Technical posts about IT

Posts in category Security

AD Security: Pass the Hash Attack

Jun13
2013 Leave a Comment Written by Sean Metcalf

A very dangerous attack that is effective in gaining full admin access to a network is called “Pass the Hash”. Commonly, a user logs into a system with their username and password. Pass the Hash (aka PtH) works by taking the password’s hash and passing it to a system as is, without even knowing the password (or needing).

The attack works by taking control of a workstation or server and installing software that waits for an admin to logon. Once an admin logs on, the hash can be extracted from LSASS (the Local Security SubSystem) and used to logon to a higher level system until eventually the attacker can gain access to a Domain Controller with Domain Admin rights. At that point, it’s “Game Over” for the Active Directory environment since the attacker has full rights to the domain (and eventually the forest).

Pass the Hash Mitigation Techniques:

  • Implement policy and technical measures to ensure Domain Admins only logon to writable Domain Controllers and dedicated Admin Servers (that only Domain Admin level personnel administer).
  • Implement policy and technical measures to ensure Domain Admins never logon to workstations.
  • Implement policy and technical measures to ensure Server Admins only logon to servers under their control.
  • Understand that Domains in an Active Directory forest are NOT security boundaries. It is possible to escalate from Domain Admin rights in one domain to Enterprise Admin (Domain Admin in every domain in the forest). Use separate forests to protect accounts, not by separating domains in the forest.
  • Leverage the Windows Firewall to limit communication between systems on a network to minimize the chance of a hash being captured on a workstation and used on a server (or DC).

References:

 

Google+FacebookEmailPrintShare
Posted in Favorite, Microsoft Products, Tech, Technical Reference - Tagged ,

Machine Account (AD Computer Object) Password Updates

Aug08
2012 Leave a Comment Written by Sean Metcalf

There seems to be quite a bit of confusion when it comes to domain-joined computers and how/when they update their AD computer object (machine account) passwords.

Here are a few key points on this process:

  • The default domain policy setting configures domain-joined Windows 2000 (& up) computers to update their passwords every 30 days (default).
  • Computer password update policy is configured in the Default Domain Policy setting “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\”.  If the setting is “not defined”, the default of 30 days is set.
  • The computer password policy is more of a “guideline” than a rule – the computer updates the password when it thinks it needs to, but the domain doesn’t block computer accounts with passwords older than the policy setting.
  • The computer’s Netlogon service handles the machine account password updates. The workstation scavenger thread runs every 15 minutes by default and checks to see if a password update if required.
  • The computer stores the machine account password in the registry location: HKLM\SECURITY\Policy\Secrets\$machine.ACC
  • The computer (and AD) stores the current password and the previous one.
  • The computer changes the password locally (in the registry) and then sends the password update to a Domain Controller.
  • Managed Service Accounts introduced with Windows Server 2008 R2 are treated as computer accounts and update with the same frequency.
  • In a VDI environment, it may be necessary to configure the computer to not automatically update the computer password in AD (since the VDI infrastructure will manage these passwords). See Microsoft KB 327825 below for information.

When using the computer password last set attribute to identify inactive computers, I highly recommend you filter on the OS version (target workstations or servers, not both at the same time). Additionally, filter on the primary group ID to ensure that Domain Controllers are never affected – using PrimaryGroupID = 515 will guarantee a DC will never be selected.

Interesting Note: While you can’t disable a Domain Controller’s computer account through the GUI, specifically Active Directory Users & Computers, it is possible to disable a DC programatically, i.e. via PowerShell, so be careful.

Example PowerShell code to find inactive computers (workstations) in the domain:

1
2
3
4
5
6
7
Import-Module activedirectory
[int]$ComputerPasswordAgeDays = 90
IF ((test-path "c:\temp") -eq $False) { md "c:\temp" }
$ExportFile = "c:\temp\InactiveWorkstations.csv"
$ComputerStaleDate = (Get-Date).AddDays(-$ComputerPasswordAgeDays)
$InactiveWorkstations = Get-ADComputer -filter { (passwordLastSet -le $ComputerStaleDate) -and (OperatingSystem -notlike "*Server*") -and (OperatingSystem -like "*Windows*") } -properties Name, DistinguishedName, OperatingSystem,OperatingSystemServicePack, passwordLastSet,LastLogonDate,Description
$InactiveWorkstations | export-csv $ExportFile

References:

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Tech, Technical Reference

Active Directory Security Group Resources

Jul05
2012 Leave a Comment Written by Sean Metcalf

Laura Robinson (Microsoft) has 2 posts which are excellent resources when working on your Active Directory delegation model. These posts focus on the concept of an “Admin-Free Active Directory” meaning that there are no accounts in the powerful AD groups: Enterprise Admins, Domain Admins, Administrators, & Schema Admins.

The posts also list all of the groups that, by default, have the rights to log onto Domain Controllers. These groups need to be tightly controlled and monitored.
These groups are listed here:

  • Enterprise Admins (admin on all DCs in the forest)
  • Domain Admins
  • Administrators
  • Server Admins
  • Backup Operators
  • Account Operators
  • Print Operators
  • Remote Desktop Users

The last three groups on this list may surprise you. If so, you may want to audit membership in these groups since accounts in any of these groups have log on locally rights to the Domain Controllers in the domain.

Laura’s Blog Posts:
Part 1- Understanding Privileged Groups in ADPart 2- Protected Accounts and Groups in Active Directory

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Tech - Tagged , , , ,

RODC Trick: Remove a User’s Password from a RODC without forcing the user to change her password

Feb11
2012 Leave a Comment Written by Sean Metcalf

TechNet (RODC FAQ) states:

How can you clear a password that is cached on an RODC?

There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches. In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it—or the new password is prepopulated on the RODC—and if the PRP has not been changed.

In the event that an RODC is compromised, you should reset the passwords for all accounts that have cached passwords and then rebuild the RODC.

I disagree.
There is a way to do this. It may not be the officially “supported method”, but there definitely is a way to remove a user’s password from a RODC.

