“Broken By Design”

After hours of conference calls with Microsoft, and multiple tiers of support, we come to the conclusion that Nested Local Groups in Built-in Groups are “broken by design”. What does this really mean? When you nest a Local Group into a Built-in Local Group, the effective permission set for the Users within that Local Group is reduced to Guest. This remains true unless the Users are specifically added into the Built-in Local Groups, which will result in proper permissions being passed to the Users.

Nesting Issue Explained

Lets take the above graphic, where we created a new local group called ‘Geeks’ which contains users named “Brenton B” and “Jason P”. From there, we added the ‘Geeks’ local to the Built-in ‘Administrators’ local group. From that hierarchy, we should assume any users in the ‘Geeks’ Local Group, should obtain Administrative privileges by traversing through the security pathway. Unfortunately, this is not the case.

Note: This issue is for all of the Built-in Groups on the system including, but not limited to, Administrators, Backup Operators, Power Users, and Users. I used the Administrators Group, as it’s easiest to work with.

The issue has to do with second level security traversing with Built-in Groups. While the first level traversing is a trusted security relationship in the operating system, the second security relationship is not trusted. This means that the ’Geeks’ Local Group object is effectively a member of the ‘Administrators’ Group and it also means that Brenton B. and Jason P. are members of the ‘Geeks’ Local Group. It will not, however, traverse to the second level and grant Brenton B. and Jason P. group membership to Administrators.

What About Restricted Groups in Group Policies?

This issue unfortunately is also present when you have Restricted Groups. Restricted Groups within Group Policies force group associations to the local groups in the Operating System. While you mandate the ‘TestAdmin’ Group as part of the Built-in Administrators Local Group, the permission lookup occurs on the Windows Operating System; thus the Nested Groups do not traverse.

Can You Still Add Groups To Built-in Groups?

Yes, as shown above! While the GUI of Windows does not provide a method to directly add Groups within Built-in Groups, you can execute two commands that would provide for adding Groups in Groups.

Method 1 – Powershell

   1: # Obtain the Current Computer Name

   2: $cmpName = [System.Net.DNS]::GetHostName()

   3:  

   4: # Make the ADSI Call into the Computer

   5: $adsiCall = [ADSI] ("WinNT://$cmpName,computer")

   6:  

   7: # Create the worker variable

   8: $objworker = $adsiCall.Create("group","Geeks")

   9: $objworker.put("description","Geeks Local Group")

  10:  

  11: # Create Object from worker variable

  12: $objworker.setinfo()

  13:  

  14: # Create the Group Association

  15: $adsistring = "$cmpName/Administrators,group"

  16:  

  17: # Create the worker variable

  18: $group = [adsi] ("WinNT://$adsistring")

  19:  

  20: # Add the group

  21: $group.add("WinNT://$cmpName/Geeks")

Method 2 – NET Commands in BAT File

   1: net localgroup "Geeks" /Add

   2: net localgroup "Administrators" "Geeks" /Add

* The above Methods add the ‘Geeks’ local Group, then add the ‘Geeks’ Local Group to the ‘Administrators’ Group

Resolution to the Issue

I still firmly believe this is a bug, however, Microsoft says it’s by design – an undocumented feature so to say. The following can be performed to resolve the issue:

#1 Add the Users of the Geeks Group directly to the Built-in Administrators Group.

#2 Create a Domain Global Group named ‘Geeks’ and place the Domain Global Group ‘Geeks’ in the Local Administrators Restricted Group.

Supporting documents: According to Microsoft’s knowledge Base articles

http://technet.microsoft.com/en-us/library/ee681621(WS.10).aspx … “This is the expected behavior of the Computer Management snap-in.”

and

http://support.microsoft.com/kb/974815 … where we can quote directly “This behavior is by design. Windows does not support the nesting of local groups on domain clients or on workgroup clients.”

Let me explain this one a bit more – Microsoft does not have a GOOD reason for why this doesn’t work, however, it is by design and is expected. On a serious note, we were able to get the Local Groups to Accept “Global” and “Domain Local”* active directory groups. While this doesn’t help a stand alone system for nesting of groups, it does provide a work around for authentication.

** Be cautious when adding Domain Local Groups to the system as if you have any forests, or trusts, the security will not traverse through the forest or any trusts. **

This article is to aid those who are receiving the “Data is Invalid” error message in Powershell on Windows Server 2008 R2. This issue occurs while trying to import policies from one domain into their a different domain using a migration table. This issue has to do with the migration table editor referring to the “Pre-Windows 2000 Username” to migrate users instead of their Standard Username.

Syntax of Command Used for Error:

Import-GPO –BackupID {GUIDGOESHERE} –TargetName “Default_AccountingPolicy” –path “c:\scriptloc\” –MigrationTable “C:\scriptloc\DefaultMig.migtable” –CreateIfNeeded | Out-Null

Error:

“ Import-GPO : The Data is invalid. (Exception from HRESULT: 0x8007000D) “

Solution:

The issue has to do with creating Users and User Groups without the ‘SAMACCOUNTNAME’ field while coding with Powershell. Windows Server 2008 R2 generates a unique Pre-2000 username starting with ‘$’ and a series of numbers following. When using the ‘-migrationtable’ trigger, it causes import-gpo cmdlet to validate the “destination users” PRIOR to importing the group policy. If it cannot resolve the User or User group, it will cause the ‘’HRESULT error’.

