I have a system that uses Active Directory to authenticate users. Now I must use the security settings from AD to warn a user that his password will expire in a few days. The period before a password will be expired when the notification is presented to users is defined as described in this article.
I want to read the value set in "Interactive logon: Prompt user to change password before expiration"
from AD using javax.naming.directory.InitialDirContext. I hope this value is remembered in AD but I have no idea how to find it. I was looking in a set of AD attributes but noone seems to match this information. Is it possible to retrieve this value from AD?
This is more complicated as this setting is not directly held in Active Directory. This is a part of Group Policy (considering it's configured in a policy and not on a local computer), which is held on a network share and linked in Active Directory.
For a simple example, you can get into it like this:
Read your intended OU and check for gPLink attribute. The value is something like a list of Group Policy objects linked to the selected OU in a priority descending order. Each of the values is something like: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=internal,DC=local;0]. The first part is a GP location, the last part seems to be a flag (2 meaning that the policy is enforced).
Read the policy object(s) and check for gPCFileSysPath attribute. This is the location where the policy settings are stored. It would be something like \\internal.local\sysvol\internal.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}.
Inspect the file store from point 2. and look for MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf file. It's a regular inf/ini file, investigate [Registry Values] section to find a line that reads: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14. This 14 is a policy setting (to prompt for password change 14 days before expiry).
Now, the things get complicated to get the actual resultant set of policies. Policies get inherited from parents, meaning that in point 1. you should be checking the intended OU and all its parent OUs together with a domain node itself, evaluate all the gPLinks in appropriate order, possibly also taking into consideration their WMI filter, whether they do apply or not, in order to find out what value is in effect.
If your application happens to run on Windows that can be put under the same group policy it might be easier to just read the information from registry, as this will be already applied by the system.
In any case, I would consider to just use some default expiration warning period, given the amount of complexity to get the value from AD (provided that it is defined in group policy at all and not just defaults on computers locally).
Related
I've built a model for a storage facility using the material handling library. It is essentially a facility where users can storage their belongings underground and have the system automatically store it into a shelving rack(s). Later they can to retrieve it as needed and the system would transport the associated belonging to a "pick up" room automatically.
I've modelled the racks as a StorageSystem with Storage racks. For typical operations, I use the Retrieve block to extract and Store block to insert the belonging into the shelves. However, its possible that another unrelated item is in the way that must first be moved to another free location before the requested item can be extracted. In other words, the blocking item needs to be moved from one part of storage to another part of storage.
The cells in the blocked out section have been deactivated. I tried to do a back to back Retrieve and Store blocks where the destination and pick up location are the same (i.e. the xyz of the material agent).
Is there a better way to model this in one continuous operation? I'm finding that the item can be "misplaced" (its not in the network anymore) during the transition between blocks and then the item floats around trying to find the transporter. The transporter is path guided and can only be on the access zone corridor. I think the item floats around because it cannot find a path to the transporter. But the transporter path is in the access zone corridor beside the storage cell. I don't understand why it cannot find the path.
I can't seem to post pictures due to the reputation being below 10. But the relevant pics are in my earlier question here:
Link
I want to build an app which shows places around user using Google Places based on user interests. As mentioned here:
Place IDs are exempt from the caching restrictions stated in Section
10.5.d of the Google Maps APIs Terms of Service. You can therefore store place ID values indefinitely.
So, can I save place_id in cloud database and perform any analytics operation over it? For example; if I gather place_ids added in each user's favorite places table and from analytics; I can know which place_id are the most ones added to favorites? or can I show something like 'Trending Places' in app from gathered place_ids in responses?
Will it violate the terms and conditions? I read the whole page of terms but couldn't find the answer.
can anyone help me out? Thanks.
Yes you can 100% store the place_id indefinitely and reuse it.
See Referencing a Place with a Place ID.
Please note one thing that
A single place ID refers to only one place, but a place can have
multiple place IDs
These terms and conditions are kind of self explanatory. Except your requirement which will be clarified after the below link is read carefully. As per your requirement , inorder to prevent calling services next time with same query which user had done with an intention of saving network calls is acceptable.
