Finding password cheaters

So In my last blog I talked about the possibility of faking a password change, by setting the last time the password was changed.

So lets find out if somebody has been tampered with. To do this we check the last time somebody updated the pwdlastset attribute and compare to the last time somebody updated the ntPwdHistory attribute. If you change passwords the AD will update both. Also I added an allowance for 10 if you needed to check or uncheck the password must be changed checkbox. The AD does store loads of data that most people never see or have to see, One such attribute is the last time an attribute was updated.

Script to check for faked password changes

The script

[Read more…]

Active Directory Schema versions

The Active Directory Schema is a living platform that receives changes with every new Windows version. You check what each schema version does by looking at the ldf files in “Support\ADPrep” folder on the installation media.

This is done during the Adprep, before you promote a new Windows Server to a Domain Controller.

Schema Version Introduced with
13 Windows 2000
30 Windows 2003
31 Windows 2003R2
44 Windows 2008
47 Windows 2008R2
56 Windows 2012
69 Windows 2012R2
87 Windows 2016 (Technical preview)

Getting all possible classes / attributes for a AD Object

So in the World of the AD everything is build by classes. Classes are stored in the Schema part of the AD.

So what does this mean?

The fast basics

  • Each AD object has a objectClass which matches to a class in the schema.
  • Each class has a parent (subClassof)
  • One class has itself as its parent (top)
  • Each class has available attributes which might or must be set on an AD object.
  • An AD object can use all attributes of its class and all above it.

There are 4 attributes defined for each class which says which attributes it carries:

  • MayContain
  • MustContain
  • systemMayContain
  • systemMustContain

Lets get all classes that is assigned to a AD Object

[Read more…]