Why would you want to do this? Say that an executive travels to a field site and an admin adds her account to the RODC Password Allow group. This means the executive’s password is cached on the RODC at that site upon successful logon. You realize that the RODC has stored the executive’s password (oops!) and you have the same security concerns about the site that led you to only deploy a RODC there. You want to wipe the password from the RODC, but don’t want the executive to have to change her password. What to do?

Check the RODC computer object and see that the executive (Jane Executive in this example) shows up in the list of security principals with their passwords stored on the RODC (msDS-RevealedList).

The LDAP Modify Operation “RODCPurgeAccount” causes the RODC to NULL the cached secrets of a specified security principal (User or Computer).

Here’s a (likely unsupported) way to do it.

Open LDP on a writable DC and connect to the RODC on port 389 (LDAP) or 636 (LDAPS). Bind to the server (ensure you have Domain Admin credentials). Select Modify (operation) from the drop down and set the following:

DN: [blank]
Edit Entry Attribute: RODCPurgeAccount
Values: CN=Jane Executive,OU=Executives,DC=metcorp,DC=org [Account DN]
Click Replace
Click Enter
Click Run.

You should see the Modify is Successful.

Check the RODC computer object and see that the executive (Jane Executive in this example) is NOT in the list of security principals with their passwords stored on the RODC.

Security concern: the executive’s password was stored on the RODC during some period of time which means it was committed to the AD database (in memory & on disk). The correct way to ensure the executive’s password is not available is to have her change it (when WAS the last time she changed her password?) since this will invalidate any cached passwords floating around the network.

Google+FacebookEmailPrintShare
Posted in Deployment, Favorite, Microsoft Products, Tech - Tagged , , , , ,

Powershell Code: Working with a Computer’s Local SAM Accounts & Groups

Nov30
2011 Leave a Comment Written by Sean Metcalf

We know by now how easy it is to work with Active Directory leveraging the many AD commandlets. However, what about when it becomes necessary to get information about a local account or group on a specific computer.

Get a list of administrators on a specific computer:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$Computer = "COMPUTERNAME"
TRY
{ ## OPEN TRY
$ADSIComputer = [ADSI]("WinNT://" + $Computer + ",Computer")
$AdminGroup = $ADSIComputer.PSbase.Children.Find("Administrators")
$AdminGroupMembers= $AdminGroup.PSbase.Invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $Null, $_, $Null)}
} ## CLOSE TRY
CATCH { Write-Warning "Unable to get Administrators Group Membership on $Computer `r " }

Write-Output "$Computer Administrators: `r "
Write-Output "========================= `r "
Write-Output " `r "
ForEach ($Member in $AdminGroupMembers)
{ ## OPEN ForEach Member in AdminGroupMembers
$Member
} ## CLOSE ForEach Member in AdminGroupMembers
Write-Output " `r "


Check for Domain Admins in the local Administrators group on a specific computer:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$Computer = "COMPUTERNAME"
$AdminGroup = [ADSI]"WinNT://$Computer/Administrators,group"
TRY { $AdminGroupMembers = @($AdminGroup.psbase.Invoke("Members")) }
CATCH { ## OPEN Catch
Write-Warning "Could not connect to $Computer. It may be offline. `r "
} ## CLOSE Catch
IF ($AdminGroupMembers)
{ ## OPEN IF AdminGroupMembers contains data
$AdminGroupMembers | ForEach-Object `
{ [array]$AdminGroupMemberList += $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
ForEach ($Member in $AdminGroupMemberList)
{ ## OPEN ForEach Member in MemberNames
IF ($Member -like "*Domain Admins*")
{ Write-Output "Domain Admins has Administrative rights to $Computer }
} ## CLOSE ForEach Member in MemberNames


Get the name of the default local administrator account

1
2
3
4
 $Computer = "COMPUTERNAME"
$LocalAdminInfo = Get-WmiObject –Query ‘Select * from Win32_UserAccount Where (LocalAccount="True" and SID like "%-500")’ -ComputerName $Computer
$LocalAdmin = $LocalAdminInfo.Name
Write-Output "The local administrator account on $Computer is $LocalAdmin `r "


Set a local admin’s password:

1
2
3
4
5
6
7
$Computer = "COMPUTERNAME"
$LocalAdmin = "Administrator"
$AdminPassword = "NewAdminPassword999!"

$Admin = [adsi]("WinNT://$Computer/$LocalAdmin, user")
Write-Output "Attempting to change password for $computer\$LocalAdmin..." `r
$Admin.psbase.invoke("SetPassword", "$AdminPassword")

Create new user on computer:

1
2
3
4
5
6
7
8
9
10
$Computer = "COMPUTERNAME"
$User = "NewUser"
$Password = "NewPassword999!"

Write-Verbose "Creating $User on $Computer `r "
$ADSIUserCreate = $ADSIComputer.Create("User", $User)
$ADSIUserCreate.setpassword($password)
$ADSIUserCreate.SetInfo()
$ADSIUserCreate.description = ""
$ADSIUserCreate.SetInfo()

Add a user to Administrators Group:

1
2
3
4
5
6
7
8
9
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$Computer = "COMPUTERNAME"
$User = "NewUser"
Write-Verbose "Adding $User to Administrators group on $Computer `r "
IF ($Computer -like "*$DomainDNS") { $Computer = $Computer -replace(".$DomainDNS") }
Write-Verbose "Adding $User to Administrators group on $Computer `r "
$objUser = [ADSI]("WinNT://$Computer/$User")
$objGroup = [ADSI]("WinNT://$Computer/Administrators")
$objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)
Google+FacebookEmailPrintShare
Posted in Microsoft Products, Powershell Code, Tech - Tagged , , , , , ,

Powershell: Updating Domain Controller Directory Services Restore Mode (DSRM) Passwords

Oct27
2011 Leave a Comment Written by Sean Metcalf

Detailed information on updating Directory Services Restore Mode (DSRM) passwords for Windows Server 2008 (R2) Domain Controllers leveraging NTDSUtil synchronize password is posted on the Directory Services Team Blog.

