SYDI script, Exporting/copying data from MS word to Excel sheet using VBA
wow it has been a while since I blogged.
I did something interesting this week and I wanted to share it with you.
This week, I got a task to check 400 servers for their startup parameters for security, now I though, I won’t log into each server and do it manually, I am so lazy for this.
SYDI script has a nice feature to export the server info along with the startup parameters, so I did SYDI commands and I exported the 400 servers data, but now I have 400 documents, again, I am so lazy for this, I want a single sheet to read.
So, it is time for some VBA scripting, after some search and copying some scripts, I built this nice script, I thought about sharing it.
The script will look in the current document, search for the latest table which should be the startup parameters, copy the word table using VBA, select the first line in the document which should be the server name, open excel sheet, lookup the written rows, and paste the table at the latest one.
Note: I named the macro AutoOpen to start when opening the documents, I built another script to loop through server names, open the documents and I am done.
now I can have a single sheet to read during drinking my coffee.
Enjoy
Sub AutoOpen()
Dim wrdTbl As Table
Dim RowCount As Long, ColCount As Long, i As Long, j As Long‘~~> Excel Objects
Dim oXLApp As Object, oXLwb As Object, oXLws As Object
Selection.MoveEnd Unit:=wdLine, Count:=1
Selection.Expand wdLine
hostname = Selection.Texttablecount = ActiveDocument.Tables.Count
Set wrdTbl = ActiveDocument.Tables(tablecount)
ColCount = wrdTbl.Columns.Count
RowCount = wrdTbl.Rows.Count
‘~~> Set your table‘~~> Get the word table Row and Column Counts
‘~~> Create a new Excel Applicaiton
Set oXLApp = CreateObject("Excel.Application")‘~~> Hide Excel
oXLApp.Visible = False‘~~> Open the relevant Excel file
Set oXLwb = oXLApp.Workbooks.Open("pathtoexcelsheet\sample.xlsx")
‘~~> Work with Sheet1. Change as applicable
Set oXLws = oXLwb.Sheets(1)
rowscount = oXLws.UsedRange.Rows.Count
If rowscount = 1 Then
rowscount = rowscount – 1
Newline = rowscount + 1
tableline = Newline + 1Else
rowscount = rowscount + 1
Newline = rowscount + 1
tableline = Newline + 1End If
oXLws.Cells(Newline , 1).Value = hostname
‘~~> Loop through each row of the table
For i = 1 To RowCount
‘~~> Loop through each cell of the row
For j = 1 To ColCount
‘~~> This gives you the cell contents
Debug.Print wrdTbl.Cell(i, j).Range.Text‘~~> Put your code here to export the values of the Word Table
‘~~> cell to Excel Cell. Use the .Range.Text to get the value
‘~~> of that table cell as shown above and then simply put that
‘~~> in the Excel Cell
With oXLws
‘~~> EXAMPLE
.Cells(tableline , j).Value = wrdTbl.Cell(i, j).Range.Text
End With
Next
tableline = tableline + 1
Next‘~~> Close and save Excel File
oXLwb.Close savechanges:=True‘~~> Cleanup (VERY IMPROTANT)
Set oXLws = Nothing
Set oXLwb = Nothing
oXLApp.Quit
Set oXLApp = NothingApplication.Quit
End Sub
Configuring Azure Multifactor Authentication with Exchange 2013 SP1
Thanks to Raymond Emile from Microsoft COX, the guy responded to me instantly and hinted me around the OWA + basic Auth, Thanks a lot Ray…
In case you missed it, Azure has a very cool new feature called Azure multifactor authentication, using MFA in Azure you can perform multifactor for Azure apps and for on-premise apps as well.
In this blog, we will see how to configure Azure Cloud MFA with Exchange 2013 SP1 on premise, this will be a long blog with multiple steps done at multiple levels, so I suggest to you to pay a very close attention to the details because it will be tricky to troubleshoot the config later.
here are the highlevel steps:
- Configure Azure AD
- Configure Directory Sync.
