Active Directory users aren’t able to update their password via SonicWall NetExtender

This seems to be a problem for a lot of people on the ‘net so I figured I’d document it here.

First, we need to make sure LDAP authentication is setup properly; take a look at the following screenshots (this assumes that you’ve already created a separate account for binding to the AD/LDAP database… in my examples below, this account is referred to as the “ldap bind” account.)

Security Settings

Security Settings (from https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=5097)

Make to select 'LDAP' and not 'LDAP + Local Users' .

Make to select ‘LDAP’ and not ‘LDAP + Local Users’ .

Use the "display name" of the user account that you'd like to use for binding to the Active Directory server. Make sure that this account does NOT have Administrative privileges.

Use the “display name” of the user account that you’d like to use for binding to the Active Directory server. Make sure that this account does NOT have Administrative privileges.

Click "Import user groups" and select the group that contains the users who will should be granted SSLVPN access. Then set that group as the "Default LDAP User Group". I usually create a separate group for this purpose.

Click “Import user groups” and select the group that contains the users who will should be granted SSLVPN access. Then set that group as the “Default LDAP User Group”. I usually create a separate group for this purpose.

This is where you'll configure the locations of the OUs that contain Groups and Users who will have SSLVPN access.

This is where you’ll configure the locations of the OUs that contain Groups and Users who will have SSLVPN access.

Once you’ve done all of that, you’ll need to delegate the ability to change user passwords to your “ldap bind” account. This “sandboxes” the account; i.e., it allows the account to be able to change passwords without requiring administrative privileges. This way, the account only has the exact level of privilege it needs to do its job. Active Directory will allow you to use the Delegate Control wizard to delegate the Reset user passwords and force change at next logon task, but depending on which version of Windows Server you are running, this might not work as expected. In order to provide an LDAP Bind user with the ability to authenticate users and change passwords via NetExtender and Virtual Office, you can instead delegate access in the following manner:

  1. In Active Directory Users and Computers, right click on the desired OU and select Delegate Control
  2. Click Next.
  3. Click Add.
  4. Select a user or group, then click OK.
  5. Click Next.
  6. Select Create a custom task to delegate, and then click Next.
  7. Click Only the following objects in the folder, click to select the User objects check box, and then click Next.
  8. Click to select the General and the Property-specific check boxes.
  9. Click to select the Reset Password, Read pwdLastSet, and Write pwdLastSet check boxes in the Permissions box.
  10. Click Next, and then click Finish.

If for some reason it’s still not working, ensure that User objects are configured to Include inheritable permissions from this object’s parent, from the Advanced Security Settings page on each user object that needs to be able to update their password via NetExtender and/or Virtual Office. Note: You must have Advanced Features enabled in the view from within ADUC in order to see this page. To enable it, navigate to View and select Advanced Features. Now you’ll be able to see the Security tab of any Organizational Unit or Object.

Advanced Security Settings for [user object]

If you delegated the ability to change/reset passwords to your ldap bind account on the parent container of the target user objects, then each child user object must have this option selected. Alternatively, you could add the ldap bind account to the security settings on each user, manually.

References:

http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff

https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=5097

Accessing Domain Resources When Connected To External VPN Via Windows 7 VPN Client

Recently one of my users was having trouble printing from remote workstations. In this scenario, the user needed to print some reports from a system that resided on a client’s network. She would start up the Windows 7 VPN client, provide credentials, and once connected to the client’s network through VPN, she would start the Microsoft Terminal Services Client and login to the system she needed to print reports from. During this time, the printers on our network (managed by a domain-wide printserver; mapped to workstations via GPO) would become inaccessible. The printers would “show up” on the remote side (as TS Session Printers) as they should, but they just would not accept print jobs.

After some troubleshooting, I found that this only happened when she was connected to the VPN. Whenever I tried to access the print server through a UNC path (i.e., \\printserver\printer ) a username/password box would appear, asking for her domain credentials — but here’s the kicker: the username field would be pre-filled with the username she used to login to the VPN. After some more digging, I came across this blog post and it immediately solved the problem. This was such a pain in the ass that I’ve decided to recreate the text of the resolution here, just in case that post should disappear for whatever reason:

  1. Locate the .pbk file (VPN session file) for the session you want to fix
    • Windows Vista/7: C:\Users\\AppData\Roaming\Microsoft\Network\Connections\Pbk
    • Windows XP: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk
  2. Open the file in notepad and search for the following text: UseRasCredentials=1
  3. Change the “1” to a “0”, save, exit.

This tells the operating system not to rely on the RAS credentials that get cached upon initiating the VPN session. In Windows Vista / 7, this option is enabled by default; it wasn’t in Windows XP. I have yet to see/hear a good explanation for why it was changed.

Configure Windows Server 2008/2012 To Sync With Internet Time Servers



Question: There is no “Internet Time” tab in the date/time dialog box on Windows Server, is it still possible to configure the server to use NTP? If so, how?

