Unlock an Active Directory Account Using Mac OS X Directory Utility

Recent versions of OS X integrate well with Microsoft’s Active Directory. As an IT professional working in a primarily Windows-based environment, I can still perform most of my job just fine with a Macbook without resorting to Bootcamp or virtual machines. I do use Jump Desktop for remoting into servers to run Windows-only administrative tools though. One of those tools I frequently need to use is Active Directory Users and Computers. More and more though I’ve been using the native OS X Directory Utility to perform some of the tasks that I previously would have needed ADU&C for. This tool is more like the Active Directory Services Interface Editor (adsiedit.msc) than ADU&C because it presents you with all the attributes of an object without simple GUI buttons for common tasks. But that doesn’t mean it can’t be used for those tasks if you know how.

One common situation is unlocking a user’s account after too many invalid password attempts. To unlock an AD account using Directory Utility follow the steps below. Note: the screenshots below are redacted to hide any internal details of my workplace AD environment.

  • Launch Directory Utility(This handy app is hiding in /System/Library/CoreServices/Applications/)
  • Switch to the Directory Editor tab
  • Set the node to your domain rather than /Local/Default
  • Click the lock to authenticate with an account that has the necessary rights. This doesn’t need to be the same account you are currently logged in as.
  • Search for the user in question and then scroll down to the lockoutTime attribute. If this value is anything other than zero, the account is locked out.
Directory Utility
Directory Utility
lockoutTime
lockoutTime
  • Change the lockoutTime attribute to 0 and the user’s account is now unlocked.

Throttle Apple Photos Upload

Apple’s new Photos app was publicly released as part of OS X 10.10.3. It is the replacement for both iPhoto and Aperture. Without getting into an in-depth review, overall my early impression is that I like it a lot but the initial iCloud upload of all your photos is terrible. It will completely saturate your upload bandwidth leaving the internet unusable for other computers on your network. Your only obvious option is to “pause for one day” which will provide temporary relief but constantly starting and stopping the upload for a week or more is a huge hassle.

A better solution would be to throttle the upload so it doesn’t leave your network unusable. Photos, strangely, doesn’t offer this feature but, thankfully, there is a way. User mayall posted a solution to an Apple support community forum. Just download the Hardware IO Tools from the Apple Developer site and you can use the Network Link Conditioner to create a profile that limits your upload bandwidth.

My internet connection is 30 mbps down / 3 mpbs up so I configured my iMac to be able to use the full download speed but only 2 mbps to upload and everything seems to be working well now without my constant need to pause and resume.

Network Link Conditioner
Network Link Conditioner

Jump Desktop - Mac OS X Remote Desktop RPD Client

I just wanted to write up a quick endorsement for Jump Desktop. I’ve been using Microsoft Remote Desktop to manage Windows servers from my Mac for a few years now and I finally decided I’d had enough. I looked a little bit at CoRD but didn’t actually even download it to give it a try. It’s strangley blocked by my corporate proxy server, but it didn’t seem to offer much in the way of managing a large number of saved connections so I didn’t bother trying to download it through other means. Instead I found myself settling on Jump Desktop. It was pretty hard to accept the idea of paying $30 for something when I use Terminals for free on Windows but after the initial purchase I haven’t regretted it.

Tagging

One of the best features is that your RDP connections are organized by tags and each can have multiple tags. So I can easily click on the tag group to see all the servers in my lab domain, or I can see a group of domain controllers to see all the domain controllers including both the lab and prod domains. With a good system of tags it’s very easy to find the server(s) you are looking for.

Screen Sizing

It is also much better at dealing with my dual monitor setup than Microsoft’s RDP client. With the Microsoft client, if I didn’t want to run in full screen mode then I was pretty much limited to setting a specific resolution. The selection of resolutions was pretty limited and never seemed sized right because sometimes I’d be using an external monitor and sometimes I’m just running native on my 11" MacBook Air. Jump Desktop always sizes the RDP session correctly to make the best use of my monitor without going full screen.

Conclusion

I don’t have much more to say other than I’m sorry that I didn’t spend the $30 sooner. It makes working on my Mac in a Windows environment so much more pleasant and productive. If you are on the fence then I’d say just buy it. $30 isn’t really much money for something I use every day.

