Want a free, 90-page intro to PowerShell?
Here you go - Chapter 1 of the PowerShell Cookbook:
http://cdn.oreilly.com/oreilly/booksamplers/9781449320683_sampler.pdf
Monday, March 26, 2018
Monday, March 19, 2018
Can Certificate Transparency affect your Active Directory CA?
Certificate Transparency
So first of all, what is Certificate Transparency (CT)? With CT, every publicly trusted HTTPS certificate is submitted to public, append-only log servers, and clients refuse to honour a certificate that does not come with signed proofs of logging (SCTs) from a required number of trusted logs. These logs provide a record of which certificates were issued, and they help domain owners spot certificates that were mis-issued or issued without their knowledge. Google is pushing this topic, and we all know how much Google influences the IT business: Google Chrome will enforce CT for all publicly trusted HTTPS certificates issued after 30 April 2018.
To be clear, this only affects HTTPS (TLS server) certificates. Certificates for other purposes such as S/MIME, smart card logon or code signing are not affected; Chrome never even sees those. So let's get back to the topic. The two common scenarios are an internal (private) CA and a CA whose certificates chain up to a public root.
Internal CA
If you have an internal/private CA in your environment that does not chain up to a public root, CT will not affect your CA. Chrome on Windows uses the native Windows certificate verifier (CAPI) to build the chain, and it only enforces CT for chains that end in a publicly trusted root. Roots that were added locally, for example via Group Policy or the Enterprise Trust store, count as private, so no SCTs are expected for certificates issued under them.
CA with Certificates chain to public Root
If your CA chains up to a public root (for example a subordinate CA certificate bought from a public provider) and you issue HTTPS certificates from it, CT may affect your CA: Chrome will expect SCTs for every leaf certificate that chains to that public root, and certificates without them will be rejected. In this case you should contact your service provider and clarify how certificates issued by your subordinate CA get logged, i.e. whether the SCTs are embedded in the certificate at issuance, delivered in the TLS handshake extension or stapled via OCSP.
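A quick way to tell which of the two scenarios a given server is in, as an added example that is not part of the original post: the script below fetches a server's HTTPS certificate, builds the chain with the Windows verifier, checks whether the root came from Microsoft's public root program and whether the leaf already carries embedded SCTs. The host name is a placeholder, and the AuthRoot-store test is an assumption used as a heuristic for "public root", not Chrome's exact logic.

```powershell
# Added example (not from the original post): does this server's certificate chain to a
# public root, and does it already carry embedded SCTs? Host name/port are placeholders.
param(
    [string]$HostName = "intranet.example.com",
    [int]$Port = 443
)

# X.509 extension OID under which embedded Signed Certificate Timestamps are stored (RFC 6962).
$SctExtensionOid = "1.3.6.1.4.1.11129.2.4.2"

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents: we inspect the certificate, we do not trust it here.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-CtExposure {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $hasSct = [bool]($Cert.Extensions | Where-Object { $_.Oid.Value -eq $SctExtensionOid })

    # Build the chain the way Windows (and therefore Chrome on Windows) does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Heuristic (assumption, not Chrome's exact rule): roots delivered by Microsoft's root
    # program are cached in the AuthRoot store; a root you installed yourself (Group Policy,
    # Enterprise Trust, manual import) is not there.
    $authRoot = New-Object System.Security.Cryptography.X509Certificates.X509Store("AuthRoot", "LocalMachine")
    $authRoot.Open("ReadOnly")
    $isPublicRoot = $authRoot.Certificates.Find("FindByThumbprint", $root.Thumbprint, $false).Count -gt 0
    $authRoot.Close()

    [pscustomobject]@{
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer
        NotBefore      = $Cert.NotBefore
        ChainBuilt     = $built
        Root           = $root.Subject
        PublicRoot     = $isPublicRoot
        EmbeddedSCTs   = $hasSct
        # Only the combination "public root + issued after Chrome's cut-off + no embedded SCTs"
        # needs a closer look; SCTs may still arrive via the TLS extension or OCSP,
        # which this check does not see.
        NeedsAttention = $isPublicRoot -and -not $hasSct -and $Cert.NotBefore -gt [datetime]'2018-04-30'
    }
}

Test-CtExposure -Cert (Get-ServerCertificate -HostName $HostName -Port $Port)
```

A certificate from an internal CA will report PublicRoot = False and therefore NeedsAttention = False regardless of SCTs, which is the first scenario above; a leaf under a purchased subordinate CA that shows PublicRoot = True and EmbeddedSCTs = False is the case to raise with the provider.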
Labels:
Active Directory,
Certification Authority,
Google
Friday, March 16, 2018
Find and delete unlinked (orphaned) GPOs with PowerShell
Just check out my new post "Find and delete unlinked (orphaned) GPOs with PowerShell" on 4sysops.com!
https://4sysops.com/archives/find-and-delete-unlinked-orphaned-gpos-with-powershell/
Labels:
4sysops.com,
Group Policy
How a new client finds its Domain Controller
In this post I want to show you how a new Windows client locates its domain controller. Attached is a picture I drew some time ago, yes, just with Paint ^^. I think it is a nice overview of the process.
As you can see, in the first step everything happens in a DNS zone called _msdcs. Maybe some of you are asking yourselves: what is this _msdcs subdomain? Let me explain it a little more. Every Active Directory domain has a subdomain beneath it called _msdcs, and the forest root's _msdcs zone additionally holds the forest-wide records (the global catalogs and the per-DC CNAME records that replication partners use). This subdomain is reserved for the registration of Microsoft-specific DNS SRV records, for example _ldap._tcp.dc._msdcs.<domain> for the domain controllers and _ldap._tcp.pdc._msdcs.<domain> for the PDC emulator. Why a separate zone? Microsoft is not the only company that built a directory service on LDAP, and the generic _ldap._tcp.<domain> record could point at any LDAP server. With _msdcs, Microsoft can bind a client specifically to its own LDAP servers, the domain controllers. A client that cannot resolve these records (wrong DNS server, missing zone, blocked port 53) will never find a DC, so the client's DNS configuration is the first thing to check when a domain join or logon fails.
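The DNS side of that first step, as an added example that is not part of the original post: the script repeats the SRV lookups a client sends for the _msdcs names and orders the answers the way the locator does (lowest priority first, higher weight preferred), then hands over to nltest for the LDAP ping that picks the final DC. The domain and site names are placeholders taken from the logged-on session or passed in.

```powershell
# Added example (not from the original post): reproduce the _msdcs SRV lookups of the
# DC locator. Domain/site are placeholders; run on any domain-joined or DNS-connected host.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # falls back to the logged-on user's domain
    [string]$Site   = $null                 # e.g. "Default-First-Site-Name"; $null = no site-specific lookup
)

function Get-DcSrvRecords {
    # Resolves one SRV name and returns the targets in the order a client would try them.
    param([string]$Name)
    try {
        $answers = Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }   # drop the A records from the additional section
    } catch {
        Write-Warning "No answer for $Name ($($_.Exception.Message))"
        return @()
    }
    # Lower priority wins; among equal priorities a higher weight is chosen more often.
    $answers | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        ForEach-Object {
            [pscustomobject]@{
                Query    = $Name
                Target   = $_.NameTarget
                Port     = $_.Port
                Priority = $_.Priority
                Weight   = $_.Weight
            }
        }
}

# The Microsoft-specific names a client asks for, all beneath _msdcs:
$queries = @(
    "_ldap._tcp.dc._msdcs.$Domain"        # any writable domain controller of the domain
    "_kerberos._tcp.dc._msdcs.$Domain"    # the KDCs (same hosts, Kerberos port)
    "_ldap._tcp.pdc._msdcs.$Domain"       # the PDC emulator
    "_ldap._tcp.gc._msdcs.$Domain"        # global catalogs; lives in the forest root zone,
                                          # so it only resolves when $Domain is the forest root
)
if ($Site) {
    # The site-specific name is tried first so the client lands on a DC in its own site.
    $queries = @("_ldap._tcp.$Site._sites.dc._msdcs.$Domain") + $queries
}

$queries | ForEach-Object { Get-DcSrvRecords -Name $_ } | Format-Table -AutoSize

# After DNS, the locator sends an LDAP "ping" (CLDAP, UDP 389) to the candidates and
# caches the first DC that answers for its site. nltest shows the outcome of that process:
nltest /dsgetdc:$Domain /force
```

If the first query returns nothing while nltest still succeeds, the client is working from its cached DC or from a different DNS server than the one you just queried; if both fail, the _msdcs zone is not reachable from this host and the rest of the process never starts.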
Labels:
Active Directory
Tuesday, March 13, 2018
Active Directory PowerShell cmdlet query is timing out
If you expect an Active Directory PowerShell query to return an exceptionally large result set that takes longer than 2 minutes to retrieve, the cmdlet fails with a timeout, because Active Directory Web Services (ADWS) on the DC aborts the operation. Before raising the limit, check whether the query can be narrowed (a -SearchBase, a tighter -LDAPFilter, only the -Properties you really need). If it genuinely has to return that much, you can increase the OperationTimeout on your target DC by performing the following steps:
Log on to the target DC. This is a change to a service on a domain controller, so back up the file and document the change.
Browse to "%Windir%\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config" and edit it.
Increase the "OperationTimeout" parameter value based on your needs. The default value is 2 minutes.
After that, restart ADWS using the following PowerShell commands (the service reads its config only at start-up):
Stop-Service ADWS
Start-Service ADWS
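The same procedure as one script, as an added example that is not part of the original post. It assumes the ADWS settings are stored as <add key="..." value="..."/> entries under <appSettings> in the .exe.config and that OperationTimeout takes a TimeSpan string ("hh:mm:ss"); the new value is a placeholder. It keeps a timestamped backup, reports the current value, adds the key if it is missing, and restarts the service.

```powershell
# Added example (not from the original post): raise the ADWS OperationTimeout with a backup.
# Assumptions: appSettings/add layout and TimeSpan value format. Run elevated on the DC.
param(
    [string]$NewTimeout = "00:10:00"   # placeholder: 10 minutes; choose what the query really needs
)

$configPath = Join-Path $env:windir "ADWS\Microsoft.ActiveDirectory.WebServices.exe.config"
if (-not (Test-Path $configPath)) { throw "ADWS config not found at $configPath" }

# Validate the value before touching a domain controller's service config.
[void][TimeSpan]::Parse($NewTimeout)

# Timestamped copy so the change can be rolled back.
$backup = "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $configPath -Destination $backup
Write-Host "Backup written to $backup"

[xml]$config = Get-Content -Path $configPath
$appSettings = $config.SelectSingleNode("/configuration/appSettings")
if (-not $appSettings) { throw "No <appSettings> section in $configPath; inspect the file manually" }

$entry = $appSettings.SelectSingleNode("add[@key='OperationTimeout']")
if ($entry) {
    Write-Host "OperationTimeout: $($entry.GetAttribute('value')) -> $NewTimeout"
    $entry.SetAttribute("value", $NewTimeout)
} else {
    # No explicit key means the built-in default (2 minutes) is in effect; add one.
    Write-Host "OperationTimeout not set (default 2 minutes) -> $NewTimeout"
    $new = $config.CreateElement("add")
    $new.SetAttribute("key", "OperationTimeout")
    $new.SetAttribute("value", $NewTimeout)
    [void]$appSettings.AppendChild($new)
}
$config.Save($configPath)

# ADWS reads its configuration only at start-up.
Restart-Service -Name ADWS
Get-Service -Name ADWS | Select-Object Name, Status
```

Restarting ADWS briefly breaks every Active Directory PowerShell and ADAC session that targets this DC, so schedule it like any other DC service restart.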
Labels:
Active Directory,
Powershell
Monday, March 12, 2018
Windows 10’s File Explorer is getting tabs support
In the latest Windows 10 Insider build 17618 (RS5), Microsoft added tab support to File Explorer. It was a highly requested feature from the community.
Apart from File Explorer, other traditional built-in programs such as Command Prompt, PowerShell and Notepad also support it, and Microsoft enabled the feature for the Mail, Calendar, OneNote and MSN News apps as well. So a user can switch between these apps just like switching between tabs in a web browser.
Labels:
Windows 10
Friday, March 2, 2018
List all or specified SPNs that are assigned to an AD object
Find a specified SPN using PowerShell with ADSI:
$SPNName = Read-Host "Enter SPN"
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
# Note: the value is interpolated into the LDAP filter as-is; wildcards in the input widen the match.
$search.Filter = "(servicePrincipalName=*$SPNName*)"
$search.PageSize = 1000   # page the results; without this the DC returns at most 1000 entries
$results = $search.FindAll()
foreach ($result in $results)
{
    $UserEntry = $result.GetDirectoryEntry()
    Write-Host "Object Name = " $UserEntry.name -BackgroundColor "green" -ForegroundColor "black"
    Write-Host "DN = " $UserEntry.distinguishedName
    Write-Host "Object Cat. = " $UserEntry.objectCategory
    Write-Host "servicePrincipalNames"
    $i = 0
    foreach ($SPN in $UserEntry.servicePrincipalName)
    {
        Write-Host "SPN(" $i ") = " $SPN
        $i += 1
    }
    Write-Host ""
}
Find all SPNs using PowerShell with ADSI:
$SPNName = "*"
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.Filter = "(servicePrincipalName=$SPNName)"
$search.PageSize = 1000   # page the results; without this the DC returns at most 1000 entries
$results = $search.FindAll()
foreach ($result in $results)
{
    $UserEntry = $result.GetDirectoryEntry()
    Write-Host "Object Name = " $UserEntry.name -BackgroundColor "green" -ForegroundColor "black"
    Write-Host "DN = " $UserEntry.distinguishedName
    Write-Host "Object Cat. = " $UserEntry.objectCategory
    Write-Host "servicePrincipalNames"
    $i = 0
    foreach ($SPN in $UserEntry.servicePrincipalName)
    {
        Write-Host "SPN(" $i ") = " $SPN
        $i += 1
    }
    Write-Host ""
}
Using an LDAP query (for example in a custom search in Active Directory Users and Computers or with Get-ADObject -LDAPFilter), just replace spnname:
(&(objectCategory=person)(ServicePrincipalName=*spnname*))
To search all, you can use this query:
(&(objectCategory=person)(ServicePrincipalName=*))
Note that objectCategory=person restricts these two queries to user (and contact) objects, so SPNs registered on computer accounts are not returned, unlike in the ADSI scripts above. The second query is also exactly the set of accounts an attacker enumerates for Kerberoasting, because a service ticket for any of these SPNs can be requested by every domain user and cracked offline against the account's password. Run it regularly against your own domain.
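Going one step beyond listing, as an added example that is not part of the original post: the script below uses the same ADSI DirectorySearcher as the post to enumerate enabled user accounts with SPNs and reports, per account, the properties that decide how exposed it is to Kerberoasting (RC4 still allowed, password age, adminCount). The password-age threshold is an assumption.

```powershell
# Added example (not from the original post): audit user accounts that carry SPNs.
# Assumption: service-account passwords older than $MaxPasswordAgeDays are worth flagging.
param(
    [int]$MaxPasswordAgeDays = 365
)

# Enabled user objects with at least one SPN. Computer accounts are left out on purpose:
# their passwords are random and rotated automatically, so they are not roastable in practice.
$filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.Filter   = $filter
$search.PageSize = 1000                       # page through large domains
$search.PropertiesToLoad.AddRange([string[]]@(
    "sAMAccountName", "distinguishedName", "servicePrincipalName",
    "pwdLastSet", "adminCount", "msDS-SupportedEncryptionTypes"
))

function Get-EncryptionTypes {
    # Decodes msDS-SupportedEncryptionTypes. An absent attribute means the default, RC4 only.
    param($Value)
    if ($null -eq $Value) { return "RC4 (default)" }
    $names = @()
    if ($Value -band 0x4)  { $names += "RC4" }
    if ($Value -band 0x8)  { $names += "AES128" }
    if ($Value -band 0x10) { $names += "AES256" }
    if ($names.Count -eq 0) { return "none/DES ($Value)" }
    $names -join ","
}

$now = Get-Date
foreach ($result in $search.FindAll()) {
    $p = $result.Properties
    # pwdLastSet is a Windows FILETIME; 0 (never set) decodes to 1601 and is therefore flagged.
    $pwdSet = [DateTime]::FromFileTime([long]$p["pwdlastset"][0])
    $enc    = if ($p.Contains("msds-supportedencryptiontypes")) { [int]$p["msds-supportedencryptiontypes"][0] } else { $null }
    $isAdmin = $p.Contains("admincount") -and [int]$p["admincount"][0] -eq 1
    $ageDays = ($now - $pwdSet).Days

    $reasons = @()
    # The KDC issues an RC4 ticket whenever RC4 is still allowed for the account, even if AES
    # is allowed too, because the requester chooses the weakest type it asks for.
    if ($null -eq $enc -or ($enc -band 0x4)) { $reasons += "RC4 tickets allowed" }
    if ($ageDays -gt $MaxPasswordAgeDays)     { $reasons += "password $ageDays days old" }
    if ($isAdmin)                             { $reasons += "adminCount=1 (privileged)" }

    [pscustomobject]@{
        Account         = $p["samaccountname"][0]
        DN              = $p["distinguishedname"][0]
        SPNs            = ($p["serviceprincipalname"] -join "; ")
        PasswordLastSet = $pwdSet
        EncryptionTypes = Get-EncryptionTypes $enc
        Privileged      = $isAdmin
        Risk            = if ($reasons) { $reasons -join "; " } else { "-" }
    }
}
```

The fixes the report points at are the usual ones: move the SPN to a group Managed Service Account where possible, otherwise set a long random password, set msDS-SupportedEncryptionTypes to AES only (0x18), and keep SPN-bearing accounts out of privileged groups.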
Labels:
Active Directory,
LDAP,
Powershell