No caching or storage: You will not pre-fetch, cache, index, or store any Content to be used outside the Service, except that you may store limited amounts of Content solely for the purpose of improving the performance of your Maps API Implementation due to network latency (and not for the purpose of preventing Google from accurately tracking usage), and only if such storage
1) is temporary (and in no event more than 30 calendar days)
2) is secure 3)
does not manipulate or aggregate any part of the Content or Service 4) and
does not modify attribution in any way. Go through this Section 10.5 Intellectual Property Restrictions. Subsection (B)
You'll need to contact Google to get a 100% answer.
That being said, from my experience it looks like the clause you included is intended exactly for the kind of thing you want to do.
Again, I want to reiterate that contacting Google directly is something you should do if you still have concerns.
You can store place ID values indefinitely.
Just What part of
You can therefore store place ID Values indefinitely.
Don't you understand?
Indefinitely requires a server.
I want to count the number of logons and logoffs on users of their computers. I take the information for logons/logoffs from the Windows event logs (from Win32_NTLogEvent WMI class). For example with following query:
select * from Win32_NtLogEvent
where EventCode = 4648 and TimeGenerated > '20120224000000.000000-***'
But when the computer has been restarted or started it counts 3 logons, when the user has clicked logoff or lock (from start menu) and then logon it counts 1 logon. The user authenticates via Windows Active Directory. Does it influence on the number of logons? Can I count only the number of logons using explicit credentials on users?
I found EventCode: 4608 and 4609 for starting up and shutting down of Windows but I need also the number of logons when the user has logoffed or locked the computer.
I found this solution here:
strComputer = "."
Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
("SELECT * FROM Win32_NTLogEvent WHERE LogFile = 'Security' AND " & _
"EventCode = 528 AND User = 'fabrikam\\kmyer'")
Wscript.Echo colEvents.Count
Simply replace the values with the ones you want.
Now this isn't a Java but VB code... However it apparently uses the WMI interface that you could use from your Java program. Or you could do something ugly and invoke a batch script from Java (or scheduled task) and read its output, or use a binding.
This is of course assuming that you want to check this on the user's computer, as your question hinted. If you want to count logons at a more global level and from different machines, then you need to query the Active Directory (or other mechanism the networked infrastructure is using); the linked thread offers solutions for this as well.
Update:
You can have a look at Eric Fitzgerald's blog post on Tracking User Logon Activity Using Logon Events, where you have the corresponding codes (as well as complete formulas for accurate time tracking).
Apparently you want event codes 4624 (LOGON) and 4634 (LOGOFF), plus other ones listed there if you plan on using Fitzgerald's formulas to calculate the exact activity time.
A better approach would be to use a system service.
The HandlerEx callback function, defined by RegisterServiceCtrlHandlerEx, can be configured to receive session change notifications including logon, logoff, lock and unlock events.
I'm not entirely certain whether the logoff events received by HandlerEx are reliable or if they exhibit the same problems as the event log. As a backup, SetConsoleCtrlHandler allows you to define a callback function to receive logoff notifications. These notifications are reliable.
The remote desktop services API functions, such as WTSEnumerateSessions, may also be useful, allowing you to list the currently logged-on users at any given time, or get additional information about a given session. Only a subset of these functions are available on workstations, but they're the ones you need.
I am not sure what shall i put as Title for this Question, But I am here looking for help.
I work in a company which makes desktop based application on CORE JAVA Platform.
We provide an ACTIVATION CODE to activate our software.
The concept of activation is -
User enters the Activation code --> software hits our server and download all the required files --> activation completed.
Once in a day, our software hits our server to check if the activation code has been expired.
Problem-
We have a new client which doesn't have a regular internet connection. Somehow they agreed to provide internet connection for one time-
User enters the Activation code --> software hits our server and download all the required files --> activation completed.
but after that no internet connection. I can stop the software to check with server about expiry Date of activation code.
