ADFS 3.0 IWA Browser Clients Support for Firefox and Safari

Mar 27th, 2014

With Windows Server 2012 R2, the ADFS 3.0 architecture has changed in several ways; for example, IIS is no longer required. Without IIS, most customizations have to be made through PowerShell and JavaScript modifications.

Currently, and by design, Integrated Windows Authentication (IWA) is not supported for most browsers, such as Chrome, Firefox, and Safari (by default only IE is supported). Because of this, users on any unsupported browser client who rely on Single Sign-On (SSO) are always presented with the ADFS logon form for user name and password, even when they are on the internal network.

Here are the steps to add your browser client of choice for IWA. The ADFS Properties for WIASupportedUserAgents and ExtendedProtectionTokenCheck will be modified. Read more…

Create a custom Multi-Valued attribute in Active Directory

Jan 26th, 2014

Have you ever worked in an environment where, because of regulations and compliance, you are required to retain the group memberships of all terminated and former employees long after they have left the company and their accounts have been disabled? Leaving their memberships in place makes the groups hard to audit, because each group then contains both active and disabled users. One possible solution is to create a custom user attribute that stores the legacy groups for each disabled user.

This brief post demonstrates how to modify the Active Directory schema to create a custom multi-valued user attribute. To modify the schema, the account must be a member of the Schema Admins group. Before proceeding, make sure you understand the full functionality of the Active Directory schema. Since schema modification/extension is irreversible, caution must be taken with any schema change; it is always advisable to test in a lab environment before attempting it in production. More information about the Active Directory schema can be found on the TechNet site. Read more…

Enabling Access Based Enumeration (ABE) on a DFS Namespace - Part II

Nov 20th, 2011

In my previous post on Access Based Enumeration, I outlined the procedure for enabling ABE. With Windows Server 2008 and 2008 R2, there is an added option to enable ABE on a DFS Namespace. I will show how to accomplish this in this post. Read more…

PowerShell Get-ADUserGroupMembership

Sep 14th, 2010

#Get-ADUserGroupMembership
########################################################################
# This PoSh script reads a list of AD users from a text file (C:\ADUsers.txt) and writes
# each user's AD group membership to a .csv file (C:\UserGroup.csv).
# REQUIREMENTS:
# Quest Active Directory cmdlets must be installed on the machine the script runs from.
# Written By: www.isaacoben.com
# Version: 1.2
#########################################################################
# Add QAD cmdlets
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
# Get user list from text file C:\ADUsers.txt (@() keeps a one-line file as an array)
$ADUser = @(Get-Content "C:\ADUsers.txt")
# Count number of users on list
$ADUser_Count = $ADUser.Length
# Collect one row per user/group pair, then export once as a real CSV file
$Results = @()
$i = 0
ForEach ($targetUser in $ADUser)
{
    $Progress_bar = [int][Math]::Ceiling(($i / $ADUser_Count) * 100)
    # Display progress activity
    Write-Progress -Activity "Retrieving AD Group Membership for $targetUser" -PercentComplete $Progress_bar -Status "$Progress_bar% Complete"
    $Current_User = Get-QADUser $targetUser
    if ($Current_User -eq $null)
    {
        # Skip names that do not resolve to an AD user instead of piping $null onward
        Write-Warning "User '$targetUser' not found in AD, skipping."
    }
    else
    {
        # One row per group: the user's name and the group's name
        $Results += $Current_User | Get-QADMemberOf |
            Select-Object @{Name='User';Expression={$Current_User.Name}}, @{Name='Group';Expression={$_.Name}}
    }
    $i++
}
$Results | Export-Csv -Path 'C:\UserGroup.csv' -NoTypeInformation
Write-Progress -Activity "Retrieved All Users" -PercentComplete 100 -Status "Done - 100%"

How to control memberships for local computer’s builtin groups

Oct 3rd, 2009

Domain administrators sometimes face a scenario in which they have multiple workstations or member servers joined to a domain and would like to restrict/control which users are members of the built-in local groups, such as Administrators, Backup Operators, Remote Desktop Users, Power Users, etc. Rather than attempting to accomplish this manually, it is much easier and faster to use an automated approach. I will suggest two possible automated options: a computer startup script, or Restricted Groups in a Group Policy Object. I highly recommend the Restricted Groups option, and I will explain why later. Read more…