- Configure multifactor Authentication Providers.
- Install/Configure MFA Agent on the Exchange server.
- Configure OWA to use basic authentication.
- Sync Users into MFA agent.
- Configure users from the desired login type.
- Enroll users and test the config.
so let us RNR:
Setting up Azure AD/MFA:
Setting up Azure AD/MFA is done by visiting https://manage.windowsazure.com , here you have 2 options (I will list them because I had them both and it took me a while to figure it out):
- If you have never tried azure, you can sign up for a new account and start the configuration.
- If you have Office 365 enterprise subscription, then you will get Azure AD configured, so you can sign in into Azure using the same account in Office 365 and you will find Azure AD configured for you (I had this option so I had to remove SSO from the previous account and setting it up again).
Once you login to the portal, you can setup Azure AD by clicking add:
Since I had Office 365 subscription, It was already configured, so if you click on the directory, you can find list of domains configured in this directory:
If you will add a new domain, click on add and add the desired domain, you will need to verify the domain by adding TXT or MX record to prove you domain ownership, once done you will find the domain verified and you can configure it, the following screenshots illustrates the verification process:
Once done, go to Directory Integration and choose to activate directory integration:
One enabled, download the dirsync tool on a computer joined to the domain:
Once installed, you will run through the configuration wizard which will ask you about the azure account and the domain admin account to configure the AD Sync:
Once done, you can check the users tab in Azure AD to make sure that users are sync’d to Azure successfully:
If you select a user, you can choose to Manage Multifactor Authentication
you will be prompt to add a multifactor authentication provider, the provider essentially controls the licensing terms for each directory because you have per user or per authentication payment, once selected you can click on manage to manage it:
Once you click manage, you will be taken to the phonefactor website to download the MFA agent:
click on downloads to download the MFA agent, you will install this agent on:
- A server that will act as MFA agent and provides RADIUS or windows authentication from other clients or
- Install the agent on the Exchange server that will do the authentication (frontend servers).
Since we will use Exchange, you will need to install this agent on the Exchange server, once install you will need to activate the server using the email and password you acquired from the portal:
Once the agent installed, it is time to configure the MFA Agent.
Note: the auto configuration wizard won’t work, so skip it and proceed with manual config.
Another note: FBA with OWA won’t work, also auto detection won’t work, so don’t waste your time.
Configuring the MFA Agent:
I need to stress on how important to follow the below steps and making sure you edit the configuration as mentioned or you will spend hours trying to troubleshoot the errors using useless error codes and logs, the logging still poor in my opinion and doesn’t provide much information for debugging.
the first step is to make sure the you have correct name space and ssl certificate in place, typically you will need users to access the portal using specific FQDN, since this FQDN will point to the Exchange server so you will need to publish the following:
- Extra directories for MFA portal, SDK and mobile app.
- or Add a new DNS record and DNS name to the ssl certificate and publish it.
In my case, I chose to use a single name for Exchange and MFA apps, I chose https://mfa.arabcloud.tv, MFA is just a name so it could be OWA, mail or anything.
SSL certificate plays a very important role, this is because the portal and mobile app speaks to SDK over SSL (you will see that later) so you will need to make sure that correct certificate in place as well as DNS records because the DNS record must be resolvable internally.
once the certificate/DNS issue is sorted, you can proceed with the install, first you will install the user portal, users will use this portal to enrol as well as configuring their MFA settings.
From the agent console, choose to install user portal:
It is very important to choose the virtual directory carefully, I highly recommend changing the default names because they are very long, in my case I chose using MFAPORTAL as a virtual directory.
once installed, go the user portal URL and enter the URL (carefully as there is no auto detection or validation method), and make sure to enable the required options in the portal (I highly recommend enabling phone call and mobile app only unless you are in US/EU country then you can enable text messages auth as well, it didn’t work with me because the local provider in Qatar didn’t send the reply correctly).
