Wednesday, April 18, 2018

How to find all AD Users with a specidfic profilepath or homeDirectory

If you try to search for a specific homeDirectory or profilepath that are assigned to users, you have to filter on this path.

Therefore, let´s assume you have a DFS share named \\\DFSShare\User and in this share you have all homeDirectories. To find all users using this path you could expect that you can use a query like this:
Get-ADUser -Filter "homedirectory -like '\\\DFSShare\User*'" -Properties homedirectory | select samaccountname, homedirectory

If you run this line, the output will be empty, even if some users using this share as homeDirectory.

Why? A network path has backslashes and a backslash „\” is a special character. Therefore, if you filter on those paths, you have to replace every \ with \5c.

For more information check out the following MS article:

If we do that our PowerShell query looks like this:
Get-ADUser -Filter "homedirectory -like '\5c\\5cDFSShare\5cUser*'" -Properties homedirectory | select samaccountname, homedirectory

Now we see all users that have a homeDirectory located in \\\DFSShare\User

Thursday, April 5, 2018

Syncing NPS Settings between two servers

If you want to be redundant, you need a second server running NPS with all the settings you need to handle requests of your Radius Clients. Network devices typically allow you to specify multiple Radius Servers in their configuration using a shell or web interface. If you have two servers, you have to define a "Master Radius Server", so you can use this server to do all configuration changes and these changes have to be imported to a second server. You can sync your NPS configuration, manually via GUI or using a PowerShell script that running in a schedule task. Find attached a picture that show this process.

The following script could be used to sync your NPS configuration between two servers. This path C:\admin\NPS\Backup\ must be available on both servers. Just create them or add it to the sript.

# Get date
$date = get-date -Format yyyy_MM_dd
# Export NPS config
Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig_$date.xml
Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig.xml
# Destination Server
$NPSDestServer = "SecondRadius"
# Copy config to destination server
Copy-Item -path C:\admin\NPS\Backup\NPSConfig.xml -destination \\$NPSDestServer\C$\admin\NPS\NPSConfig.xml
# Export current config
Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {Export-NPSConfiguration -Path C:\admin\NPS\BackupNPSConfig.xml}
# Import new config
Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {Import-NPSConfiguration -Path C:\admin\NPS\NPSConfig.xml}

Just copy this script to your Master Radius, change $NPSDestServer = "SecondRadius" to match to your second NPS server name and create a schedule task that execute this script.

Monday, March 26, 2018

Monday, March 19, 2018

Can Certificate Transparency affect your Active Directory CA?

Certificate Transparency
So first of all what is Certificate Transparency (CT)? With CT, all HTTPS certificates are logged into public log servers, and clients refuse to honour certificates that are not present in at least a subset of trusted logs. These logs provide a record of certificates that are issued and would help identify certificates that aren’t issued. Google pushing this topic and we all know how it influence the IT Business. It will enforce CT in Google Chrome on end of April of 2018 for certificates issued after the first April of 2018.

I just want to make it clear it only affects HTTPS certificates. For other purposes like SMIME, Smartcard Logon, Code Signing and so on are not affected. If you think of you even don’t see those certificates in Chrome. So let‘s get back to the topic. So the common scenarios would be an internal (private) CA and the second if you are chain certificates to public Root.

Internal CA
If you have a internal/private CA within your Environment, that does not chain up to a public root, CT will not affect your CA.  Google Chrome uses Windows native CAPI to determine trusted chains and know what is internal.

CA with Certificates chain to public Root
If a CA chains up to a public root and you issue HTTPS certificates, CT may affect your CA. In this case you should contact your Services Provider.

Friday, March 16, 2018

Find and delete unlinked (orphaned) GPOs with PowerShell

Just check out my new post "Find and delete unlinked (orphaned) GPOs with PowerShell" on!

How a new client find its Domain Controller

In my new post, I want to show you how a new Windows Client locate its Domain Controller. Find attached a picture, I draw some time ago, yea just with paint ^^. I think it´s a nice overview about this process.

So you see in the first step anything happening in a zone called _msdcs. Maybe some of you asking yourself, what is this _msdcs subdomain? I will try to explain it to you a little bit more… An Active Directory forest have a subdomain beneath them called _msdcs. This subdomain is unique and used for the registration of specific Microsoft DNS services records. Why? Microsoft is not the only company who developed Directory Services using LDAP. Therefore, with _msdcs Microsoft can specifically bind a client to its LDAP Servers / Domain Controllers.

Tuesday, March 13, 2018

Active Directory PowerShell cmdlet query is timing out

If you expect your PowerShell query to return an exceptionally large results set that might take longer than 2 minutes to retrieve. You can increase the OperationTimeout on your target DC by performing the following steps:

Login to the target DC

Browse to "%Windir%\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config" and edit it
Increase the "OperationTimeout" parameter value based on your needs. The default value is 2 minutes.

After that restart ADWS using the following PowerShell commands
Stop-Service ADWS
Start-Service ADWS