Mac OS X WPA2 Enterprise Authentication Using a Microsoft CA - Part 2

This is the second in a series of posts describing the process of joining a corporate wifi network that uses a certificate from a Microsoft certificate authority with a Mac. There are four primary tasks to accomplish this:

  • Bind the Mac to Active Directory
  • Add the Microsoft CA to the keychain
  • Request a Machine certificate from the CA
  • Configure the wifi network using the certificate for authentication

Part 1 covered the Active Directory binding. Part 2 will cover the other 3 steps.

Trusting the Certificate Authority

certmgr.msc
certmgr.msc

You can request a certificate from a Microsoft CA without actually trusting the CA, however you will have problems trying to use theis certificate for wifi authentication unless the issuer is trusted. There are multiple ways to get the root certificate to trust. If you have a domain joined Windows machine handy then you can go to Start > Run and enter certmgr.msc. Find your corporate root CA under Trusted Root Certification Authorities > Certificates and then right-click and select Export from All Tasks. Note that it will not most likely not be named “Corporate Root CA”, this is just an example. If you don’t know what it is called, look for something with your company’s name in it.

certificate payload
certificate payload

Create another configuration profile to handle the certificate trust. Again, I recommend doing this as a stand-alone profile with a single payload so that it can be updated independently of other settings.

Requesting the AD Certificate

Wifi Profile

Wifi Profile

You will need to combine both the AD certificate request payload and the network configuration payload in the same configuration profile. This is the only way you can select the certificate as an authentication option for the network.

AD Certificate Request
AD Certificate Request

Apple has a KB article describing the AD certificate request. The example shown in Apple’s screenshot did not work for me. Whereas Apple’s example simply has a hostname, I had to fill in a complete URL in the format http://pki.kevinbecker.org/certsrv, as shown below. Figuring out the name of the CA also gave me some trouble. Looking at a certificate that had been issued to a Windows machine it would appear that the name of my company’s CA is “MyCompany Corporate Issuing CA”. At least in my case, this is incorrect. I found the correct name using adsiedit.msc as described in this Microsoft KB Article. You will also need to provide the credentials for an account that has rights to request certificates.

Network Payload
Network Payload

Again, in the same profile that has the AD Certificate payload, you will also have a payload to join your wifi network using that certificate. The Username for connection to the network needs to be the computer name followed by a dollar sign. The computer name can be specified in several places in OS X so it’s important to make sure you use the same name specified in the Sharing Preference pane and when binding to AD. In this example, I’m using a payload variable %ComputerName%. A complete list of payload variables can be found in this Apple KB Article. For the Identity Certificate select the AD Certificate name that you used in your AD Certificate payload.

Troubleshooting

Mike Boylan wrote an article at afp548.com covering this process on Mountain Lion. Following his guide, I still had some challenges, which I’ve tried to detail in this article, but his instructions for enabling logging were very helpful. The highlights are duplicated here:

If an error occurs when requesting the AD certificate, the profile will fail to install. To enable logging for the profile installation, and thus the certificate failure, issue the following commands in the terminal: sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1

You will need to log out or reboot for the change to take effect. Logging information will show up in /Library/Logs/ManagedClient/ManagedClient.log. which you can easily view with the Console app. To disable debug logging, delete /Library/Preferences/com.apple.MCXDebug.plist.

eapolclient handles the EAP-TLS negotiation when joining a WPA2 Enterprise network. Errors are logged to /var/log/system.log. You can also enable more verbose logging by issuing the following command in the terminal:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int -1

The log(s) will be written to /var/log/eapolclient.[interface].log. To disable the verbose logging, simply change the value to 0.

Mac OS X WPA2 Enterprise Authentication Using a Microsoft CA - Part 1

Getting a Macintosh to join a corporate wifi network that uses a certificate from a Microsoft certificate authority for authentication is pretty easy after Mountain Lion (OS X 10.8) added support for DCE/RPC certificate requests. There are four primary tasks to accomplish this:

  • Bind the Mac to Active Directory
  • Add the Microsoft CA to the keychain
  • Request a Machine certificate from the CA
  • Configure the wifi network using the certificate for authentication

Configuration Profiles

These tasks can all be done using configuration profiles. Configuration profiles are XML files that can be created/edited by hand or through various tools like OS X Server Profile Mananager. You can do this in a single configuration profile if desired, but I recommend splitting these into multiple profiles. By using multiple configuration profiles you are able to more easily make changes and troubleshoot problems that may be profile-related. For example, if all the items are in a single profile and you want to remove the wifi settings, you will also undbind the machine from Active Directory.

