Monthly Archives: December 2010

The Blog Wrap Up and Happy New Year

Hello Everyone!

In this last post I wish you Happy New Year!

I also wish you to be healthy and fit:


Have fun:


and no bad news:


And just in case you care to reread something from this month’s blog posts, here is the wrap up:

IPv6 is great. But Are we really ready yet?

Yeah, those free books are great, but I need another 24 hours per day to read them.

Plan, implement, win. No malware is good news, but be prepared… Just in case…

The first part of “How to change attribute in AD”. The second is quite tricky for me, so I am still working on it.

I was good! Well, at least they told me so ;)

For the situation when you know what, know how, but cannot find where. If you don’t see your attributes then read it.

Good stuff. No kidding. I use it and I recommend at least to try it.

Want a new blog or site based on .NET? Here is the list.

IPv6: hopes, disappointments…



This scary gadget screenshot (26th of December here) tells us that it is only a question of a month, maybe two, before we run out of IPv4 addresses. Well, not exactly “we”: it is IANA who will run out of them. Of course, some time after that it will affect some customers who want to buy their own autonomous system, and large providers and, sooner or later, end users. I won’t make any predictions about when it will become a real problem (you know, there have been too many of these predictions), but now it is more obvious than ever that IPv4 will R.I.P. soon enough that you should think about it at least today, in case you didn’t do it yesterday.

Some guys are not only prepared for it, but even more: they are in it almost totally (some say that China has almost half of their addresses in IPv6), or partially (US governmental institutions are to be on IPv6 by now, AFAIK), or not ready at all.

I’m ready to roll towards implementation in my mind: I have submitted to the necessity, but… Again those “buts”. There are too many problems in security (LOL: security problems with the protocol which has built-in IPSec, huh? =) ). My ISA cannot filter it. Darn: TMG cannot either! I need some transition technologies to implement DirectAccess, because some legacy software just cannot do well with IPv6.

Well… Anyway, how are you feeling about IPv6? Do you need it? Can you implement it just with good planning, without some crutches or changing your firewalls, network equipment and company you work for? Why?


(Pictures: a screenshot of Windows gadget from Hurricane electric and IPv4-picture from

Freebies: some more free eBooks

Being ill, I’m not currently in a state to write anything smart, so I will just provide you with some more free eBooks (and their parts) from the list which was announced at the MS Press blog (and which was kindly mustered together for me by one of the MS employees. Thanks, pal):



Moving to MS Visual Studio 2010



Sample code




Introducing Microsoft SQL 2008 R2 (Yeah, another two hundred pages for me to read)






Programming Windows Phone 7 Series (DRAFT Preview). We still don’t have WP7 here, but already have some programmers for it… Strange, isn’t it? =)



Sample code



Own Your Future: Update Your Skills with Resources and Career Ideas from Microsoft. Read in case of emergency. Or rather earlier ;)







First Look Microsoft Office 2010. Sometimes, looking at some Office pro work in, say, Excel, I am just jealous. So the book is in my reading list too.






Windows 7 troubleshooting tips. 12 pages of “must read”!







Introducing Windows Server 2008 R2. Well… It is a somewhat outdated proposal for me, but if you are new to R2, that’s where to start.







Deploying Windows 7, Essential Guidance. Here you have an excerpt from Windows 7 Resource Kit and TechNet.





Enough for today. Enjoy your reading!

IPD Guide: Beta for malware response

I love those IPDs. You don’t know what “IPD guide” stands for? Well… I suggest it stands for “I Plan Darn good”. MS, all of a sudden, thinks that it stands for “Infrastructure Planning and Design guide”. Anyway, what has just been issued is a beta for one more process: the response to a malware infection in your organization (I bet I can adapt it for home usage too, but that can wait). Why is it important to have such a plan (we do have one, by the way ;) )? Well… It is like everything with security: if something goes wrong, it is a disaster… unless you have a plan which is good, which is known to be implemented, and which people know how to implement. Because if you have a plan, you can just go and do what’s on the paper. If you don’t, you begin by creating some plan, and usually it doesn’t work on the first try, so you go for the second and so on…

If you plan something like that:


but in more detail, and deliver training on the process, then you will be able to get rid of your troubles in a very effective manner.

So, at the moment I am still reading the IPD guide and already have something to say to its authors. If you are interested in it, then download it from the MS Connect site, read it and tell the authors what you think of it.

How to change attribute in AD: alternatives

After my post on delegation and filtered attributes I got a question about more convenient means of editing an attribute (say, employeeID) than Attribute Editor in ADUC.

Well, let me enumerate everything I can suggest from tools for the task.


It is the most common tool for the single attribute change.

Just launch Active Directory Users And Computers, check that Advanced Features are on:


Then find your object and open its properties, select Attribute Editor tab and find your attribute:


Drawbacks of the method:

  • You need to find the object in the AD tree, otherwise you won’t be able to find the Attribute Editor tab.
  • Think of the situation in which you have to change attributes for, say, 100 objects… Crazy, huh?


It is more powerful than ADUC, but is actually kind of overkill in this situation. Still, some may like it. It works almost the same way, but first you connect to the default naming context, find your object and change the attribute in the editor. Almost the same window and exactly the same problems.

Active Directory Administrative Center

It is one of the most appropriate tools for managing users and some other objects on a one-by-one basis. Unfortunately in this case it is almost the same as ADUC:


The only difference is that you don’t need to go down the AD tree to find your object. Here you can just search for it from a search box and edit what you need.


I love it. Really. Even though I am not very proficient in it I can do soooooo much with it. In this case, for example, we can assign a new employeeID attribute value just like that:


I’m almost sure it can be done in one line, but I had no such task here. As you can see, this method can already help us create a script with even something like a GUI. You can also create a script for doing bulk changes. It’s a pretty good method, actually.

Enough for today. In one of the following messages I will try to introduce more methods for changing objects’ attributes.
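A bulk variant of the employeeID change, as an added example and not the author's own script. It assumes the ActiveDirectory module (Get-ADUser / Set-ADUser) is installed; the function name, the CSV column names, the sample rows and the input patterns are this example's own choices.

```powershell
Import-Module ActiveDirectory   # assumption: the AD module (RSAT) is installed

# Constructed sample input; the column names are this example's own.
$rows = @'
SamAccountName,EmployeeID
jdoe,100234
asmith,100235
'@ | ConvertFrom-Csv

function Set-EmployeeIdBulk {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][object[]]$Rows)
    foreach ($row in $Rows) {
        $sam = "$($row.SamAccountName)".Trim()
        $id  = "$($row.EmployeeID)".Trim()
        $status = 'Updated'
        # Example policy: reject input that could alter the -Filter string
        # or that is not a plain numeric ID.
        if ($sam -notmatch '^[\w.\-]{1,20}$' -or $id -notmatch '^\d{1,16}$') {
            $status = 'InvalidInput'
        }
        else {
            $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties employeeID
            if (-not $user) { $status = 'NotFound' }
            elseif ($user.employeeID -eq $id) { $status = 'Unchanged' }
            elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, "employeeID -> $id")) {
                Set-ADUser -Identity $user -Replace @{ employeeID = $id }
            }
            else { $status = 'Skipped' }   # -WhatIf or a declined confirmation
        }
        # One result row per input row, so the run can be reviewed afterwards.
        New-Object psobject -Property @{ SamAccountName = $sam; EmployeeID = $id; Status = $status }
    }
}

# Dry run first; remove -WhatIf to write the values.
Set-EmployeeIdBulk -Rows $rows -WhatIf | Format-Table -AutoSize
```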

Bragging: Platforma results

As I already wrote, I visited the “Russian TechEd” as an expert in AtE and a lab instructor for “UAG and DirectAccess: better together”. Well, I cannot tell you if I was good enough (though I think I wasn’t bad): there weren’t any quantitative measurements. But the attendees of my lab surprised me by giving me a mark of 8.8 out of 9. Thanks, guys!

Now I am just obliged to implement both UAG and DirectAccess in my company to be really professional in them ;)

Delegating something… “I don’t see the attribute I want to delegate!”

As I have been dealing with some delegation tasks recently, I had to recall some basic stuff. Actually, it took me two occasions of “suddenly missing attributes” to get on the problem seriously and find out the fact that “filtered attributes” can be related not only to RODCs =)

So, the situation generally looks like the following: you are trying to delegate permissions for an attribute in AD through the Delegation wizard and find out that you cannot, because you don’t see the attribute in the wizard. Let me show you an example. Suppose I’m trying to delegate permissions for changing the employeeID attribute of a contact to some group. In the delegation wizard you will see the following dialog:


As you can see, there are no employeeID checkboxes to fill in. Where are they? That’s simple enough: they are filtered out of our sight. This is actually done to make our life easier: some objects have too many attributes that are usually not needed. Removing them from the wizard (and not only from it) makes it less overcrowded. “But, but, but… I need it!”, you tell me. Well, no problem: let’s get the attribute back. To do so we need to make some changes to the dssec.dat file in the %systemroot%\system32 folder (make a backup copy!). It has a very simple and easy-to-understand structure: a section for each object we can use, which begins with [<object class name>] and ends at the beginning of the next section. For instance, the section for contact looks like the following:


As you can see, the section contains lines consisting of an attribute name, an “=” sign and a number. In the red rectangle you see the property we cannot delegate access to. Why? Obviously it is because of the number 7. What should we put in there instead? There are only three options:

  • to display both read and write options use 0
  • to display only write option use 1
  • to display only read check box use 2
  • and 7, of course will hide both options again

So, let us put the “employeeID=0” string here


restart our ADUC console, then start Delegation wizard and:
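The dssec.dat edit described above, scripted as an added example (not the author's code). The function name and the sample lines are constructed for illustration; the function works on an array of lines, so it can be tried on the sample before it is pointed at the real file.

```powershell
# Added example. Display flags as listed in the post:
# 0 = read + write shown, 1 = write only, 2 = read only, 7 = hidden.
function Set-DssecFlag {
    param(
        [string[]]$Lines,                      # file content, one element per line
        [string]$Class,                        # section name, e.g. 'contact'
        [string]$Attribute,                    # e.g. 'employeeID'
        [ValidateSet(0, 1, 2, 7)][int]$Flag
    )
    $entry = "$Attribute=$Flag"
    $inSection = $false; $found = $false; $done = $false
    $out = @(foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Target section ended without the attribute: append the entry to it.
            if ($inSection -and -not $done) { $entry; $done = $true }
            $inSection = ($Matches[1] -ieq $Class)
            if ($inSection) { $found = $true }
        }
        elseif ($inSection -and $line -match "^\s*$([regex]::Escape($Attribute))\s*=") {
            $line = $entry; $done = $true      # rewrite the existing entry
        }
        $line
    })
    if ($inSection -and -not $done) { $out += $entry; $done = $true }
    if (-not $found) { throw "Section [$Class] not found" }
    $out
}

# Constructed sample, not a copy of the real file.
$sample = @(
    '[contact]'
    'employeeID=7'
    'employeeNumber=7'
    '[user]'
    'employeeID=7'
)
# Only the [contact] entry changes; the [user] section keeps employeeID=7.
Set-DssecFlag -Lines $sample -Class contact -Attribute employeeID -Flag 0

# Against the real file (run elevated, keep the backup the post asks for,
# and write back with the file's original encoding):
# $path = Join-Path $env:SystemRoot 'System32\dssec.dat'
# Copy-Item $path "$path.bak"
# $new = Set-DssecFlag -Lines (Get-Content $path) -Class contact -Attribute employeeID -Flag 0
```

The flag only controls what the wizard displays on the machine whose dssec.dat was edited; it grants nothing by itself, and the permission still has to be delegated afterwards.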



Some extra reading: