Virtual Labs Office 365

TRAINING COURSE: BUILDING AN OFFICE365 PRACTICE LABS SYSTEM


Design Labs for Office 365

I. Introduction to the course

1. Purpose:

– Today, at most enterprises, universities, colleges, schools and other organizations, the IT management systems in use are largely decentralized, have no foundational PaaS or VDI architecture, or offer no solution that reaches all the way down to the actual end users.

– Service and training costs are regularly high and require continual reinvestment.

– To give organizations more initiative in controlling and developing their technology infrastructure management systems, and to create good conditions for the organization's growth, we offer training and consulting courses on building practice LABs systems for many different organizational models.

– One of our training topics is: “Building an OFFICE365 practice LAB system”.

2. Content:

In this course you will learn and practice how to configure, install, build and operate an OFFICE365 LAB system on a VMware virtualization environment.

The course aims to give students general, end-to-end knowledge of the following:

  1. Methods and process for building the solution.
  2. The virtual network system (vNIC).
  3. The virtual server system (VMs).
  4. Designing vApp components.
  5. IT administrators at universities, colleges, schools and enterprises who need to set up an Office365 system with the following functions:

II. Participants

– Building a user management system and assigning user permissions.

– Synchronizing ADDC user accounts with the Office365 cloud.

– Setting up a single sign-on system.

  1. IT department staff at organizations and companies who also need to learn how to set up an Office365 system for their organization.
  2. Basic knowledge of the Windows / Linux operating systems and of networking.
  3. Basic knowledge of virtualization with VMware vSphere, Virtual Box, Microsoft Hyper-V.
  4. Preference is given to those with knowledge of ADDC systems.

III. Requirements for students

  1. Basic knowledge of the Windows / Linux operating systems and of networking.
  2. Basic knowledge of virtualization with VMware vSphere, Virtual Box, Microsoft Hyper-V.
  3. Preference is given to those with knowledge of ADDC systems.

IV. Benefits of taking the course:

  1. Students can independently build an Office365 practice LABs system: create a practice environment for development and training, experiment with user management systems, synchronize user accounts with the Office365 cloud, and set up domain account registration.
  2. IT departments: gain a solid grounding in Labs systems and can take the initiative in configuring and building the system, and in registering and deploying Office365 for their enterprise or organization.

Course schedule at the ROBUSTA Institute of IT Training and Management, Hanoi

If you need a course outside the schedule above, please contact Robusta

No. | Course | Start date | Hours | Days | Duration | Tuition | Lecturer

VMware technology courses
1 | Deploying and administering virtualization infrastructure with VMware vSphere 5.5 | 05-05-2014 | 18h-21h | Mon-Fri | 40 hours | Contact us | Vietnam
2 | | 10-05-2014 | 09h-17h | Sat, Sun | 40 hours | Contact us | Vietnam
3 | | 12-05-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam
4 | VMware vSphere: Optimize & Scale [v5.1] | 26-05-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam
5 | VMware desktop and application virtualization [v5.5] | 19-05-2014 | 18h-21h | Weekdays | 40 hours | Contact us | Vietnam
6 | | 09-06-2014 | 18h-21h | Mon, Wed, Fri | 40 hours | Contact us | Vietnam
7 | VMware vCenter Configuration Manager for Virtual Infrastructure Management [V5.x] | 04-06-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Foreign
8 | VMware vCenter Operations Manager: Analyze and Predict [V5.x] | 02-06-2014 | 09h-17h | Weekdays | 16 hours | Contact us | Foreign
9 | VMware vCenter Configuration Manager for Virtual Infrastructure Management [V5.x] | 04-06-2014 | 09h-17h | Weekdays | 24 hours | Contact us | Foreign

Microsoft courses
1 | Office365 Comprehensive | 05-05-2014 | 09h-17h | Weekdays | 24 hours | 06 million | Vietnam
2 | | 05-05-2014 | 18h-21h | Mon, Wed, Fri | 24 hours | 06 million | Vietnam
3 | Manage Projects with Microsoft Project 2010 | 12-05-2014 | 18h-21h | Mon, Wed, Fri | 24 hours | 05 million | Vietnam
4 | BizTalk Server development for programmers | 12-05-2014 | 09-17h | Weekdays | 40 hours | Contact us | Vietnam
5 | BizTalk Server administration | 26-05-2014 | 09-17h | Weekdays | 40 hours | Contact us | Vietnam
6 | BizTalk development for enterprise application integration | 02-06-2014 | 09-17h | Weekdays | 40 hours | Contact us | Vietnam
7 | | 02-06-2014 | 18h-21h | Tue, Thu, Sat | 40 hours | Contact us | Vietnam
8 | Designing and developing Microsoft SharePoint applications | 19-05-2014 | 18h-21h | Mon, Wed, Fri | 40 hours | Contact us | Vietnam
9 | Designing Microsoft SharePoint infrastructure architecture | 26-05-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam
10 | ADVANCED TRAINING COURSE: TUNING SHAREPOINT 2010 FOR HIGH PERFORMANCE | 23-06-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam
11 | Designing BI solutions with Microsoft SQL Server | 09-06-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam

Other courses
1 | IT Management and Information Security | 19-05-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam
2 | | 19-05-2014 | 18h-21h | Mon, Wed, Fri | 40 hours | Contact us | Vietnam
3 | IT Management Skills | 16-06-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam
4 | ITIL – Information Technology Infrastructure Library Foundation V3 | 16-06-2014 | 18h-21h | Mon, Wed, Fri | 24 hours | Contact us | Vietnam
5 | Designing PHP and HTML5 websites using industrial production methods | 27-4-2014 | 08h-12h | Sunday | 4 hours | 01 million | Vietnam

 

Special offers:

– Special discount for students who register and pay at least 02 weeks before the start date, or who register as a group of 02 or more.

For details, please contact:

Lê Trường Sơn (Mr.) – Mobile : (+84) 0904 411 933 – Email: son.le@robusta.vn

Lê Toàn Thắng (Mr.) – Mobile : (+84) 943 851 178 – Email: thang.le@robusta.vn

Thank you. We look forward to working with and supporting you and your organization in the near future!

Australian International School Implements Microsoft Live@edu, Saves $40,000 in Six Months


“Live@edu is a cloud solution which technical jobs are backed end by Microsoft engineers, therefore it reduces implementation, deployment, maintenance time as well as management time. In general, I am advanced from Live@edu…”

Tho Le, Manager of Technology, Australian International School

AIS is one of the international schools that has invested heavily in technology applications for education. To meet the email needs of its current teachers and students, the school would have to invest significantly in Exchange Server and AD Server. In the first six months after deploying the Live@edu system, the school has saved $40,000. The system is also improving email reliability and giving teachers a more convenient and collaborative work environment.

 

Business Needs

AIS first opened its doors in August 2006, and now has over 500 students in 3 campuses.  Since Day 1, AIS has been recognized for its focus on learning in an environment that is both friendly and supportive.  With excellent teachers and facilities in campuses that are conveniently located, safe and secure, AIS has quickly become one of the top international schools in HCMC.

The Australian International School operates from three purpose-built campuses.  The well-resourced campuses are located in beautiful, secure and serene settings with excellent libraries, ICT suites and science labs, visual art and music studios, outdoor swimming pools, basketball courts and age-appropriate playgrounds and sports fields.

Information and Communication Technologies are integral to teaching and learning at AIS and the School continually upgrades its facilities to maintain the highest standard of ICT.

The students are equipped with a broad variety of Information Communication Technologies (ICT) to stay abreast with the pace of change in our world.  ICT learning is not separate from traditional areas of learning, but embedded throughout the curriculum. Students engage in music compositions and use traditional and digital animation editing software; web design and construction; wikis; mathematics software; data probes and analysis software alongside the usual Office suite. They are encouraged to be creative with digital presentation and to stand out from the crowd, which will prepare them for a future where competition in this field will be high.

The School offers a web-based learning platform.  The AIS Community Portal allows the whole school community to log in and engage with student learning and school activities from anywhere with an internet connection.  In this way ICT provides learning experiences when and where they are needed and allows students to progress at their own pace.

Customer: Australian International School

Website: http://www.aisvietnam.com

Customer Size: 100 employees

Country or Region: Vietnam

Industry: Education–K-12

Customer Profile

The Australian International School is located in southwest Ho Chi Minh City. AIS has over 500 students in 3 campuses.

Software and Services

·    Services

   Microsoft Live@edu

   Microsoft Office Live

   Microsoft SSO Kit for SharePoint2010

   Microsoft Office Outlook Live

   Microsoft Forefront Online

   Windows Live SkyDrive

For more information about other Microsoft customer successes, please visit: http://www.microsoft.com/casestudies

 

Solution

When it started in Vietnam, AIS focused on developing information technology to run and support its learning system. Building on the Microsoft platform, it used Exchange Server 2010 to manage email and synchronize the database of students, faculty and staff.

From March 2012, AIS began taking part in the Microsoft Live@edu program, setting up Outlook Live and SharePoint services. The email system now has about 520 student accounts and 100 staff accounts and is used as one of the main applications for learning and teaching.

At AIS, SharePoint and Live@edu work together: SharePoint provides not only a central place to store information and processes but also an environment where staff can work together effectively. Live@edu gives a reliable way to communicate as well as to receive alerts from SharePoint via email. Together, SharePoint and Live@edu open up a new, professional way of working in the organization.

After nearly 6 months of using Live@edu, AIS is generally happy with this solution as well as with the partner’s support (AT.COM).

 

Objectives:

1. SharePoint deployment objectives for students, lecturers and parents
The main objective of deploying SharePoint is to create a central point for documentation as well as a place to facilitate collaboration.
2. Live@edu deployment objectives
The initial goal when implementing Live@edu is to provide a reliable, stable and cost-effective email solution.
3. Single Sign On
Upgrade to a new version which integrates easily with many other systems such as the SSO SharePoint Portal.
Ready for integrating other solutions like SharePoint LMS E-learning, Moodle, Lync Online, Web Office Apps via Skype.

Benefits

By implementing Live@edu, Australian International School is enjoying more reliable email communications, saving significant costs, and giving teachers and staff a work environment that is more convenient and collaborative.

 

Enhanced Reliability

Since the beginning, AIS has noticed reliability improvements from having replaced its onsite email infrastructure with Outlook Live.

“Live@edu is a cloud solution which technical jobs are backed end by Microsoft engineers, therefore it reduces implementation, deployment, maintenance time as well as management time. In general, I am advanced from Live@edu,” Tho Le says.

Impressive Cost Savings

Yearly savings come from avoiding the licensing costs of email anti-virus and anti-spam software, and the bonus savings in the first year come from avoiding a server hardware replacement.

 

With the savings enabled by moving to Live@edu, AIS are able to preserve other IT initiatives that had been considered for cancellation—such as a web-based video archive that is popular with teachers and students alike.

 

Great Collaboration

With SkyDrive enabling document creation and storage to move to the cloud, teachers and staff enjoy not only more convenience but also more collaboration. Teachers are working on lesson plans and class presentations from home or elsewhere, without having to remember to back up files to a portable drive and carry it around with them. Teachers are also using the cloud for sharing photo- and video-based materials and eventually will use it for collaborating on a common curriculum.

The advice AIS would give another school evaluating Live@edu is to use it. Moreover, Live@edu is going to be upgraded to Office 365, which provides even more great features such as Lync and SharePoint Online.

This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

 

Document edited October 2012


How do you synchronize with Active Directory Sync when the username and password are encrypted according to the 32/64-bit OS?


Part 1. Password Filter for OS

 

Contents

I. Password Filters
  1. Password Filter Functions
  2. Password Filter Programming Considerations
  3. Installing and Registering a Password Filter DLL
     To install and register a Windows password filter DLL
II. Enforce Custom Password Policies in Windows
III. Configuring Security Policy
IV. The RegEx Password Filter Sample
V. Installing the Password Filter
VI. Source Code Compiler by VC++
     Download boots link
     Error when Building
     Installation

 

 

I. Password Filters

Password filters provide a way for you to implement password policy and change notification.

When a password change request is made, the Local Security Authority (LSA) calls the password filters registered on the system. Each password filter is called twice: first to validate the new password and then, after all filters have validated the new password, to notify the filters that the change has been made. The following illustration shows this process.


Password change notification is used to synchronize password changes to foreign account databases.

Password filters are used to enforce password policy. Filters validate new passwords and indicate whether the new password conforms to the implemented password policy.

For an overview of using password filters, see Using Password Filters.

For a list of password filter functions, see Password Filter Functions.

The following topics provide more information about password filters:

 

1.  Password Filter Functions

The following password filter functions are implemented by custom password filter DLLs to provide password filtering and password change notification.

Function | Description
InitializeChangeNotify | Indicates that a password filter DLL is initialized.
PasswordChangeNotify | Indicates that a password has been changed.
PasswordFilter | Validates a new password based on password policy.

 

2.  Password Filter Programming Considerations

When implementing password filter export functions, keep the following considerations in mind:

  • Take great care when working with plaintext passwords. Sending plaintext passwords over networks could compromise security. Network “sniffers” can easily watch for plaintext password traffic.
  • Erase all memory used to store passwords by calling the SecureZeroMemory function before freeing memory.
  • All buffers passed into password notification and filter routines should be treated as read-only. Writing data to these buffers may cause unstable behavior.
  • All password notification and filter routines should be thread-safe. Use critical sections or other synchronous programming techniques to protect data where appropriate.
  • Password notification and filtering take place only on the computer that houses the account.
  • All domain controllers are writeable, therefore password filter packages must be present on all domain controllers.

Windows NT 4.0 domains: Notification on domain accounts takes place only on the primary domain controller. In addition to the primary domain controller, the password filter packages should be installed on all backup domain controllers to allow notifications to continue in the event of server role changes.

  • All password filter DLLs run in the security context of the local system account.

For information about | See
How to install and register your own password filter DLL. | Installing and Registering a Password Filter DLL
The password filter DLL provided by Microsoft. | Strong Password Enforcement and Passfilt.dll
Export functions implemented by a password filter DLL. | Password Filter Functions

 

3.  Installing and Registering a Password Filter DLL

You can use the Windows password filter to filter domain or local account passwords. To use the password filter for domain accounts, install and register the DLL on each domain controller in the domain.

Perform the following steps to install your password filter. You can perform these steps manually, or you can write an installer to perform these steps. You need to be an Administrator or belong to the Administrator Group to perform these steps.

To install and register a Windows password filter DLL

1. Copy the DLL to the Windows installation directory on the domain controller or local computer. On standard installations, the default folder is \Windows\System32. Make sure that you create a 32-bit password filter DLL for 32-bit computers and a 64-bit password filter DLL for 64-bit computers, and then copy them to the appropriate location.

2. To register the password filter, update the following system registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

If the Notification Packages subkey exists, add the name of your DLL to the existing value data. Do not overwrite the existing values, and do not include the .dll extension.

If the Notification Packages subkey does not exist, add it, and then specify the name of the DLL for the value data. Do not include the .dll extension.

The Notification Packages subkey can add multiple packages.

3. Find the password complexity setting.

In Control Panel, click Performance and Maintenance, click Administrative Tools, double-click Local Security Policy, double-click Account Policies, and then double-click Password Policy.

4. To enforce both the default Windows password filter and the custom password filter, ensure that the Passwords must meet complexity requirements policy setting is enabled. Otherwise, disable the Passwords must meet complexity requirements policy setting.

 

 

II.                Enforce Custom Password Policies in Windows

 

Most people take the easy way out and use the default filter in order to validate passwords. But did you know you can employ authentication modules to customize your password policies to reflect your organization’s unique security requirements? Find out how in this article.

by Yevgeny Menaker

Microsoft Windows allows you to define various password policy rules. Specifically, it allows you to enable the “Password must meet complexity requirements” setting using the Policy Editor. This validates user passwords against password filter(s) (system DLL(s)). Usually, people use the default filter. However, many admins say they’d prefer a Linux-style validation, which would allow them to install various pluggable authentication modules (Linux-PAM modules) to filter user passwords (authentication tokens). You can easily adapt these modules to reflect your organization’s security policy with the help of Linux configuration text files. The ability to add on such modules creates more flexibility in composing password policies. With the help of such custom modules (of course, these modules should be developed by Linux programmers), Linux administrators may even author a regular expression for matching user passwords. Go to www.kernel.org/pub/linux/libs/pam/ for more detailed information about Linux-PAM and the available modules.

 

The Linux model described above may be employed on Windows machines as well.

What You Need: Windows NT/2000/XP


In this article, learn how to create a Custom Password Filter (DLL in C++) that validates passwords against a configurable regular expression. The RegEx functionality is implemented based on the Boost open source library because it has wide support for regular expressions.

Let’s start with an overview of the Windows Security system.

Windows Security
Windows Security is a policy-based system with a set of rules that compose security settings for a local machine or domain. The work of policy-based systems usually has three major stages:

  1. Creating rules to compose a policy.
  2. Searching for evidence.
  3. Enforcing policy based on the evidence.

There is a parallel between the above stages and real-life legal systems. Most countries have an authority (usually parliament or senate) that makes laws. This corresponds to the first stage (composing the policy). Police departments are the guards of the legal system, responsible for collecting evidence (e.g. measuring car speed on highways) and enforcing the existing laws based on that evidence (e.g. canceling a driving license in case of exceeding the speed limit). So, a police force corresponds to the second and third stages.

In Windows security, system administrators play the role of parliament. They dictate the policy for an organization domain. In some cases, regular users also design security policy (e.g. when choosing their own passwords). The police uniform is given to the local security authority (LSA) Windows sub-system. LSA collects evidence for decision-making and enforces the policies (laws). The LSA sub-system is represented by the lsass.exe Windows process and several system DLLs.

 

III.             Configuring Security Policy

System Administrators are usually responsible for configuring Security Policy. Since this article is about password filters, I’ll use configuring Password Policy as the example.

 


 

Figure 1. The “Local Security Policy” Management Console: This shows the list of security settings that compose your password policy on the local machine.

 

As mentioned previously, regular users are involved in composing security settings when they choose their own log-on passwords. However, because a weak password can create a vulnerable system and compromise organization security, system administrators need more control over this issue and must disallow passwords that are too simple, too short or vulnerable to dictionary attacks. In other words, you need to compose a password policy that meets your organization’s security requirements.

To edit security policies, you can use either the secedit.exe command line utility or the “Domain Security Policy” graphical console available from Control Panel -> Administrative Tools on the domain controller machine. With this tool, you will govern the security policy for all the computers in the Windows domain. Note that in case of workstation machine, only the “Local Security Policy” console is installed (shown in Figure 1). Local policy affects settings on the local machines and it doesn’t override domain policy. Thus, the security settings will be effective for local machine users, but not for domain users. This article uses the graphical tool to alter security settings on the local machine.


 

Figure 2. Editing Password Policy Rules: Double-click the “Minimum password length” item to display the dialog window.

 

The left pane of the management console contains an Explorer-like tree. Each node represents a different Security Policy. In this example, you’ll make modifications to the Password Policy to require users to choose long enough passwords (at least 10 characters). Here’s how to do it:

Expand the “Account Policies” node and select “Password Policy.” On the right pane of the management console, you should see a list of security settings (rules) that compose the password policy as shown in Figure 1. Double-click the “Minimum password length” item to display the dialog window (Figure 2). Edit the text field, setting the minimum password length to 10 characters, and click OK.

Congratulations! The new rule is ready. From now on, LSA will not allow your users to choose passwords shorter than 10 characters.

An interesting rule from the Password Policy set is “Password must meet complexity requirements.” This rule may be either Disabled or Enabled. In the Disabled state it has no effect. Enabling this rule instructs LSA to validate each password against Password Filters. If you don’t provide any filter, the default is used (which is considered relatively strong). However, the default allows simple passwords, such as Paris123. You definitely want more powerful filters and this is where Custom Password Filters can be helpful.

What Is a Password Filter?
A Password Filter plays a primary role in decision-making regarding user passwords. By definition, a Password Filter is a system DLL that exports three functions with the following prototypes (note the __stdcall calling convention):

    BOOLEAN __stdcall InitializeChangeNotify(void);     // (1)

    BOOLEAN __stdcall PasswordFilter(                   // (2)
        PUNICODE_STRING AccountName,
        PUNICODE_STRING FullName,
        PUNICODE_STRING Password,
        BOOLEAN SetOperation
    );

    NTSTATUS __stdcall PasswordChangeNotify(            // (3)
        PUNICODE_STRING UserName,
        ULONG RelativeId,
        PUNICODE_STRING NewPassword
    );

How does LSA interact with Custom Password Filters by means of the above interface? First, assume that the “Password must meet complexity requirements” rule is Enabled. On the system startup, LSA loads all the available Password Filters and calls the InitializeChangeNotify() function. When LSA receives TRUE as a return value, this means that the Password Filter loaded successfully and functions properly. Upon this call, LSA also builds a chain of available Password Filters (those that returned TRUE).

When you’re giving a password to a new user or modifying an existing user’s password, LSA assures that every link in Password Filters Chain is satisfied with a new password. LSA invokes the PasswordFilter() function of each filter in the chain. If one filter in a chain returned FALSE, LSA does NOT continue calling the next filter. Instead, it asks the user to provide another password. If every call to PasswordFilter on every filter returns a TRUE value, a new password is approved and each filter is notified about it through the PasswordChangeNotify() function.

As you can see, the Password Filter is a handy tool for LSA (or, the Windows Police), acting as a speed trap for highway patrol, helping to collect evidence from the “field.” This evidence is useful in the third stage, where policies are enforced.

Before You Implement…
Consider the following issues before you start coding your own Password Filters:

*       Treat sensitive data carefully. The PasswordFilter and PasswordChangeNotify functions receive passwords in clear-text format. These passwords should be processed fast and shouldn’t leave any trails in your memory for malicious applications to capture. Introduced in Windows 2003, the SecureZeroMemory Win32 API cleans specified memory. Traditional ZeroMemory may be not enough, since “smart” compilers will optimize your code and remove calls to this API. To make sure there are no such “useful” optimizations, read a random byte from a password string after it was filled with zeros.

*       Make your filters fast and efficient. When LSA calls into the Password Filter function, most Windows processing stops, so make sure you don’t perform any lengthy operations.

*       Expect the unexpected. Because LSA loads password filters during start-up, if something goes wrong, your system may become inoperable or go into deadlock. To avoid this, develop and test your DLLs on machines that have at least two operating systems installed. I have Linux and XP on my box and I found it highly useful when preparing this article. When I encountered problems, I booted from Linux and deleted the Password Filter DLL.

*       Log your actions. Password Filters run in the context of the lsass.exe process. I don’t recommend debugging this process, because after you close the debugger and end the process, your system will shutdown. The best way to debug your already-running filter is to write the log files to disk and follow them to fix the bugs.

*       Pre-debug your DLL. While lsass.exe debugging is not recommended, you may test your fresh Password Filter by writing a small unit-test program. In this program, load your DLL with a call to the LoadLibrary Win32 API and invoke the exported functions (after getting their addresses with GetProcAddress Win32 API calls). This way, you may check that your filter doesn’t crash and functions properly.

 

IV.            The RegEx Password Filter Sample

Now that you’re aware of all the possible pitfalls, it’s high time for code action. This section will walk you through the sample provided with this article. I’ve created a VS7 solution with the PasswordFilterRegEx VC project.

As the Password Filter definition requires, you export three functions. Here’s the code for the DEF file included within the sample project:

    LIBRARY PasswordFilterRegEx
    EXPORTS
        InitializeChangeNotify
        PasswordChangeNotify
        PasswordFilter

The PasswordFilterRegEx.cpp contains source code for the exported functions. The implementations of InitializeChangeNotify and PasswordChangeNotify are quite simple:

    // Initialization of Password filter.
    // This implementation just returns TRUE
    // to let LSA know everything is fine
    BOOLEAN __stdcall InitializeChangeNotify(void)
    {
        WriteToLog("InitializeChangeNotify()");
        return TRUE;
    }

    // This function is called by LSA when password
    // was successfully changed.
    //
    // This implementation just returns 0 (Success)
    NTSTATUS __stdcall PasswordChangeNotify(
        PUNICODE_STRING UserName,
        ULONG RelativeId,
        PUNICODE_STRING NewPassword
    )
    {
        WriteToLog("PasswordChangeNotify()");
        return 0;
    }

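The bulk of the work is done in the PasswordFilter function (shown in Listing 1). First, create a zero-terminated copy of the password string and assign it to an STL wstring object (STL is used in conjunction with the boost regex library):

    // UNICODE_STRING::Length is a byte count and Buffer is not guaranteed to be
    // NUL-terminated, so compute the character count before copying.
    size_t cchPassword = Password->Length / sizeof(wchar_t);
    // The buffer keeps its original size (more than cchPassword + 1 elements)
    // and is zero-initialized, because the clean-up code later in the function
    // sizes its work from Password->Length. new (std::nothrow) needs <new>;
    // plain new throws instead of returning NULL.
    wszPassword = new (std::nothrow) wchar_t[Password->Length + 1]();
    if (NULL == wszPassword)
    {
        throw E_OUTOFMEMORY;
    }
    wcsncpy(wszPassword, Password->Buffer, cchPassword);
    wszPassword[cchPassword] = 0;
    WriteToLog("Going to check password");
    // Initialize STL string
    wstrPassword = wszPassword;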

Next, the regular expression is instantiated. The sample Password Filter reads the regular expression from the RegEx value of the following registry key:

HKEY_LOCAL_MACHINE\Software\DevX\PasswordFilter

If the value is not found in registry, the dummy default regular expression (“^(A)$”) is used.

Finally, validate the password against the regular expression and return the results to the caller (LSA):

    WriteToLog("Going to run match");
    // Prepare iterators
    wstring::const_iterator start = wstrPassword.begin();
    wstring::const_iterator end = wstrPassword.end();
    match_results<wstring::const_iterator> what;
    unsigned int flags = match_default;
    bMatch = regex_match(start, end, what, wrePassword);
    if (bMatch)
    {
        WriteToLog("Password matches specified RegEx");
    }
    else
    {
        WriteToLog("Password does NOT match specified RegEx");
    }
    . . .
    return bMatch;

Just before you return the results to LSA, perform memory clean-up:

    // Erase all temporary password data
    // for security reasons
    wstrPassword.replace(0, wstrPassword.length(), wstrPassword.length(),
                         (wchar_t)'?');
    wstrPassword.erase();
    if (NULL != wszPassword)
    {
        ZeroMemory(wszPassword, Password->Length);
        // Make sure the compiler does not optimize the zeroing away: read a
        // random character from the cleaned part of the password string.
        // Length is a byte count, so convert it to characters first; the
        // check also avoids a division by zero for an empty password.
        size_t cchCleaned = Password->Length / sizeof(wchar_t);
        if (cchCleaned > 0)
        {
            srand(time(NULL));
            wchar_t wch = wszPassword[rand() % cchCleaned];
        }
        delete [] wszPassword;
        wszPassword = NULL;
    }
    return bMatch;

 

V.              Installing the Password Filter

Note: To filter passwords for domain users, use the "Domain Security Policy" console on the domain controller machine and install your password filter there. In this example, the entire configuration is done on the local machine, so the Password Filter will validate passwords for my local machine accounts. Follow this procedure to activate your fresh Password Filter (the same procedure applies to the domain controller):

*       Enable the “Password must meet complexity requirements” rule of the Password Policy.

*       Copy the Password Filter DLL to the %SystemRoot%\system32 folder on your machine.

*       Open the Registry Editor (regedit.exe) and locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

*       Modify the “Notification Packages” multi-string value of the above key and add your Password Filter file name without the “.dll” extension. Add the PasswordFilterRegEx string as shown in Figure 3.


Figure 3. Editing “Notification Packages”: Add the PasswordFilterRegEx string.

 

*       Close Registry Editor and restart your machine.

Your Password Filter in Action
After you've installed Password Filter and restarted your machine, you're ready for testing. The source code includes a simple regular expression for testing purposes. Find it in the RegEx value of the HKLM\Software\DevX\PasswordFilter key (the PasswordFilter.reg file is provided with the code for your convenience):

^([a-zA-Z]+)(\d+)([a-zA-Z]+)$

In other words, start with letters, have some digits in the middle and end up with letters again. This regular expression is not recommended as a strong Password Regular expression, but it is useful for assessing whether your Password Filter does its job.


Figure 4. Creating a New User: Select Expand Local Users and Groups, right-click on the Users node, and choose the New User menu item.

 

Remember that this filter comes after the default Windows filter in the chain. So, in order to have any effect, it needs tougher requirements than the default. The Paris2003 password will validate against the default filter, but the test regular expression won't match it. To check this, create a new user. If you use a domain controller, create the user with Active Directory. On a stand-alone workstation, right-click My Computer and choose the Manage item from the context menu. Expand Local Users and Groups, right-click the Users node, and choose the New User menu item as shown in Figure 4.

Fill in the new user's details and assign a password. Try a simple one (e.g. Paris2003) and you will get an error message from LSA (Figure 5). Try a different, more complex password (e.g. Paris2003A) and it will be accepted.
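The following added example (not the article's code) reproduces the filter's copy, match and wipe steps in portable C++, using std::wregex in place of Boost, and runs them on the two test passwords. CountedString, View, Wipe and FilterAccepts are hypothetical names standing in for UNICODE_STRING and the DLL's internals, and rejecting the password when the expression is malformed is an assumption.

```cpp
#include <cstddef>
#include <regex>
#include <string>

// Portable stand-in for the Windows UNICODE_STRING (constructed for this
// example). As in the real structure, Length is a BYTE count and Buffer
// is not guaranteed to be zero-terminated.
struct CountedString {
    unsigned short Length;   // bytes, not characters
    const wchar_t* Buffer;
};

// The test expression shipped in the article's PasswordFilter.reg.
static const wchar_t* const kTestRegEx = L"^([a-zA-Z]+)(\\d+)([a-zA-Z]+)$";

// Overwrite through a volatile pointer so the stores cannot be optimised away,
// then release the contents. Safe for an empty string.
static void Wipe(std::wstring& s) {
    volatile wchar_t* p = s.empty() ? nullptr : &s[0];
    for (std::size_t i = 0; i < s.size(); ++i) p[i] = L'\0';
    s.clear();
}

// Returns true when the filter would accept the password.
bool FilterAccepts(const CountedString& password,
                   const wchar_t* pattern = kTestRegEx) {
    // Convert the byte count to characters and copy exactly that many,
    // so nothing past the end of the caller's buffer is read.
    const std::size_t cch = password.Length / sizeof(wchar_t);
    std::wstring copy(password.Buffer, cch);

    bool ok = false;
    try {
        const std::wregex re(pattern);
        ok = std::regex_match(copy, re);   // whole-string match
    } catch (const std::regex_error&) {
        ok = false;   // assumption: a malformed expression fails closed
    }
    Wipe(copy);       // runs on every path before returning
    return ok;
}

// Helper: describe the first `cch` characters of `text` as a counted string.
CountedString View(const wchar_t* text, std::size_t cch) {
    CountedString s = { static_cast<unsigned short>(cch * sizeof(wchar_t)), text };
    return s;
}
```

Because only Length bytes are copied, characters lying beyond the counted region of the buffer never reach the regular expression.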

The Secret Is Out
While there are several commercial products that implement Password Filters, it isn't really all that difficult. Now that you understand how they work, you can provide your own, customized solution.

Figure 5. Error!: This password doesn't meet the complexity requirements.

VI.            Compiling the Source Code with VC++

 

       Boost download link: http://nchc.dl.sourceforge.net/project/boost/boost/1.50.0/boost_1_50_0.zip

 

       Error when Building:

I wrote a project which uses <boost/thread/locks.hpp>. I added the include directory to Additional Include Directories, and the lib folder to the linker. But when I try to build the solution, I get this error:

Error 1 error LNK1104: cannot open file ‘libboost_thread-vc100-mt-sgd-1_50.lib’

I searched for this file in the lib directory, but there is no file with this name there. I found a file with a similar name, libboost_thread-vc100-mt-gd-1_50.

       Answer: I built them by following the guide at boost.org/doc/libs/1_50_0/doc/html/bbv2/installation.html

       Installation

To install Boost.Build from an official release or a nightly build, as available on the official web site, follow these steps:

1.     Unpack the release. On the command line, go to the root of the unpacked tree.

2.     Run either .\bootstrap.bat (on Windows), or ./bootstrap.sh (on other operating systems).

3.     Run

./b2 install --prefix=PREFIX

where PREFIX is a directory where you want Boost.Build to be installed.

4.     Optionally, add PREFIX/bin to your PATH environment variable.

If you are not using a Boost.Build package, but rather the version bundled with the Boost C++ Libraries, the above commands should be run in the tools/build/v2 directory.

Now that Boost.Build is installed, you can try some of the examples. Copy PREFIX/share/boost-build/examples/hello to a different directory, then change to that directory and run:

PREFIX/bin/b2

A simple executable should be built.

How to Create User Accounts from a Spreadsheet with VBScript


This is THE key VBScript page for creating Active Directory accounts. The User object has many attributes, consequently the VBScript will be complex. My tutorial will provide step-by-step instructions to import Users into your domain from values held in an Excel spreadsheet. The benefit of mastering how to build a user object is that creating the other objects such as computer, group or OU will be so much easier.

Our Mission and Goals

Our goal is to read user properties from a spreadsheet, and to use that data as a source of names for new User Accounts. Whilst my previous user script only created one user, with this script you could create an account for every user in your organization.

In order to access the user's properties in the spreadsheet we need a new scripting object. Fortunately, VBScript has a method called CreateObject("Excel.Application"), which handles data transfer between the spreadsheet and Active Directory. The other scripting technique is the classic loop. In this instance I chose Do… Until empty, which cycles through the cells reading the users' properties. (Other scripts employ For… Then…. Next constructions.)

Example Script to Create User Accounts from a Spreadsheet

It is best to divide our mission into two phases, firstly build the spreadsheet, secondly master the VBScript techniques to open that spreadsheet and create a new user based on the data in each row.

Before you script any object, have a walk-through with Active Directory Users and Computers. Creating the object manually will remind you of the properties an object possesses, properties that you will need in your script.

Prerequisites

Recommended: that you complete my basic script as a refresher on how VBScript binds to Active Directory. If possible, log on as administrator, preferably at a domain controller.

Create a spreadsheet with your prospective users' properties. My advice is to spend time researching the LDAP attributes, which correspond to the property sheets in Active Directory Users and Computers. See more on LDAP properties here.

Be aware that the location where you save this .xls file must correspond to the strSheet variable in the script below. For example: E:\scripts\Computers.xls.


Instructions for Creating User Accounts from a Spreadsheet

Phase 1 Build the Spreadsheet

  1. Each user will occupy one row, for example John Evans, Row 3. Each attribute will always be in the same column, for example givenName in Column C.
  2. Mandatory LDAP attributes: sAMAccountName and CN (ObjectClass is taken care of by VBScript).
  3. Important LDAP attributes: givenName, sn
  4. Optional LDAP attributes: physicalDeliveryOfficeName, email, phone, description, displayName.
  5. Note how you can use the power of Excel's functions to derive one column from another, for example, sAMAccountName could be built up from the first three letters of the givenName added to the 4 leftmost characters of the sn.
    See =LEFT(C3,3)&LEFT(D3,4) in the above diagram. (Reference now corrected thanks to Brian C)

Instructions for Phase 2 – Copy and amend my VBScript

  1. You need access to a Windows Active Directory domain.
  2. Check the prerequisite to create an Excel spreadsheet.
  3. Copy and paste the example script below into notepad or a VBScript editor.
  4. Amend the path for strSheet. I will be surprised if strSheet = "E:\scripts\UserSpread1.xls" works without modification to reflect the location of your spreadsheet.
  5. Save the file with a .vbs extension, for example: ComputerSpreadsheet.vbs.
  6. Double click ComputerSpreadsheet.vbs and check the Computers container for strComputer.

Example Script to create User Accounts from a spreadsheet

' UserSpreadsheet.vbs
' Sample VBScript to create User accounts from a spreadsheet
' Author Guy Thomas http://computerperformance.co.uk/
' Version 4.6 – June 2010
' ------------------------------------------------------'
Option Explicit
Dim objRootLDAP, objContainer, objUser, objShell
Dim objExcel, objSpread, intRow
Dim strUser, strOU, strSheet
Dim strCN, strSam, strFirst, strLast, strPWD

' -----------------------------------------------'
' Important change OU= and strSheet to reflect your domain
' -----------------------------------------------'

strOU = "OU=Accounts7 ," ' Note the comma
strSheet = "E:\scripts\UserSpread1.xls"

' Bind to Active Directory, Users container.
Set objRootLDAP = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://" & strOU & _
objRootLDAP.Get("defaultNamingContext"))

' Open the Excel spreadsheet
Set objExcel = CreateObject("Excel.Application")
Set objSpread = objExcel.Workbooks.Open(strSheet)
intRow = 3 'Row 1 often contains headings

' Here is the 'Do...Loop' that cycles through the cells
' Note intRow, x must correspond to the column in strSheet
Do Until objExcel.Cells(intRow,1).Value = ""
    strSam = Trim(objExcel.Cells(intRow, 1).Value)
    strCN = Trim(objExcel.Cells(intRow, 2).Value)
    strFirst = Trim(objExcel.Cells(intRow, 3).Value)
    strLast = Trim(objExcel.Cells(intRow, 4).Value)
    strPWD = Trim(objExcel.Cells(intRow, 5).Value)

    ' Build the actual User from data in strSheet.
    Set objUser = objContainer.Create("User", "cn=" & strCN)
    objUser.sAMAccountName = strSam
    objUser.givenName = strFirst
    objUser.sn = strLast
    objUser.SetInfo

    ' Separate section to enable account with its password
    objUser.userAccountControl = 512 ' 512 = normal account, enabled
    objUser.pwdLastSet = 0 ' 0 = user must change password at next logon
    objUser.SetPassword strPWD
    objUser.SetInfo

    intRow = intRow + 1
Loop
objExcel.Quit

WScript.Quit

' End of free example UserSpreadsheet VBScript.

VBScript Tutorial – Learning Points – Excel Spreadsheet

Note 1: In this example, the basic Excel spreadsheet has just 5 columns of properties / LDAP attributes. Trace how each of the 5 columns is used in the VBScript, see line 33 onwards. Once you master the concept, then you can add many more columns of LDAP properties.

Note 2: As I mentioned earlier, I love the power of Excel to calculate one column from another. Column A, sAMAccountName (logon name) is derived from the first three letters of the givenName, joined with an & to the first 4 letters of the sn column. =Left(C3,3)&LEFT(D3,4). The beauty of this technique is that you can then use Excel’s fill down to calculate the rest of the users.

Note 3: I always reserve Row 2 for indexing the Column letters, e.g. A = 1, B = 2 etc. This makes it easier to reference .Cells properties, for example, objExcel.Cells(intRow, 4).Value corresponds to Column D.

Note 4: It is worth commenting on what is not explicitly required in the spreadsheet. VBScript takes care of the objectClass (“User”). It also calculates the DN (Distinguished Name) from the name of the OU and the DNS domain as specified by objContainer.


VBScript Tutorial – Learning Points – VBScript

Note 1: In this example see how CreateObject("Excel.Application") creates an instance of Excel. Equally see how objExcel.Quit closes Excel at the end of the script.

Note 2: Here we employ the Open method, just as if we clicked on the File menu: objExcel.Workbooks.Open(strSheet)

Note 3: It is worth studying the Do.. Loop from lines 33-54. If you break the loop into 3 sections, you can see at the first section where it interacts with the spreadsheet, extracting the values with the aid of the trim function to get rid of any spaces.

The second section builds most of the user, while the third section deals with setting the password and enabling the account with userAccountControl = 512. If I try to join the second and third sections without that intermediate .SetInfo, the script fails.

Note 4: When I first ran this script I noticed zillions of instances of Excel in the Task Manager; this is how I cured that problem: objExcel.Quit. However, without error-correcting code, watch out for numerous instances of Excel in your Task Manager; some of these may prevent you from editing your spreadsheet. I also confess that if the script fails, then you get an orphaned Excel which you need to zap with Task Manager.

Summary of Creating User Accounts from an Excel Spreadsheet

Creating users from a spreadsheet is one of the high points of VBScript. Pay equal attention to the Excel spreadsheet, your VBScript code, and Active Directory Users and Computers. To climb this scripting peak obey the old saying, ‘Yard by yard and it’s hard, but inch by inch and it’s a cinch’

How do you run a PowerShell script on a schedule?


Run the Synchronisation Operations by Using a Windows PowerShell Script

When you run OLSync setup, the script, StartSync.ps1, is copied to the following directory: :\Program Files\Microsoft Identity Integration Server\SourceCode\Scripts. Use this script to automate synchronisation operations with Windows PowerShell:

1. On the computer that is running Identity Lifecycle Manager FP1, click Start, click All Programs, click Windows PowerShell V2, and then click Windows PowerShell V2.

2. Navigate to :\Program Files\Microsoft Identity Integration Server\SourceCode\Scripts.

3. Run the following command.

.\StartSync

Windows PowerShell will run each synchronisation operation and then report on the status.

All data in the Status column should say “success”. If you get errors, see Troubleshoot Outlook Live Directory Sync.

To create a scheduled task that runs the StartSync.ps1 script, run the following command.

.\StartSync -schedule

This command creates a scheduled task that runs the StartSync.ps1 script every two hours from 8 A.M. to 8 P.M. You can change the frequency of the task by opening the StartSync.ps1 script and modifying the sc, mo, st and du parameters in the following line of code.

schtasks.exe /create /sc HOURLY /MO 2 /st 08:00:00 /du 0012:00 /tn "$taskname" /tr "$PSHOME\powershell.exe -c $($myinvocation.mycommand.definition)"

For more information about the sc, mo, st and du parameters, and how to modify Schtasks.exe, see How to use Schtasks.exe to Schedule Tasks in Windows Server 2003.

Error when installing System Center 2012 to manage Agents on a virtualized Windows Server 2008 R2 server.


Recommended Action

Check that WinRM is installed and running on server dt.edu.sg. For more information use the command “winrm helpmsg hresult”.


Resolution:

Step 1. Reference: http://help.outlook.com/en-us/140/cc952756.aspx

How to set up PowerShell and WinRM / WinRS

Item 4. Verify that Windows PowerShell can run scripts

  1. Click Start > All Programs > Accessories > Windows PowerShell.
  2. Do one of the following to open Windows PowerShell:
    • If you’re running Windows Vista, Windows 7, or Windows Server 2008 R2, right-click Windows PowerShell and select Run as administrator. If you get a user account control prompt that asks if you would like to continue, respond Continue.
    • If you’re running Windows XP or Windows Server 2003, click Windows PowerShell.
  3. Run the following command:

    Get-ExecutionPolicy
    
  4. If the value returned is anything other than RemoteSigned, you need to change the value to RemoteSigned.
    Note: When you set the script execution policy to RemoteSigned, you can only run scripts that you create on your computer or scripts that are signed by a trusted source.

Enable scripts to run in Windows PowerShell

In Windows PowerShell session you just opened as an administrator, run the following command:

Set-ExecutionPolicy RemoteSigned

 

Item 5. Verify that WinRM allows Windows PowerShell to connect

  1. Click Start > All Programs > Accessories.
  2. Do one of the following to open a command prompt:
    • If you’re running Windows Vista, Windows 7, or Windows Server 2008 R2, right-click Command Prompt and select Run as administrator. If you get a user account control prompt that asks if you would like to continue, respond Continue.
    • If you’re running Windows XP or Windows Server 2003, click Command Prompt.
  3. At the command prompt, run the following commands:

    net start winrm
    winrm get winrm/config/client/auth
    

    Note If the WinRM service is already running, you don’t have to start it. You can check the status of the WinRM service by running the command sc query winrm.

  4. In the results, look for the value Basic = . If the value is Basic = false, you must change the value to Basic = true.
    Note: If you started the WinRM service, and you don't need to change the Basic value, run the command net stop winrm to stop the WinRM service.

Configure WinRM to support basic authentication

  1. At the command prompt you just opened as an administrator, run the following commands. The value between the braces { } is case-sensitive:

    winrm set winrm/config/client/auth @{Basic="true"}
    
  2. In the command output, verify the value Basic = true.
    Note: If you started the WinRM service, run the command net stop winrm to stop the WinRM service.

 

Step 2. If you still receive the following error:

WSManFault     Message = Access is denied. Error number:  -2147024891 0x80070005
Access is denied.

 

Looking up the error from CMD still gives:
winrm helpmsg hresult -->  winrm helpmsg 0x5  --> Access is denied.

 

So you only need to open CMD using Run As Administrator

and type the following command:

rem -----------------------------------------------
rem Setting LocalAccountTokenFilterPolicy for WinRM
rem -----------------------------------------------
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Note: The token right must be added to the local Administrator privileges.

“To fix that set LocalAccountTokenFilterPolicy to True in the registry by executing the following command in a command prompt”

Finally, run the command to check the result.