The following lines were added to the Powershell Script for creating a User Group, which corrected this issue:

   1: # Where $objworker was the AD method and $ADobjname was the name of the user / group

   2: $objworker.put("sAMAccountName", "$ADobjname")

   3: $objworker.SetInfo()

Depending on your network, the fix can be done in two ways:

1. Ensure the “Pre-Windows 2000 name” is the same as the “Standard Windows Name”
2. Correct the Migration Table to Use the Pre-Windows 2000 Names for the ‘Destination’

Simple fix – just wish that the error would be more like “Errors in Migration Table”. The error message of “The Data Is Invalid “ is useless in my opinion.

Happy Coding!

The encryption and decryption of strings is essential when creating an enterprise product that has clear text passwords. This function displays how to encrypt and decrypt a string using Powershell using Richard’s code located at http://poshcode.org/116. While I found his code very useful, he didn’t explain the syntax and is why I am reposting this with the proper information.

I also decided to make this into an endless loop for an administrator to use to encrypt multiple passwords in a row. I found this to be useful as I never had to encrypt just one password.

Important for your security!!

In order to ensure your application is safe from an attacker be certain to perform each of the following:

1.  Change the $salt variable and $init variables. These variables should be at least 8 characters long but should be changed or your application is subject to a brute force attack if someone determines you are using my code!

   1: function Encrypt-String($String, $Passphrase, $salt="SaltCrypto", $init="IV_Password", [switch]$arrayOutput)

2.  Change the Passphrase that is passed into the function. I suggest a 12-18 character Passphrase to prevent the above brute force attack.

   1: $encrypted = Encrypt-String $string "MyStrongPassword"

3.  Be sure to pass the right Passphrase into the function for decryption. If you pass the wrong key into the function, you will not get the correct password returned from the function.

Function for Encrypting / Decrypting A String in PowerShell

Download PS1 Here

   1: #################

   2: # Powershell Allows The Loading of .NET Assemblies

   3: # Load the Security assembly to use with this script 

   4: #################

   5: [Reflection.Assembly]::LoadWithPartialName("System.Security")

   6:  

   7: #################

   8: # This function is to Encrypt A String.

   9: # $string is the string to encrypt, $passphrase is a second security "password" that has to be passed to decrypt.

  10: # $salt is used during the generation of the crypto password to prevent password guessing.

  11: # $init is used to compute the crypto hash -- a checksum of the encryption

  12: #################

  13: function Encrypt-String($String, $Passphrase, $salt="SaltCrypto", $init="IV_Password", [switch]$arrayOutput)

  14: {

  15:     # Create a COM Object for RijndaelManaged Cryptography

  16:     $r = new-Object System.Security.Cryptography.RijndaelManaged

  17:     # Convert the Passphrase to UTF8 Bytes

  18:     $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)

  19:     # Convert the Salt to UTF Bytes

  20:     $salt = [Text.Encoding]::UTF8.GetBytes($salt)

  21:  

  22:     # Create the Encryption Key using the passphrase, salt and SHA1 algorithm at 256 bits

  23:     $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8

  24:     # Create the Intersecting Vector Cryptology Hash with the init

  25:     $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]

  26:     

  27:     # Starts the New Encryption using the Key and IV   

  28:     $c = $r.CreateEncryptor()

  29:     # Creates a MemoryStream to do the encryption in

  30:     $ms = new-Object IO.MemoryStream

  31:     # Creates the new Cryptology Stream --> Outputs to $MS or Memory Stream

  32:     $cs = new-Object Security.Cryptography.CryptoStream $ms,$c,"Write"

  33:     # Starts the new Cryptology Stream

  34:     $sw = new-Object IO.StreamWriter $cs

  35:     # Writes the string in the Cryptology Stream

  36:     $sw.Write($String)

  37:     # Stops the stream writer

  38:     $sw.Close()

  39:     # Stops the Cryptology Stream

  40:     $cs.Close()

  41:     # Stops writing to Memory

  42:     $ms.Close()

  43:     # Clears the IV and HASH from memory to prevent memory read attacks

  44:     $r.Clear()

  45:     # Takes the MemoryStream and puts it to an array

  46:     [byte[]]$result = $ms.ToArray()

  47:     # Converts the array from Base 64 to a string and returns

  48:     return [Convert]::ToBase64String($result)

  49: }

  50:  

  51: function Decrypt-String($Encrypted, $Passphrase, $salt="SaltCrypto", $init="IV_Password")

  52: {

  53:     # If the value in the Encrypted is a string, convert it to Base64

  54:     if($Encrypted -is [string]){

  55:         $Encrypted = [Convert]::FromBase64String($Encrypted)

  56:        }

  57:  

  58:     # Create a COM Object for RijndaelManaged Cryptography

  59:     $r = new-Object System.Security.Cryptography.RijndaelManaged

  60:     # Convert the Passphrase to UTF8 Bytes

  61:     $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)

  62:     # Convert the Salt to UTF Bytes

  63:     $salt = [Text.Encoding]::UTF8.GetBytes($salt)

  64:  

  65:     # Create the Encryption Key using the passphrase, salt and SHA1 algorithm at 256 bits

  66:     $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8

  67:     # Create the Intersecting Vector Cryptology Hash with the init

  68:     $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]

  69:  

  70:  

  71:     # Create a new Decryptor

  72:     $d = $r.CreateDecryptor()

  73:     # Create a New memory stream with the encrypted value.

