That’s a tricky question. Every user we create in active Directory require an initial password that user will use to connect for the first time. At this step, user account can (and should be configured) to enforce a password change.

From a security point of view there might have some problems with this initial password. It must be communicated to the end-user. If someone have access to the initial password and user identity, he can perform operation on behalf of someone else. To avoid such a situation, one solution can be to disable this account until user contact the help-desk and required activation. Unfortunately this solution may lead to complex situations (eg, email address is not generated for disabled users, …).

Another approach is to be sure that the newly created user cannot be used because nobody know the password. With a random generated password this should be fine. I found an elegant way to respond to this problem with a single PowerShell command : New-ADUser. The trick is to enforce the Smartcard at logon as illustrated bellow :

Enabling the ‘Smartcard is required for interactive logon’s checkbox’ have multiple side effects :

• Resetting it’s password with a random complex password
• Enable the ‘User Must change password at Next Logon’

Because I enabled the Smart card enforcement, a password has been generated and allow me to use the ‘PasswordNotRequired’ parameter configured to ‘$True’. At last we can check, my newly created user exists and is enabled.

At this stage, the user identity exists and I can use it in my Tenant provisioning process for a Private cloud. Because there is no certificate associated to the user and because no one know the initial password, I’m sure that my tenant administrator account cannot be used by someone else.

BenoîtS – Simple and Secure by Design but Business compliant

Pour ceux qui comme moi ont connu Windows 2000, on avait un outil nommé REPLMON.EXE qui nous permettait d’avoir une vue globale de la réplication Active Directory. Cet outil avait disparu avec l’arrivée de Windows Server 2008. La raison invoquée était que REPLMON.EXE avait été développé par les équipes support et non le groupe produit.

Heureusement, une équipe au sein de Microsoft a repris le flambeau avec le AD Replication Status Tool disponible sur le Download Center de Microsoft.

En ce qui me concerne, c’est que du bon. En plus, c’est à la page en terme d’interface graphique et prêt pour Windows Server 2012. Personnellement, je ne pense pas que cela remplace une véritable supervision d’Active Directory mais au moins on a déjà de quoi travailler pour comprendre les problèmes de réplication d’annuaire.

Pour raison de modernité, le produit repose sur le Framework Dot.Net 4.0. Penser donc à l’installer avant. Pour les nostalgiques, la solution n’a pas été testée avec Windows 2000 et de toute façon, elle ne serait pas supportée.

Simple and Secure by design but Business compliant

We’ve been waiting for next major update of Microsoft Forefront UAG 2010 for a while. Today, the UAG product team announced availability of UAG 2010 Service Pack 2. Detailed information about this new service pack are available in the KB2710791. This Service Pack aim to provide more scenarios around ADFSv2 (and Office 365 integration), improved SharePoint support and support for new client devices such as :

• Windows Phone 7.5
• Apple IOS 5.0 on Apple IPhone and Ipad
• Android 4.0 Tablet and phones devices

Service Pack 2 is available from today at this location.

BenoîtS – Simple and Secure by Design but Business compliant

Writing our Direct Access book took us a long time. For this reason and some others, we decided to do not produce an English version. But now, that’s a book I will to have to Write. Ben Ari, is currently writing it’s own Windows Server 2012 DirectAccess book.

It’s book will be dedicated to DirectAccess feature of Windows Server 2012 release. Stay tuned for more news about it.

BenoîtS – Simple and secure by Design but Business compliant