Windows Domain to Amazon EC2 Single Sign-On Access Solutions

David Chappell, the Principal of Chappell & Associates, US, has writtena whitepaper proposing several solutions for Single Sign-on (SSO) accessto applications deployed on Amazon EC2 from a Windows domain. InfoQexplored these solutions to understand what the benefits and tradeoffseach one presented.

The paper is: "Connecting to the Cloud: Providing Single Sign-On toAmazon EC2 Applications from an On-Premises Windows Domain." Excerpt:"Users hate having multiple passwords. Help desks hate multiple passwordstoo, since users forget them. Even IT operations people hate them,because managing and synchronizing multiple passwords is expensive andproblematic. Providing single sign-on (SSO) lets users log in just once,then access many applications without needing to enter more passwords.It can also make organizations more secure by reducing the number ofpasswords that must be maintained. And for vendors of Software as aService (SaaS), SSO can make their applications more attractive by lettingusers access them with less effort...

With the emergence of cloud platforms, new SSO challenges have appeared.For example, Amazon Web Services (AWS) provides the Amazon ElasticCompute Cloud (Amazon EC2). This technology lets a customer create AmazonMachine Images (AMIs) containing an operating system, applications, andmore. The customer can then launch instances of those AMIs (virtualmachines) to run applications on the Amazon cloud. Similarly, Microsoftprovides Windows Azure, which lets customers run Windows applications onMicrosoft's cloud. When an application running on a cloud platform needsto be accessed by a user in an on-premises Windows domain, giving thatuser single sign-on makes sense. Fortunately, there are several waysto do this..."

More Here

Courtesy:http://realworldxml.blogspot.com/2010/01/windows-domain-to-amazon-ec2-single.html

h1 Monitor service status on Windows domain controller without being a Domain Admin

If you write your own server monitoring scripts you may well be running them as an account that’s a member of the local administrators group on all your servers. This allows you to use WMI and any other command line utilities to query all kinds of things about the remote systems. However Domain Controllers don’t have a local Adminstrators group, so are slightly more tricky to work with, despite being some of the most critical servers you own.

WMI won’t allow you to query service status. Where you could use something like this as a member of the local Administrators group:

Set wmiColl = GetObject("WinMgmts:\\" & serverName & "\root\cimv2").ExecQuery("Select * FROM Win32_Service WHERE Name LIKE'" & Trim(serviceName) & "'")

It won’t work on a domain controller unless you’re a Domain Admin.

Likewise, you might want to use the (still very handy) utility XNET.exe that came with older versions of KiXtart:

xnet.exe list \\server\service

it too requires admin rights.

Help is at hand though, the sc command does not require admin rights to query service status:

sc \\server query service


does work.

For any services that it fails on, e.g. NTDS on a Windows Server 2008 R2 domain controller, I used SubInACL to grant the account running the command Read access to the service:

subinacl /service NTDS /grant="domain\account"=R

More Here

Courtesy:http://rcmtech.wordpress.com/2010/12/23/monitor-service-status-on-windows-domain-controller-without-being-a-domain-admin/