  74:     $ms = new-Object IO.MemoryStream @(,$Encrypted)

  75:     # Read the new memory stream and read it in the cryptology stream

  76:     $cs = new-Object Security.Cryptography.CryptoStream $ms,$d,"Read"

  77:     # Read the new decrypted stream

  78:     $sr = new-Object IO.StreamReader $cs

  79:     # Return from the function the stream

  80:     Write-Output $sr.ReadToEnd()

  81:     # Stops the stream    

  82:     $sr.Close()

  83:     # Stops the crypology stream

  84:     $cs.Close()

  85:     # Stops the memory stream

  86:     $ms.Close()

  87:     # Clears the RijndaelManaged Cryptology IV and Key

  88:     $r.Clear()

  89: }

  90:  

  91: # This clears the screen of the output from the loading of the assembly.

  92: cls

  93:  

  94: # $me will never = 1, so It will run indefinately

  95: $me = 0

  96:     write-host "To End This Application, Close the Window"    

  97:     Write-host ""

  98: do

  99: {

 100:     # Prompt the user for the password    

 101:     $string = read-host "Please Enter User Password"

 102:     # Encrypt the string and store it into the $encrypted variable

 103:     $encrypted = Encrypt-String $string "MyStrongPassword"

 104:     # Write result to the screen

 105:     write-host "Encrypted Password is: $encrypted"

 106:     write-host ""

 107:  

 108:     write-host "Testing Decryption of Password..."

 109:     

 110:     # Decrypts the string and stores the decrypted value in $decrypted

 111:     $decrypted = Decrypt-String $encrypted "MyStrongPassword"

 112:     # Writes the decrpted value to the screen

 113:     write-host "Decrypted Password is: $decrypted"

 114:     write-host ""

 115: }

 116:  

 117: while ($me -ne 1)

To use this Function:

Start > Run > Type powershell.exe –noexit c:\location\EncryptDecryptString.ps1

** When you are done close the window.

Function for Encrypting Username and Passwords in PowerShell

Download PS1 Here

You will notice that I changed the Passphrase for both the username and the password. This is not necessary, however, it adds another layer of security. Try not to encrypt everything with the same passphrase. If one item gets compromised, everything encrypted under that passphrase is compromised.

   1: #################

   2: # Powershell Allows The Loading of .NET Assemblies

   3: # Load the Security assembly to use with this script 

   4: #################

   5: [Reflection.Assembly]::LoadWithPartialName("System.Security")

   6:  

   7: #################

   8: # This function is to Encrypt A String.

   9: # $string is the string to encrypt, $passphrase is a second security "password" that has to be passed to decrypt.

  10: # $salt is used during the generation of the crypto password to prevent password guessing.

  11: # $init is used to compute the crypto hash -- a checksum of the encryption

  12: #################

  13: function Encrypt-String($String, $Passphrase, $salt="SaltCrypto", $init="IV_Password", [switch]$arrayOutput)

  14: {

  15:     # Create a COM Object for RijndaelManaged Cryptography

  16:     $r = new-Object System.Security.Cryptography.RijndaelManaged

  17:     # Convert the Passphrase to UTF8 Bytes

  18:     $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)

  19:     # Convert the Salt to UTF Bytes

  20:     $salt = [Text.Encoding]::UTF8.GetBytes($salt)

  21:  

  22:     # Create the Encryption Key using the passphrase, salt and SHA1 algorithm at 256 bits

  23:     $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8

  24:     # Create the Intersecting Vector Cryptology Hash with the init

  25:     $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]

  26:     

  27:     # Starts the New Encryption using the Key and IV   

  28:     $c = $r.CreateEncryptor()

  29:     # Creates a MemoryStream to do the encryption in

  30:     $ms = new-Object IO.MemoryStream

  31:     # Creates the new Cryptology Stream --> Outputs to $MS or Memory Stream

  32:     $cs = new-Object Security.Cryptography.CryptoStream $ms,$c,"Write"

  33:     # Starts the new Cryptology Stream

  34:     $sw = new-Object IO.StreamWriter $cs

  35:     # Writes the string in the Cryptology Stream

  36:     $sw.Write($String)

  37:     # Stops the stream writer

  38:     $sw.Close()

  39:     # Stops the Cryptology Stream

  40:     $cs.Close()

  41:     # Stops writing to Memory

  42:     $ms.Close()

  43:     # Clears the IV and HASH from memory to prevent memory read attacks

  44:     $r.Clear()

  45:     # Takes the MemoryStream and puts it to an array

  46:     [byte[]]$result = $ms.ToArray()

  47:     # Converts the array from Base 64 to a string and returns

  48:     return [Convert]::ToBase64String($result)

  49: }

  50:  

  51: function Decrypt-String($Encrypted, $Passphrase, $salt="SaltCrypto", $init="IV_Password")

  52: {

  53:     # If the value in the Encrypted is a string, convert it to Base64

  54:     if($Encrypted -is [string]){

  55:         $Encrypted = [Convert]::FromBase64String($Encrypted)

  56:        }

  57:  

  58:     # Create a COM Object for RijndaelManaged Cryptography

  59:     $r = new-Object System.Security.Cryptography.RijndaelManaged

  60:     # Convert the Passphrase to UTF8 Bytes

  61:     $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)

  62:     # Convert the Salt to UTF Bytes

  63:     $salt = [Text.Encoding]::UTF8.GetBytes($salt)

  64:  

  65:     # Create the Encryption Key using the passphrase, salt and SHA1 algorithm at 256 bits

  66:     $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8

  67:     # Create the Intersecting Vector Cryptology Hash with the init

  68:     $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]

  69:  

  70:  

  71:     # Create a new Decryptor

  72:     $d = $r.CreateDecryptor()

  73:     # Create a New memory stream with the encrypted value.