I put together a Powershell script that performs the following:

  1. Discovers all the Windows 2008 & 2008 R2 Domain Controllers in the domain and creates a special DSRM account in AD with a random complex password for each of them (assuming one doesn’t already exist).
  2.  Checks the date of the last password update for each account. Each account that is past the defined threshold is added to an update DC list.
  3. Update the password on each od the DCs in the update DC list.
  4. Use Powershell remoting to synchronize each of the DCs on the update DC list with the associated DC DSRM account in AD.

Note that this script creates one AD account per Domain Controller. This provides a simple solution for dealing with RODCs in the environment. Some may consider this overkill, but it also provides a simple method for tracking per DC DSRM password updates. Powershell Remoting must be enabled on all 2008 DCs for this to work.

The script uses Powershell remoting to run the ntdsutil command to synchronize the local DC DSRM password with the associated DC DSRM account the script created in Active Directory:
ntdsutil “set dsrm password” “sync from domain account <DCDSRMAccount>” q q

While I don’t often include a complete script solution, this seems to fit the bill.

Download the Powershell script: Update-DSRMp.txt

<# 
.SYNOPSIS
 NAME: Update-DSRMp.ps1
 This script creates & updates Active Directory with user accounts with which DCs running Windows 2008 
 synchronize their DSRM passwords.

.DESCRIPTION
 This script creates & updates Active Directory with user accounts with which DCs running Windows 2008 
 synchronize their DSRM passwords.

 This process is performed in the following stages:

 1. Enumerate all DCs in the AD forest. Identify Widnows 2008 DCs.
 2. Ensure there are special AD DSRM accounts for every DC (<DCName>DSRM). If a DC does not have a respective account, create it.
 3. Loop through all AD DSRM accounts and generate a random, complex, unique, 30-character password (default) and if the 
 account has not had the password updated in 90 days (default), update the AD DSRM account password.
 4. After checking the AD DSRM accounts exist and have recent passwords, connect to each DC and have the DC synchronize
 its (local) DSRM password with the respective AD DSRM account password.
 5. Log the DSRM password list to a secure location retaining history of older DSRM password lists. 

 NOTE: This script MUST be run on a Domain Controller.

.PARAMETER MaxPasswordAge
 This parameter sets when the DSRM password must be changed.
 DEFAULT: 60 (days)
 Example: Update-DSRMp.ps1 -MaxPasswordAge 90 

.PARAMETER PasswordLength
 This parameter configures how long the DSRM password should be.
 DEFAULT: 30 (characters)
 Example: Update-DSRMp.ps1 -PasswordLength 20 

.PARAMETER ForceUpdate
 By default the script will only perform a password change on the DSRM account if the 
 account password hasn't been updated within a predetermined threshold. 
 Using ForceUpdate forces an update on all account passwords.
 Example: Update-DSRMp.ps1 -ForceUpdate 

.PARAMETER Verbose
 Use this parameter to have the script provide additional detail regarding processing.
 Example: Update-DSRMp.ps1 -Verbose 

.PARAMETER Debug
 Use this parameter to have the script provide additional debug detail regarding processing.
 Example: Update-DSRMp.ps1 -Debug 

.EXAMPLE
 Update-DSRMp.ps1 -example 

.NOTES
 NAME: Update-DSRMp.ps1
 AUTHOR: Sean Metcalf 
 AUTHOR EMAIL: Sean Metcalf @t Metcorp Consulting [dot} com
 CREATION DATE: 10/04/2010
 LAST MODIFIED DATE: 10/26/2011
 LAST MODIFIED BY: Sean Metcalf
 INTERNAL VERSION: 01.11.10.26.19
 RELEASE VERSION: 2.0.1

#>
# This Powershell script leverages some features only available with Powershell version 2.0.
# As such, there is no guarantee it will work with earlier versions of Powershell.
# Requires -Version 2.0

#####################
# Script Parameters #
##################### 

Param 
 (
 [int]$PasswordLength = 30,
 [int]$MaxPasswordAge = 60,
 [switch]$ForceUpdate,
 [switch]$Verbose,
 [switch]$Debug
 )

############################
# Configure Script Options #
############################
Write-Output "" `r
Write-Output "Reading configured script options..." `r
Write-Output "" `r

Switch ($Verbose) 
 { ## OPEN Switch Verbose
 $True { $VerbosePreference = "Continue" ; Write-Output "Script logging is set to verbose." `r }
 $False { $VerbosePreference = "SilentlyContinue" ; Write-Output "Script logging is set to normal logging." `r }
 } ## OPEN Switch Verbose 

Switch ($Debug) 
 { ## OPEN Switch Debug
 $True { $DebugPreference = "Continue" ; Write-Output "Script Debug logging is enabled." `r }
 $False { $DebugPreference = "SilentlyContinue" ; Write-Output "" `r }
 } ## OPEN Switch Debug 

Write-Verbose "Setting default options for script parameters... `r "
Write-Verbose "Setting Password Length to $PasswordLength characters `r "
Write-Verbose "Setting Max Password Age to $MaxPasswordAge days `r "

$DCDSRMPasswordLength = $PasswordLength 
$DateTime = Get-Date #Get date/time
$DCDSRMPassResetThreshold = $DateTime.AddDays(-$MaxPasswordAge) 

Write-Verbose "Check script parameters and based on setting configure proper script options & inform user... `r"

Switch ($ForceUpdate)
 { ## OPEN Switch ComputerType
 $True {Write-Output "Force Update is set to True. DC AD DSRM account passwords will be reset and their local DSRM accounts will be synchronized." `r} 
 $False {Write-Output "Force Update is set to False. Processing will occur normally." `r }
 } ## CLOSE Switch ComputerType

