the existing comments with what I specify. This makes it easy to tag large numbers of documents at the same time.
  • Microsoft Office metadata: I also fill out the metadata for all Office documents (via File > Properties). This is something I’ve been doing for years (since the introduction of the “Find Files” command in Word for Windows 2.0, circa 1994-1995), so it’s very natural for me. All of the Office applications are configured to automatically prompt me for document properties when I save a new document. In the document properties, I specify the same keywords/tags as in the Spotlight comments as well as author, manager, title, description, etc.
  • Saved searches: To help group together documents, I use a small selection of saved searches—aka Smart Folders—based on raw Spotlight queries. Using raw Spotlight queries allows a finer level of control over what items are returned by the search. For example, the following Spotlight query shows me only active project-related documents:

    (kMDItemFinderComment =*Proj*) && (kMDItemFinderComment != *Inactive*)

    I’m still fine-tuning my use of raw Spotlight queries, trying to make sure that I stick to indexed metadata so that Spotlight doesn’t have to perform a real-time search everytime I open the Smart Folder. I’d appreciate anyone who has some tips there to share them in the comments.

So, based on my own personal workflow and these additional tools, it’s easy for me to create a new project-related document (say, a migration plan or a network diagram), attach the associated metadata (either manually or via the Automator workflow), and have easy and quick access to the document afterward, without really having to pay too much attention to where I saved the document.

I do still use regular old folders (directories) in Finder as well; I’m not sure if that’s a holdout of the “old school” way of doing things, but I’m just not ready to completely give up traditional folders just yet.

Changes and/or additions that I’m considering adding include:

  • Using Quicksilver’s “File Tags” plug-in: As my use of Quicksilver has continued to increase (I’m hoping to now start using it to track and access my del.icio.us bookmarks, since Cocoalicious went belly up), I’ve also explored the use of Quicksilver for tagging. My main concern with Quicksilver’s tagging module is the need for a prefix that is added to every tag. Right now I don’t use any sort of prefix, and you can’t (unfortunately) tell it not to use a prefix. Perhaps I’ll use Quicksilver to create a trigger for my Automator workflow…
  • Changing keyword/tag format: Partially because of Quicksilver (see previous bullet), I’m thinking of adding some sort of prefix to denote keywords/tags as such, instead of just part of the Spotlight comments or the document’s content. The idea is that searching for “@Proj:XYZ-ExMig” would get only files tagged as such, not all items that may have that content inside them. I still haven’t quite decided on this one. Anyone have any thoughts? Would it really be worth the effort?

So, there you have it…my homegrown document management system. I’m open to suggestions for improvement or additional tools to make it more effective. What am I missing that could make this better?

Tags: , , ,

Sneaking Around VMotion Limitations

Monday, September 25, 2006 in Virtualization by slowe | 5 comments

First and foremost allow me to make this disclaimer:  Do not do this on production systems.  While it may work for testing (I haven’t seen any ill effects yet), it’s definitely not recommended for production use.  I seriously doubt that VMware would provide any support for this kind of hack.

Now, with that serious warning out of the way, let’s get into the details.  Based on the information found in this VMTN forum discussion, I was able to find the information I needed to determine exactly what differences were causing VirtualCenter (VC) to report that it couldn’t VMotion between the two hosts.

The real trick here is the use of the CPUID ISO image, found on the ESX 3.0 CD.  Burn this ISO image to a CD and then boot from the CD; the results from this command will give you detailed information on the exact functionality and capabilities of the CPUs in your system.  Write this information down exactly as it appears on the screen when running the test; you’ll need it later.

For example, on one of the hosts I received information like this:

ID1ECX 0x0000641d
ID1EDX 0xbfebfbff
ID81ECX 0000000000
ID81EDX 0x20000000

This all looks like jibberish, but using this document from Intel gives the breakdown on what those numbers mean.  On a second ESX host, I received these values from CPUID:

ID1ECX 0x00004400
ID1EDX 0xbfebfbff
ID81ECX 0000000000
ID81EDX 0000000000

As you can see, the differences lie in the ECX register, which is exactly what VC was reporting during its “validation” process.  Having now identified the specific differences between the hosts, we proceed to mask (or hide) those values from the guest VMs by modifying the VM’s configuration.

