User password age and why you cant trust it blindly

There are many ways to check when a user set his password lastly, my two favorites are using either Powershell or the builtin net command that is present in all Current Windows versions.

There are other things that matter when we are discussing passwords. There are a few we need to keep in mind. The most basic are:

  • Checkbox – Password never expires
  • Checkbox – User must change password at next logon
  • Value – Maximum password age
  • Value – When was the password last set

So how is all this stored:

[Read more…]

Avoid setting up a domain trust for a single users needs

I found a question on the Microsoft Technet Forums, how can I allow a users to use a ERP software in another domain without using his credentials.

So this solution does not really give a solution that allows the local user account any rights, but stores the remote domain username/password for the user so the user doesn’t get bugged for those all the time.

Using CMDKEY to add username-password for alternative domain

 

An extra 100ns for free?

So I was reading up on the AD Module filters. I found a thing, Microsoft usually says keep it simple. I found an over complex way of initializing a date variable. So what did the documentation suggest:

Whoa.. Yes you can use .NET but if possible use Powershell cmdlets. Do we have any cmdlet we can use? Get-Date. Get-Date can be initialized with year, month and day.

That looks easier to read so it is better. But are they the same. And they arent. So what is the difference? Let’s convert it to the FileTime structure.

Here we see that we get a 100-nanosecond difference. Im not really sure why. But now we know that if you want the real 12am you cant use Get-Date. As it will add a 100ns extra. Bonus link to MSDN article for DateTime Structure.

Updating AD group membership if the user has a mobilenumber

Background:

So I was at a customers location and well we got talking about scripts. They had the need for a script that populates a group if the user has a cellphone number configured and remove him the number is removed after.
They had already a script that did it. The script did what was needed but I felt there was room for improvement, so I got rid of a try catch where the catch was empty. That is just as bad as ON ERROR RESUME NEXT from the old VBScript days. Anyway I thought later there has got to be a better way of doing this.

The old way:

This is a compressed version written from memory.

The improved way:

So why not just be happy. Well there is still performance improvements and let the DC do the heavy lifting. Lets start using LDAPFilter.

But I only want user from one part of my AD

Okay so now we got new requirements of course but that is really simple. Lets just instruct the Get-ADUser to search only in one part using SearchBase.

So just add the searchbase parameter and path.

Standardize your verbose/debug messages

So my default verbose and debug messages might not really be good looking, so I needed to standardize how I wrote them. I wanted the time, function name and message to be printed and standardized. So I came up with this invoke way.

How do I execute a script block from a variable?

Well first we need to save the standard to a variable and then execute it when needed. Well that is easy in powershell.

That command first will save the script block to be run in the $command variable and then using the invoke operator runs it. If you run the later command again you will notice that the Get-Date is executed now to.

Building it from scratch

But we wanted to add the function name too. So lets look into that. I wrote an article before that talked about good constants in Powershell. These aren’t really constants but Powershell variables that powershell itself populates. Tada if you look in $MyInvocation.MyCommand.Name you will find the current functionname. So lets try that on the commandline:

Well I didn’t get any output.. Well I’m not running in a function am I? So lets  build a function and then throw it in.

Okey so that works. But remember that we will do another invoke later and that will get a new $MyInvocation. So lets add a message instead. That feels just like building a function, add a param and a variablename.

A pot hole

Hey.. why did I not get the correct output? Well you did.. In a way. MyInvocation does provide information about the current invocation, but you are invoking the script block right? So how do we get the MyInvocation from the function. We have to dig a little in powershell scoping. I can access the MyInvocation of the function by calling Get-Variable -Scope 1 MyInvocation -ValueOnly. So what is that scope 1? That tells the cmdlet to walk up 1 level in the invocation stack and get the variable there, in this case the calling function.

Now all at once

[Read more…]

Move all FSMO roles to the local domain controller using Powershell

I upgraded one domain controller in my home active directory and needed to move all the FSMO the new domain controller. So since I’m really lazy and like quick solutions I check what powershell could help me with. And since I know it should live in the ActiveDirectory module I decided to list all move commands in that module.

[Read more…]

Resetting the time configuration

I was wondering why one of my domain controllers was displaying the wrong time. I had previouly configured that just the PDC should go outside the domain. So I ran w32tm /monitor, the response was not really what I hoped

For the domain controller in question I got the following line RefID: (unspecified / unsynchronized) [0x00000000]. RefID should tell where the computer got it’s time from. In this case something was wrong, so I needed to reset the configuration. [Read more…]

Getting the computername in Powershell

Update 2015-07-03:

So I got two comments from Paul Wiegmans. These were mainly that the functions delivered different hostname vs netbios version. And that I had missed a good function. And I’m so used to that since windows limits the Netbios computername to 16 characters, where the last one is a reserved character so I forgot to test for longer versions.

Updated blogpost with all the glory:

Last weekend my company and a couple of customers had an event in the Swedish village of Åre. To cut to the chase we had both speakers from Knowledge factory, TrueSec and Microsoft at the event. And during Bruce Payette‘s presentation I noticed that he used hostname instead of $env:computername as I and other use. So I talked a little with him about it, and decided to write a blog entry about it. So we discussed a couple of options mostly using $env, the .NET method and hostname.exe. I also decided to test the speed of a couple of ways. Lets start with the speeds and go from there.

[Read more…]

Is your execution policy Unrestricted for the entire machine?

Sometimes I see customers that for simplicity set the Powershell Execution Policy to Unrestricted. Well, I often wonder why, the usual reply is because it just doesn’t work otherwise. Well I say its time reconsider. Powershell allows for a much more granular solution using scopes. Did you know that there are 5 different scopes for the Execution policy?

Scope
Process
CurrentUser
LocalMachine
UserPolicy
MachinePolicy

So armed with this knowledge we can allow the current process to run as unrestricted while maintaining a rather secure machine around it. But if there were options to the scope what different execution policies are there? Well there are 7, well kind of.. [Read more…]

Useful WMI(C) commands

Sometimes you need to run WMI queries on older Windows machines or in Preinstallation Environment (WinPE) environments. So with powershell its really easy, Get-WMIObject -Class win32_WhatYouWant. So now you are stuck without Powershell, lets use the old WMIC command instead. WMIC has been available from Windows 2003. [Read more…]