Write-Output "" `r 

###############################
# Set Environmental Variables #
###############################
# COMMON
write-output "Setting environmental variables..." `r
$CurrentComputerName = $env:ComputerName
$Computer = $env:ComputerName
$CurrentUserName = $env:UserName
$CurrentOS = $Env:os
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name #Get AD Domain (lightweight & fast method)
$ADDomain = $DomainDNS 
[Reflection.Assembly]::LoadWithPartialName(“System.Web”)
$TimeVal = get-date -uformat "%Y-%m-%d-%H-%M" 
$LogDir = "C:\temp\Logs\" #Standard location for script logs
$DateTime = Get-Date #Get date/time
$Separator = "#" #Create separation line
$Sepline = $Separator * 75 #Create separation line
[ref]$a = $null # Used for IP Address Validation
IF (!(Test-Path $LogDir)) {new-item -type Directory -path $LogDir} 

# Commonly Used
$HostName = "$Computer.$DomainDNS"

# Script Specific
[int] $2008R2DCCount = 0
[int] $2008DCCount = 0
[int] $2003R2DcCount = 0
[int] $2003DcCount = 0
[int] $2000DcCount = 0
[int] $DomainRODCsCount = 0

# Script Logging
$LogFileName = "UpdateDSRMp-$TimeVal.log"
$ReportName = "DSRMPasswords-$TimeVal.txt" 
$ReportNameCSV = "DSRMPasswordsp-$TimeVal.csv" 
$LogFile = $LogDir + $LogFileName
$ReportFile = $LogDir + $ReportName
$ReportFileCSV = $LogDir + $ReportNameCSV

#Set OU Path Variables
$DSRMOULevel1 = "Accounts"
$DSRMOULevel2 = "Service"
$DSRMOUName = "DCDSRM"
$DSRMOURoot = "OU=$DSRMOULevel2,OU=$DSRMOULevel1"
$DSRMBaseOU = "OU=$DSRMOUName," + $DSRMOURoot

$DSRMAccountOU = $DSRMBaseOU 
$DSRMAccountLDAP = "LDAP://$DSRMAccountOU"
$DSRMAccountADSI = [adsi]"$DSRMAccountLDAP,$ADDomainDistinguishedName"
$DSRMAccountLDAPPath = $DSRMAccountADSI.Path
$DSRMAccountPath1 = "'" + $DSRMAccountPath + "'"

################################################
# Import Active Directory Powershell Elements #
################################################
write-output "Configuring Powershell environment..." `r
Write-Verbose "Importing Active Directory Powershell module `r"
import-module ActiveDirectory

##################
# Start Logging #
##################
# Log all configuration changes shown on the screen during run-time in a transcript file. This
# inforamtion can be used for troubleshooting if necessary
Write-Verbose "Start Logging `r"
write-output "" `r
Start-Transcript $LogFile -force
write-output "" `r

## Process Start Time
$ProcessStartTime = Get-Date
write-output "" `r
write-output "Script initialized by $CurrentUserName and started processing at $ProcessStartTime" `r
write-output "" `r

#############################################
# Get Active Directory Forest & Domain Info #
#############################################

# Get Forest Info
write-output "Gathering Active Directory Forest Information..."
Write-Verbose "Performing Get-ADForest powershell command `r"
$ADForest = Get-ADForest

$ADForestApplicationPartitions = $ADForest.ApplicationPartitions
$ADForestCrossForestReferences = $ADForest.CrossForestReferences
$ADForestDomainNamingMaster = $ADForest.DomainNamingMaster
$ADForestDomains = $ADForest.Domains
$ADForestForestMode = $ADForest.ForestMode
$ADForestGlobalCatalogs = $ADForest.GlobalCatalogs
$ADForestName = $ADForest.Name
$ADForestPartitionsContainer = $ADForest.PartitionsContainer
$ADForestRootDomain = $ADForest.RootDomain
$ADForestSchemaMaster = $ADForest.SchemaMaster
$ADForestSites = $ADForest.Sites
$ADForestSPNSuffixes = $ADForest.SPNSuffixes
$ADForestUPNSuffixes = $ADForest.UPNSuffixes

# Get Domain Info
write-output "Gathering Active Directory Domain Information..." `r
Write-Verbose "Performing Get-ADDomain powershell command `r"
$ADInfo = Get-ADDomain

$ADDomainAllowedDNSSuffixes = $ADInfo.ADDomainAllowedDNSSuffixes
$ADDomainChildDomains = $ADInfo.ChildDomains
$ADDomainUsersContainer = $ADInfo.UsersContainer
$ADDomainDeletedObjectsContainer = $ADInfo.DeletedObjectsContainer
$ADDomainDistinguishedName = $ADInfo.DistinguishedName
$ADDomainDNSRoot = $ADInfo.DNSRoot
$ADDomainDomainControllersContainer = $ADInfo.DomainControllersContainer
$ADDomainDomainMode = $ADInfo.DomainMode
$ADDomainDomainSID = $ADInfo.DomainSID
$ADDomainForeignSecurityPrincipalsContainer = $ADInfo.ForeignSecurityPrincipalsContainer
$ADDomainForest = $ADInfo.Forest
$ADDomainInfrastructureMaster = $ADInfo.InfrastructureMaster
$ADDomainLastLogonReplicationInterval = $ADInfo.LastLogonReplicationInterval
$ADDomainLinkedGroupPolicyObjects = $ADInfo.LinkedGroupPolicyObjects
$ADDomainLostAndFoundContainer = $ADInfo.LostAndFoundContainer
$ADDomainName = $ADInfo.Name
$ADDomainNetBIOSName = $ADInfo.NetBIOSName
$ADDomainObjectClass = $ADInfo.ObjectClass
$ADDomainObjectGUID = $ADInfo.ObjectGUID
$ADDomainParentDomain = $ADInfo.ParentDomain
$ADDomainPDCEmulator = $ADInfo.PDCEmulator
$ADDomainQuotasContainer = $ADInfo.QuotasContainer
$ADDomainReadOnlyReplicaDirectoryServers = $ADInfo.ReadOnlyReplicaDirectoryServers
$ADDomainReplicaDirectoryServers = $ADInfo.ReplicaDirectoryServers
$ADDomainRIDMaster = $ADInfo.RIDMaster
$ADDomainSubordinateReferences = $ADInfo.SubordinateReferences
$ADDomainSystemsContainer = $ADInfo.SystemsContainer
$ADDomainUsersContainer = $ADInfo.UsersContainer

