Set up OpenVPN Appliance LDAP Authentication

When setting up an OpenVPN appliance, you can use LDAP as the authentication method. In this particular scenario I was tasked with restricting access to a single security group in LDAP, so the Advanced section was required. The following shows a working sample. A couple of things I had to overcome:

The CN wasn’t what I had expected on the vpnuser (bind) account: in Active Directory the CN of a user object is normally the display name, not the logon name. You can find the full DN using the Sysinternals tool Active Directory Explorer (ADExplorer).

I had copied the path directly from Active Directory Explorer but did not initially realize it appends additional text to the end of the path, which causes an error. The length of my entry exceeded the visible width of the box, so I couldn’t see the appended text at first. Paste the DN into a text editor before you paste it into the appliance and check that it ends with the last DC= component and nothing else.

No additional permissions are required for the bind account. An ordinary domain user that cannot log on to any machine works fine, because the account only needs to read the directory.

The following requirement means: the user must be a member of the group “vpn users”, which lives in the OU “Security & Distribution Groups” under the OU “mainoffice” on the int.myoffice.com domain. Note that memberOf only matches direct membership; a user who is in “vpn users” only through a nested group will be rejected. Write the DN with no spaces after the separating commas.

memberOf=CN=vpn users,OU=Security & Distribution Groups,OU=mainoffice,DC=int,DC=myoffice,DC=com
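Both of the problems above (a DN with stray text appended, and a DN that is not quite in the form you expected) are caught by parsing the string before it goes into the appliance. The following is an added example, not code from the original post or from OpenVPN: it splits a DN into its components, rejects anything that is not a clean attr=value pair, and rebuilds the memberOf requirement in canonical form. The DNs used in the comments and tests are constructed, and the “ [dc01…]” suffix only imitates the sort of text a GUI copy can append, not any particular tool’s exact output. Whether the appliance passes the nested-group (extensible match) form through to the LDAP filter unchanged is an assumption you would verify against its documentation.

```python
"""Sanity-check an AD group DN before pasting it into the appliance's
memberOf requirement (added example, not part of the original post)."""

import re

# Attribute types we expect to see in an AD distinguished name.
KNOWN_TYPES = {"CN", "OU", "DC", "O", "C", "L", "ST", "STREET", "UID"}

# Commas separate RDNs unless escaped with a backslash (RFC 4514).
_RDN_SPLIT = re.compile(r"(?<!\\),")
# Each DC component is a single DNS label, nothing more.
_DNS_LABEL = re.compile(r"[A-Za-z0-9-]+")


def parse_dn(dn):
    """Split a DN into (type, value) pairs; raise ValueError on anything
    that is not a clean attr=value component."""
    pairs = []
    for raw in _RDN_SPLIT.split(dn):
        rdn = raw.strip()
        if "=" not in rdn:
            raise ValueError(f"not an attr=value component: {rdn!r}")
        attr, value = (s.strip() for s in rdn.split("=", 1))
        attr = attr.upper()
        if attr not in KNOWN_TYPES:
            raise ValueError(f"unexpected attribute type in {rdn!r}")
        if not value:
            raise ValueError(f"empty value in {rdn!r}")
        if attr == "DC" and not _DNS_LABEL.fullmatch(value):
            # Catches trailing junk such as 'DC=com [dc01.int.myoffice.com]'
            # (constructed sample of copy/paste residue).
            raise ValueError(f"DC value is not a DNS label: {value!r}")
        pairs.append((attr, value))
    return pairs


def normalize_dn(dn):
    """Rebuild the DN with a bare comma between components (no spaces)."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def membership_requirement(group_dn, nested=False):
    """The memberOf requirement string to paste into the appliance.

    Plain memberOf only matches direct members.  nested=True switches to
    AD's LDAP_MATCHING_RULE_IN_CHAIN extensible match so users in groups
    nested under the VPN group match too.  Assumption: the appliance drops
    this string into the LDAP filter unchanged."""
    attr = "memberOf:1.2.840.113556.1.4.1941:" if nested else "memberOf"
    return f"{attr}={normalize_dn(group_dn)}"


if __name__ == "__main__":
    # Same group as the post, typed with the spaces a GUI tends to add.
    print(membership_requirement(
        "CN=vpn users, OU=Security & Distribution Groups, "
        "OU=mainoffice, DC=int, DC=myoffice, DC=com"))
```

Run it once against the DN you copied; a ValueError tells you exactly which component carries the stray text, which is far quicker than staring at a truncated text box.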

Why buying a car with cash makes cents

Buying a car can be one of the easiest things you will do. Why? Because dealerships LOVE walking you through the ultra easy process of obtaining a new car loan. They have their own financing departments and everything. It makes the process seamless and quick. Plus they can help you find a car that suits your payment preferences. Did I mention they have no problem buying your old car from you? So…. why should I buy a car with cash if they make it so easy for me? Not to mention, I don’t have $30,000 to drop on a new car.

Why paying cash makes sense

  1. Paying in cash helps you avoid paying interest
  2. Emotional and financial strain in the event of a job loss or inability to pay
  3. It’s a little easier when buying and selling privately
  4. Cool factor. Let’s be real: handing over a $28,000 check can make you feel like a king
  5. The “I worked for it” factor

Why paying cash for your car is a dumb idea

  1. If the interest rate is 5% but you choose to invest the money you would have dropped on a new car in stocks yielding 8-12%, well, which one is higher? If the money can work harder for you in hand than it can by purchasing outright, then you shouldn’t buy a car with cash.
  2. You opt to pay with cash that isn’t yours. Borrowing from family for a car can strain relationships. It is better to avoid this.

Cars are typically not a good investment. In fact, calling them an investment at all seems a little inappropriate. But there are times when it makes sense to buy a car with cash and times where it makes more sense to make the monthly payment.

Why I bought a house at age 22

Most 22 year olds are seeking the next bar or nearest entertainment venue. Some are going to college or having children. Others are relaxing in mom’s basement. So what made me decide to buy my first home at the young age of 22?

I’m a bit of an old soul in that I’ve mentally grown up a bit faster than others. In some cases (mainly dating), I was told I was right about accurate. But in every other aspect, not so much. It has always been important to me to pay my bills on time. A credit card has always been a way to build credit and serves no other purpose. It is not “extra money”. So that should give you a small taste of why I am the way I am. But financial responsibility isn’t the reason I bought a house.

I keep skirting around it because there is so much back story, but the main reason is: My past.

Americans believe that you should get a job, go to school, and later in life buy a home. Right after my 22nd birthday, I was a full time college student working 2 jobs and cash flowing college. My ex had just left the picture about 1-2 months prior. I had wanted to buy a year earlier, but that didn’t fit in with our “life plan” because I wanted roommates. Once the relationship ended, I purchased. Yep, two jobs and full time college, I bought a house in the midst of it. 2 weeks in the market and I found the perfect dilapidated home that I would spend a few years repairing while figuring out my life’s goals, dreams, and direction. But again, why did I buy a home at 22?? I keep skirting around it because there is so much back story, but the main reason is: My past. My parents (separated) each owned about 5 properties. My father started later than my mother. He bought all 5 off of a $30,000/year salary. The fact he did it as a single parent really resonated with me. As children though, we listen to, and observe, our parents and we vow to “never do x, y, or z because my parents showed me how awful it is”. And believe me, after installing soffit and fascia, painting numerous baseboards, and performing a host of other odds and ends after awful, disgusting tenants left some of their apartments, I vowed that was something I would NEVER do. I hated it. Granted, I wasn’t being paid so maybe that’s why it didn’t give me warm fuzzies. 🙂

So, yes, my past and my parents’ actions caused me to buy a house. I then rented bedrooms to various people and I cannot tell you how valuable it has been to both repair the home I live in and have different personalities living with me. I learned laws, I’ve learned how to manage tenants effectively and what some people will put up with and what they won’t. I’ve learned what low rents can bring into your home and how high rents cause you to get too many people trying to move in. I’ve also learned that I cannot do another renovation with my own hands. It’s far too taxing while I’m trying to grow in my 20’s as a professional. I will be buying another property. Instead of picking up the hammer myself though, I will be finding contractors and a property management company to help aid my next ventures. As I learn about real estate, I get excited. I find out new things and I build knowledge. I really enjoy it.

I also find it intriguing how my take on “Rich Dad, Poor Dad” was different than the way others understood it. And that is where I am at today. 🙂 I’m excited for the future and what opportunities it will bring. I hope they are exciting. I’m glad I bought a house at age 22 and that I had parents that lit the fire in my brain at a very young age.

Lockdown Remote Desktop

For a while, I was a brilliant human and exposed port 3389 to the world (3389 is the default Remote Desktop port). So what alternatives do you have for securing yourself while enabling Remote Desktop over the internet? There are 6 main ways to accomplish this:

1. VPN

You knew this one was coming, didn’t you? And this is not the most eloquent way to say this, but: if you don’t want STDs or kids, wrap it up. Now convert STDs to attackers on the internet and kids to the lifetime of un-recoverable data in some cases or things published to the world you didn’t initially intend to have published. But wait, how did that relate to a VPN? VPN is the condom, you are… the other part in the condom. Sincerest apologies for the analogy. The future bullet points won’t be so crude.

2. SSH Tunnel

It took me a long time to actually USE this method, but it is SO FREAKING EASY! Set up a server, firewall or switch that has port 22 exposed. Download and install PuTTY. Type in the port of your exposed SSH service. Before clicking anything else, expand Connection > SSH > Tunnels, then type 3388 in the Source port field. In Destination, type 192.x.x.x:3389, where 192.x.x.x is the IP of the device you want to connect to and 3389 is the RDP port. Click Add.

Now go back to Session and make sure you have the IP address or domain name you will connect to on port 22. I’d recommend clicking Save at this point so you don’t have to type all of that in again. Now click Open and connect to your remote device. You DO have to log in!! Once you’ve logged in, just open Remote Desktop and connect to localhost:3388, where 3388 is the port you chose as Source port in the previous step. Congratulations, you’ve connected over an SSH tunnel. Leave the tunnel listening on localhost only (the PuTTY default); ticking “Local ports accept connections from other hosts” would expose the forwarded RDP port to everyone on your network.
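The same tunnel from the command line, for anyone who would rather script it than click through PuTTY. This is an added example and not part of the original post; it drives OpenSSH (included with Windows 10/11 and every Linux distribution) rather than PuTTY, and the gateway name, user name and 192.0.2.10 target in main() are placeholders you replace with your own. The forward is bound to 127.0.0.1 explicitly so the RDP end of the tunnel is never reachable from other hosts, and ExitOnForwardFailure makes ssh fail loudly instead of silently continuing without the forward if 3388 is already taken.

```python
"""RDP over an SSH tunnel with OpenSSH instead of PuTTY.
Added example, not from the original post; names in main() are placeholders."""

import socket
import subprocess
import sys
import time


def tunnel_argv(gateway, user, target_ip, local_port=3388,
                remote_port=3389, ssh_port=22):
    """Build the ssh command line for local_port -> target_ip:remote_port.

    -N      : no remote shell, we only want the forward
    127.0.0.1:... : listen on loopback only, never on 0.0.0.0
    ExitOnForwardFailure : exit if the local port cannot be bound"""
    for p in (local_port, remote_port, ssh_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return [
        "ssh", "-N",
        "-o", "ExitOnForwardFailure=yes",
        "-p", str(ssh_port),
        "-L", f"127.0.0.1:{local_port}:{target_ip}:{remote_port}",
        f"{user}@{gateway}",
    ]


def wait_for_port(port, timeout=15.0):
    """Poll 127.0.0.1:port until ssh has the listener up, or give up."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with socket.socket() as s:
            s.settimeout(0.5)
            try:
                s.connect(("127.0.0.1", port))
                return True
            except OSError:
                time.sleep(0.25)
    return False


def rdp_client_argv(local_port=3388):
    """The RDP client pointed at the local end of the tunnel."""
    if sys.platform == "win32":
        return ["mstsc", f"/v:127.0.0.1:{local_port}"]
    return ["xfreerdp", f"/v:127.0.0.1:{local_port}"]


def main():
    # Placeholders: your SSH gateway, your account on it, the RDP host's LAN IP.
    argv = tunnel_argv("gateway.example.com", "vpnuser", "192.0.2.10")
    ssh = subprocess.Popen(argv)  # ssh prompts for the password / key passphrase
    try:
        if not wait_for_port(3388):
            print("tunnel did not come up; check the ssh output", file=sys.stderr)
            return 1
        subprocess.run(rdp_client_argv(3388))
    finally:
        ssh.terminate()  # tear the tunnel down when the RDP session ends
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

If the RDP client cannot connect, run the ssh command by hand without -N: an “Address already in use” or “remote port forwarding failed” message from ssh is the usual cause, and the script relies on ExitOnForwardFailure to turn that into a non-zero exit rather than a silent half-working session.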

3. Firewall

Firewalls are good stuff. You can use the built-in Windows Firewall, your network firewall (like pfSense), or something further out. Whichever you choose, if you limit access to only the source IPs you need, this is a fairly safe route as well. And while you’re at it, why not move RDP to a custom port? Just treat the port change as noise reduction for scanners rather than a security control; the source IP restriction is what actually protects you.

4. Alternative software

There are software utilities like RDSKnight that you can use to accomplish the same thing. It has a few more built-in controls than a plain firewall, like geo-blocking, user restrictions and time restrictions. Or maybe TeamViewer, ScreenConnect or some other utility similar in function?

5. Two Step Authentication

Let’s say you do decide to leave yourself exposed. At least add a second factor, something like Duo, and require Network Level Authentication so a client has to authenticate before it ever reaches the logon screen.

6. Don’t open it at all.

Admittedly, you don’t have to open it at all. At the end of the day, you do you!

Set time on a VMWare hosted domain controller

When you set up a domain controller in VMware and join machines to it, you will typically need to point it at an external NTP server, because over time it will drift by several minutes. I’ve seen this numerous times. There are a few other ways to resolve this, but this is my preferred one. (A fresh install won’t show the problem; it will probably crop up about 5 months down the line.) Also make sure VMware Tools periodic time synchronization is turned off for the DC, otherwise it will fight w32time for control of the clock.

  1. Make sure you are doing this on the domain controller that holds the PDC Emulator FSMO role; that is the DC the rest of the domain syncs from.
    netdom query fsmo
  2. Stop the time service (you will usually get the best results this way)
    net stop w32time
  3. Set the time sources you will use. NIST publishes a list at https://tf.nist.gov/tf-cgi/servers.cgi
    w32tm /config /syncfromflags:manual /manualpeerlist:"time.nist.gov"
  4. Mark your domain controller as a reliable time source for the clients that sync from it.
    w32tm /config /reliable:yes
  5. Start the time service back up
    net start w32time
  6. Force a time update. If this reports that the computer did not resync because no time data was available, check that outbound UDP 123 to your peer is allowed.
    w32tm /resync
  7. Verify your work. The Source line should name your peer, not Local CMOS Clock.
    w32tm /query /status
    w32tm /query /configuration

This was used on Windows Server 2019 and should work on 2016 as well. Older versions I haven’t used this exact process on.

Office Deployments

At first I thought deploying Office 2019 the “new way” was daunting and it seemed like it was going to be a pain. It really isn’t, even if you haven’t done it before. Here’s the basic process. There are tons of things you can do with it, but this skims the surface to get you moving with a quick deployment.

The following will guide you through installing Office 365 on machines with Terminal Services (Remote Desktop Services) deployed. If you are not installing on an RDS host, remove the SharedComputerLicensing property.

Step 1 – Download the tool

Obtain the office deployment tool:


Of course you can also Google “Office Deployment Tool”. Microsoft has a habit of moving things around more than I’d like.

Step 2 – Run and extract the goodies (for the lesser experienced, don’t stop now, the rest is easy!)

Run the tool and extract it to a location of your choosing. Once complete, open PowerShell and navigate to that folder, e.g.:

cd C:\Office2019

Step 3 – Configure the config XML file

You’ll notice they’ve included some pre-configured config files for us to use. Open either the 64- or 32-bit version in a text editor like Notepad. Make sure to add the SharedComputerLicensing property shown below if you are using Terminal Services (Remote Desktop deployments).

Be sure to modify things like the product id as needed. Here is a link with a list of IDs:


Here’s a list of IDs that could be used in case Microsoft moves their page (the first 3 are the Office 365 editions):

  • O365ProPlusRetail
  • O365BusinessRetail
  • O365SmallBusPremRetail
  • Excel2019Volume
  • HomeBusinessRetail
  • HomeBusiness2019Retail
  • HomeStudentRetail
  • HomeStudent2019Retail
  • O365HomePremRetail
  • ProfessionalRetail
  • Professional2019Retail
  • ProjectPro2019Retail
  • ProjectPro2019Volume
  • ProjectStdXVolume
  • ProjectStd2019Retail
  • ProjectStd2019Volume
  • ProPlus2019Volume
  • Standard2019Volume
  • VisioPro2019Retail
  • VisioPro2019Volume
<Configuration>
  <Add OfficeClientEdition="64" Channel="Monthly">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Property Name="SharedComputerLicensing" Value="1" />
  <Updates Enabled="TRUE" Channel="Monthly" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>

Google is your friend when you don’t know one of these properties. 🙂

Step 4 – Run it!!

Run it, deploy it, download it, whatever you want! Both commands are shown below. /download pulls the installation files to the SourcePath given in your XML, which is what you want for a network deployment; /configure installs on the local machine.

.\setup.exe /configure configFileName.xml
.\setup.exe /download configFileName.xml
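Hand-editing the XML is where deployments go wrong (a tag closed in the wrong place, a product ID that does not exist, the SharedComputerLicensing property forgotten on an RDS host). The following is an added example, not Microsoft tooling and not code from the original post: it builds a configuration.xml through an XML library so the nesting cannot be wrong, refuses product IDs outside the list above, and summarizes an existing file so you can check one you were handed. The SourcePath argument and the “MatchOS” language value are standard Office Deployment Tool settings; everything else is just the structure of the sample file.

```python
"""Build and check an Office Deployment Tool configuration.xml.
Added example; not Microsoft's tooling and not from the original post."""

import re
import xml.etree.ElementTree as ET

# Product IDs from the list above.
PRODUCT_IDS = {
    "O365ProPlusRetail", "O365BusinessRetail", "O365SmallBusPremRetail",
    "Excel2019Volume", "HomeBusinessRetail", "HomeBusiness2019Retail",
    "HomeStudentRetail", "HomeStudent2019Retail", "O365HomePremRetail",
    "ProfessionalRetail", "Professional2019Retail", "ProjectPro2019Retail",
    "ProjectPro2019Volume", "ProjectStdXVolume", "ProjectStd2019Retail",
    "ProjectStd2019Volume", "ProPlus2019Volume", "Standard2019Volume",
    "VisioPro2019Retail", "VisioPro2019Volume",
}
_LANG = re.compile(r"[a-z]{2}-[a-z]{2}")  # e.g. en-us


def build_config(product_id, languages=("en-us",), edition="64",
                 shared_computer=True, channel="Monthly", source_path=None):
    """Return configuration.xml text for setup.exe /configure or /download."""
    if product_id not in PRODUCT_IDS:
        raise ValueError(f"unknown product ID {product_id!r}")
    if edition not in ("32", "64"):
        raise ValueError("OfficeClientEdition must be '32' or '64'")
    root = ET.Element("Configuration")
    add = ET.SubElement(root, "Add", OfficeClientEdition=edition, Channel=channel)
    if source_path:  # where /download stores files and /configure reads them
        add.set("SourcePath", source_path)
    product = ET.SubElement(add, "Product", ID=product_id)
    for lang in languages:
        if lang != "MatchOS" and not _LANG.fullmatch(lang):
            raise ValueError(f"bad language ID {lang!r}")
        ET.SubElement(product, "Language", ID=lang)
    if shared_computer:  # shared computer activation for RDS hosts
        ET.SubElement(root, "Property", Name="SharedComputerLicensing", Value="1")
    ET.SubElement(root, "Updates", Enabled="TRUE", Channel=channel)
    ET.SubElement(root, "Display", Level="None", AcceptEULA="TRUE")
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text, rds_host=True):
    """Parse a config (hand-written or generated) and report what it does,
    plus problems worth fixing before running setup.exe."""
    root = ET.fromstring(xml_text)
    products = [p.get("ID") for p in root.iter("Product")]
    shared = any(p.get("Name") == "SharedComputerLicensing" and p.get("Value") == "1"
                 for p in root.iter("Property"))
    problems = [f"unknown product ID {p!r}" for p in products if p not in PRODUCT_IDS]
    if root.tag != "Configuration" or root.find("Add") is None:
        problems.append("root must be <Configuration> with an <Add> child")
    # Shared computer activation matters for the subscription (O365*) products;
    # volume-licensed 2019 products do not need it.
    if rds_host and not shared and any(p.startswith("O365") for p in products):
        problems.append("SharedComputerLicensing not set: needed for Office 365 products on an RDS host")
    return {"products": products, "shared_computer": shared, "problems": problems}


if __name__ == "__main__":
    xml = build_config("O365ProPlusRetail", source_path=r"\\fileserver\office")
    print(xml)
    print(summarize(xml))
```

Save the output as configFileName.xml next to setup.exe; the summarize() call is also handy on a config someone else wrote, since it flags an O365 product on an RDS host without the SharedComputerLicensing property before you find out via activation errors.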

Grow with Google – My take on it

I took some time to do the IT course “Grow with Google – IT Support Specialist Certificate”. It wasn’t so much to learn things as to prove to myself that I knew a thing or two about IT. The course, as I expected, was easy in many areas, but it did start proving difficult because it covers such a broad range of areas. There were also topics like CIDR notation which intrigued me, only for me to find I already knew exactly what it was, I just didn’t realize it had a special name. I learned terminology and some of the background inner workings of things that I didn’t previously know, so it was definitely nice to have some supplemental training on topics I’ve already been exposed to.

I’d recommend it for most people, especially those that already have some beginning knowledge of IT. Some of the first courses that took me next to no time to complete, like the system administration material, I felt would be hard for someone who had never worked with Linux or Windows. However, I went straight to the labs and skipped over the material, so I can’t give an official opinion of it.

CTRL of user accounts in Linux – Quick tips

Disable an account

sudo vipw

Change the login shell of the user you wish to disable from /bin/bash to something that cannot start a session, e.g. /usr/sbin/nologin (the conventional choice; /bin/false also works).

***This option will NOT prevent login over SSH*** A user whose key is in authorized_keys can still authenticate, and ssh -N port forwarding needs no shell at all, so treat the shell change as blocking interactive sessions only.

Modify account password or lockout account


passwd -l <username>

Using -u instead of -l unlocks the account again. Note that -l only prefixes the password hash in /etc/shadow with “!”, so it blocks password authentication; with the default UsePAM yes, sshd will still accept that user’s SSH key. To close every path, expire the account as well (usermod --expiredate 1 or chage -E 0).

Modify Password:

passwd <username>

Curious for more details on who has attempted logon?

faillog -a
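Because the shell change and passwd -l each close only one door, it is worth auditing which doors are actually shut for each account. The following is an added example, not part of the original post: it reads passwd and shadow style lines, checks the shell, the lock prefix on the hash and the account expiry, and reports whether password login, key login and an interactive shell are still possible. The sample lines are constructed; on a real box you would read /etc/passwd and /etc/shadow as root and test for each user’s ~/.ssh/authorized_keys. The claim that sshd with UsePAM yes ignores the “!” lock for key authentication, while account expiry stops every path, is the behaviour being modelled.

```python
"""Audit whether 'disabled' Linux accounts are actually disabled.
Added example, not from the original post; sample data is constructed."""

import time

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed samples in /etc/passwd and /etc/shadow format:
#   alice  - normal account
#   bob    - passwd -l plus nologin shell, still has an SSH key
#   carol  - passwd -l plus account expiry (expire day 1)
SAMPLE_PASSWD = (
    "alice:x:1001:1001::/home/alice:/bin/bash\n"
    "bob:x:1002:1002::/home/bob:/usr/sbin/nologin\n"
    "carol:x:1003:1003::/home/carol:/bin/bash\n"
)
SAMPLE_SHADOW = (
    "alice:$6$abc:19000:0:99999:7:::\n"
    "bob:!$6$def:19000:0:99999:7:::\n"
    "carol:!$6$ghi:19000:0:99999:7::1:\n"
)


def parse_passwd(text):
    """name -> login shell (field 7 of /etc/passwd)."""
    shells = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            shells[f[0]] = f[6]
    return shells


def parse_shadow(text):
    """name -> (password hash, expiry day since epoch or None)."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            expire = int(f[7]) if len(f) > 7 and f[7] else None
            out[f[0]] = (f[1], expire)
    return out


def account_status(shell, pw_hash, expire, has_ssh_key, today):
    """What each control really blocks.

    expiry            : stops every login path (checked by PAM and by sshd)
    '!' or '*' prefix : stops password auth only; sshd with UsePAM yes
                        still accepts the user's key
    nologin shell     : stops interactive sessions; 'ssh -N' forwarding
                        needs no shell"""
    expired = expire is not None and expire <= today
    pw_locked = pw_hash.startswith(("!", "*"))
    return {
        "disabled": expired,
        "password_auth": not expired and not pw_locked and pw_hash != "",
        "empty_password": pw_hash == "",  # dangerous: flag it separately
        "pubkey_auth": not expired and has_ssh_key,
        "interactive_shell": not expired and shell not in NOLOGIN_SHELLS,
    }


def audit(passwd_text, shadow_text, users_with_keys, today):
    """name -> status dict for every account in passwd_text."""
    shells = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    report = {}
    for name, shell in shells.items():
        pw_hash, expire = shadow.get(name, ("!", None))
        report[name] = account_status(shell, pw_hash, expire,
                                      name in users_with_keys, today)
    return report


def fix_command(name, status):
    """The one command that closes every path: expire the account."""
    return None if status["disabled"] else f"usermod --expiredate 1 {name}"


def today_days():
    return int(time.time() // 86400)


if __name__ == "__main__":
    for name, st in audit(SAMPLE_PASSWD, SAMPLE_SHADOW,
                          {"alice", "bob", "carol"}, today_days()).items():
        print(name, st, fix_command(name, st))
```

In the constructed sample bob is the interesting case: his password is locked and his shell is nologin, yet key-based SSH authentication (and therefore port forwarding) still works, which is exactly the gap the expiry command closes.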


Keep in mind, aside from locking a user out, it is equally important to lock down your firewall so that ports like 22 are exposed only to specific IPs. Don’t leave yourself exposed to the world.

The importance of redundancy

Today I had an experience that is not too far off from experiences I’ve seen in the past, though not directly caused by me. In a typical (non-mom-and-pop) business setup, it is perfectly normal to have 2 or more domain controllers with DNS on a Windows based network. You ALWAYS want to point your DNS settings in DHCP to your domain controllers (note the s in that last word). The experience was of maintenance on a server that caused a partial network ‘outage’, as the network wasn’t able to find a second DNS server when maintenance was started on Domain Controller 2. The problem came when, out of our 4 domain controllers, the one I happened to be doing maintenance on was the only one in use by the network…… (and mind you this is a 2008 domain controller, not our Server 2016 domain controller; yes, that is an 8 year old server).

This is why redundancy is SO important. You should ALWAYS specify 2 DNS servers if you are in charge of a network. And you should be very conscious of which servers could be decommissioned in the future as well. You should feel a nasty feeling in your gut until you have a second one in there. You should always have more than 1 uplink to your VMware hosts, preferably on a second network card. Hardware failure isn’t super common these days, but it does happen. If your company is larger, you want to be sure you have HA (high availability) running on your core network equipment. You want to pay for a second internet provider.

Whether it is a network, a virtual machine, or something else that is business critical, PLEASE make sure you have redundancy built in to prevent issues like this. And if you are the one performing maintenance, you do always want to go over a mental checklist of what a server is performing for the business. If you are also controlling the network, you should NEVER have holes as giant as specifying only 1 DNS server in your network.

Please note, I was not responsible for the network in this particular scenario.

System image vs post install scripts

When it comes to a system image vs running scripts to set up a new computer and the necessary software, I find there is a healthy balance. On one hand it makes much more sense to create an image so it’s ready to go out of the box, but on the flip side, you have to keep updating the drivers, the software, etc. In my experience, it makes sense to have a balance of both. Install items that update frequently via script so you aren’t plagued with updating your image 5 times a month or manually updating the software on deployment. Usually installers these days pull the latest version anyhow, and it’s not like the older days where it would be a static version that you downloaded. Take Ninite for example. I’d prefer running it once to having Chrome, Firefox, and whatever other small apps the company required be out of date 2 weeks after I created the image. Granted, the licensing can be a bit spendy for some companies. Some might argue…. why not just run Ninite again to update them? True… easy enough, but why? I like things “fresh”. “Clean”. Call me the tree hugger of the IT squad I guess. Regardless, there’s never a one-option solution in IT. And that is one of the things that makes it so great!