I've got a problem where I need to interleave settings made on the host/user/containers/domain/site with the group policy settings attached to the containers/domain/site.
We can walk the ad tree for the host and the user and have those settings.
We have our group policy list & objects and those settings.
I'm just having trouble joining the 2 heirarchies back together, I can't seem to find the appripriate API/info to do it.
You need to look at the gpLink attribute of each site, domain, and OU. You can also look at gpOptions for a handful of related flags. The gpLink attribute will have the DNs of each GPO applied to that object as well as whether or not the link is enabled or not.
Related
I've been using project-id as a prefix in my GCS bucket-names to easily get a unique name.
When I read GCS-best practises
It says clearly not to use project-names or project-numbers (nothing about projectId:s)
But on the other hand, when I spin up GAE, two buckets containing the project-id are automatically created.
Is Google not following their own best practices or did I miss something?
Are the greatest risk of having projectId in bucket name that I give clues to a potential attacker about the project since bucket-names are publicly visible?
It does appear, to some degree, that Google might not be following its best practices (as listed on that page, assuming that project names and numbers mean GCP names and numbers). The default bucket for Firebase projects layered on top of GCP does the same.
The documentation you linked states the reason to avoid using project names:
... because anyone can probe for the existence of a bucket ...
The idea is that if someone knows the name of your project, they could use that to build the full name of the bucket, and use that knowledge in an attack in order to gain its contents. However, if your security configuration is exactly what it should be, then knowing the name of the bucket won't be a problem. This is particularly true for Firebase projects, which use security rules to determine who should be able to access what objects.
I'd take the advice in the documentation as a measure of security through obscurity in order to prevent attackers from guessing the names of your buckets and any of its contents. But if that's not your concern, then ignore it.
It looks like they're just worried about leaking PII. I'm not sure why they mentioned project names, unless it's because someone might include PII in their project name.
Don't use user IDs, email addresses, project names, project numbers, or any personally identifiable information (PII) in bucket names because anyone can probe for the existence of a bucket. Similarly, be very careful with putting PII in your object names, because object names appear in URLs for the object.
The two buckets I see created in my account have an appspot.com suffix. You cannot create arbitrary appspot.com buckets because they have a . in the name and thus are subject to verification:
Bucket names must contain only lowercase letters, numbers, dashes (-), underscores (_), and dots (.). Spaces are not allowed. Names containing dots require verification.
You are right though that the automatic bucket creation is inconsistent with their best practice guidelines.
I tried to create new AWS key pairs and the option to create disappeared
Does anyone know why?
It would be worth checking the IAM permissions associated with the User who is trying to create the key pair. Contact the Administrator (presumably you?) and investigate. I would suggest creating a Group with Permissions and adding them to that.
I performed an experiment and added aDeny policy to my IAM User that prevented me from being able to create a keypair.
I then tried to launch an instance and the option to create a keypair (in the dialog box you show above) was still available. So, the display does not vary according to permissions.
Therefore, something else is causing your situation. I would recommend trying it in a different browser. Also, check the underlying HTML to see whether the option is coded on the web page. Something is causing it to disappear.
It seems that there are two different Web UI for AWS Tag Editor (you need an AWS account to try them):
https://resources.console.aws.amazon.com/r/tags
I got this link from AWS Doc
https://eu-west-1.console.aws.amazon.com/resource-groups/tag-editor/find-resources?region=eu-west-1
In Management Console, if you select Resource Group > Tag Editor on the top of the console page, it will take you to this page
The two WebUI behave differently:
The former is global but the latter is region-specific (it will put you into a region even if you don't put the region parameter in the URL)
The former allows you to search for Not tagged in the filter; but the latter does not
The UI are slightly different
Is one of UI a newer version?
Update (2019-05-14)
(Please also see an explanation about the two links being NEW and OLD UIs that AWS offered at a certain point in time) By now the first link is gone. If you visit it, you will get a 404 Not Found error from AWS.
I am part of the team building the new Tag Editor. Yes, you are correct: Classic Tag Editor is deprecated, and will be shut down soon entirely. We are working on full feature parity between the two Editors, so you will very soon find everything you can do in the old one as well in the new one.
To add some more context on your different items below:
1) Both old and new Tag Editor use the same underlying tagging infrastructure, so this should never happen. Maybe there is some browser issue involved here? Feel free to open a support issue so we can look deeper into it, if this continues the case.
2) Yes, the new one also includes Lambda, and will very soon add more resource types. The same by the way for regions: The old Tag Editor supports not all regions, for example eu-north-1 or eu-west-3.
3) No, Route53 Hosted Zones are supported in both Editors. Route53 resources only exists in the us-east-1 region, so maybe you used the Tag Editor in another region?
4) Both Editors show the same data. The old editor merged what you used as Name Tag and the ID in the same field - in the new one, you see only the ID in the column ID, and the Name Tag is displayed in the column Tag: Name.