For the VM that you want modified, right-click and go to Edit Settings > Options tab > Advanced > Advanced button.  From here, you’ll see a listing of the CPU registers (EAX, EBX, ECX, and EDX) and the masks that will be applied to each register at various levels.  Because all that was returned by CPUID was ECX and EDX and levels 1 and 81, that’s all we need to worry about.

ESX Server will supply a default mask that shows or hides certain flags to the VMs.  We can modify that mask to hide additional values, thus increasing VMotion compatibility at the expense of possibly lower performance (because VMs won’t be able to take full advantage of some higher-level functions of the CPUs).  For example, the default mask for ID1ECX for a Windows-based host is this (there’s a “Legend” button in the same dialog box to explain what these values mean):

RRRR RRRR RRRR RRR0 00XR R0H0 000H 0RRH

To make this work, what we need to do is change the R or H to a zero (0) where the differences between the hosts are.  However, in order to really understand where the differences are between the hosts, you must first convert the hexadecimal values above to binary.  In my particular example, here are the converted values (again, for ID1ECX):

RRRR RRRR RRRR RRR0 00XR R0H0 000H 0RRH (mask)
0000 0000 0000 0000 0110 0100 0001 1101 (first system)
0000 0000 0000 0000 0100 0000 0000 0000 (second system)

The only bits we need to mask are the bits not already masked (i.e., those marked with an R or an H in the mask) and where the values are different between the two systems.  In this case, bits 0, 2, and 4 are different and are not already masked.  (You’ll note that bit 14 is also different between the two hosts, but it’s already hidden in the mask and therefore is not an issue.)  To mask these bits, we’ll edit the line in this dialog box to put a “0” in the position for bits 0, 2, and 4, leaving all other bits intact (use a dash for all the other bits).  When you’re done, the custom mask in the dialog box will look something like this:

---- ---- ---- ---- ---- ---- ---0 -0-0

When this custom mask is added to the default mask, you get an effective mask that hides the different bits between the hosts:

RRRR RRRR RRRR RRR0 00XR R0H0 000H 0RRH (default mask)
---- ---- ---- ---- ---- ---- ---0 -0-0 (custom mask)
RRRR RRRR RRRR RRRR 00XR R0H0 0000 00R0 (effective mask)
0000 0000 0000 0000 0110 0100 0001 1101 (first system)
0000 0000 0000 0000 0100 0000 0000 0000 (second system)

As you can see, because none of the different bits between the two hosts are marked with an R or an H, then they are all masked from VirtualCenter and therefore won’t prevent VMotion from working.  (Keep in mind that an X means it’s unused or ignored; only the R and the H will come into play for computing VMotion compatibility.)

So far, I’ve tested this on VMs running Windows Server 2003, Windows 2000 Server, Solaris 10, and Linux (CentOS 4.3).  I’ve not seen any problems thus far, and I’ve VMotion’ed these VMs back and forth a number of times trying to uncover some compatibility problems.  If I discover any, I’ll be sure to post more information here.

UPDATE:  Also see this article for more information and a link to a tool that has been released to help with this process.

UPDATE 2:  Thanks to an astute commenter, I’ve updated the article accordingly to note that bit 1 (the bits are numbered starting with 0) does not need to be masked, since it is the same between the two CPU families.

Tags: , , ,

Cocoalicious Woes

Thursday, September 21, 2006 in Macintosh by slowe | No comments

A quick Google search turned up this posting by Buzz Anderson, the developer of Cocoalicious, on his Sci-Fi Hi-Fi weblog.  The posting was short and sweet, indicating all that was required was a simple change in the Preferences—exactly what I had found myself.  As you review the comments, however, you see that a number of users are reporting that even with the URL change in the preferences, Cocoalicious is still not working.  And for some, like me, the change worked initially but stopped working later.

The common error that everyone is seeing appears to be this:

2006-09-21 16:14:44.961 Cocoalicious[308] PARSE
ERROR: NSError “Error NSXMLParserErrorDomain 5”
Domain=NSXMLParserErrorDomain Code=5
2006-09-21 16:18:58.210 Cocoalicious[311] NSError “Error
NSURLErrorDomain -1012” Domain=NSURLErrorDomain Code=-1012
UserInfo={
    NSErrorFailingURLKey = https://api.del.icio.us/v1/posts/update?;
    NSErrorFailingURLStringKey = “https://api.del.icio.us/v1/posts/update?”;
}

Anyone have any idea what might be going on?  I have determined, from reviewing the Console logs, that you should not place a trailing slash after the URL in the Cocoalicious preferences; this causes the application to create a URL like this:

https://api.del.icio.us/v1//posts/update?