# Display gathered Active Directory Forest & Domain Information 
Write-Verbose "Displaying data gathered from Get-ADForest and Get-ADDomain `r"

write-output "Displaying gathered Active Directory Information..." `r
write-output ""`r
write-output $SepLine `r
write-output "Active Directory Forest Name : $ADForestName" `r
IF (!$ADForestDomains) {write-output "Active Directory Forest Domains : [No Child Domains Found]" `r} 
ELSE {write-output "Active Directory Forest Domains : $ADForestDomains" `r}
write-output "Active Directory Forest Mode : $ADForestForestMode" `r
write-output "------------------------------------------------------" `r
write-output "Active Directory Domain Name : $ADDomainName" `r 
write-output "Active Directory Domain Mode : $ADDomainDomainMode" `r 
write-output "------------------------------------------------------" `r
write-output "FSMO: AD Domain Naming Master : $ADForestDomainNamingMaster" `r 
write-output "FSMO: AD Domain Schema Master : $ADForestSchemaMaster" `r 
write-output "FSMO: AD Domain PDC Master : $ADDomainPDCEmulator" `r 
write-output "FSMO: AD Domain RID Master : $ADDomainRIDMaster" `r 
write-output "FSMO: AD Domain Infrastructure Master : $ADDomainInfrastructureMaster" `r 
write-output $Sepline `r
write-output ""`r

$DomainDNS = $ADDomainDNSRoot

####################################
# Get Active Directory Information #
#################################### 

### DOMAIN DC DISCOVERY ###
# Discover Domain Controllers in AD
[array]$DomainControllers = $ADDomainReadOnlyReplicaDirectoryServers 
[array]$DomainControllers += $ADDomainReplicaDirectoryServers
$DomainControllers = $DomainControllers -Replace(".$DomainDNS","")

$DomainControllers = $DomainControllers | Get-Unique
$DomainControllers = $DomainControllers | Sort-Object

$DomainControllersCount = $DomainControllers.Count

Write-Output "Processing the following $DomainControllersCount Domain Controllers in $DOmainDNS ... `r " 

# Get DC Operating System Versions
Write-Verbose "Discovering all 2008 R2 DCs in the domain $DomainDNS ... `r "
[array] $2008R2Dcs = Get-ADDomainController -Filter { OperatingSystem -like "Windows Server 2008 R2*" }

ForEach ($DC in $2008R2Dcs)
 { ## OPEN ForEach DC in 2008Dcs
 [array] $Domain2008R2DCs += $DC.Name
 } ## CLOSE ForEach DC in 2008Dcs

$2008R2DCCount = $Domain2008R2DCs.Count
$Domain2008R2DCs = $Domain2008R2DCs | sort
Write-Verbose "Found $2008R2DCCount DCs in $DomainDNS." `r

Write-Verbose "Discovering all 2008 DCs in the domain $DomainDNS ... `r "
[array] $2008Dcs = Get-ADDomainController -Filter { (OperatingSystem -like "Windows Server 2008*") -and (OperatingSystem -notlike "Windows Server 2008 R2*") }

ForEach ($DC in $2008Dcs)
 { ## OPEN ForEach DC in 2008Dcs
 [array] $Domain2008DCs += $DC.Name
 } ## CLOSE ForEach DC in 2008Dcs

$2008DCCount = $Domain2008DCs.Count
$Domain2008DCs = $Domain2008DCs | sort
Write-Verbose "Found $2008DCCount 2008 DCs in $DomainDNS. `r "

Write-Verbose "Discovering all 2003 R2 DCs in the domain $DomainDNS ... `r "
[array] $2003R2DCsInSiteArray = Get-ADDomainController -Filter { (OperatingSystem -like "Windows Server 2003 R2*") }
ForEach ($DC in $2003R2DCsInSiteArray)
 { ## OPEN ForEach DC in 2003DCsInSiteArray
 [array] $Domain2003R2DCs += $DC.Name
 } ## CLOSE ForEach DC in 2003DCsInSiteArray

$2003R2DcCount = $Domain2003R2DCs.Count
$Domain2003R2DCs = $Domain2003R2DCs | sort
Write-Verbose "Found $2003DcCount 2003 DCs in $DomainDNS. `r "

Write-Verbose "Discovering all 2003 DCs in the domain $DomainDNS ... `r "
[array] $2003DCsInSiteArray = Get-ADDomainController -Filter { (OperatingSystem -like "Windows Server 2003*") -and (OperatingSystem -notlike "Windows Server 2003 R2*") }
ForEach ($DC in $2003DCsInSiteArray)
 { ## OPEN ForEach DC in 2003DCsInSiteArray
 [array] $Domain2003DCs += $DC.Name
 } ## CLOSE ForEach DC in 2003DCsInSiteArray

$2003DcCount = $Domain2003DCs.Count
$Domain2003DCs = $Domain2003DCs | sort
Write-Verbose "Found $2003DcCount 2003 DCs in $DomainDNS. `r "

Write-Verbose "Discovering all 2000 DCs in the domain $DomainDNS ... `r "
[array] $2000DCsInSiteArray = Get-ADDomainController -Filter { OperatingSystem -like "Windows 2000 Server*"}
ForEach ($DC in $2000DCsInSiteArray)
 { ## OPEN ForEach DC in 2000DCsInSiteArray
 [array] $Domain2000DCs += $DC.Name
 } ## CLOSE ForEach DC in 2000DCsInSiteArray

$2000DcCount = $Domain2000DCs.Count
$Domain2000DCs = $Domain2000DCs | sort
Write-Verbose "Found $2000DcCount 2000 DCs in $DomainDNS. `r "

write-output "Out of the $DomainControllersCount DCs in $DomainDNS: `r "
Write-Output "$DomainRODCsCount are RODCs & $DomainWritableDCsCount are writable DCs `r "
write-output "$2008R2DCCount are running Windows Server 2008 R2 `r "
write-output "$2008DCCount are running Windows Server 2008 `r "
write-output "$2003R2DcCount are running Windows Server 2003 R2 `r "
write-output "$2003DcCount are running Windows Server 2003 `r "
write-output "$2000DcCount are running Windows 2000 Server `r "

