Alexander’s Blog

November 1, 2004

Rights Management Add-on for Internet Explorer

by @ 9:41 am. Filed under Tools/Utils

The Windows Rights Management Add-on for Internet Explorer provides a way for users of supported Windows operating systems to view, but not alter, files with restricted permission. These restrictions enable authors to prevent sensitive documents, Web-based information, and e-mail messages from being forwarded, edited, or copied by unauthorized individuals. These restrictions provide protection, not only while the information is in transit, but also after the recipient of the information has received it. Click here to download this free add-on from Microsoft.

Chipping Away at Privacy Fears

by @ 9:32 am. Filed under News, Security/Firewalls

This month, the U.S. Food and Drug Administration approved a microchip that can be implanted in humans to provide access to medical records. Privacy regulation advocates were predictably horrified, but the chip does not create the privacy crisis some might imagine.

Hidden Alternate Suffix in Active Directory?

by @ 9:10 am. Filed under Active Directory, Windows 2003

I was working with Active Directory a couple of days ago and discovered something very interesting. I created a user account using a VB script. I mistyped the domain name in the UPN, which led to this discovery. First of all, here’s what the script looks like:

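' Bind to the target OU and create the user object
Set objOU = GetObject("LDAP://OU=Executives,DC=nwtraders,DC=msft")
Set objUser = objOU.Create("User", "cn=BillG")
objUser.Put "sAMAccountName", "BillG"
objUser.SetInfo
' Enable the account and set its password
objUser.AccountDisabled = False
objUser.ChangePassword "", "P@ssw0rd"
' UPN with the mistyped domain (bogus.com instead of nwtraders.msft)
objUser.Put "userPrincipalName", "BillG@bogus.com"
objUser.SetInfo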

Notice the domain I used in the UPN “BillG@bogus.com”. When I created the account, I was able to log on as that account. The user account Properties showed that the UPN is BillG@bogus.com. It looked like bogus.com was an alternate suffix because the dropdown box listed both the nwtraders.msft domain and the bogus.com domain. However, I verified that bogus.com was NOT listed as an alternate suffix in AD Domains and Trusts.

What’s interesting is that I can log on as the UPN BillG@bogus.com and continue to work fine, but as soon as I log on with the UPN BillG@nwtraders.msft once, it deletes the bogus.com entry in the user’s Property (account tab).

I am wondering if there’s a way to take advantage of this “hidden” alternate suffix as far as security is concerned. If you have any thoughts, I’d love to hear them.
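An audit for the situation described in this post, as an added example that is not part of the original post: it lists accounts whose explicit UPN suffix is not among the suffixes registered for the forest. The function name Find-UnregisteredUpnSuffix and the sample accounts are constructed for illustration; the commented lines show how the same inputs can be pulled from a live forest with the ActiveDirectory module.

```powershell
# Added example (not from the original post). The function name and the
# sample data below are constructed for illustration.
function Find-UnregisteredUpnSuffix {
    param(
        [Parameter(Mandatory)] [object[]] $Users,           # need SamAccountName, UserPrincipalName
        [Parameter(Mandatory)] [string[]] $AllowedSuffixes  # domain DNS names + alternate suffixes
    )
    foreach ($u in $Users) {
        $upn = $u.UserPrincipalName
        # Accounts with no explicit UPN fall back to sAMAccountName@domain; skip them.
        if ([string]::IsNullOrWhiteSpace($upn)) { continue }

        # Split on the last '@' so a stray '@' in the prefix cannot hide the suffix.
        $at = $upn.LastIndexOf('@')
        if ($at -lt 1 -or $at -eq $upn.Length - 1) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName
                               UserPrincipalName = $upn
                               Finding = 'MalformedUPN' }
            continue
        }

        $suffix = $upn.Substring($at + 1)
        # -notin compares case-insensitively, which matches DNS name semantics.
        if ($suffix -notin $AllowedSuffixes) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName
                               UserPrincipalName = $upn
                               Finding = "UnregisteredSuffix:$suffix" }
        }
    }
}

# Constructed sample input mirroring the post: one account carries bogus.com.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'BillG'; UserPrincipalName = 'BillG@bogus.com' }
    [pscustomobject]@{ SamAccountName = 'JaneD'; UserPrincipalName = 'JaneD@NWTRADERS.msft' }
    [pscustomobject]@{ SamAccountName = 'SvcApp'; UserPrincipalName = $null }
)
$allowed = @('nwtraders.msft')

# Against a live forest (requires the ActiveDirectory module):
#   $forest      = Get-ADForest
#   $allowed     = @($forest.Domains) + @($forest.UPNSuffixes)
#   $sampleUsers = Get-ADUser -Filter * -Properties UserPrincipalName

Find-UnregisteredUpnSuffix -Users $sampleUsers -AllowedSuffixes $allowed |
    Format-Table -AutoSize
```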

Welcome!

by @ 8:32 am. Filed under About this blog

Thanks for visiting my blog. My name is Zubair Alexander and I am a Microsoft MVP for Windows Server - Directory Services and a Microsoft Certified Trainer. I own SeattlePro Enterprises, an IT training and consulting business. Over the past decade, most of SeattlePro’s activities have been associated with various Microsoft projects and as a result I have been working on projects such as training Microsoft engineers, writing exam questions, writing White Papers, tech editing, providing feedback on courseware, doing seminars and webinars, writing for Microsoft TechNet, etc. However, in recent years SeattlePro has expanded its service offerings to other organizations and we are now doing business with numerous private and government organizations across several states.

I originally developed my Web site TechGalaxy.net as a teaching aid for my students where I could post my articles that students used as a reference. Over the years, TechGalaxy.net has developed into a much broader knowledge base of technical resources, serving the IT community across the globe. This blog is an extension to the information provided to the readers on my Web site with a hope that it will generate useful discussions and to share knowledge with the technical communities everywhere. More information on my background can be found in my bio.

I started this blog in November 2004. As of May 2007, I have updated my blog to provide several enhancements, including the ability for you to add comments, easy access to contents in the archive, a categorized listing of entries, and search capability. To contact me via e-mail, click here.


Copyright ©2008 Zubair Alexander. All rights reserved.