Once done, Proceed with SDK installation, again, I highly recommend changing the name, I chose MFASDK
Once installed, you are ready to proceed with the third step, installing the mobile app portal, to do this browse to the MFA agent installation directory, and click on the mobile app installation, also choose a short name, I chose MFAMobile
Once Installed, you will have to do some manual configuration in the web.config files for the portal and the mobile app.
You will have to specify SDK authentication account and SDK service URL, this configuration is a MUST and not optional.
to do so, first make sure to create a service account, the best way to do it is to fire you active directory users and computers management console, find PFUP_MFAEXCHANGE account and clone it.
Once cloned, open c:\intepub\wwwroot\<MFAportal Directory> and <MFA Mobile App Directory> and edit their web.config files as following:
For MFA portal:
For MFA mobile App:
Once done, you will need to configure the MFA agent to do authentication for IIS.
Configure MFA to do authentication from IIS:
To configure MFA agent to kick for OWA, you will need to configure OWA to do basic authentication, I searched on how to do FBA with MFA, but I didn’t find any clues (if you have let me know).
Once you configured OWA/ECP virtual directories to do basic authentication, go to the MFA agent , from there go to IIS Authentication , HTTP tab, and add the OWA URL:
Go to Native Module tab, and select the virtual directories where you want MFA agent to do MFA authentication (make sure to configure it on the front end virtual directories only):
Once done….you still have one final step which is importing and enrolling users…
to import users, go to users, select import and import them from the local AD, you can configure the sync to run periodically:
Once imported, you will see your users, you can configure your users with the required properties and settings to do specific MFA type, for example to enable phone call MFA, you will need to have the users with the proper phone and extension ( if necessary):
You can also configure a user to do phone app auth:
Once all set, finally, you can enrol users.
Users can enrol by visiting the user portal URL and signing with their username/password, once signed they will be taken to the enrolment process.
for phone call MFA, they will receive a call asking for their initial PIN created during their configuration in MFA, once entered correctly, they will be prompted to enter a new one, once validated the call will end.
in subsequent logins, they will receive a call asking them to enter their PIN, once validated successfully, the login will be successful and they will be taken into their mailbox.
in mobile app, which will see here, they will need to install a mobile app on their phones, once they login they can scan the QR code or enter the URL/Code in the app:
Once validated in the app, you will see a screen similar to this:
Next time when you attempt to login to OWA, the application will ask you to validate the login:
Once authentication is successful, you will see:
and you will be taken to OWA.
Final notes:
again, this is the first look, I think there are more to do, like RADIUS and Windows authentication which is very interesting, also we can configure FBA by publishing OWA via a firewall or a proxy that does RADIUS authentication + FBA which will work.
I hope that this guide was helpful for you.
Boosting your career and knowledge in Active Directory
Since a while I was thinking about helping others posting their TRUE knowledge and skills, I seen a lot of guys roaming around with no clues how to build true knowledge about IT infrastructure in general.
In this blog series, I will list recommended reading for several technologies and components and how you can build knowledge around that, of course; hand-on and time will give you the required experience, but these recommendations will help you to stop the no-clues auto-pilot mode.
I will start with AD, please note the following:
- You might have different opinions about the readings, again these are my recommendations.
- I read the below list so when I complied this list I wanted to cut it short for you instead of reading useless stuff.
- You will still need to build hands-on experience.
so let us start with the Active Directory reading lists:
This list will be updated on regular basis to reflect the most recent interesting reads, I wish you all successful career in AD.
