Finding password cheaters

In my last blog post I talked about the possibility of faking a password change by setting the time the password was last changed.

So let's find out if somebody has been tampering. To do this we check when the pwdLastSet attribute was last updated and compare that with when the ntPwdHistory attribute was last updated. If you change a password, AD updates both. I also added an allowance of 10 in case you needed to check or uncheck the "password must be changed" checkbox. AD stores loads of data that most people never see or need to see; one such item is the last time an attribute was updated.

Script to check for faked password changes

The script
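The check described above, written here as an added example rather than the script from the post. It compares the replication metadata of pwdLastSet and ntPwdHistory for every enabled user and assumes the ActiveDirectory module with Get-ADReplicationAttributeMetadata (Windows Server 2012 or later); the unit of the post's "allowance of 10" is not stated, so minutes are assumed.

```powershell
# Added example (not the script from the post): a genuine password change
# touches both pwdLastSet and ntPwdHistory; a pwdLastSet that moved on its own
# is worth a look. Assumes the ActiveDirectory module on Server 2012 or later.
Import-Module ActiveDirectory

function Find-PwdLastSetMismatch {
    param(
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [int]$AllowanceMinutes = 10   # assumed unit for the post's "allowance of 10"
    )
    foreach ($user in Get-ADUser -Filter 'Enabled -eq $true' -Server $Server) {
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                    -Server $Server -Properties pwdLastSet, ntPwdHistory
        $pwd  = $meta | Where-Object AttributeName -eq 'pwdLastSet'
        $hist = $meta | Where-Object AttributeName -eq 'ntPwdHistory'
        if (-not $pwd -or -not $hist) { continue }   # nothing to compare yet

        # Positive delta: pwdLastSet was written after the last real password change
        $delta = $pwd.LastOriginatingChangeTime - $hist.LastOriginatingChangeTime
        if ($delta.TotalMinutes -gt $AllowanceMinutes) {
            [pscustomobject]@{
                SamAccountName    = $user.SamAccountName
                PwdLastSetChanged = $pwd.LastOriginatingChangeTime
                PwdHistoryChanged = $hist.LastOriginatingChangeTime
                MinutesApart      = [math]::Round($delta.TotalMinutes)
                OriginatingDC     = $pwd.LastOriginatingChangeDirectoryServerIdentity
            }
        }
    }
}

Find-PwdLastSetMismatch | Format-Table -AutoSize
```

A hit is a lead, not proof: an admin ticking or clearing the next-logon checkbox leaves the same trace, so check the originating DC's security log for that time before drawing conclusions.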


User password age and why you can't trust it blindly

There are many ways to check when a user last set his password; my two favourites are PowerShell and the built-in net command that is present in all current Windows versions.

There are other things that matter when we are discussing passwords, and a few we need to keep in mind. The most basic are:

  • Checkbox – Password never expires
  • Checkbox – User must change password at next logon
  • Value – Maximum password age
  • Value – When was the password last set

So how is all this stored:


Active Directory Schema versions

The Active Directory schema is a living platform that receives changes with every new Windows version. You can check what each schema version does by looking at the .ldf files in the "Support\ADPrep" folder on the installation media.

This is applied during adprep, before you promote a new Windows Server to a Domain Controller.

Schema version    Introduced with
13                Windows 2000
30                Windows 2003
31                Windows 2003 R2
44                Windows 2008
47                Windows 2008 R2
56                Windows 2012
69                Windows 2012 R2
87                Windows 2016 (Technical Preview)

Reverting the AdminSDHolders changes

So everyone knows what the AdminSDHolder does. Okay, let's do a short version of that too.

So what is the AdminSDHolder, then?

Well, Windows has a few "protected" groups and users. If you are a member of one of these protected groups, Windows will do a few things every 60 minutes by default:

  • Set the AdminCount property of a user to 1
  • Disable inheritance on the user object
  • Set the rights on the user objects to a reduced set

This is an extremely simplified version. For more information please read the TechNet article on AdminSDHolder.

Users and groups that are managed by the AdminSDHolder by default

Name                            Type
Administrator                   User
Account Operators               Group
Administrators                  Group
Backup Operators                Group
Cert Publishers                 Group
Domain Admins                   Group
Domain Controllers              Group
Enterprise Admins               Group
Krbtgt                          User
Print Operators                 Group
Read-only Domain Controllers    Group
Replicator                      User
Schema Admins                   Group
Server Operators                Group

Filter by install date

I was once asked if you could apply a GPO only to computers installed before a certain date. My first answer was the simple solution: create a group, add all computers that exist at that time to the group, and then filter on that group.

If possible, always do it the simple way, but they asked what would happen if a computer was reinstalled. Since the computer account will be reused, it will still be in the group, and that is a problem. So at this point we have to decide where to put the complication.

Do we want to complicate the task sequence and let it remove the computer from the group, or do we want to use a WMI filter on the GPO?

WMI filters have limitations: they require working WMI on the client, and they require that the client is running Windows XP or Windows 2003 Server (who has that running anyway, right?). Using WMI we can create a simple filter that only targets computers that were installed or reinstalled after a certain date.

WMI filter - only older installs

It is as simple as that.

A SQL deadlock while editing an AAD Connect synchronization rule

I ran into this issue while editing an AAD Connect synchronization rule. If you edit an AAD synchronization rule and give it the same precedence as an already existing synchronization rule, you get a SQL deadlock warning:

A deadlock occurred in SQL Server while trying to acquire an application lock.,Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncRuleCmdlet

In my case I had made a copy of the original rule, disabled the original and set the new duplicate to the same precedence as the original; that was a bad idea. So use a different precedence, and let this be a lesson.

Remove old domain from Exchange objects

Most companies have domains in their Exchange organization that they aren't actively using but keep for legacy reasons. One of my customers wanted to clear an old domain from all objects since they had started to get spam on those addresses. There are two simple solutions:

  1. Remove the domain from AcceptedDomains
  2. Remove the domain from EmailAddressPolicy / All objects

They chose to go down road 2. They have very few EmailAddressPolicies, so we agreed that they would clean out the policies themselves and I wrote a script to clean out the objects.


Replace characters in Exchange [Nordic]

I have seen a few smaller companies turn off "Automatically update e-mail addresses based on e-mail address policy". Most of the reasons are really bad ones. I have heard that they want all email addresses in lowercase, or that they think Microsoft shouldn't translate the Swedish character Ö to OE. There is a perfectly good way to do this using the email address policy too.

Enter replacements

At the beginning of the row you can write which characters you want replaced: that every uppercase A should become lowercase, or that an Ö should become a regular O. So how do we do this? Using the magic of %r<In><Out>. I have a default one I use, but I needed to update it after a customer request that I thought was good for the future too. My default is now as follows:

Avoid setting up a domain trust for a single user's needs

I found a question on the Microsoft TechNet forums: how can I let a user use an ERP application in another domain without using his own credentials?

This solution does not give the local user account any rights in the other domain; it stores the remote domain username and password for the user so that the user doesn't get prompted for them all the time.

Using CMDKEY to add username-password for alternative domain


Updating AD group membership if the user has a mobile number

Background:

So I was at a customer's site and we got talking about scripts. They needed a script that adds a user to a group if the user has a cellphone number configured and removes him again when the number is removed.
They already had a script that did it. The script did what was needed, but I felt there was room for improvement, so I got rid of a try/catch where the catch block was empty. That is just as bad as ON ERROR RESUME NEXT from the old VBScript days. Anyway, I later thought there has got to be a better way of doing this.

The old way:

This is a compressed version written from memory.

The improved way:

So why not just be happy? Well, there are still performance improvements to be had by letting the DC do the heavy lifting. Let's start using LDAPFilter.

But I only want users from one part of my AD

Okay, so now we have new requirements, of course, but that is really simple. Let's just instruct Get-ADUser to search only one part of the directory using SearchBase.

So just add the SearchBase parameter and the path.
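The LDAPFilter and SearchBase approach put together, as an added example that is neither the customer's script nor the post's own code. It assumes the ActiveDirectory module; the group name and OU are assumed values, and the attribute checked is "mobile".

```powershell
# Added example (not the post's or the customer's script): keep a group in sync
# with the users that have a mobile number, letting the DC do the filtering
# (LDAPFilter) and limiting the scope with SearchBase.
Import-Module ActiveDirectory

function Sync-MobileUsersGroup {
    param(
        [string]$GroupName  = 'MobileUsers',                  # assumed group
        [string]$SearchBase = 'OU=Staff,DC=example,DC=com',   # assumed OU
        [switch]$WhatIf
    )
    $group = Get-ADGroup -Identity $GroupName

    # Server-side filter: user objects in scope whose mobile attribute has a value
    $wanted  = @(Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(mobile=*))' `
                           -SearchBase $SearchBase)
    # Current user members of the group (nested groups are left alone)
    $current = @(Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'user')

    $toAdd    = @($wanted  | Where-Object { $_.DistinguishedName -notin $current.DistinguishedName })
    $toRemove = @($current | Where-Object { $_.DistinguishedName -notin $wanted.DistinguishedName })

    if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd    -WhatIf:$WhatIf }
    if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -WhatIf:$WhatIf -Confirm:$false }

    [pscustomobject]@{ Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Dry run first; drop -WhatIf once the counts look right
Sync-MobileUsersGroup -WhatIf
```

Note that a user moved out of the SearchBase OU drops out of scope and is removed from the group on the next run, which is usually what you want but worth knowing before scheduling it.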