Active Directory Binding

Apple has a whitepaper that describes binding a Mac to AD. There is also a KB article describing all the parameters in detail. I recommend using a dedicated profile with a single payload just for the AD binding.

AD Profile

AD Profile

AD Profile General

AD Profile General

In the description field of the general section of all my profiles I include a version number to keep track of profile revisions. You can also require a password to prevent users from removing the profile without authorization.

How you configure the profile will depend on your environment. At a minimum you will need to provide:

  • Server Hostname - Just entering the domain name should let the client find a domain controller on its own. It is not recommended to enter a specific domain controller name as this may change.
  • Username/Password - This is the name and password of an account with rights to join machines to AD. Using default groups this would be at least Account Operator but I’d recommend creating an account just for domain joining machines to the domain that has less rights.
  • Client ID - This is the hostname of the Macintosh. In the example below, I use the naming convention “MAC” followed by the machine’s serial number. %SerialNumber% is a payload variable that will resolve to the serial number of the client the computer it is installed on. Apple has a list of payload variables that are supported.
  • Organizational Unit - The default location for machine accounts in Active Directory is the computers container which is specified by entering “cn=computers,dc=domain,dc=com” however if your organization puts machines into an alternate OU then the format is “ou=foo,ou=bar,dc=domain,dc=com”. Note the syntax difference between the default computers container (cn=computers) and the custom organizational unit (ou=foo,ou=bar).
  • Create mobile account at login - This is not strictly required but it is recommended. If you neglect to create a mobile account at login then the user will not be able to log in when not on your corporate network.
Directory Payload

Directory Payload

Other settings worth noting in your AD binding profile are under the Administrative tab. Here you can add additional usernames and/or groups that are automatically granted administrative rights on your Macintosh machines. By default the default Active Directory groups enterprise admins and domain admins are included. It is also worth noting that the namespace defaults to domain which may create some naming issues with your mobile accounts. With the namespace set to domain, local user profiles are created in /Users/DOMAIN\userid/ , which has a backslash in the folder name. In general, this is a valid character but some apps (Powerpoint, I’m looking at you!) may not work well with files in the user’s home directory when named this way. It’s also just generally unpleasant and awkward to work with. Changing the namespace to forest will result in mobile profiles in the format /Users/userid/ which is counterintuitive, but nevertheless the desired naming convention.

Administrative Tab

Administrative Tab

Part 2 covers the rest of the process.

Locking Mac OS X With a Keyboard Shortcut

On Windows computers, in a work environment, I've always had the habit of locking my screen whenever I walk away by hitting either Windows-L or Ctrl-Alt-Del and then Enter (because "lock this computer" is selected by default in the dialog displayed after Ctrl-Alt-Del).  For the past few years of using a Mac at my workplace I've missed this functionality. There are various workarounds like displaying the keychain status in the menu bar (this adds a quick "Lock Screen" menu option), screensaver hot corners, assigning a script to a keyboard shortcut, etc. but I never found a simple and stock solution. It finally occurred to me when looking at some keyboard shortcuts recently that you can achieve this by setting "Require password immediately after sleep" in Security & Privacy and then simply hitting Shift-Control-Power to put the display to sleep.  It's a much better solution and pretty easy to do once you develop in the habit.

EDIT:  I had googled this a few years ago and never found this tip, but now I see that lots of others have come up with this same idea.

Grand Circus

Two weeks ago my manager told me that our VP of IT had gotten us 5 seats in any class offered by Grand Circus, a new Detroit tech training startup.  The only stipulation was that at least one of the seats had to be in the Build an iPhone App course.  Presumably he wants to see some internal iOS development come out of this.  Needless to say, all 5 of us opted for the iPhone class. The place is pretty much exactly what you would imagine if someone told you that they were taking a class at a hot new tech startup (they've even been named a Google tech hub, whatever that is).  There are unconventional weeble chairs in the lobby, kegs of disappointingly old beer, whiteboard paint in the classroom (we just write on the walls here man, it's cool), etc.

grandcircus

Although it almost seems like a parody of itself I still think the class will be cool. It's actually a little fun to be part of the Detroit Tech Scene even though I'm the cynical old guy that finds it all sort of amusing.  Nevertheless, I've been wanting to learn iOS programming for a few years now but I just never seem to find the motivation to dig into it.  Taking a class will force me to focus on it which is exactly what I need right now.  The downside is that it's a 10 week class, 2 nights a week, and I'm also enrolled in a class for my Master's Degree at OU so this semester will be rough.