Write-Output "Building list of Windows 2008 DCs for updating `r "
$Domain2008DCsName = $Domain2008DCs + $Domain2008R2DCs 

# Set DSRM Account Path
$DSRMAccountPATH = $DSRMBaseOU +","+ $ADDomainDistinguishedName
Write-Verbose "DSRM Account path set to $DSRMAccountPATH `r "

######################
# Build Report Data #
######################

$ADReportData = 
@"

=========================================

ACTIVE DIRECTORY DSRM List
-------------------------------------
Report Generated on $DateTime by $CurrentUserName

Active Directory Forest: $ADForestName
Active Directory Domains: $ADForestDomains
Forest Functional Mode: $ADSchemaVersion

"@

################
# Check OU Path #
################
Write-Host "Checking to see if the target OU structure $DSRMAccountPATH exists..." `r
$ParentOUPath = $DSRMOURoot +","+ $ADDomainDistinguishedName
$DSRMBase1 = "OU=$DSRMOULevel1," + $ADDomainDistinguishedName

$DSRMOUCheck = test-path "AD:$DSRMAccountPATH"

IF ($DSRMOUCheck -eq $False)
 { ## OPEN IF DSRM OU doesn't exist
 Write-Host "OU structure $DSRMAccountPATH does not exist." `r
 Write-Host "Creating the OU structure for $DSRMAccountPATH ..." `r 
 New-ADOrganizationalUnit -Name $DSRMOULevel1 -Path $ADDomainDistinguishedName -ErrorAction SilentlyContinue
 New-ADOrganizationalUnit -Name $DSRMOULevel2 -Path $DSRMBase1 -ErrorAction SilentlyContinue
 New-ADOrganizationalUnit -Name $DSRMOUNAME -Path $ParentOUPath -ErrorAction SilentlyContinue
 } ## CLOSE IF DSRM OU doesn't exist
 ELSE
 { ## OPEN IF DSRM OU exists
 Write-Host "OU structure $DSRMAccountPATH does exist. Continuing..." `r
 } ## OPEN IF DSRM OU exists

$DSRMAccounts = Get-ADUser -Filter * -SearchBase $DSRMAccountPATH -Properties sAMAccountName,lastlogontimestamp -ErrorAction SilentlyContinue

#######################################
# Update AD DSRM Accounts & Passwords #
#######################################

$DSRMDescription = "This is a DC Service Account that is Disabled and is still being used. DO NOT DELETE. DO NOT MODIFY. POC: AD Team"
$DSRMUpdateRequired = $FALSE 
[array]$DCDSRMUpdateList = @()

write-host "Identifying Missing AD DSRM Accounts..." `r
ForEach ($DC in $Domain2008DCsName)
 { ## OPEN ForEACH - Read DC from $DomainControllers
 # Set the AD DSRM User Account naming template 
 $DSRMName = $DC + $DSRMOUName
 # IF there is not an AD DSRM account, create it
 TRY
 { ## OPEN TRY Check for Existing DSRM Account
 $DSRMAccountCheck = Get-ADUser $DSRMName -Properties PasswordLastSet -ErrorAction SilentlyContinue
 } ## CLOSE TRY Check for Existing DSRM Account

 CATCH
 { ## OPEN CATCH there is no Existing DSRM Account
 Write-Verbose "The account $DSRMName was not found in $DomainDNS `r "
 } ## CLOSE CATCH there is no Existing DSRM Account

 IF (!$DSRMAccountCheck)
 { ## OPEN IF - If there is not an existing account, create it 
 # Generate a random password $DCDSRMPasswordLength characters in length
 write-host "Generating $DCDSRMPasswordLength Character Random Password for AD DSRM Account..." `r
 $DSRMPass = [System.Web.Security.Membership]::GeneratePassword($DCDSRMPasswordLength,2)
 $DSRMPassword = ConvertTo-SecureString -AsPlainText $DSRMPass -Force
 # Create the AD DSRM User Accounts 
 write-host "There is no existing account for $DC ..." `r
 write-host "Creating new AD DSRM Account called $DSRMName for $DC ..." `r
 New-ADUser –name "$DSRMName" -SamAccountName "$DSRMName" -Path "$DSRMAccountPath" -DisplayName "$DSRMName" `
 -Description "$DSRMDescription" -Title "AD DC Service Account. DO NOT MODIFY." -Enabled $False -AccountPassword $DSRMPassword `
 -CannotChangePassword $True -PasswordNeverExpires $False
 ## -ChangePasswordAtLogon $False 
 $DSRMUpdateRequired = $TRUE
 write-host "Logging account information for $DC ..." `r
 $ADReportData += 
@"
 DC: $DC, Username: $DSRMName, Password: $DSRMPass

"@
 } ## CLOSE IF - If there is not an existing account, create it 
 ELSE 
 { ## OPEN ELSE IF the account already exists
 write-host "Account $DSRMName for $DC already exists. Checking Password Age to determine if update is required (ForceUpdate over-rides password age check)..." `r 
 # IF the account already exists & the password is older than $MaxPasswordAge days or ForceUpdate is Enabled, update the password 
 $DSRMPasswordLastSet = $DSRMAccountCheck.PasswordLastSet
 IF ( ($DSRMPasswordLastSet -le $DCDSRMPassResetThreshold) -or ($ForceUpdate -eq $True) ) 
 { ## OPEN IF - Only change the account password if it is older than $MaxPasswordAge days 
 # For accounts with passwords older than $MaxPasswordAge days, update the password
 # Generate a random password $DCDSRMPasswordLength characters in length
 write-host "Generating $DCDSRMPasswordLength Character Random Password for AD DSRM Account..." `r
 $DSRMPass = [System.Web.Security.Membership]::GeneratePassword($DCDSRMPasswordLength,2)
 $DSRMPassword = ConvertTo-SecureString -AsPlainText $DSRMPass -Force
 write-host "Password for account $DSRMName for $DC last changed on $DSRMPasswordLastSet which is older than $MaxPasswordAge days. Updating Password now..." `r
 Set-ADAccountPassword -Identity $DSRMName -Reset -NewPassword $DSRMPassword
 $DCDSRMUpdateList += $DC
 $DSRMUpdateRequired = $TRUE
 write-host "Logging account information for $DC ..." `r
 $ADReportData += 
@"
 DC: $DC, Username: $DSRMName, Password: $DSRMPass