Searching across regions is something the new Editor soon will support, too, and the same applies for the filter you mention. For showing resources without a specific tag, there is a workaround you already can do: Click on the settings icon in the top right of the table, and enable the tag you are interested in as a column. You then can sort this column so that all untagged ones show up on top.
If you have any other ideas or requests for the Tag Editor, please let us know. The fastest and most reliable way is to just use the 'Feedback' Button in the console in the bottom left.
Cheers,
Florian
Hi I am providing my own answer here (thanks my colleagues Kannan for the insight)
#1 above is what AWS called Class Tag Editor. If you click on the Question mark on the Web UI (upper right corner), you will be taken to a page that says:
This documentation is for classic Tag Editor, which has been
deprecated
So #2 is the version that AWS want us to use.
Below I will called #1 Old and #2 New
I compared the example outputs from our environment (about 50 resources). The two outputs differ in these respects:
New seems to retain past resources for a longer time. For example, if an EC2 instance has been terminated, it may take a
longer time to be removed from the listing of New
New seems to include resources for DynamoDB but Old does not
Old seems to include resources for Route 53 Hosted Zones but New does not.
Both New and Old show Security Groups, but the ID strings are rendered slightly differently.
New renders an ID as sg-xxxxxxxxxxxxxxxxxxxxxx
Old renders an ID as someName (sg-xxxxxxxxxxxxxxxxx)
The shares at my company are becoming unwieldy and we have now officially ran out of letters to map shares to having exhausted A, B, H-Z. Not all of our users need access to some of these shares, but there are enough people who need access to enough different shares that we can't simply recycle letters for them which are used by other shares. At this point we're going to need to start moving shares over to network locations.
Adding a network location shortcut on My Computer isn't difficult, I right click and use the Wizard, but how do I do it through Group Policy? I don't want to have to set up 100 or so computers manually
This absolutely can be done using only existing Group Policy preferences, but it's a little tedious.
Background Info
When you create a network location shortcut it actually creates three things.
A read-only folder with the name of your network shortcut
A target.lnk within that folder with your destination
A desktop.ini file that contains the following
[.ShellClassInfo]
CLSID2={0AFACED1-E828-11D1-9187-B532F1E9575D}
Flags=2
I found this information on this Spiceworks community forum post.
How to make it happen
I figured out how to do this from a comment in the same forum post linked above.
You need to create four settings in a group policy. All of the settings are located in the group policy editor under: User Configuration>Preferences>Windows Settings
as seen in this image.
Folders Setting
Add a new folder with preference with the following settings as seen in this image.
Path: %APPDATA%\Microsoft\Windows\Network Shortcuts\SHARENAME
Read-only checked
Ini Files Settings
There are two setting that you must make in this setting, as seen in this image.
Create one for the CLSID2 settings image
File Path: %APPDATA%\Microsoft\Windows\Network Shortcuts\SHARENAME\desktop.ini
Section Name: .ShellClassInfo
Property Name: CLSID2
Property Value: {0AFACED1-E828-11D1-9187-B532F1E9575D}
And another for the Flags setting image
File Path: %APPDATA%\Microsoft\Windows\Network Shortcuts\SHARENAME\desktop.ini
Section Name: .ShellClassInfo
Property Name: Flags
Property Value: 2
Shortcuts Setting
Add a new shortcut preference with the following settings image
Name: %APPDATA%\Microsoft\Windows\Network Shortcuts\SHARENAME\target
Target type: File System Object
Location: <Specify full path>
Target path: SHARETARGET
Closing Notes
This will work to create the network location using group policy. I would recommend using item level targeting to keep all of your network locations in one group policy.
It can be a handful to manage all of these separate preferences, so I created an application to help with managing the shares, and the user security group filters. Here is my application on github, you must create the first share using the settings above, but the application can handle adding more shares, deleting shares, and updating existing shares.
You can make a bat script which you can add to startup policy to run:
net use <driver letter> \\<servername>\<sharename> /user:<username> <password>
Example:
#echo off
net use w: \\server /user:Test TestPassword
And this will add on every computer a network shortcut to \\server with letter W .
And you can modify to make some this only on some computers or users.
Let's say you want only on user 'MikeS' to run this command, so you put something like that:
IF %USERNAME% == 'MikeS'(
net use w: \\server /user:Test TestPassword
)
I am currently working on a project where I need to query Active Directory to determine group membership of a user. I initially was locating the user and retrieving the memberOf attribute. The problem with this is that there is a domain and a child domain. The groups are universal groups so they can be used in both domains and they don't show up in the memberOf attribute. Unfortunately there doesn't seem to be much info around for Active Directory access with C++. Is there anyway to determine group membership in this case in C++?
If you are using managed C++, you can use UserPrincipal.GetAuthorizationGroups.
If you are not using managed C++, to solve this particular problem, you should bind to Global Catalog and do a LDAP search on the member attribute of the group object to find out which Universal Group containing the user. You should limit your search by specifing the groupType, objectCategory and objectClass.
However, like I mentioned in another post , group enumeration in general is very hard to do it right. If you just need to find out all the groups a user belongs to, your best bet is to use S4USelf