How to configure RSA SecureId 130 Appliance to integrate with Active Directory
In this lab we will configure the RSA SecureID 130 appliance to integrate with AD and allow users to login using their tokens to AD, here are the steps to setup the appliance:
Setting up the Device:
the RSA appliance can be setup either as primary or secondary, the primary mode if either standalone or used in conjunction with the secondary one to provide HA, in our setup we will setup the primary device.
setting up the device is fairly simple, connect the device to the network, it comes pre-set with the IP 192.168.100.100, you will connect to that IP and set it up:
the wizard walks you through the initial setup wizard, where you import license file that came with the appliance, set the date and time, set the OS password, set the superadmin password, configure networking, after that it will take around 10 minutes to setup the device and reboot to start with the new configuration.
once rebooted, you can login to the operations console, you can access it using any web browser and browse to: :7072/operations-console">https://<IP Address>:7072/operations-console
once you login and to integrate with AD, you need to configure identity sources, to do so go to Manage Identity Sources .
Click on add new identity source
the add new identity source wizard opens, and it allows you to add your identity source, in our case we are using Microsoft Active Directory, enter the AD information including a dedicated username and password to connect and manage AD (in this lab I am using the administrator account please make sure to use a dedicated account in production environment), and click on test connection to verify your settings.
once successfully, you will be prompted with map wizard, this wizard will allow you to map AD attributes to AD (make sure not to include user base DN or Group base DN if you are adding a global catalog) confirm the attribute mapping and click next
now you will have your identity source configured
now you will login to the security console, and configure the realm,
now go to Realm management and create a new one for the AD or choose edit and include AD in the existing realm
now from the security console, you can go for token management and search for your tokens that you have imported you will find them in the console
now you can search for a user and assign the token to him
the final step is to install the RSA client on the machine the user will login (local machine or XenApp Server for example), once the client installed it will disable the AD password login and will require the user to login using the token, these settings can be set using GPO or registry.
Note: for some reasons the latest version of the client didn’t work with me so I used the previous version which worked great, but it requires registry editing to enforce RSA login GINA.
hope that this quick guide helped you out.
Configuring Dynamic Access Controls and File Classification-Part4-#winservr 2012 #DAC #microsoft #mvpbuzz
Part1: The Windows Server 2012 new File Server–part 1- Access Condition http://goo.gl/9miY1
Part2: The Windows Server 2012 new File Server–part 2- Install AD RMS http://goo.gl/dRHro
Part3: The new file server part3 using file classification & AD RMS: http://goo.gl/A4JlC
In previous parts we have walked through the new file server features and permissions wizard, Data Classification, AD RMS installation and File Classification and AD RMS integration, in the final part of this series we will take about how to implement a new feature of Active Directory called claim based authentication and utilize it for something called Dynamic Access Control.
but wait a minute, what is the claim based authentication, from this reference: http://www.windowsecurity.com/articles/First-Look-Dynamic-Access-Control-Windows-Server-2012.html
Claims-based authentication relies on a trusted identity provider. The identity provider authenticates the user, rather than every application doing so. The identity provider issues a token to the user, which the user then presents to the application as proof of identity. Identity is based on a set of information that, taken together, identifies a particular entity (such as a user or computer). Each piece of information is referred to as a claim. These claims are contained in the token. The token as a whole has the digital signature of the identity provider to verify the authenticity of the information it contains.
Windows Server 2012 turns claims into Active Directory attributes. These claims can be assigned to users or devices, using the Active Directory Administrative Center (ADAC). The identity provider is the Security Token Service (STS). The claims are stored inside the Kerberos ticket along with the user’s security identifier (SID) and group memberships.
Once the data has been identified and tagged – either automatically, manually or by the application – and the claims tokens have been issued, the centralized policies that you’ve created come into play.
Now you can turn user’s attribute whatever they are, into security controls, now we have the power to control the access to files and set the permissions to files using attributes, we no longer controlled by group permissions only.
With that in mind, you can set the permissions on the files based on department attributes, connecting machine, location or any other attribute in Active Directory and you don’t have to create specific groups for that, also the permissions will be set on the fly, not only that, but you can set the permissions not based on the user’s properties but also based on the device the user is using, you can set the permissions to full control from corporate devices, but readonly from kiosk or non-corporate devices.