But the problem with me is-
1) How do I check whether the Activation code has actually expired? ( Activation code is valid for 1 year only)
2) If after expiry If user enters a new Activation code, how do I check this is a valid activation code with 1 year validity?
1) you can store the registration date and compare it against the system date. of course then users can temper with the date. I used to have some software that always stored the last date it had seen, and if one moved the date to the past, it complained and insta-expired. you could do something like this but of course it's never as safe as talking to a server.
2) create a format for your activation key that contains a new key as well as the previous key. so the first key is, say, A, which is good for talking to a server and checking if A is okay. A new key might look like AB meaning "I replace A, add another year of activation, and am called B, so in a year, we'll need a key like BC". You'll have to think a bit about how to encode this securely, but I'm pretty confident it can work (for example, you can encrypt B with A, then B can only be used on a machine with activation code A).
I need to develop a feature in the system which allows unregistered users to get one-off system access via URL token that is generated/sent by an authenticated user.
For example, a user logs in and wants to share a piece of information so the system generates a URL like http://host/page?token=jkb345k4b5234k54kh5345kb34kb34. Then this URL is sent to an unregistered user who would follow the URL to get some limited access to normally protected data.
First question - are there any standards (RFC? IETF? others?) that would be defining URL generation? The only ones I was able to find are RFC2289 and OpenToken, but none of these are directly related to what I need to do and the latter is only in a second draft state.
There is another design consideration: whether to use one way crypto hash functions and store the payload in a local data store VS using private-public key pairs and encode all necessary payload in the unique string itself.
At the moment I am heavily leaning towards one way hash as it would give me much more freedom (no dependency between payload size and generated string) and less potential problems in the future (e.g. what if I decide to add more payload - how to ensure backwards compatibility). Last but not least, accidental exposure of server-side private key would require massive efforts in key regeneration, update of all live instances, etc. None of these problems are relevant if choosing one-way hash option, but maybe there's something I overlook? RFC2289 prefers one way crypto function whereas OpenToken chooses the key pair option.
And finally, is anybody aware of any Java library for generating these?
Thanks in advance.
Also have a look at http://en.wikipedia.org/wiki/Universally_unique_identifier and RFC4122. Inside the backend you would need to attach the generated uuid to your entity so verification based on the UUID can be done later.
Apart from that most often the token could include some data (e.g. versioning+userdata) and then a secure MD5-hash is used to 'obfuscate/anonymize' it. Later then the data is concatenated by server and the hash-values are compared again.
Regarding java-lib and uuid have a look at UUID-javadoc.
Generate random strings and store them in a database with credentials.
The codes generated need to have two properties: complexity and uniqueness. Complexity ensures that they cannot be guessed and uniqueness ensures that the same code can never be generated twice. Beyond this, the specific method doesn't matter.
Generate token strings with two parts to them. The first part is time-dependent, where the key will increment and change in a predictable way with each millisecond. The second part is completely random. Combined, this will give you a long string that is unique and complex.
When you generate the token, store it in the database with the credentials that are granted when this token is used. It's important that these credentials are not encoded into the string, since this ensures that the strings cannot be hacked.
When the user click on the link with the token, mark that token as used in the database. Even better is to set a timestamp for the use, so that it can be expired, perhaps, 24 hours after the first click. This approach gives you the flexibility to implement this specific part of the requirement as necessary for your project.
I've used this solution before in many different cases for not only one-off system access, but also for ticket admission codes, gift certificate codes, and anything that's one-time use. It doesn't matter so much what you use to generate the token, so much as you can guarantee its complexity and uniqueness.
Here's how I would have done it:
Create a token (you could use a UUID for this) and add it to your database along with creation time and what resource the token should grant access to
Send an email to the user with the url http://www.myserver.com/page?token=
When the user navigates to the url, create a new session with the desired timeout and mark that session as authorized to view whatever the database says the user should be able to see (If the token isn't too old. Check the creation time against current time)
Either delete the token from the database, or mark it as expired
You only need a token when a user shares one piece of information. So, can't you just generate a random token, and associate this with the piece of information (e.g. a database field)? It's a lot simpler than doing any crypto stuff...