"@
 } ## CLOSE IF - Only change the account password if it is older than 60 days 
 write-host "Password for account $DSRMName for $DC last changed on $DSRMPasswordLastSet which is less than $MaxPasswordAge days. Continuing..." `r 
 } ## CLOSE ELSE IF the account already exists

 } ## CLOSE ForEACH - Read DC from $DomainControllers

##################################################
# Connect to each DC to Update the DSRM Password #
##################################################
 write-host "Connecting to each DC to update DSRM passwords..." `r
 write-host ""

# This method only works if Powershell remoting is enabled...
#
# This component will connect to every DC in the $DCs list one by one and get #
# information from each DC. This is the block that does most of the work. #

 IF ($DSRMUpdateRequired -eq $TRUE) 
 { ## OPEN IF - Only have DCs pull DSRM password update if something has changed 
 write-host "Connecting to each DC to initiate synchronization of DSRM passwords..." `r
 write-host #SepLine

 IF ($ForceUpdate -Eq "True") { $DCDSRMUpdateList = $Domain2008DCsName }

 ForEach ($DC in $DCDSRMUpdateList) 
 { ## OPEN ForEach Loop every DC with a recent password update to update DSRMp

 TRY
 { $WinRMServiceCheck = Get-Service -name "WinRM" -ComputerName $DC }
 CATCH
 { Write-Output "WinRM service does not exist on $DC." `r}

 IF ($WinRMServiceCheck.Status -eq "Running")
 { ## OPEN IF - Check if WinRM service is running, if so, continue

 $ADDSRM = $ADDomainName +"\"+$DC + $DSRMOUName 
 $DCHostName = "$DC.$DomainDNS"

 #########################################
 # Update the DC's DSRM Password from AD #
 ######################################### 
 write-host "Connecting via Powershell to Remote Server: $DCHostName ..." `r
 $RemoteCommand = 'invoke-command -computer ' + $DC + ' -scriptblock { NTDSUTIL "SET DSRM PASSWORD" "SYNC FROM DOMAIN ACCOUNT ' + $ADDSRM + '" Q Q } ' 

 # Invoke-expression $RemoteCommand1 
 $NTDSResult = Invoke-expression $RemoteCommand
 write-host "Remote command sent..." `r
 write-host "" `r
 IF ($NTDSResult)
 { ## OPEN IF Command did run
 IF ($NTDSResult[2] -eq "Password has been synchronized successfully.")
 { ## OPEN IF - Command was successful
 Write-host "The DSRM Password for $DCHostName has been synchronized successfully." `r 
 } ## CLOSE IF - Command was successful
 ELSE { Write-host "An error occured and the DSRM Password has not been updated on $DCHostName." `r }
 } ## CLOSE IF Command did run
 write-host "" `r
 write-host "" `r 
 ###################################
 # Close Remote Powershell Session #
 ################################### 

 } ## CLOSE IF - Check if WinRM service is running, if so, continue
 ELSE 
 { ## OPEN ELSE - If WinRM service is not running
 Write-WARNING "$DC does not have the WinRM service enabled and running. Powershell Remoting is not possible. Run 'Enable-PSRemoting -Force' on the server." 
 } ## CLOSE ELSE - If WinRM service is not running 
 } ## CLOSE ForEach Loop every DC to update DSRMp
} ## CLOSE IF - Only have DCs pull DSRM password update if something has changed 

######################################
# Write the Data to the Report File #
######################################
write-host "Writing DSRM Report..." `r
$ADReportData | out-file $ReportFile

#################
# Stop Logging #
#################

#Stop logging the configuration changes in a transript file
Stop-Transcript

Write-output "Review the logfile $LogFile for script operation information." `r

 

 

Google+FacebookEmailPrintShare
Posted in Deployment, Favorite, Microsoft Products, Powershell Code, Tech - Tagged , , , , , , , , , , ,

PowerShell Implicit Remoting over the Internet

Oct13
2011 Leave a Comment Written by Sean Metcalf

Mike Pfeiffer has a great post on implicit remoting of Exchange modules across the Internet via ISA/TMG publishing.

From the start of his post:

This post is inspired by a question asked during my presentation at the last Arizona PowerShell User Group (AZPOSH) meeting. After I demonstrated Exchange management via PowerShell implicit remoting, one of our members said, “Ok, so how do I do that over the internet?”. Due to time constraints, I didn’t go into it the process in great detail, so I’ve decided to do that here, in this post. To demonstrate this configuration, I’ll use a basic topology with a single Exchange 2010 server running the core roles (hub, cas, mailbox). I will be publishing the PowerShell virtual directory to the internet via HTTPS using Forefront Threat Management Gateway (TMG), as shown in the diagram below.

The key to this is configuring /powershell/ publishing via TMG…

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Tech - Tagged , , , ,

Powershell Code: Determine LastLogonTimeStamp Replication Time

Sep16
2011 Leave a Comment Written by Sean Metcalf

It seems that I have been asked to provide a lot of user (& computer) logon information over the past few months. In order to provide this information, I (as others have) leveraged the LastLogonTimeStamp attribute to determine when a user (or computer) logged on last. Assuming you have a Windows 2003 forest mode Active Directory environment, this attribute is available for use. Prior to Windows 2003, the LastLogon attribute which is updated on the local authenticating DC could be queried to get this information with the caveat that it is not replicated. This means that one would have to query the LastLogon attribute for a user(s) on every Domain Controller in the domain to determine the actual last logon date & time.