  74:     $ms = new-Object IO.MemoryStream @(,$Encrypted)

  75:     # Read the new memory stream and read it in the cryptology stream

  76:     $cs = new-Object Security.Cryptography.CryptoStream $ms,$d,"Read"

  77:     # Read the new decrypted stream

  78:     $sr = new-Object IO.StreamReader $cs

  79:     # Return from the function the stream

  80:     Write-Output $sr.ReadToEnd()

  81:     # Stops the stream    

  82:     $sr.Close()

  83:     # Stops the crypology stream

  84:     $cs.Close()

  85:     # Stops the memory stream

  86:     $ms.Close()

  87:     # Clears the RijndaelManaged Cryptology IV and Key

  88:     $r.Clear()

  89: }

  90:  

  91: # This clears the screen of the output from the loading of the assembly.

  92: cls

  93:  

  94: # $me will never = 1, so It will run indefinately

  95: $me = 0

  96:     write-host "To End This Application, Close the Window"    

  97:     Write-host ""

  98: do

  99: {

 100:     # Prompt the user for the password    

 101:  

 102:     $ustring = read-host "(Case Sensitive) Please Enter Username"

 103:     $pstring = read-host "(Case Sensitive) Please Enter User Password"

 104:     # Encrypt the string and store it into the $encrypted variable

 105:     $uencrypted = Encrypt-String $ustring "U_MyStrongPassword"

 106:     $pencrypted = Encrypt-String $pstring "P_MyStrongPassword"

 107:  

 108:     # Write result to the screen

 109:     write-host "Encrypted Username is: $uencrypted"

 110:     write-host ""

 111:     write-host "Encrypted Password is: $pencrypted"

 112:     write-host ""

 113:  

 114:     write-host "Testing Decryption of Username / Password..."

 115:     write-host ""    

 116:     # Decrypts the string and stores the decrypted value in $decrypted

 117:     $udecrypted = Decrypt-String $uencrypted "U_MyStrongPassword"

 118:     $pdecrypted = Decrypt-String $pencrypted "P_MyStrongPassword"

 119:     

 120:     # Writes the decrpted value to the screen

 121:     write-host "Decrypted Password is: $udecrypted"

 122:     write-host ""

 123:     write-host "Decrypted Password is: $pdecrypted"

 124:  

 125: }

 126:  

 127: while ($me -ne 1)

To use this Function:

Start > Run > Type powershell.exe –noexit c:\location\EncryptDecryptStringUP.ps1

** When you are done close the window.

This article explains the the method by which one would be able to Search Active Directory for the distinguished name of a User or Group. This is helpful when trying to add an object to Active Directory or adding Users to Groups.

Function Find-DN Finding Distinguished Name: Download PS1 Here

   1: # Function Find Distinguished Name

   2: function find-dn { param([string]$adfindtype, [string]$cName)

   3:     # Create A New ADSI Call

   4:     $root = [ADSI]''

   5:     # Create a New DirectorySearcher Object

   6:     $searcher = new-object System.DirectoryServices.DirectorySearcher($root)

   7:     # Set the filter to search for a specific CNAME

   8:     $searcher.filter = "(&(objectClass=$adfindtype) (CN=$cName))"

   9:     # Set results in $adfind variable

  10:     $adfind = $searcher.findall()

  11:     

  12:     # If Search has Multiple Answers 

  13:     if ($adfind.count -gt 1) {

  14:         $count = 0 

  15:         foreach($i in $adfind)

  16:         {

  17:             # Write Answers On Screen

  18:             write-host $count ": " $i.path

  19:             $count += 1

  20:         }

  21:         # Prompt User For Selection

  22:         $selection = Read-Host "Please select item: "

  23:         # Return the Selection

  24:         return $adfind[$selection].path

  25:     }

  26:     # Return The Answer

  27:     return $adfind[0].path

  28: }

Using this Function:

   1: # To use the function to find a User:

   2: find-dn "user" "Blawat"

   3:  

   4: # To use the function to find a Group:

   5: find-dn "group" "IT Help Desk"

This article is the first of many car reviews for 2009/2010 vehicles. I chose the Volkswagen CC as the first review as it was the most intriguing to write about out of the 20 or so vehicles I was able to test drive.

2010 Volkswagen CC 

In an effort to raise the ‘class’ bar for VW, the Volkswagen created the Passat CC to replace standard VW Passat. At a first glance, you see a Mercedes CLS-class but after closer inspection, you realize the branding on the front is Volkswagen. This immediately intrigued me, and a test drive was in the works for the vehicle. After the test drive, I thought, with such sleek exterior styling, how did they get it so wrong?!!

Interior – Is it really that Luxurious?

Can anyone tell me which vehicle is the CC and which is the Passat?

With interior reminiscent of its Passat predecessor, I was really hoping for more. The dashboard gauges and steering wheels are exactly the same, while the shifter and the seats are slightly different. To answer my question above, the image on the [left] is the Passat CC and the Image on the [right] is the Standard Passat. Scary how close the interiors are.

