시작>powershell ISE 실행.

# User 추가
 $a=1
DO
{
  dsadd user "cn=user$a,ou=test,dc=sbbaek,dc=com"
  $a++
  } while ($a -le 1000) 

# Group 추가
 $a=1
DO
{
  dsadd group "cn=group$a,ou=test,dc=sbbaek,dc=com"
  $a++

  } while ($a -le 1000) 


Steve Friedl's Evolution Tech Tips

Deploying a Self-Signed Root Certificate with Group Policy


Several customers are deploying the latest version of the excellent Evolution payroll service-bureau software from iSystems, and the new management interface is web based via SSL. This is a major improvement over the previous version that required interaction with the server via a logged-in user.

But the web certificate used by the vendor is self-signed, which means that Internet Explorer users visiting the management interface are greeted with an untrusted-certificate message:

[Security Warning]

Though it's not difficult to dispense with this message - one can accept the certificate with a few clicks - all users on all workstations must go through this, and we'd prefer to avoid it. Fortunately, we can capture and deploy the certificate with Group Policy throughout the enterprise. It's worked really well.

Note - this Tech Tip is intended to be used generally for any kind of certificate deployment, but we're using the specific example of Version 6 ("Garfield") of Evolution. Our server platform is SBS2003 with XP/SP2 workstations. We've not investigated this process for any browser other than IE.

Disclaimer - We'll also note that we are not even remotely approaching PKI or Group Policy experts, and we have mainly muddled through several of the choices offered on the road to something that appears to work well. We'd certainly welcome input from those who actually know this stuff.

Getting a copy of the certificate into a file

Ultimately we need a copy of the public certificate into a file so that it may be imported into Group Policy, and though some vendors may publish this certificate on a website, it's easy to use the browser itself and export the cert to a file.

[Security Warning - click View Cert]Begin the process by loading IE, visiting the website of interest, and provoking the security warning. It may be necessary to exit all instances of IE if the certificate had previously been accepted, but once visible, click the [View Certificate] button.

[Certificate Details - click Copy to File]There is lots of information about this certificate, and we want the [Details] tab which confirms that the certificate is from who we think it's from. Click the [Copy to File] button:

[]Here we're offered quite a few choices of certificate format, and we have chosen Cryptographic Message Syntax Standard (PKCS #7) for no particularly good reason - we know that it imports correctly into the Group Policy editor. We don't think the certificate path matters.

[Export Wizard - Choose File to Export]Clicking [Next] prompts for a filename, and it should be of the form vendorcert.p7b (the .p7b extension matters). The file should then be somehow moved to the Windows Server with the Group Policy Management.

Deploying the Certificate with Group Policy

With vendorcert.p7b now on the server, we're ready to deploy the certificate.

[]Launch the Group Policy Manager and navigate to a suitable object: we prefer the Default Domain Policy because there is no harm in deploying this certificate throughout the entire enterprise. Right-click on that object and select Edit:

[]In the Group Policy Object Editor, navigate down to: Computer Configuration 
» Windows Settings
» Security Settings
» Public Key Policies
» Trusted Root Certification Authorities 
Then right-click and select Import.

[Select File to Import]In the Certificate Import Wizard, browse to the location of the file; here we're looking for vendorcert.p7b. Click[Next].

[]With the file selected, we're shown the Certificate Store dialog that selects the target location for the cert. We've seen only one choice available with all the rest grayed out. Click Next.

[]In the wizard completion dialog, review the settings: they should all be familiar. Click Finish.

[Finished! Certificate imported]Finished! The certificate has been imported, and it appears in the Group Policy object. The next time a user logs in, these settings will be applied and the certificate will be trusted by Internet Explorer.

Multiple (and unrelated) certificates may be deployed in the same way, so that as other systems enter production with self-signed certs, they may be included in the same Group Policy object.

We should note, however, that this procedure is intended for intionally self-signed certificates that are known to be trusted, and it's not meant to ameliorate browsing sites with broken certs (expired, wrong server name, etc.). Please keep in mind that SSL certificates are a security measure, and bypassing it thoughtlessly may lead to unpleasant surprises.


First published: 2005/07/06



Windows Server 2008 R2에서 기본 적용되어 있는 암호에 조건은 다음과 같습니다.

[그림 1. "암호는 복잡성을 만족해야 함" 속성]

이 화면을 확인 하기 위해서는
"실행 > gpedit.msc >로컬 컴퓨터 정책 > 컴퓨터 구성 > Windows 설정 > 보안 설정 > 계정 정책 > 암호 정책"
이라는 긴 과정을 거쳐서 확인할 수 있습니다.


[그림 2. 로컬 그룹 정책 편집기]

여기서 로컬 보안 설정 탭에 설정된 "사용"을 "사용 안 함"으로 선택하면 위 4가지의 암호 복잡성 조건을 사용하지 않게 됩니다.
일반적인 사용자 OS급(Windows 7같은)에 경우 이런 문제가 발생하지 않고, 이 설정을 편집할 일도 없습니다.
즉, Server급 OS에만 해당된다는 말이 됩니다.

위와 같이 간단한 방법으로 암호 복잡성 조건을 해제 할 수 있지만 간혹 아래와 같이 비활성화된 상태에 암호 복잡성 설정창을 만날 수 있습니다.

[그림 3. 암호는 복잡성을 만족해야 함 속성 변경 불가]

이는 Windows Server에서 Active Directory Service를 사용하게 되면 위 그림과같이 설정을 할 수 없게 됩니다.
필자의 개발용 서버도 위 그림과 같이 설정이 불가능한 상태였습니다.
알아보니 해결 방법은 다음과 같았습니다.

1. 실행 > gpmc.msc
2. 그룹 정책 관리 > 포트리스: ___ > 도메인 > ___ > 그룹 정책 개체 > Default Domain Policy"

[그림 4. gpmc.msc 화면]

3. Default Domain Policy 마우스 우클릭 컨텍스트 메뉴에서 편집

[그림 5. Default Domain Policy 편집]

4. 새로 뜨는 "그룹 정책 관리 편집기"에서 "Default Domain Policy [___] > 컴퓨터 구성 > 정책 > Windows 설정 > 보안 설정 > 계정 정책 > 암호 정책"으로 이동

[그림 6. 그룹 정책 관리 편집기]

5. 암호는 복잡성을 만족해야 함 정책 더블클릭으로 속성창 열어 "사용"에서 "사용 안 함"으로 설정 후 확인

[그림 7. "암호는 복잡성을 만족해야 함 속성" 창]


그리고 나서 맨 마지막으로 "실행 > gpupdate /force"를 입력하면 변경된 정책이 적용 됩니다

[그림 8. gpupdate /force 화면]



C:\Program Files (x86)\OpenSSL-Win64\bin>openssl genrsa -des3 -out nicscaprivatekey.key 2048
C:\Program Files (x86)\OpenSSL-Win64\bin>openssl req -new -x509 -days 3650 -extensions v3_ca -keyout nicscaprivatekey.key -out nicssslca.crt


인증서와 Key 생성 완료 화면(2개의 File 생성)
nicscaprivatekey.key
nicssslca.crt


FortiGate > System > Certificates > Import > Local Certificate


Certificate 선택


Certificate file 및 Key file 선택


신규 SSL Certificate 추가 확인


Deep-Inspection 생성


클라이언트 PC에 인증서 설치


SHA256 확인


FortiGate Policy


클라이언트 어플리케이션 컨트롤 차단 예