Obviously, that won’t work.  However, even with the trailing slash not present, my installation of Cocoalicious immediately goes offline as soon as I launch it.  Trashing the preferences file didn’t seem to help, either.

Any insight would be greatly appreciated.  I’ve come to rely upon del.icio.us and using a browser to view my bookmarks is just too cumbersome.

UPDATE:  Macintosh users also running delimport (a Spotlight importer for del.icio.us bookmarks) should update their version of delimport to version 0.2, available from the delimport website.  I just updated delimport myself and new del.icio.us bookmarks are now showing up (they weren’t before).

UPDATE 2:  FYI, I tried a couple of other posting clients, like Postr and SiteTagger, and also received the same NSURLErrorDomain code as with Cocoalicious.  However, Pukka seems to work just fine.

Tags: ,

More on the IE VML Vulnerability

Thursday, September 21, 2006 in Security by slowe | No comments

Taken from this Dark Reading article, here are a few ways to protect yourself from the VML vulnerability:

  • Unregister the VML DLL (VGX.DLL, found in Program Files\Common Files\Microsoft Shared) using regsvr32.exe.
  • Apply a restrictive access control list (ACL) to the VGX.DLL file.  This weblog entry shows how to help automate this using Group Policy for larger organizations (very handy!).
  • Disable “Binary and Script Behaviors” in Internet Explorer 6.  Unfortunately, this measure may only be temporary, as the exploit is moving beyond its original JavaScript-based incarnation (see below).
  • Switch to an alternate browser or use a virtual browser appliance.

In case you’re wondering why it might be important to protect yourself against this vulnerability, take a look at this article describing the scope of the attacks.  As many as 10,000 web sites could end up hosting exploit code to take advantage of this vulnerability, and researchers are predicting that an e-mail variation may soon follow.

You can obtain additional information about this vulnerability and the corresponding exploit(s) at the following links:

Microsoft Internet Explorer Vector Markup Language Buffer Overflow Vulnerability
http://www.symantec.com/enterprise/security_response/vulnerability.jsp?bid=20096

Trojan.Vimalov: A zero-day exploit in VML, in Internet Explorer
http://www.symantec.com/enterprise/security_response/weblog/2006/09/ trojanvimalov_a_zeroday_exploi.html

Exploit-VMLFill
http://vil.nai.com/vil/content/v_140629.htm

Microsoft Internet Explorer Vector Markup Language 0-Day
http://vil.nai.com/vil/Content/v_vul26881.htm

Enterprises that don’t want to deploy Group Policy but still want to protect themselves against the vulnerability can use WMIC to remotely run the regsvr32.exe command against remote computers.  Of course, this disables VML functionality, but how many enterprises out there actually use VML?  Here’s the general command:

wmic /node:<PC name> process call create
'regsvr32.exe /u “%CommonProgramFiles%\Microsoft Shared\VGX\VGX.DLL”'

As I’ve mentioned before, you could substitute a text file for the PC name above and WMIC will iterate through the list, performing the same task on each PC in the list.  To re-enable VML functionality, you could use the same process but remove the “/u” switch from the regsvr32.exe command.

UPDATE:  More resources have come to light regarding this VML vulnerability:

Zero-Day Response Team Launches with Emergency IE Patch
Internet Explorer Bug Can Be Exploited Via Email
More Defensive Tactics Against IE’s Newest Vuln

Tags: , ,

New Zero-Day IE Exploits

Tuesday, September 19, 2006 in Security by slowe | No comments

First up was this alert from eWeek that exploit code had been posted for a previously unknown code execution hole in Internet Explorer.  This article came on September 14, about 5 days ago.

On that same day Microsoft published this security bulletin, which describes an issue with the DirectAnimation Path ActiveX control.  Although it’s not immediately apparent whether this security bulletin is related to the exploit code described in the eWeek article, a review of the CVE listing provides enough information to believe that the exploit described by eWeek does, in fact, use the vulnerability described by Microsoft in their security bulletin.