Why is this such a big deal? The Washington Times raved the Passat CC as having “classy-looking interior”. The new slogan speaks of luxury – but is it really? The stereo is touch screen, however, it is a bit scary to use/learn in heavy traffic. I still don’t like the cylindrical shifter. It really forces me to stay away from playing in sport mode. While I can admit that the CC’s seats are comfortable, I get very close to the same support in the Passat. The rear seat has a cup holder as part of the seat making the vehicle a true four seat vehicle (no cramming kids in the back). My second concern with this center console is hauling any items in the back seat such as a TV (one which wouldn’t fit in the opening of the trunk). I would be afraid of cracking the plastic on the cover, or damaging the TV.

The ride is what I would expect from a German car with low road noise and it passes the door closing test. The door closing test is one where when you shut your door it is a solid thud. It shouldn’t have any radiating vibrations or rattles coming from inside the door or in the cabin. While the frame and chassis of the vehicle are solid, the interior still needs some major work to make you feel like you are in a luxury car.

Performance? Nothing new… nothing real exciting. They still have the same 2.0T and VR6 engines.

How did they miss the mark?

The first gripe I have with the Volkswagen CC has to do with the 2.0 liter turbocharged automatic. The dual clutch system (DCS) in the vehicle gives the feeling that you are consistently missing the gear at take-off, and during mid-gear acceleration (like the Lancer Rally Sport). While the salesman insisted it was the turbo lag – any seasoned turbo driver (such as myself) – knows that it’s the gear not engaging smoothly in the vehicle. To know the difference — turbo lag dips the RPM prior to an explosive take-off. The feeling you will get is that you are riding the clutch before it engages. The result is feeling like you are going to break the transmission when driving it. The throttle response is thus affected, and takes the fun out of driving the vehicle. When switching to the VR6 version of the VW CC, you’re immediately engaged and the engine grunt makes you feel – this is cool. The numerous reported issues with the VR6 engines require a second thought which purchasing the vehicle for engine longevity over 90k. Any salesman that states that the engine issues have been fixed, is just feeding you a line.

The second gripe I have with the Volkswagen CC has to do with the headroom – more appropriately the sunroof-headroom-ish-thingy (aka S.H.I.T.). While the manufacturer calls the feature a sunroof -  it really isn’t by normal standards – its top vent. The sunroof doesn’t retract it only pops open to provide added cabin sunlight and ventilation. If you get a VW without the sunroof, your headroom is decreased by several inches and any six foot man would start to get a claustrophobic feeling inside the cabin. Also to mention, during the test drive, I was fortunate to have a friend with me, and she confirmed (with her being 5’9”) she felt as if the roof was collapsing on her as well. It seems anyone over 5’8” requires the sunroof which is only available on the luxury package – another “really??” moment.

Even if I were to overlook the $33,880 starting price tag for the luxury package (for which I can get a All Wheel Drive 2010 BMW 3 series with better residual), my two grips are immediate deal breakers when purchasing the vehicle.

End Result: EPIC FAILURE.

While there are many posts that describe the code to do this function, there aren’t many posts that provide variables with meaning or actually describe the syntax. This post describes the method by which you can retrieve a Distinguished Name from a Fully Qualified Domain Name.

Quick Reference:

Fully Qualified Domain Name (FQDN): division.domain.root

Distinguished Name (DC): DC=division,DC=Domain,DC=root

Canonical Name(CN): division.domain.root/OrganizationalUnit/

If you are looking for a quick way to obtain a Distinguished Name or Fully Qualified Domain Name See this article.

Mr. Weaver’s Code

Mark A. Weaver’s post Powershell – Recursive Group Membership, he describes the methods by which you can convert to and from multiple variables. Here is how Mr. Weaver performs the conversion operation:

   1: function Convert-DNStoDN ($DNSName)

   2: {

   3:    #  Create an array of each item in the string separated by "."

   4:    $DNSArray = $DNSName.Split(".")

   5:   # Let's go through our new array and do something with each item

   6:    for ($x = 0; $x -lt $DNSArray.Length ; $x++)

   7:       {

   8:         #I don't want a comma after my last item, so check to see if I am on my last one and set

   9:         # $Separator equal to nothing.

  10:         # Remember that we need to go to Length-1 because arrays are "0 based indexes"

  11:          if ($x -eq ($DNSArray.Length - 1)){$Separator = ""}else{$Separator =","}

  12:          [string]$DN += "DC=" + $DNSArray[$x] + $Separator

  13:       }

  14:    return $DN

  15: }

My Code – Explained

While my code is almost identical to Mr. Weaver’s Code, my only criticism is not providing useful variables and describing the functions. I can state, however, Mr. Weaver’s code provided a platform for a function that I use in a large production environment. I took the liberty to optimize the code (slightly) to meet my needs (Thank you sir!).

My Function looks like: Download PS1 Here

   1: function Get-Domain {

   2:     

   3:     #Retrieve the Fully Qualified Domain Name if one is not supplied

   4:     # division.domain.root

   5:  

   6:     if ($FQDN -eq "") {

   7:         [String]$fqdn = [System.DirectoryServices.ActiveDirectory.Domain]::getcurrentdomain()

   8:     }

   9:  

  10:     # Create a New Array 'Item' for each item in between the '.' characters

  11:     # Arrayitem1 division

  12:     # Arrayitem2 domain

  13:     # Arrayitem3 root

  14:     $FQDNArray = $FQDN.split(".")

