Tag Archives: Windows

Comodo vs. Microsoft

As stated in the previous post, there were some issues with the Comodo PositiveSSL implementation. They were caused by the web server sending an incorrect certificate chain, so verification failed on certain platforms, among them anything using the Android or Firefox certificate stores, which rely on the server to send the complete chain rather than fetching missing intermediates themselves.


A correct certificate chain shows the following certificates:

  • AddTrust External CA Root
  • COMODO RSA Certification Authority
  • COMODO RSA Domain Validation Secure Server CA
  • <your own identity>, on this website *.dullaard.nl

However, the Windows certificate store showed the following chain on the two servers I tested with:

  • COMODO
  • COMODO RSA Domain Validation Secure Server CA
  • <your own identity> on this website being *.dullaard.nl

Windows builds the chain it sends from the local certificate store, so every service on the box that uses this certificate presents the second, short chain, and any client that actually verifies the whole chain ends up with a certificate failure. What needs to be done is to fix the Windows certificate store so that it builds the first chain and not the second; that resolves the issues with Android, Firefox and possibly other clients as well.

Comodo supplies the right certificates on their website, but I didn't use that approach. Looking at the chain through Firefox (running on Ubuntu 14.04) shows it as it should be, and Firefox also lets you export each certificate in the chain. I imported those certificates into the Windows certificate store: the top one goes into the Trusted Root Certification Authorities container, the other two go into the Intermediate Certification Authorities container. I then noticed that it still didn't show properly; searching by serial number I found a certificate in the Trusted Root Certification Authorities container, which I exported and then removed. Once this was done the chain showed up correctly and the errors on both Firefox and Android were gone.
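The check below is an added example, not code from the original post. It lets CryptoAPI build the chain for the site certificate from the local stores, the same way SChannel does when it serves the certificate, compares the result against the AddTrust / COMODO chain listed above, and then lists any Trusted Root entries whose subject matches one of the intermediates. The post only says the stray certificate was found by serial number, so treating "a Root-store entry with an intermediate's subject" as the candidate is an assumption, as is the location of the site certificate in LocalMachine\My.

```powershell
# Added example (not from the original post): report which chain Windows builds
# for the site certificate and list suspicious Trusted Root entries.
# ASSUMPTIONS: site cert lives in Cert:\LocalMachine\My; the stray entry shares a
# subject with an expected CA. Verify (and export) before removing anything.
$expectedRootFirst = @(
    'AddTrust External CA Root',
    'COMODO RSA Certification Authority',
    'COMODO RSA Domain Validation Secure Server CA'
)

# Site certificate: the wildcard name from the post, newest copy if several exist.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.dullaard.nl*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $leaf) { throw 'No *.dullaard.nl certificate found in Cert:\LocalMachine\My' }

# Let CryptoAPI build the chain from the Root and Intermediate stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($leaf)

# ChainElements is leaf first; drop the leaf and keep the CN of every CA above it.
$builtLeafFirst = @($chain.ChainElements | Select-Object -Skip 1 |
    ForEach-Object { $_.Certificate.GetNameInfo('SimpleName', $false) })
$expectedLeafFirst = $expectedRootFirst[($expectedRootFirst.Count - 1)..0]

Write-Host 'CAs Windows puts above the site certificate (closest CA first):'
$builtLeafFirst | ForEach-Object { Write-Host "  $_" }

# Order matters, so compare position by position (SyncWindow 0).
if ($builtLeafFirst.Count -eq 0 -or (Compare-Object $expectedLeafFirst $builtLeafFirst -SyncWindow 0)) {
    Write-Host 'MISMATCH: this server will send the short chain.' -ForegroundColor Red
} else {
    Write-Host 'OK: chain matches the expected AddTrust / COMODO chain.' -ForegroundColor Green
}

# Candidate stray entries: anything in Trusted Root whose subject is one of the
# two intermediates. Export each one before removing it, as the post did.
$intermediates = $expectedRootFirst | Select-Object -Skip 1
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $intermediates -contains $_.GetNameInfo('SimpleName', $false) } |
    ForEach-Object {
        Write-Host ("  Root store holds '{0}', serial {1}, thumbprint {2}" -f $_.GetNameInfo('SimpleName', $false), $_.SerialNumber, $_.Thumbprint) -ForegroundColor Yellow
    }
```

Run it in an elevated PowerShell on the server before and after changing the stores; a green result means the chain Windows hands to SChannel now matches what Firefox on Ubuntu showed. The script only reports; it never deletes, so the export-then-remove step stays a deliberate manual action.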

Adding photos in AD

Active Directory has a thumbnailPhoto attribute in which you can store a small photo. These pictures should preferably be 96 by 96 pixels and no larger than 10 KB. You can create them from an existing source and batch-process them with something like IrfanView so they end up the right size. Several tools can import them into Active Directory and will resize the picture as well, but it can be done with PowerShell too. The features are explained in the source code itself. In short, it reads the pictures from a single source folder where each picture is named after the user's logon name, and checks that the pictures do not exceed the limits above. If the import succeeds the source picture is deleted; if not it is kept and a report is sent, which can prompt someone to look at what is wrong with the picture.
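The import script below only rejects pictures that are too large; it does not resize them. The function here is an added example, not part of the original script, that prepares an original of any size so it passes those checks: it crops to a centred square, scales to 96x96 and re-encodes as JPEG at decreasing quality until the file is under 10 KB. The source and destination paths in the usage lines are assumptions.

```powershell
# Added example, not part of the original script: turn an arbitrary source
# picture into a 96x96 JPEG under 10 KB, i.e. a file the import script accepts.
# Paths in the usage lines at the bottom are assumptions.
Add-Type -AssemblyName System.Drawing

function Convert-ADThumbnail {
    param(
        [Parameter(Mandatory=$true)] [string] $Source,       # any picture System.Drawing can read
        [Parameter(Mandatory=$true)] [string] $Destination,  # <SAMAccountName>.jpg in the content source
        [int] $Size = 96,                                     # thumbnailPhoto guideline: 96x96 pixels
        [int] $MaxBytes = 10240                               # thumbnailPhoto guideline: 10 KB
    )
    $img = [System.Drawing.Image]::FromFile($Source)
    $bmp = $null
    try {
        # Crop to a centred square first so faces are not squashed, then scale down.
        $side = [Math]::Min($img.Width, $img.Height)
        $srcRect = New-Object System.Drawing.Rectangle -ArgumentList ([int](($img.Width - $side) / 2)), ([int](($img.Height - $side) / 2)), $side, $side
        $dstRect = New-Object System.Drawing.Rectangle -ArgumentList 0, 0, $Size, $Size
        $bmp = New-Object System.Drawing.Bitmap -ArgumentList $Size, $Size
        $g = [System.Drawing.Graphics]::FromImage($bmp)
        try {
            $g.InterpolationMode = [System.Drawing.Drawing2D.InterpolationMode]::HighQualityBicubic
            $g.DrawImage($img, $dstRect, $srcRect, [System.Drawing.GraphicsUnit]::Pixel)
        } finally {
            $g.Dispose()
        }

        # Re-encode at decreasing JPEG quality until the result fits the size limit.
        $jpegCodec = [System.Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() |
            Where-Object { $_.MimeType -eq 'image/jpeg' }
        foreach ($quality in 90, 80, 70, 60, 50, 40, 30) {
            $encParams = New-Object System.Drawing.Imaging.EncoderParameters -ArgumentList 1
            $encParams.Param[0] = New-Object System.Drawing.Imaging.EncoderParameter -ArgumentList ([System.Drawing.Imaging.Encoder]::Quality), ([long]$quality)
            $ms = New-Object System.IO.MemoryStream
            try {
                $bmp.Save($ms, $jpegCodec, $encParams)
                if ($ms.Length -le $MaxBytes) {
                    [System.IO.File]::WriteAllBytes($Destination, $ms.ToArray())
                    return $true
                }
            } finally {
                $ms.Dispose()
            }
        }
        return $false   # still too large at the lowest quality; leave it for a human
    } finally {
        if ($bmp) { $bmp.Dispose() }
        $img.Dispose()  # releases the file lock on $Source
    }
}

# Usage (paths are examples): one original, or a whole folder of originals named
# <SAMAccountName>.<ext>, written into the content source the import script reads.
# Convert-ADThumbnail -Source 'C:\Originals\ab.user.png' -Destination '\\Server\Share\Folder\ab.user.jpg'
# Get-ChildItem 'C:\Originals' | ForEach-Object {
#     Convert-ADThumbnail -Source $_.FullName -Destination "\\Server\Share\Folder\$($_.BaseName).jpg"
# }
```

A `$false` return means even quality 30 did not get the picture under 10 KB, which for a 96x96 image only happens with unusual content; those originals are the ones to hand to IrfanView or a person rather than force through.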

#requires -version 2

<#
Program  : ADPhotoImport.ps1
Author   : Eugene Dullaard
Date     : 14-Jul-2014
           - Initial Script

This script will import pictures from a source into Active Directory's
thumbnailPhoto field from a fixed content source.

Requirements:

Photo : 96x96 pixels and smaller than 10Kb
        filename in the format of <username>.jpg

Features :

- Content source is leading, it will search AD accounts by the name of the
  picture. The name without the extension of the picture should be matching
  SAMAccountName in Active Directory and can include dots, for example user
  account ab.user its picture should be ab.user.jpg.
- Check properties of picture before importing so that they comply with above
  requirements, wrong pictures will be added to an output report which is
  send after the script finishes.
- Remove photo once processed, keeping content source clean and allow for
  updating of existing pictures.
- If pictures exist and the corresponding account cannot be found this will
  be added to the output report. In this case the picture will not be removed.
- Runs with both a Content source as well as a Searchbase for the accounts.
- Searchbase will be searched recursively. Picture folder will not, as it
  should delete the pictures once they've been processed. You should keep
  any existing source or have a separate one if pictures need to be kept.
- Screen output for operator to see output while looking at the progress.
- Reporting errors will allow automated use of this script and corrective
  measures taken afterwards.
#>

#Variables (Change these to suit your environment)

$Content = "\\Server\Share\Folder"        # Content Source (Drive/UNC Path)
$Accounts = "OU=Users,DC=domain,DC=tld"   # User Accounts OU
$MailSender = "photoimport@domain.tld"    # Report Sent from mail address
$ReportAddress = "name@domain.tld"        # Report Sent to mail address
$SMTPServer = "mailserver.domain.tld"     # Mail server for relaying message

#Preliminaries

  Import-Module ActiveDirectory
  Add-Type -AssemblyName System.Drawing

  #Generate List of Photos in Content Source
  $Photos = Get-ChildItem $Content -Filter *.jpg

  #Report Header
  $Report = "Error report on ADPhotoImport
==============================
  
Maximum picture dimensions are 96 x 96 pixels, maximum size is 10Kb.

"
  $ReportCheck = $Report.Length           # Used to check for added entries

#Start processing the List of Photos (Main Loop)

$Photos | % {

  # Reset variables
  $File = $_                              # keep the file object; $_ is the error inside catch
  $ErrorStatus = $false
  $Basename = $File.BaseName
  Write-Host "==========================================="
  Write-Host "Processing : $Basename"

  # Check picture dimensions and size, if in error add to log and show on screen.
  # A file System.Drawing cannot decode (corrupt or not really a JPEG) is an error
  # as well; otherwise its bytes would still be written into Active Directory.
  $jpg = $null
  try {
    $jpg = New-Object System.Drawing.Bitmap $File.FullName -ErrorAction Stop
  } catch {
    $Report = $Report + "$File `t Not a readable JPEG image.`n"
    Write-Host "Error..... : Not a readable JPEG image" -ForegroundColor Red
    $ErrorStatus = $true
  }
  if ($jpg) {
    if ($jpg.Height -gt 96) {
      $Report = $Report + "$File `t Pixel height exceeded.`n"
      Write-Host "Error..... : Pixel height exceeded" -ForegroundColor Red
      $ErrorStatus = $true
    }
    if ($jpg.Width -gt 96) {
      $Report = $Report + "$File `t Pixel width exceeded.`n"
      Write-Host "Error..... : Pixel width exceeded" -ForegroundColor Red
      $ErrorStatus = $true
    }
    $jpg.Dispose()                        # release the file lock before Remove-Item
  }
  if ($File.Length -gt 10240) {
    $Report = $Report + "$File `t Size limitation exceeded.`n"
    Write-Host "Error..... : File size exceeded" -ForegroundColor Red
    $ErrorStatus = $true
  }

  # Check for AD Account within the Searchbase, if not existing add to log.
  $user = Get-ADUser -SearchBase $Accounts -Filter {SAMAccountName -eq $Basename}
  if ($null -eq $user) {
    $Report = $Report + "$File `t No AD user has been found.`n"
    Write-Host "Error..... : No matching user account" -ForegroundColor Red
    $ErrorStatus = $true
  }

  # If no errors are found, insert/replace picture and delete from content source.
  # The account found above is used as the identity, so only accounts under the
  # Searchbase are ever updated.
  if ($ErrorStatus -eq $false) {
    # ReadAllBytes works in Windows PowerShell and PowerShell 7 alike
    # (Get-Content -Encoding Byte no longer exists in PowerShell 7).
    [byte[]]$photo = [System.IO.File]::ReadAllBytes($File.FullName)
    Set-ADUser -Identity $user -Replace @{thumbnailPhoto=$photo}
    Remove-Item $File.FullName
  }

} # End Main Loop

# Check Report Change, if changed send report
If ($Report.Length -ne $ReportCheck) {
  Send-MailMessage -From $MailSender -To $ReportAddress -Subject "AD Photo Import Error Report" `
    -SmtpServer $SMTPServer -Body $Report
}

Update: In order to see which accounts do not have a thumbnail photo you can enter the following command in PowerShell:

Get-ADUser -Filter * -SearchBase "OU=Users,DC=domain,DC=tld" -properties thumbnailPhoto | ? {!$_.thumbnailPhoto} | select Name,SAMAccountName

If you want to see a list of who has a thumbnail photo remove the ‘!’ in the code line above.

Bye bye XP…

… and did we have fun with you. One of those things was the TCP/IP Filtering option. Configure it to deny all traffic and what you got was a box that obtained an IP address through DHCP and then dropped all traffic towards the network. Do that to an unsuspecting helpdesk employee (who forgot to lock his or her desktop) and a world of joy unfolds…

Anyway, after a longer than usual lifespan it is time to look somewhere else now.

First Post on the new Blog

A continuation of the previous Windows SharePoint Services based blog, which I had wanted to migrate to SharePoint Foundation 2010 for a long time; however, the ending of TechNet subscriptions forced me to look for other alternatives that do not expire every three to six months or cost a fortune to maintain. I used TechNet mostly for testing, but the services you see on the outside were also built on the subscription. All of these will slowly but surely be moved to open source for most of the functionality used by myself and members of the family. As at the time of writing I am still mostly a Windows system engineer, the majority of the hardware resources in use will still be dedicated to prototyping solutions based on a variety of software coming from Redmond; however, the continuously running parts of the setup are now Linux based. I doubt that Microsoft will revise the policies around TechNet, as it was used a lot for pirating. However, since I don't have much time to test things within the time limits that Microsoft sets, there is a small penalty which currently relates directly back to my work. Or I'll simply introduce the solutions I now build privately at work… Anyway, I hope to make some more contributions over time compared to the last few years, and to see if I can move over all the old entries that are currently still in the Windows SharePoint Services portal while retaining their metadata.