This Dark Reading article also describes the same vulnerability and the related exploit, and was published yesterday, Monday, September 18.

Also yesterday, eWeek reported zero-day IE attacks spotted in the wild, but these attacks do not appear to be related to the exploit discovered last week and instead appear to be new attacks.  Although specific vulnerability information was not available in that article, a quick trip to the Sunbelt weblog provided some additional information that indicates these are new attacks against a new vulnerability that remains unpatched by Microsoft.  No formal word from Microsoft yet, but I expect we’ll probably see a security bulletin in the next few days.

In the meantime, protect yourself against these attacks by following the workarounds suggested in the Microsoft security bulletin (for the ActiveX control exploit).  Alternately, you can switch to Mozilla Firefox or (for those of you that are technically inclined) build yourself a web sandbox using VMware Workstation and undoable disks (sort of like the Browser Appliance, but using Windows instead for greater compatibility with those sites designed for Internet Explorer).

UPDATE:  As I predicted earlier today when I first posted this article, Microsoft has indeed published a security bulletin regarding the VML vulnerability I described above as discovered by Sunbelt Software.  The MSRC blog posting announcing the bulletin credits ISS as assisting in the confirmation of the vulnerability.

Tags: , ,

A Couple Handy AD Manipulation Tricks

Thursday, September 14, 2006 in Microsoft, UNIX by slowe | 2 comments

First, a couple of disclaimers: if you are an old hand with regexes (regular expressions), you won’t find anything terribly groundbreaking here. Conversely, if you are a complete newbie to regexes, some of the examples I provide may leave you confused. (I am neither a veteran nor a newbie…instead I’m somewhere in between.)

Where shall we start? Let’s say that you needed to add a prefix to all the names of the security groups in your Active Directory domain. Of course, you could do this by hand, but let’s explore something a bit more…automated. (Caveat: If you only have 20 groups in your domain, the setup work for this process may be more involved than just changing the name manually.)

First, export the list of groups out of Active Directory using a tool such as AdFind:

adfind -b ou=Groups,dc=example,dc=net -s subtree
-f "(objectCategory=Group)" displayName –csv > grp-list-1.csv

This produces a list of groups in the Groups OU at the root of the domain example.net in CSV format, listing the full DN and the group’s display name. It will look a little something like this:

"CN=Dallas Users,DC=example,DC=net","Dallas Users"
"CN=Sacramento Users,DC=example,DC=net","Sacramento Users"
"CN=Lexington Users,DC=example,DC=net","Lexington Users"

Apply this regex to the file (using your regex-capable text editing tool of choice; I used a Win32 port of sed):

s/(\",\")/\1SG-/g

The command line, if you were to use sed, would look something like:

sed -r -e s/(\",\")/\1SG-/g input-file.csv > output-file.csv

After this command (which would run very fast, even for listings of thousands of groups), the file would look like this:

"CN=Dallas Users,DC=example,DC=net","SG-Dallas Users"
"CN=Sacramento Users,DC=example,DC=net","SG-Sacramento Users"
"CN=Lexington Users,DC=example,DC=net","SG-Lexington Users"

Now, all your groups have an “SG-” prefix (for Security Group, of course).

You could then take the output file and convert it from CSV to LDIF for importing back into Active Directory, as I described in this posting. After a couple of steps with Log Parser and LDIFDE, you could have all your security groups updated in just minutes. Handy, don’t you think?

sed (or stream editor) is a Unix application that is exceedingly efficient at making changes to text files. When combined with a regex (regular expression), this gives us a tremendous amount of flexibility and power to quickly make large numbers of changes.

OK, let’s run with another example. What if your organization decides its going to split into two different companies, sharing the same infrastructure, and you are charged with the task of stamping every user account with a suffix that denotes the company for which that user works. After separating the users into separate OUs (which would be useful for separate Group Policy object application anyway), export the user list using AdFind:

adfind -b ou=NewCompanyB,dc=example,dc=net -s subtree
-f "(&(objectCategory=User)(objectClass=User))" name displayName
–csv > usr-compb-list-1.csv

This will create a more complex listing that includes full DN, name, and display name attributes of the users in that OU. With this file, use sed to transform it automagically:

sed -r -e s/(,DC=net\",\")(.*)(\",\")(.*)(\")($)/\1\2 [New
Org]\3\4 [New Org]\5\6/g usr-compb-list-1.csv > output-file.csv