Tunnel SSH through a proxy on MacOS X Mountain Lion

Until recently my workplace allowed direct ssh traffic to pretty much anywhere.  They recently blocked this, which makes sense from a security point of view but is very inconvenient at times.  Luckily it is pretty easy to tunnel ssh through our http proxy so I can still get to external hosts and they can still monitor what I am doing. The first step is to install Xcode if you haven't already.  In Mountain Lion, Xcode is now available through the Mac App Store.  After you've installed Xcode, you'll need to install the command line tools.  Launch Xcode and go to Preferences > Downloads to install the command line tools.

Next, download corkscrew.  The corkscrew README has more or less everything you need to know from here, but the basic procedure is to launch Terminal and then enter the following commands:

cd ~/Downloads
tar -xfv corkscrew-2.0.tar
cd corkscrew-2.0
./configure --host=apple

The configure command is the only part that varies from the README.  Without specifying the host I was getting an error "configure: error: can not guess host type; you must specify one".  After configure is done, then run two more commands.

make
sudo make install

Next you will need to create the file ~/.ssh/config if it doesn't already exist and add the following lines, where proxy.example.com is your proxy server and 8080 is the port it is listening on:

ProxyCommand /usr/local/bin/corkscrew proxy.example.com 8080 %h %p

If your proxy requires authentication like mine then you need to modify your ~/.ssh/config slightly.

ProxyCommand /usr/local/bin/corkscrew proxy.example.com 8080 %h %p ~/.ssh/myauth

And then also create the file ~/.ssh/myauth and put your username and password for the proxy in it.

username:password

You should also modify the permissions on myauth for a little added security.

chmod 600 ~/.ssh/myauth

Lastly, I only want to go through the proxy for external hosts.  The current setup will apply to all hosts.  You can modify the entry in the ~/.ssh/config file to apply only to a particular host or hosts.  If you only have a small number of hosts you need to access the simplest way would be to just put each entry on one line separated by whitespace.  If you want to get more advanced you can use pattern matching as described in the ssh config manpage.

Host host1.external.com host2.external.com
ProxyCommand /usr/local/bin/corkscrew proxy.example.com 8080 %h %p ~/.ssh/myauth

 

Reverse Scrolling on Windows 8

Somehow I managed to get a Mac Mini for my primary work desktop (even though my job is primarily Windows based).  I also have a company MacBook Air and an iMac at home.  So basically grown so used to the reverse scrolling introduced in Mac OS Lion that Windows drives me crazy now.  We've been evaluating Windows 8 and I'm trying to use it as my primary OS to immerse myself but I just can't take the "normal" scrolling, especially when I'm using it on my MacBook. There are lots of links on the internet pointing to 3rd party tools to modify this but eventually I found a better solution, editing one registry key.  That blog specifies Windows 7 but it also works on Windows 8.  In addition to "FlipFlopWheel" I also changed "FlipFlopHScroll".

The steps, as copied from Volker Voecking's blog are:

  1. Find the hardware ID of the mouse
    • Go to the mouse control panel
    • Select “Hardware” tab
    • Click “Properties” button
    • Select “Details” tab
    • From the drop-down list choose “Hardware IDs”
    • Save the VID*** entry ( e.g. VID_045E&PID_0039 )
  2. Find and change the corresponding configuration settings in the registry
    • Run regedit.exe
    • Open Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HID
    • Here you should find an entry for the hardware ID of your mouse
    • In all sub-keys of the hardware id key look for the “DeviceParameters” key and change the “FlipFlopWheel” value from 0 to 1
  3. Make it work
    • Unplug the mouse
    • Count to five :-)
    • Plug the mouse back in

Safari 6 Never Remember Passwords for Any Site

I never configure my browser to remember passwords for me.  I work on too many different computers to rely on my browser to remember things for me so I have my own system to keeping track of passwords.  Usually the first time I get a popup offering to remember my password on a new computer or browser I immediately go into the preferences and turn the feature off completely. After upgrading to Mountain Lion, which included Safari 6, I couldn't find this option.  You can choose to never remember passwords for a particular website but you are still prompted at least once for every website.  I asked google right after I upgraded and didn't find an answer but after upgrading two more macs and living with Mountain Lion for a few weeks the popups were starting to wear on me.  Luckily by this time, google had an answer.  Apparently it the option is now under "autofill" instead of "passwords".  If you turn off "usernames and passwords" you won't be prompted to remember any more passwords.  Thanks google!