  15:     

  16:     # Add A Separator of ','

  17:     $Separator = ","

  18:  

  19:     # For Each Item in the Array

  20:     # for (CreateVar; Condition; RepeatAction)

  21:     # for ($x is now equal to 0; while $x is less than total array length; add 1 to X

  22:     for ($x = 0; $x -lt $FQDNArray.Length ; $x++)

  23:         { 

  24:  

  25:         #If it's the last item in the array don't append a ','

  26:         if ($x -eq ($FQDNArray.Length - 1)) { $Separator = "" }

  27:         

  28:         # Append to $DN DC= plus the array item with a separator after

  29:         [string]$DN += "DC=" + $FQDNArray[$x] + $Separator

  30:         

  31:         # continue to next item in the array

  32:         }

  33:     

  34:     #return the Distinguished Name

  35:     return $DN

  36: }

To use the Function to get the Distinguished Name of the Domain:

   1: # Store the distinguished name in a variable named $objCrntDN.

   2: $objCrntDN = Get-Domain

To use the function to get the Distinguished Name From a Fully Qualified Domain Name:

   1: # Store the distinguished name in a variable named $objCrntDN

   2: # Pass the Fully Qualified Domain Name with call

   3: $objCrntDN = Get-Domain division.domain.root 

Note: This function also works if you place the division.domain.root in parentheses with quotations:

Get-Domain(“division.domain.root”)

What’s Different??

While the output is basically the same, I’ve made a few changes in the code:

1. “DNSname” is technically inaccurate, while I understand what he is meaning. He is referring to is the FQDN – a point of confusion for the readers.
2. I made the passing of a FQDN (optional) – as sometimes we don’t need to determine the FQDN (outside the function) before we get the Distinguished Name.
3. I named my function ‘Get-Domain’ . DNS-DN is a very specific function. Your will see that Marc has to call three different functions to convert between each of these. I chose to make a single function, and establish what the ultimate output will be. Name the function what you are getting or creating with the function. Get-Domain –> You already know what the output will be — the Domain.
4. I removed the Else { $separator } out of the loop. In batch processing such as PowerShell, the interpreter will replace the $separator variable each time it passes through the loop for the items in the array. To make the code more efficient, I set the variable outside the loop as it only gets changed for the last array evaluation.

By: Brenton Blawat

This article is designed to be short and sweet. This article displays the method by which one would retrieve the FQDN or Distinguished Name of the Domain. This is code is very useful for any operations in Active Directory. A must know for any scripter that needs to call the domain on a system without hard coding the value in the script.

Lets take a theoretical network that consists of ‘division’ subdomain, ‘domain’ as the domain, and ‘root’ as the domain root.

Root Distinguished name – Easy Method in PowerShell

   1: # Instantiate The ADSI Provider

   2: $root = [ADSI]''

   3: $CurrentDN = $root.DistinguishedName

Result:

The variable $CurrentDN will contain:

DN=division,DN=domain,DN=root

E.G. DN=bittangents,DN=com

Root Fully Qualified Domain Name (FQDN) – Easy Method In PowerShell

   1: # Retrieve the Fully Qualified Domain Name and store it in $FQDN Variable

   2: [String]$FQDN =  [System.DirectoryServices.ActiveDirectory.Domain]::getCurrentDomain()

   3:  

Result:

The variable $FQDN will contain:

division.domain.root

E.G. bittangents.com

What would seem like a quick reference item to find on Google, seems to have been lost in the billions of web pages. This article is intended as a quick reference to what the Default Domain Policies are for Windows Server 2003 SP2 and Windows Server 2008 R2. Please note that while some of the policies appear to be identical, the hierarchical structure behind the policies are different.

Default Domain Policies: Windows Server 2003 SP2

+ Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy

- Enforce Password History = 24 Passwords

- Maximum Password Age = 42 Days

- Minimum Password Age = 1 Days

- Minimum Password Length = 7 Characters

- Password must meet complexity requirements = Enabled

- Store Passwords using reversible encryption = Disabled

+ Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy

- Account lockout threshold = 0 invalid logon attempts

+ Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy

- Enforce user logon restrictions = Enabled

- Maximum lifetime for service ticket = 600 minutes

- Maximum lifetime for user ticket = 10 hours

- Maximum lifetime for user ticket renewal = 7 days

- Maximum tolerance for computer clock synchronization = 5 minutes

+ Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

- Network Security: Force Logoff when logon hours expire = Disabled

+ Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System

- Administrator Issued File Recovery Certificate

+ User Settings > Windows Settings > Security Settings > Public Key Policies > Autoenrollment Settings

- Enroll Certificates Automatically

Default Domain Policies: Windows Server 2008 R2 64-bit

+ Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy

- Enforce Password History = 24 Passwords

- Maximum Password Age = 42 Days

- Minimum Password Age = 1 Days

- Minimum Password Length = 7 Characters

- Password must meet complexity requirements = Enabled

- Store Passwords using reversible encryption = Disabled

+ Computer Configuration > Policy > Windows Settings > Security Settings > Account Policies > Account Lockout Policy

- Account lockout threshold = 0 invalid logon attempts

+ Computer Configuration > Policy > Windows Settings > Security Settings > Account Policies > Kerberos Policy