Not only that, but you can also include the attributes of the resources that is being accessed in the permissions equation, so you want “on the fly” to examine the resource classification and allow only specific users with specific attributes to access the resource (so files classified of country classification “Egypt” will be accessed by only users who are in country “Egypt” for example).
Dynamic Access Control (DAC) is a new era for permissions, I am blown by the power of DAC and how flexible it is, mixed with AD RMS you can have ultimate control on data within your corporate.
Lab Setup:
We will use the steps described here in this TechNet article: http://technet.microsoft.com/en-us/library/hh846167.aspx#BKMK_1_3 , the steps here are illustration of the steps, and prior parts of the blog series (part 1 to 3) are used as foundation to demonstrate the final environment:
Implementation steps:
the first ting to configure is the claim type, claim types represents what are the data queried in the user/device/resource attribute and then used in the permission evaluation, you want to query about the country, you create a claim type for that, you want to use department you create a claim type for that.
In our Lab we will create a claim type of Department and Country:
to create a claim type open the AD Administrative Center and go to Claim Types, and from the menu select new:
Create a new claim for Department :
and for Country :
In the Country, Supply suggested values (to specify values for the claims as Egypt and Qatar):
Note: By defaults claims are issues to users, if you want to issue it for computers you must select that on the claim
Create a new reference resource property for Claim Country:
Now got to Resource Properties and enable the department claim;
Now let us create a Central Access Rule, This rule will include the template permissions that will be applied when the claims are matched with the rules defined in the CAR:
In the rule, specify the security principle you want to use, in this demo we will grant access to Finance Admins full control and Finance Execs read only access, and this will be applied to all files “resources” that is classified in the Finance Department, we can also go with devices claims and specify the country of this device or any other property that we can to query about the device:
The Final rules will be :
Now create a Central Access Policy that will be applied using GPO to all file servers and the Administrator can select and apply them on individual folders:
In the CAP, include the finance data rule:
No you need to apply this CAP using GPO and make it available to file servers, now create a GPO and link it to the file servers OU:
In the Group Policy Management Editor window, navigate to Computer Configuration, expand Policies, expand Windows Settings, and click Security Settings.
Expand File System, right-click Central Access Policy, and then click Manage Central access policies.
In the Central Access Policies Configuration dialog box, add Finance Data, and then click OK.
You need now to allow the Domain Controllers to issue the Claims to the users, this is done by editing the domain controllers GPO and specify the claims settings:
Open Group Policy Management, click your domain, and then click Domain Controllers.
Right-click Default Domain Controllers Policy, and then click Edit.
In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-clickAdministrative Templates, double-click System, and then double-click KDC.
Double-click KDC Support for claims, compound authentication and Kerberos armoring. In the KDC Support for claims, compound authentication and Kerberos armoring dialog box, click Enabled and select Supported from the Options drop-down list. (You need to enable this setting to use user claims in central access policies.)
Close Group Policy Management.
Open a command prompt and type gpupdate /force
.
Testing the Configuration:
Going to the file server, and clicking on our finance data file, we can now find the data classification that we specific in the Claims:
Now let us classify the data as Finance Department.
Note: In order to allow DAC permissions to go into play, allow everyone NTFS full control permissions and then DAC will overwrite it, if the user doesn’t have NTFS permissions he will be denied access even if DAC grants him access.
Now checking the permissions on the folder:
going to the Central Policy tab and applying the Finance Data Policy:
now let us examine the effective permissions:
for the Finance Admins:
If the user has no claims (so he is a member of the group but not in the finance department and is not located in Egypt) he will be denied access:
Now, let us specify that he is from Finance Department, no luck, Why?!
This is because he must access the data from a device that has claim type country Egypt:
Now test the Finance Execs Permissions and confirm it is working.
You can test applying this rule also when the following condition is set, and wee what happens:
Note: the above rule will grant use access when his department matches the file classification department, so you can have a giant share from mix of departments and permissions will be granted to files based on users’ departments.