You may find it easier to put the regex in a file (say, called fixnames.sed or similar) and use this command instead:

sed -r -f fixnames.sed usr-compb-list-1.csv > output-file.csv

When this command is complete, your output-file.csv would look something like this:

"CN=Smith\, John,OU=NewCompanyB,DC=example,DC=net",
"Smith, John [New Org]","Smith, John [New Org]"
"CN=Public\, Joan,OU=NewCompanyB,DC=example,DC=net",
"Public, Joan [New Org]","Public, Joan [New Org]"

(Each entry would all be on a single line; they’ve been wrapped here for readability.)

You could then use a variety of methods to get these changes back into Active Directory. If you wanted to modify only the display name (of course, you’d need to adjust the commands above accordingly) you could use “for /f” with “dsmod user” and pipe the correct information to the command to modify the users; that technique is described here and here. Or, you could just use Log Parser again to convert from CSV to LDIF using a template file and then import back in with LDIFDE. The real trick here is again the use of sed and regexes to quickly and efficiently make bulk changes to a text file, and that’s something that is uniquely Unix-like. Nevertheless, it holds great value in other areas and on other platforms as well.

Tags: , , ,

Embracing Diversity

Tuesday, September 12, 2006 in Interoperability by slowe | No comments

Hopefully it’s no secret that I enjoy working with a variety of operating systems—VMware ESX Server (OK, so maybe not “technically” a full operating system, but I’ll include it anyway), Windows, Mac OS X, various flavors of Linux (mostly CentOS and Ubuntu), OpenBSD, and (more recently) Solaris on x86 (haven’t had the opportunity to do Solaris on Sparc yet).  All this while I work full-time as a primarily “Microsoft engineer” specializing in Active Directory.  Yet I find value in the diversity of my knowledge.

For example, a few months ago my experience in Unix/Linux-AD integration helped me to resolve an issue for a customer that was experiencing problems with Vintela Authentication Services.  Even though I wasn’t familiar with VAS per se, my knowledge and experience of PAM helped the customer find a workaround to a crippling performance issue until the vendor could identify the root cause of the problem.  In addition, I was able to take that information and apply it back to open source Unix/Linux-AD integration projects to help improve performance and scalability.

Don’t get me wrong; I’m not trying to brag or be boastful.  It’s just that someone who wouldn’t take the time to become familiar with these other platforms wouldn’t have been able to bridge the gap and make the connection.  If for no other reason, you owe yourself as a technical professional to broaden your knowledge, extend your reach, and stretch your mind.  Too many IT professionals get pigeonholed as “the Cisco guy” or “the Microsoft guy” or “the Unix guy”.  I don’t want to be labeled that way (although often I am anyway), and somehow I don’t think you do, either.

Let me share the example I experienced today.  I’m working on a project where I needed to migrate about 850 security groups from one Active Directory forest to a new Active Directory forest, and I needed to rename the groups in the process.  The particular migration tool we’re using didn’t offer that functionality, so I turned to other mechanisms.  In the end, I was able to use the Directory Service command-line tools (dsquery group, specifically) and a Win32 version of sed (the stream editor) to manipulate a text file containing all the group names, then imported that back into Active Directory using LDIFDE.  Using only “Windows” tools or only “Unix” tools the job wouldn’t have been as easy as it was, but combining the tools—bridging the gap between the “OS wars”—allowed me to create a solution that matched the need at hand.  Isn’t that what it should be about, anyway?

<aside>If you haven’t yet experienced the power of regular expressions…you need to take a look.</aside>

Likewise, adding Windows and Active Directory to a heterogeneous network comprised of Windows and Unix/Linux/Unix-like operating systems brings together two very different sets of technologies, yet together they can easily reap the benefits of a centralized directory service.  (Yes, yes, I know—you could do the same with an open source LDAP implementation.  But would that open source LDAP implementation support the Windows clients that will inevitably be required on your network?)

If you’re an IT professional (and it’s likely you are if you are reading this), go expand your horizons.  Learn something new that isn’t necessarily related to your core expertise, and see if you can’t also start to bridge the gaps and make some connections that will help you be more effective in your career.

Tags: , , , , , ,

« Older entries