- Enforce user logon restrictions = Enabled

- Maximum lifetime for service ticket = 600 minutes

- Maximum lifetime for user ticket = 10 hours

- Maximum lifetime for user ticket renewal = 7 days

- Maximum tolerance for computer clock synchronization = 5 minutes

+ Computer Configuration > Policy > Windows Settings > Security Settings > Local Policies > Security Options

- Network access: Allow anonymous SID/Name translation = Disabled

- Network security: Do not store LAN Manager hash value on next password change = Enabled

- Network Security: Force Logoff when logon hours expire = Disabled

+ Computer Configuration > Policy > Windows Settings > Security Settings > Public Key Policies > Encrypting File System

- Administrator Issued File Recovery Certificate

+ Computer Configuration > Policy > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

- Allow users to select new root certification authorities (CAs) to trust = Enable

- Client computers can trust the following certificate stores = Third-Party Root Certification Authorities and Enterprise Root Certification Authorities

- To perform certificate-based authentication of users and computers, CAs must meet the criteria = Registered in Active Directory only

Default Domain Policy Differences: Windows Server 2003 / Windows Server 2008

Default Domain Policies added to Windows Server 2008

+ Computer Configuration > Policy > Windows Settings > Security Settings > Local Policies > Security Options

- Network access: Allow anonymous SID/Name translation = Disabled

- Network security: Do not store LAN Manager hash value on next password change = Enabled

+ Computer Configuration > Policy > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

- Allow users to select new root certification authorities (CAs) to trust = Enable

- Client computers can trust the following certificate stores = Third-Party Root Certification Authorities and Enterprise Root Certification Authorities

- To perform certificate-based authentication of users and computers, CAs must meet the criteria = Registered in Active Directory only

Removed from Windows Server 2008

+ User Settings > Windows Settings > Security Settings > Public Key Policies > Autoenrollment Settings

- Autoenrollment Settings: Enroll Certificates Automatically

** NOTE: All re-productions / digital copies of this content must be approved in writing by an authorized representative of BIT Tangents.**

Part 1 – Lemon Law Over / Issue Logs

Part 2 – Contacting the Dealer / Manufacturer – UPDATED!

I apologize for taking so long to get this article posted to the internet. It has taken since January 23, 2009 till to June 2009 to come to a final resolution with BMW of North America. I am writing this article as a guide on how you can approach your dealership to assist you PRIOR to claiming a lemon on a vehicle to get a peaceful resolution.

Two IMPORTANT things to know:

1. Your dealership is NOT liable for any portion of vehicle failing when you purchase or lease a BRAND NEW vehicle. – This means that barging into your dealership demanding for a new vehicle won’t work. In fact, according to lemon law, your dispute is between the car manufacturer and yourself. – Be kind to your local dealer; they DON’T have to help you.

2. BMW is only obligated to follow the State and Federal lemon laws. Additional damages are typically not granted to anyone pursuing the lemon law. Claiming you will sue the dealership for thousands of dollars for lost time will get you no where but out the door. Stay calm and collected and the dealership will assist you.

Success! A FAIR resolution.

First, a special THANK YOU, goes out to Dan Jansen of International Autos for being patient with my relentless calls on the delivery of my new vehicle. Without Dan’s assistance and understanding, I would not have been able to receive my substitution of collateral. Thank you again!

1. Keeping Records

As shown in my earlier post, I had to keep all of the paperwork for the repairs on my vehicle. While having an issue occur 5 times, is annoying, you have to remember BMW is great at providing a replacement vehicle while you vehicle is in the shop. Keep the records so that you can prove your case to the BMW of North America. It’s about the BMW doing the right thing; not that you’ve been inconvenienced.

2. Contacting the Sales Manager at Local Dealership.

The first step is contacting the Sales Manager at the local dealership. Tell them you have been having problems with your vehicle and are interested in performing a substitution of collateral. A substitution of collateral is basically a vehicle exchange. In a substitution of collateral, BMW of North America will buy back your current vehicle and trade it out for a different vehicle on the lot. This also works for leased vehicles (such as in my case). The difference in cost of the vehicles will be charged charged to you. However, I was charged the DEALERSHIP COST difference versus the MSRP cost difference. This saved me over $3,500.00 by having the dealership extend their costs to me.

The Sales Manager will be required to contact the service manager; but keeping the sales manager as your point person will help tremendously.

3. Service Manager Sign-off

The service manger is required to review your service records to see if the reoccurring issue has to do with the same problem. The KEY component is to remain focused on the actual LEMON Law verbiage with the service manager. While the service manager may say I replaced different components each time the law states: “The dealer failed four times to fix the same defect;”. The “defects” by law are generic; not physical components. (EG Car will not maintain idle on start)
The service manager will sign off on the substitution of collateral and it will be passed back to the Sales Manager.

4. Regional BMW Representative Sign-off

In order for BMW of North America to accept the substitution of collateral, the regional BMW Representative is required to sign off on the contract. In most cases if the Sales Manager and the Service Manager sign-off on the collateral, the sign-off from the Regional BMW Representative just becomes a formality.

Once the Regional BMW Representative Signs-off the substitution of collateral paperwork is complete and the physical delivery of the vehicle can be performed.

5. (Optional) Upgrades

In 2009, BMW released a 335 with a “M Sport Package” that I opted to purchase. I purchased this upgrade at dealership cost with Paddle Shifters and a few other extras to completely trick out the vehicle.

If you are NOT interested in upgrading the vehicle, the dealership can provide you either:

a) a new vehicle off of their lot.

b) a new vehicle to be manufactured in Germany.