Conclusion:
Mixing DAC with AD RMS and file classification is a powerful mix that helps organizations with the DLP dilemma, and with Windows Server 2012 organization has total control for the first time on the files and data within the files. please try the lab and let me know your feedback
Upgrade your Active Directory from 2008 to Windows Server 2012 #Microsoft #winserv2012
Windows Server 2012 introduces new ways of managing and configuring your Windows infrastructure, one of these components are the Active Directory.
First, Microsoft removed the famous “DCPROMO” and the functionality of installing and promoting a new Domain Controller is moved entirely to the Server Manager.
in this lab, we have a single DC that we would like to move all of its roles to a new fresh installed Windows Server 2012.
Configuration Steps:
1- Install your Windows 2012 Server and Join it to the Domain.
2- open Server manager and from tasks, select “Add Roles and Features”:
3- In the Welcome screen click next:
4- In the select Installation type, select Role-based:
5- in the select server, select the desired server or server group (for server groups refer to my previous article “Windows 2012 first look”:
6- from the list of roles, select Active Directory Domain Services:
7- Active Directory Domain Services in Windows Server 2012 depends on other roles/features, you must add them, the wizard will add them if they are not pre-installed, so accept adding those missing roles/features:
8- In the installation summary, review your selection, also you might want to restart the Server directly after installation completes:
Until this point, we have not actually configured the server as domain controller, we were just adding the roles, after completing the installation, the wizard will inform you that there is post installation configuration to configure this server as domain controller, select more
In the following screen you will find the post deployment tasks are pending:
1- When you select the “Promote this server to domain controller” the following wizard opens:
from the previous screen you can select to install new forest, new domain or a new forest, in our case we are upgrading so select “add a domain controller to an existing domain”.
Note: you have the option to select the domain information if you have multiple domains.
Important Note: if this is the first Windows Server 2012 DC to be installed in the forest and you didn’t extend the schema yet, then you will need to make sure that this account has the necessary permissions to extend the schema (Enterprise Admin/Schema Admin), otherwise the setup will fail.
In Windows Server 2012, you don’t need to extend the schema separately as the wizard will handle this for you, unless you really want to perform it in a separate step.
If you do not run adprep.exe command separately and you are installing the first domain controller that runs Windows Server 2012 in an existing domain or forest, you will be prompted to supply credentials to run Adprep commands. The credential requirements are as follows:
- To introduce the first Windows Server 2012 domain controller in the forest, you need to supply credentials for a member of Enterprise Admins group, the Schema Admins group, and the Domain Admins group in the domain that hosts the schema master.
- To introduce the first Windows Server 2012 domain controller in a domain, you need to supply credentials for a member of the Domain Admins group.
- To introduce the first read-only domain controller (RODC) in the forest, you need to supply credentials for a member of the Enterprise Admins group.
2- from the Domain Controller Options, select if this server will be a Global Catalog and DNS server or not, since we are upgrading, we need to make sure that this server is a DNS and GC, also select the site where this server will be assigned to:
3- in the DNS delegation page, next:
4- In the additional options, you might have to select Install from media or replicate from a specific DC, or let it automatically:
5- Review the Paths for NTDS, SYSVOL, customize them if needed:
6- In the prerequisites check, make sure that you passed successfully and Install.
7- After installation finishes server will reboot and you will AD DS role installed and the server is identified as a DC:
You can now run “DCPROMO” on the old server to remove it, if it is a single server environment the FSMO roles will be moved to the 2012 DC, if not and you have multiple servers then you can move them as before from the ADUC and ADDT MMCs.
Raising the Forest/Domain Functional level:
Raising the Forest/Domain levels is needed only to enable one new feature: the Support for Dynamic Access Control and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level. otherwise and if you are not using these and not comfortable with raising the Forest/Domain Function yet, don’t.
You have successfully upgraded you domain controller, congrats.