Detailed information on the LastLogonTimeStamp attribute (Microsoft DS Team Blog)

According to the information on the blog, the LastLogonTimeStamp attribute was never meant to provide accurate logon information given that the attribute’s contents are behind by about 9-14 days.
NOTE: The default replication setting for this attribute is 14 days with a random replication skew of a percent of 5 days. However, if the replication value is set to 5 or less, no randomization is performed.

Furthermore, according to the blog entry:

The lastLogontimeStamp attribute is not updated with all logon types or at every logon. The good news is that the logon types that admins usually care about will update the attribute and often enough to accomplish its task of identifying inactive accounts.
Interactive and Network logons will update the lastLogontimeStamp.

At least one of my customer’s has changed the default value for ms-DS-Logon-Time-Sync-Interval which determines how frequently the LastLogonTimeStamp is replicated. I wanted to easily identify what the modified value is set to so I can provide information in the user logon script to state how accurate the information is. Obviously with the default being 14, the data in the attribute could be two weeks old.

I did quite a bit of research on the ms-DS-Logon-Time-Sync-Interval (displayname msDS-LogonTimeSyncInterval) and discovered that ms-DS-Logon-Time-Sync-Interval is an attribute of the naming context and has a value of “not set” by default (which enforces the default 14 days). Querying this attribute using the PowerShell commandlet Get-ADObject does not show the attribute listed for the naming context. However, when I manually set the value to a number, it shows up.

Changing the ms-DS-Logon-Time-Sync-Interval value is actually quite simple.

  1. Open ADSI Edit
  2. Right-Click on the domain DN (DC=domain,DC=com) under Default naming context and select Properties.
  3. Under Attribute Editor, scroll down to the msDS-LogonTimeSyncInterval attribute and Click Edit.
  4. Enter a value from 1 to 100,000 (280 years, max set in AD code) and Click OK.
  5. Click OK

NOTE: Entering a value of 0 for ms-DS-Logon-Time-Sync-Interval disables replication of the LastLogonTimeStamp attribute.

Use Repadmin to get the LastLogonTimeStamp value on all DCs for a specific user:

repadmin /showattr * (DN of the target user) /attrs:lastLogontimeStamp > lastLogontimeStamp.txt

I put together the following code to get the value for ms-DS-Logon-Time-Sync-Interval:

Import-Module ActiveDirectory

# Get Domain Info
write-output “Gathering Active Directory Domain Information… `r”
Write-Verbose “Performing Get-ADDomain powershell command `r”
$ADDomainInfo = Get-ADDomain

$ADDomainDistinguishedName = $ADDomainInfo.DistinguishedName

$DirectoryServicesNamingContext = Get-ADObject -Identity “$ADDomainDistinguishedName” -Properties *

$LLTReplicationValue = $DirectoryServicesNamingContext.”msDS-LogonTimeSyncInterval”

IF ($LLTReplicationValue -ge 1)
    { Write-Output “The msDS-LogonTimeSyncInterval attribute value on $DomainDNS was changed from the default value of 14 to $LLTReplicationValue which means the LastLogonTimeStamp attribute will replication about every $LLTReplicationValue days `r ” }
 ELSE
    { Write-Output “The msDS-LogonTimeSyncInterval attribute value on $DomainDNS is configured with the default value of 14 (value is blank) `r ” }

When constructing a Powershell query for inactive users, I also check the PasswordLastSet value. As long as the LastLogonTimeStamp date is older than my threshold (say 365 days) AND the PasswordLastSet date is older than the domain required password, then I can be fairly certain the user is inactive.

Note that using the Powershell AD commandlets, there are additional automatically generated attributes that are most useful. One of these is the LastLogonDate which is the full date and time of the last logon instead of the Integer8 (64bit integer value) representation in the LastLogonTimeStamp attribute. The LastLogonTimeStamp value represents the number of 100-nanosecond intervals that occurred from January 1, 1601 until the time of user logon.  Before the Powershell commandlet, one would have to convert this number to the date/time format with which we are more familiar.

 Addtional information on LastLogon & LastLogonTimeStamp

 

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Powershell Code, Tech - Tagged , , ,

Password Strength

Aug16
2011 Leave a Comment Written by Sean Metcalf

Great comic on Password Strength posted by XKCD.

Each character added to the password makes the password exponentially difficult to guess REGARDLESS of mixed case & symbol usage.  This is why a password of “I don’t know what to eat today!” (31 characters) is virtually uncrackable, especially compared to what most people (many of them security people) recommend as a good complex password (example: “N0#P@1n!” or even “$Fh&Ih7#” – 8 characters).

Since Windows and Active Directory allows a large variety of characters in passwords (including spaces), I usually recommend password sentences to customers versus the old recommendation of 3 out of 4 complexity + 8 characters. Password sentences are much easier to remember and since the length is frequently over 15 characters, are well-protected against brute-force password attacks.

XKCD Comic Password strength

Google+FacebookEmailPrintShare
Tagged , , ,

Powershell Code: Create a Random Password

Aug16
2011 Leave a Comment Written by Sean Metcalf

There are plenty of instances where it is necessary to create a long, complex, random passwords automatically. I discovered the following method for doing just this. I use the following code to create random passwords for updating DSRM passwords.

Code snippet follows:

[Reflection.Assembly]::LoadWithPartialName(“System.Web”)

# Generate a random password 30 characters in length
    $RandPassLength = [int] 30
    write-host “Generating $RandPassLength Character Random Password…” `r
  $Pass=` [System.Web.Security.Membership]::GeneratePassword($RandPassLength,2)

If necessary, you can also convert to SecureString:

$Password = ConvertTo-SecureString` -AsPlainText  $Pass -Force

Google+FacebookEmailPrintShare
Posted in Deployment, Microsoft Products, Powershell Code - Tagged , , ,
« Older Entries
Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog do not represent the views of Metcorp Consulting, LLC or its partners. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2012