Since I upgraded the vehicle with a package that was not available yet, I chose “Option B” and it took an extra 60 days to deliver the substitution of collateral.

6. End Result

BMW of North America agreed continue my existing lease with a New 2009 BMW 335i X-Drive. This means that I got a 0 mile vehicle 1 year into my lease and my residual payout for the 2009 BMW 335i X-Drive is at the cost of a 2008 BMW 335XI. A GREAT DEAL, and completely FAIR to me. I still have my 45,000 miles to use in the remaining two years.

If anyone needs more details I’ll be more than happy to assist you.

FEB.1.2010 Update >:(

Thank you for the continued reading and comments on this blog posting. I have made a new 2010 resolution to update this blog article as well blogging more articles.

First Item To Address: Wheel and Tire / Dent and Ding Warranty Transfer

To my GREAT disappointment, the warranty that BMW promoted as part of the 2008 BMW 3 Series didn’t carry over to the 2009. This is a result of BMW now offering their own extended service warranty. I so happened to get a bulge the right rear passenger tire and after it was replaced on my dime, I got a nail in the side wall of the same side tire. Both tires costing me in excess of $600.00. Lesson learned – BUY THE NEW BMW WARRANTY!!!!!

Second Item To Address: The 2009 BMW 335 High Pressure Fuel Pump Issue – Strikes AGAIN

After about 11,000 miles and being out 400 miles of town, the High Pressure Fuel Pump issue strikes again. This time around, however, I was was traveling at a sustained 80 MPH on the interstate when it felt as if my transmission went on the vehicle. After pulling over, stopping the car, and starting it again, the car would function for 50 miles where I would then have to ‘rinse and repeat’ until I made it to the BMW Dealership. Not a pleasant experience.

Third Item To Address: Awesome Readers and Leaving Comments.

I appreciate everyone that has kept this blog #1 for BMW HPFP Issues. Here are my direct responses to my readers:

Kurt:

“The dealers offer nothing regardless. Like most owners, the legal pursuits was the only option. I was cool until I hit 50 DAYS in the shop. Nobody listened.”

Kurt – Sorry to hear of your issues. As frustrating as this can be, try a different dealership. Remember that the dealership is not responsible for a faulty vehicle. It is only responsible to fix the vehicle under the manufacturer warranty. Even then a dealership as a right to turn you away with – we can’t figure it out. Issues like the HPFP are difficult to troubleshoot. There are stories of injectors and injector rings being replaced to fix this issue when the issue is just a HPFP. I hope everything turns out for the best.

Nicole:

“.. i just bought a 2008 bmw 328xi”

Nicole – It is my understanding that the HPFP is only available on the Twin Turbo Engines in the 135, 335, 535, and X6. It sounds like you might be having a different issue.

Dan T:

“ 1. What does bmw do for used purchase under warranty? Usually lemon law is for new.
  2. With no fault codes, shoudl I be concerned? Why would such a costly car just go dead at a stop?
  3. I heard software for turbos needs updated, I have v27.2 and heard v30 improved performance, heard anything? ”

Dan T –

1. The Lemon Law in Wisconsin also allows for vehicle to be used as long as its under the first year of the warranty. There are other protections like Magnuson-Moss Warranty Act that provide protections for used vehicles.

2. Imagine the car cutting out in the middle of an intersection with a semi-truck (or train) coming full-speed in cross traffic. With no fault codes – absolutely should still be concerned for your safety.  The High Pressure Fuel Pump delivers fuel to the engine in the 3000 PSI range. If a turbo spins up and not enough fuel is being delivered, the car will die.

3. Performance may be better, however, BMW will never admit that. BMW rates the 3 series at 300HP which is borderline for high performance in insurance ratings. To keep the insurance ratings low, the vehicle is rated at 300 HP, while the engine is capable of producing well over 380HP with a tuner (Burger Motorsports JuiceBox+ or Dinan Chip). I hear the PnP JuiceBox+ is well worth the money; but very much voids the warranty.

Dave:

“ Purchased a new 2009 335 CI in August which had been running flawlessly until yesterday (6300 mi). The car started up normally, but stalled out when I put it in reverse and fuel pump sensor light came on as well as check engine light. Towed to the dealer and I was given a 335 loaner. Final diagnosis is pending, but I expect the same problem with the HPFP. Disappointing. Maybe the Cayman S next time for me. Appreciate the info… “

Bimmer to a Cayman S – you should be ashamed of yourself   On a serious note, a 335xi with the Burger Motorsports Juicebox+ at the stock setting will SMOKE a Cayman S. You have to remember the 335i is a 3.0 liter Twin Turbo and gets full horsepower and torque at 3000 RPM. The Cayman S is a 3.4I displacing 320HP at 7200RPM. Yes, the problems with the 335 are disappointing, but when my car is working, I wouldn’t trade it for any vehicle on the road (well maybe the new Audi S4).

If you get the 2010 Cayman S, please feel free to provide your feedback on the vehicle – I’d love to hear it.

Thanks again to everyone and safe driving!

While most of this article may seem somewhat trivial, I have found that there are many Users that don’t know how to warm/soft boot and cold/hard boot the handhelds.

Below is a quick reference guide:

How to Change the Battery in a Symbol (Motorola) PPT-8846

How to Warm / Soft Boot a Symbol (Motorola) PPT-8846

How to Cold / Hard Boot a Symbol (Motorola) PPT-8846