Answer: Yes, as far as I know, you have to do this from the command prompt. Here’s how:

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"time-a.nist.gov, time-b.nist.gov, time-c.nist.gov, time-d.nist.gov"
w32tm /config /reliable:yes
net start w32time

That will configure the time service to sync with the list of servers (time-*.nist.gov in the above example) and it also tells the server that it is a reliable time source that client machines on your domain can sync with. In other words, these steps configure the server as an NTP server in addition to configuring it to sync with Internet time servers. If you do not want that functionality, do not run the following command:

w32tm /config /reliable:yes

If you need to view the NTP configuration, type the following command from a prompt:

w32tm /query /configuration

This produces the following output:

[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: time-a.nist.gov, time-b.nist.gov, time-c.nist.gov, time-d.nist.gov (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 0 (Local)

If you are still having trouble responding to NTP requests after following these steps, make sure that there are no firewalls blocking udp/123. After you’ve checked your firewall, confirm that your NTP server responds by running the following command on a different Windows machine:

w32tm /stripchart /computer:10.0.8.3 /samples:2

or:

w32tm /stripchart /computer:10.0.8.3 /dataonly /samples:2

In the following screenshot, I have run the two commands above, and then on the third execution, I attempt to query a server that does not exist, just so you can see what the output looks like if the client still can’t connect to your NTP server.

Querying an NTP server from another computer

Adding “Trusted Sites” to Internet Explorer, via the registry

Update! 5 February 2014 This can also be accomplished via GPO.

  • Open the group policy editor.
  • Create a new policy (or edit an existing policy.)
  • Navigate to:
    Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/
  • The setting to add sites to the “Trusted Sites” zone is called “Site to Zone Assignment List”. Read the explanation in the “Help” box before configuring anything!
  • Then, to set configuration options for the “Trusted Sites” zone, you’ll want to navigate to the subdirectory/subkey titled “Trusted Sites Zone”. There you will find every setting that governs the behavior for that zone.

Original Article Follows

A while ago I needed to add a list of websites to the Internet Explorer’s “Trusted Sites” zone for multiple users, scattered across multiple terminal servers. IE’s “Enhanced Security Configuration” (ESC) is configured by default on windows terminal services and it’s normally a good idea to leave it intact.

However, this can have unintended consequences for users who require the use of websites that employ ActiveX, javascript, etc. because, by default, ESC does not allow those items to run. Sometimes, this means that the site in question will only be partially non-functioning. Other times, the entire site will be completely unusable. Furthermore, most users on terminal services have only a limited ability to actually modify the settings for an entire zone. Normally the best thing they can do is add the site to their trusted sites zone, if in fact the site is legitimate (i.e., “trusted”).

Originally, I explained to the users the steps involved in adding a site to their trusted sites, however many of the users used many of the same websites that other users were using. Also, new users needed to be trained on how to do this as well. Needless to say, it got very repetitive, very fast; so I came up with a “global” list of sites that can be trusted, and imported them to the registry on each terminal server. The list consisted of about 40+ sites, and I was able to generate the list mostly by exporting the following registry key:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

…from a few user accounts who had already added most of the sites to their trusted sites zone. After grepping out the duplicates (among other things), I had my list.

Now, I’m going to cover two ways of making this list of domains “globally trusted”—both of them involve writing to the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

Pay attention! This is not the same key as previously mentioned. This key resides in the ‘HKEY_LOCAL_MACHINE’ hive, whereas the previous key resides in the ‘HKEY_CURRENT_USER’ hive.

The first way is via the following visual basic script:

Option Explicit
Dim DomainArray(5), strComputer, strHTTP, strHTTPS
Dim dwordZone, regPath, objReg, counter, subkeyPath
Dim subkeyValue
Const HKEY_LOCAL_MACHINE = &H80000002
DomainArray(0) = "testdomain0.com"
DomainArray(1) = "testdomain1.com"
DomainArray(2) = "testdomain2.com"
DomainArray(3) = "testdomain3.com"
DomainArray(4) = "testdomain4.com"
strComputer = "."
strHTTP = "http"
strHTTPS = "https"
dwordZone = "2"
regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" &_
        "\ZoneMap\EscDomains\"
Set objReg = GetObject("winmgmts:{impersonationLevel = impersonate}!\\" & _
        strComputer & "\root\default:StdRegProv")
For counter = 0 to 4
        subkeyPath = regPath & DomainArray(counter)
        objReg.CreateKey HKEY_LOCAL_MACHINE,subkeyPath
        objReg.SetDWORDValue HKEY_LOCAL_MACHINE,subkeyPath,strHTTP,dwordZone
        objReg.SetDWORDValue HKEY_LOCAL_MACHINE,subkeyPath,strHTTPS,dwordZone
Next

This script will insert ‘testdomain0.com’, ‘testdomain1.com’, […] into IE’s trusted sites zone when run on any machine. It must be run by an Administrator (or another user who has access to write to the HKEY_LOCAL_MACHINE registry hive), and the changes are global (to the machine).

The next way involves creating a “registry entries” (.reg) file:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\testdomain0.com]
"http"=dword:00000002
"https"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\testdomain1.com]
"http"=dword:00000002
"https"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\testdomain2.com]
"http"=dword:00000002
"https"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\testdomain3.com]
"http"=dword:00000002
"https"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\testdomain4.com]
"http"=dword:00000002
"https"=dword:00000002

Just like the previous script, this must also be run by a user with Administrator privileges and any changes will be global to all users on the machine.

(Of course, you would want to customize these snippets of code to suit your needs.)

For more information, please visit the following sites:

Internet Explorer Enhanced Security Configuration changes the browsing experience
Enhanced Security Configuration for Internet Explorer
Internet Explorer security zones registry entries for advanced users