Friday, July 13, 2018

PowerShell: Get Files on your SYSVOL that are greater than 1 MB


you can use the following script, to get files on your SYSVOL that are greater than 1 MB and save the output to CSV and XLSX. ADM Files will be excluded.

Download my script on SPICEWORKS

Have a nice day.


Tuesday, July 10, 2018

lastLogon vs lastLogonTimestamp vs lastLogonDate - explained

Today I want to write about this "last Logon attributes"... This could be a little bit confusing if you check it on the internet. So with my post I will try to explain it easily.

The lastLogon is only updated on the Domain Controller where login has actually happened and it wouldn´t be replicated. It´s being updated each time after each interactive logon. 
An interactive logon to a computer can be performed either locally, when the user has direct physical access, or remotely, through Terminal Services, in which case the logon is further qualified as remote interactive.

Summary: lastLogon is only updated on the DC  where an interactive login has actually happened. So it wouldn´t be replicated.

The lastLogonTimestamp is replicated to all Domain Controllers in your AD Forest. It´s being updated after certain interval, default value is 14 days - a random percentage of 5 to save on a replication traffic. The attribute to define this value is named "ms-DS-Logon-Time-Sync-Interval" and could be found in the Properties default naming context. If this value isn´t set its using the default value 14.
The update could be triggered by Interactive, Network, Batch and Service logons.
A Network logon occurs when you access remote file shares or printers. Also, most logons to IIS are classified as network logons.
Service logon is used for services and accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.
Batch logon is used for scheduled tasks. When the Task Scheduler service starts a scheduled task, it first creates a new logon session for the task, so that it can run in the security context of the account that was specified when the task was created

Summary: lastLogonTimestamp is replicated on all DCs every 14 days - random of 5%, with an interactive logon, network and simple bind logons. This value should be used to find stale accounts.

It’s a locally calculated value of the LastLogontimestamp attribute used by PowerShell. It gives us the ability to query the LastLogontimestamp with a common date format!

How to get stale accounts?
So if you want to identify stale accounts on the domain I would recommend to use Powershell using LastLogonDate. You get Interactive, Network, and Service logons and you have a human friendly date format. Find attached two queries to find user or computer accounts where lastLogonDate is older than 90 days.

$90daysAgo = (Get-Date).AddDays(-90)
Get-ADUser -Property Name,lastLogonDate -Filter {lastLogonDate -lt $90daysAgo} | Select Name,lastLogonDate | Sort-Object -Property Name

$90daysAgo = (Get-Date).AddDays(-90)
Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $90daysAgo} | Select Name,lastLogonDate | Sort-Object -Property Name

Thursday, June 28, 2018

Task Scheduler - Repeat a task on a custom interval that is not selectable

In Windows Server 2008 and above you can set task to repeat on whatever you want. The corresponding drop down menu just present 5,10,15,30 minutes and 1 hour, but you can type in any number of hours or minutes you want to use.

There are some limitations you should know.

You can enter 2 hours, but not 2.5 hours. If you want to run a task every 2.5 hours, you have to enter the amount of minutes. Therefore, this would be 2.5 x 60 = 150 minutes.

Wednesday, June 20, 2018

PowerShell Get and copy LAPS generated Admin password to clipboard

My new script just get the Administrator password generated by LAPS and save it to clipboard.
You just have to enter the computer name.
The password will be shown in your PS Console and copied to your clipboard.

Monday, June 18, 2018

Sunday, May 27, 2018

"CredSSP encryption oracle remediation” error when connect via RDP


Updates which switches a flag to protect against the CredSSP attack.

Operating system, RollUp, Update
Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1, KB4103718 (Monthly Rollup) KB4103712 (Security-only update)
Windows Server 2012, KB4103730 (Monthly Rollup), KB4103726 (Security-only update)
Windows 8.1 / Windows Sever 2012 R2, KB4103725 (Monthly Rollup), KB4103715 (Security-only update)
Windows 10 Version 1607 / Windows Server 2016, KB4103723
Windows 10 Version 1703, KB4103731
Windows 10 1709, KB4103727


To resolve this issue, the May updates including this patch have to be installed on all Servers and Clients!


If you can´t do this you can apply the following workaround.
Note: After you change the following setting, an unsecure connection is allowed that will expose the remote server to attacks.

Updated clients cannot communicate with non-updated servers
If you installed the May Updates on your DC you can apply a GPO to set these settings.
GPO Path
Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation
Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

or apply the following Regkey
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters] "AllowEncryptionOracle"=dword:00000002

Non-updated clients cannot communicate with patched servers
GPO Path
Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation
Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

or apply the following Regkey
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters] "AllowEncryptionOracle"=dword:00000002

Monday, May 14, 2018

How to find largest files using Powershell

If your hard drive is running out of space, you need to know which files causing this issue!
To establish this we will use Get-ChildItem.
Use the following command to get the top three files.
Get-ChildItem -r| sort -descending -property length | select -first 3 name, Length

The Length will be displayed in Bytes, if you have large files it´s better to display it in Mega Bytes, so let´s calculate the responding property length into MB.
Get-ChildItem -r|sort -descending -property length | select -first 3 name, @{Name="Megabytes";Expression={[Math]::round($_.length / 1MB, 2)}}

Now we get all files, where are these files located? Just select DirectoryName as well, to get it.
Get-ChildItem -r|sort -descending -property length | select -first 3 name, DirectoryName, @{Name="Megabytes";Expression={[Math]::round($_.length / 1MB, 2)}}