tag:blogger.com,1999:blog-28602964227009903142024-03-13T18:05:27.461+01:00Directory AdminPowerShell / Azure / Active Directory /
Windows Server / Security and more ...Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.comBlogger183125tag:blogger.com,1999:blog-2860296422700990314.post-55744606350706128442022-11-03T18:31:00.001+01:002022-11-03T18:32:23.165+01:00Deploy PAM & LAPS<p>Hi guys, ens<span style="-webkit-text-size-adjust: auto; font-size: 17px;">ure you have LAPS and PAM deployed. If you have the same local Admin Account & password on all clients, it makes lateral movement a breeze.</span></p><p class="p2" style="-webkit-text-size-adjust: auto; font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 20.3px;"><span class="s1"></span><br /></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1">PAM:</span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1"><a href="https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services">https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services</a></span></p><p class="p2" style="-webkit-text-size-adjust: auto; font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 20.3px;"><span class="s1"></span><br /></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1">LAPS:</span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1"><a
href="https://www.microsoft.com/en-us/download/details.aspx?id=46899">https://www.microsoft.com/en-us/download/details.aspx?id=46899</a></span></p>Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-9430753021674442102022-10-10T22:12:00.004+02:002022-10-19T22:36:03.004+02:00MS updated key concepts in Windows LAPS <p>Microsoft changed the key concepts for LAPS: new policies, LAPS for Windows, LAPS in Azure AD, etc.</p><p>Check out the following link:</p><p><a href="https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts">https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts</a></p>Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-14861637088694211822021-07-19T06:11:00.000+02:002021-07-29T09:10:27.219+02:00Workaround for Windows 10 SeriousSAM vulnerability <p class="p1" style="-webkit-text-size-adjust: auto; font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px; text-size-adjust: auto;"><span class="s1">This vulnerability can let attackers gain admin rights on vulnerable systems and execute arbitrary code with SYSTEM privileges.
Affected systems are all OS versions released </span>since October 2018, starting with Windows 10 1809 and Windows Server 2019.</p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px; text-size-adjust: auto;"><span class="s1"><br /></span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px; text-size-adjust: auto;"><span class="s1">Restrict access to the contents of %windir%\system32\config:</span></p><ol class="ol1" style="-webkit-text-size-adjust: auto; text-size-adjust: auto;"><li class="li1" style="font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1">Open Command Prompt or PowerShell as an administrator.</span></li><li class="li1" style="font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1">Run this command:</span><ul class="ul1" style="list-style-type: disc;"><li class="li1" style="font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1">Command Prompt: <b>icacls %windir%\system32\config\*.* /inheritance:e</b></span></li><li class="li1" style="font-size: 17px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1">Windows PowerShell: </span><span class="s3" style="font-weight: bold;">icacls $env:windir\system32\config\*.* /inheritance:e</span></li></ul></li></ol><div><span style="font-size: 17px;"><b><br /></b></span></div><div><span style="font-size: 17px;">And delete any existing Volume Shadow Copies!</span></div><div><span style="font-size: 17px;"><br /></span></div><div><span style="font-size: 17px;"><a
href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934</a></span></div><div><span style="font-size: 17px;"><br /></span></div>Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-35804933998115333952021-03-01T11:43:00.015+01:002021-03-30T11:52:29.514+02:00Troubleshooting time sync issues on an AD domain computer<p>Most of the time there will be warning events in the System event log with the source Time-Service.</p><p><br /></p><p>To verify the network connection and NTP settings you can use <b>w32tm</b>.</p><p>Show the source server:</p><p>w32tm /query /source</p><p><br /></p><p>Verify network connectivity to an NTP server:</p><p>w32tm /stripchart /computer:ntp01.mydomain.zz</p><p><br /></p><p>Show the configuration:</p><p>w32tm /query /configuration</p><p>(Type NT5DS means the client is using the domain hierarchy)</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGMrJU3LOhz9bx1ra7GekYPyp72DIuk75U03G4tLNT34z4nkuv_QTTThoXw39rh5affexbAGV7qZHch-HaGCCAtbBOEDnCnCDcn9kODKMda820zV20gQqWTH0UsYf3pnGwGFviHxkqSFS-/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="254" data-original-width="430" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGMrJU3LOhz9bx1ra7GekYPyp72DIuk75U03G4tLNT34z4nkuv_QTTThoXw39rh5affexbAGV7qZHch-HaGCCAtbBOEDnCnCDcn9kODKMda820zV20gQqWTH0UsYf3pnGwGFviHxkqSFS-/s16000/image.png" /></a></div><div style="clear: both;"></div><p><br /></p><p>Force the client to use the domain hierarchy:</p><p>w32tm /config /syncfromflags:domhier
/update</p>Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-34919163245430702692020-12-01T15:43:00.009+01:002021-02-03T10:05:02.453+01:00Get Zerologons CVE-2020-1472 using PowerShell<p><span style="font-family: inherit;"><span style="font-size: small;">Find attached a script to get all systems that are using Zerologon (event 5829) as described in CVE-2020-1472. I want to upload this script to my TechNet gallery, but MS changed it all so I can't access it...<br /></span></span></p><p><span style="font-family: inherit;"><span style="font-size: small;">More info about this topic and how to handle the update process:</span></span></p><p><a href="https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e">https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e</a></p><p>You can change the event ID to find other objects like trusts etc.</p><p><span style="font-family: inherit;"><span style="font-size: small;"># --------------------------------------------------------------------------------------------------------<br /># Author: Tim Buntrock<br /># Script: Get_ZeroLogons5829.ps1<br /># Description: Get all machine SamAccountNames that appear in Event 5829, to find systems using Zerologon!<br /># --------------------------------------------------------------------------------------------------------<br /><br /># Prepare Variables<br />Param (<br /> [parameter(Mandatory=$false,Position=0)][String]$DCName = "localhost",<br /> [parameter(Mandatory=$false,Position=1)][Int]$Minutes = 15)<br /><br /># Create an Array to hold the values<br />$InsecureNetLogons = @()<br /><br /># Grab the appropriate events (SilentlyContinue avoids an error when no event matched)<br />$Events = Get-WinEvent -ComputerName $DCName -FilterHashtable @{Logname='System';Id=5829; StartTime=(Get-Date).AddMinutes(-$Minutes)} -ErrorAction SilentlyContinue<br /><br /># Loop through each event<br />ForEach ($Event in $Events) {<br /> $eventXML = [xml]$Event.ToXml()<br /> $Client = ($eventXML.event.EventData.Data[0]) # get the machine SamAccountName<br /> # Add it to a row in our array<br /> $Row = "" | select Client<br /> $Row.Client = $Client<br /> # Add the row to our array<br /> $InsecureNetLogons += $Row<br />}<br /><br /># Dump it all out to a CSV and open gridview<br />Write-Host $InsecureNetLogons.Count "records found ... saving unique entries to .\InsecureNetLogons.csv for DC" $DCName -ForegroundColor DarkYellow<br />$InsecureNetLogons | Sort-Object -Unique -Property Client | Export-CSV -NoTypeInformation .\InsecureNetLogons.csv<br />$InsecureNetLogons | Sort-Object -Unique -Property Client | Out-GridView</span></span></p>Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-2485509632448252862020-06-25T14:55:00.000+02:002020-06-25T14:55:44.655+02:00Enabling debug logging for the Netlogon service<p class="MsoNormal"><b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">Activate debug logging using nltest and set log
size using registry<o:p></o:p></span></b></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">Type the
following command, and then press Enter to enable logging:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">Nltest
/DBFlag:2080FFFF<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">Setting the
maximum log file size for Netlogon logs using Registry<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">The
MaximumLogFileSize registry entry can be used to specify the maximum size. You must
create this entry, because it doesn't exist by default.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">Path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">Value Name:
MaximumLogFileSize <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">Value Type:
REG_DWORD <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">Value Data:
<max log file size in bytes> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">1073741824 Bytes
is 1 GB<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">This registry
setting applies to both the Netlogon.log and the Netlogon.bak file, so for
example a setting of 1 GB can require 2 GB of disk space.</span></p><p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;"><br /></span></p>
<p class="MsoNormal"><b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">Using Policy to enable logging and configuring
log size<o:p></o:p></span></b></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">You can use
the following Computer policy to configure the log file size in bytes and debug
level:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">Computer
Configuration\Administrative Templates\System\Net Logon\Specify maximum log file
size<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">1073741824 (1073741824 bytes = 1 GB)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">Computer
Configuration\Administrative Templates\System\Net Logon\Specify log file debug
output level<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">545325055 (545325055 is the decimal form of 0x2080FFFF and enables verbose Netlogon logging)<o:p></o:p></span></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVr6lPEfM0gHN8SNhLWF_KoDECPnBomXy4ERJb9xDda-3EpSVwGq08SWVbj6opMmLxej_cNKscSsW7Inq8JlkbAUCX3g7burhionwTu_qTGSr7Z02YMPnuLYGSahozm24TdVx9NAKHmCsc/s814/netlogdebug.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="251" data-original-width="814" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVr6lPEfM0gHN8SNhLWF_KoDECPnBomXy4ERJb9xDda-3EpSVwGq08SWVbj6opMmLxej_cNKscSsW7Inq8JlkbAUCX3g7burhionwTu_qTGSr7Z02YMPnuLYGSahozm24TdVx9NAKHmCsc/w500-h155/netlogdebug.png" width="500" /></a></div><p class="MsoNormal"><br /></p>
<p class="MsoNormal" style="clear: both;"><br /></p>
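<p class="MsoNormal">As an added example (not the post's own code), the following PowerShell wraps the nltest and registry steps above: it creates MaximumLogFileSize when the value is missing, which the post notes is required, sets the debug flag, and reads the resulting state back. It assumes an elevated session on the machine whose Netlogon service you are debugging.</p>

```powershell
# Added example, not from the original post. Run elevated on the machine whose Netlogon
# service you are debugging; the functions wrap the nltest and registry steps of the post.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$VerboseFlag    = 0x2080FFFF   # verbose level used by the post (545325055 decimal)

function Get-NetlogonDebugState {
    # DBFlag is the REG_DWORD that nltest /dbflag writes; MaximumLogFileSize is absent until created
    $p    = Get-ItemProperty -Path $NetlogonParams
    # -band 0xFFFFFFFF keeps DWORDs above 0x7FFFFFFF from showing up as negative Int32 values
    $flag = if ($null -ne $p.DBFlag) { [int64]$p.DBFlag -band 0xFFFFFFFF } else { 0 }
    $max  = if ($null -ne $p.MaximumLogFileSize) { [int64]$p.MaximumLogFileSize } else { $null }
    # Netlogon.log and Netlogon.bak can both reach the cap, so budget twice the value
    $worstCaseMB = if ($null -ne $max) { [math]::Round(2 * $max / 1MB) } else { $null }
    [pscustomobject]@{
        DBFlagHex       = '0x{0:X8}' -f $flag
        DBFlagDecimal   = $flag
        VerboseLogging  = ($flag -eq $VerboseFlag)
        MaxLogFileBytes = $max          # $null means no cap is configured
        WorstCaseDiskMB = $worstCaseMB
    }
}

function Enable-NetlogonDebug {
    param([int64]$MaxLogFileSize = 1GB)
    # -Force creates the value as REG_DWORD when it does not exist and overwrites it when it does
    New-ItemProperty -Path $NetlogonParams -Name 'MaximumLogFileSize' -PropertyType DWord `
                     -Value $MaxLogFileSize -Force | Out-Null
    # nltest applies the flag immediately; restart the Netlogon service if the size cap does not take effect
    nltest ('/dbflag:0x{0:X8}' -f $VerboseFlag) | Out-Null
    Get-NetlogonDebugState
}

function Disable-NetlogonDebug {
    nltest /dbflag:0x0 | Out-Null
    Get-NetlogonDebugState
}

Enable-NetlogonDebug -MaxLogFileSize 1GB
```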
<br />Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-41539243275160419452020-06-15T21:15:00.001+02:002020-06-15T21:15:23.231+02:00LDAP Binds and LDAPS<p class="MsoNormal"><span lang="EN-US"><font face="arial">Bind
operations are used to authenticate clients to the Domain Controller, to
establish an authorization identity that will be used for subsequent operations
processed on that connection, and to specify the LDAP protocol version that the
client will use.<o:p></o:p></font></span></p>
<p class="MsoNormal"><span lang="EN-US"><font face="arial">This LDAP
authentication process supports three types:<o:p></o:p></font></span></p>
<p class="MsoNormal" style="text-align: left;"></p><ol><li>Simple
bind</li><li>Simple
Authentication and Security Layer (SASL) bind</li><li>Sicily
bind</li></ol><p></p>
<p class="MsoNormal" style="text-align: left;"><span lang="EN-US"><font face="arial"><br /></font></span></p>
<h2><span lang="EN-US"><font face="arial" size="3">Simple Bind<o:p></o:p></font></span></h2>
<p class="MsoNormal"><span lang="EN-US"><font face="arial">With an LDAP
Simple Bind, the user credentials used to bind the LDAP client
to the Domain Controller are sent unencrypted.<o:p></o:p></font></span></p>
<h2><span lang="EN-US"><font face="arial" size="3">SASL<o:p></o:p></font></span></h2>
<p class="MsoNormal"><span lang="EN-US"><font face="arial">SASL is the
term for a framework of mechanisms that allow secured authentication to
take place over an unencrypted or encrypted communications channel. In this
case Kerberos V5 is used for authentication. Most Microsoft consoles use SASL
to authenticate.<o:p></o:p></font></span></p>
<h2><span lang="EN-US"><font face="arial" size="3">Sicily authentication<o:p></o:p></font></span></h2>
<p class="MsoNormal"><span lang="EN-US"><font face="arial">Active
Directory also supports this authentication approach during LDAP binds. It is
intended for compatibility with legacy systems and results in NTLM being
used as the underlying authentication protocol.<o:p></o:p></font></span></p>
<p class="MsoNormal"><br /></p><p class="MsoNormal">So let's clarify what LDAPS is about...</p>
<h2><span lang="EN-US"><font face="arial" size="3">LDAPS<o:p></o:p></font></span></h2>
<p class="MsoNormal"><span lang="EN-US"><font face="arial">It's a mechanism
that uses TLS to secure the communication between LDAP clients and Domain Controllers,
either to avoid insecure simple binds or to secure authentication for clients that do not support SASL.<o:p></o:p></font></span></p>
<p class="MsoNormal"><span lang="EN-US"><font face="arial">The
following scenarios are possible:<o:p></o:p></font></span></p>
<p class="MsoNormal"><span lang="EN-US"><font face="arial"><u>LDAPS
over port 636 (DC) or port 3269 (GC)</u> where the connection is immediately
secured by the certificate. SSL/TLS is negotiated before any LDAP traffic happens.<o:p></o:p></font></span></p>
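<p class="MsoNormal">As an added example (not the post's own code), this PowerShell probes a DC for both TLS scenarios this post lists, LDAPS on 636 and the StartTLS variant on 389, using the .NET System.DirectoryServices.Protocols API with a SASL (Negotiate) bind and a chain check on the certificate the DC presents. The host name dc01.test.zz is a placeholder.</p>

```powershell
# Added example, not part of the original post. Exercises both TLS scenarios: LDAPS on 636
# (TLS before any LDAP traffic) and StartTLS on 389. dc01.test.zz is a placeholder host name.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapTlsBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [ValidateSet('Ldaps', 'StartTls')][string]$Mode = 'Ldaps'
    )
    $port  = if ($Mode -eq 'Ldaps') { 636 } else { 389 }
    $state = @{ Cert = $null; ChainOk = $false }   # filled in by the certificate callback
    $id    = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Negotiate = SASL (Kerberos) bind, the mechanism the Microsoft consoles use
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    # Keep the certificate the DC presented and validate its chain instead of blindly trusting it
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $state.Cert    = $cert2
        $state.ChainOk = $chain.Build($cert2)
        return $state.ChainOk       # returning $false aborts the handshake, so the bind fails closed
    }.GetNewClosure()

    $result = [ordered]@{ Server = $Server; Mode = $Mode; Port = $port; BindOk = $false; Error = $null }
    try {
        if ($Mode -eq 'Ldaps') {
            $conn.SessionOptions.SecureSocketLayer = $true            # TLS handshake happens on connect
        } else {
            $conn.SessionOptions.StartTransportLayerSecurity($null)   # upgrade the clear-text session first
        }
        $conn.Bind()                                                  # credentials only flow after TLS is up
        $result.BindOk = $true
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    $result.ChainValid  = $state.ChainOk
    $result.CertSubject = if ($state.Cert) { $state.Cert.Subject }  else { $null }
    $result.CertExpires = if ($state.Cert) { $state.Cert.NotAfter } else { $null }
    [pscustomobject]$result
}

'Ldaps', 'StartTls' | ForEach-Object { Test-LdapTlsBind -Server 'dc01.test.zz' -Mode $_ } | Format-List
```

A failed chain check or an expired certificate shows up as BindOk = False with the TLS error in the Error column, which is the condition to fix before disabling simple binds.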
<p class="MsoNormal"><span lang="EN-US"><font face="arial"><u>LDAP
using StartTLS over port 389 (DC) or 3268 (GC)</u> where the StartTLS operation
is used to establish secure communications. It requires the LDAP client to
support the StartTLS operation.<o:p></o:p></font></span></p><br />Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-23102597177093279802020-06-09T18:00:00.008+02:002020-06-25T14:52:22.716+02:00Create a keytab file to use SSO for KeyCloak or another tool<div class="MsoNormal">
<span style="font-family: times; font-size: x-small;"><font face="arial" size="2">You can use this post to create a KeyTab file for your application to use SSO.</font></span></div>
<div class="MsoNormal"><span lang=""><span style="font-family: times; font-size: x-small;"><font face="arial" size="2"><br /></font></span></span></div><div class="MsoNormal">
<span lang=""><span style="font-family: times; font-size: x-small;"><font face="arial" size="2">Find attached the details for the sample setup.<o:p></o:p></font></span></span></div>
<div class="MsoNormal">
<span lang=""><span style="font-family: times; font-size: x-small;"><font face="arial" size="2">Domain:
test.zz<o:p></o:p></font></span></span></div>
<div class="MsoNormal">
<span lang=""><span style="font-family: times; font-size: x-small;"><font face="arial" size="2">user:
srviceuser1<o:p></o:p></font></span></span></div>
<div class="MsoNormal">
<span lang=""><span style="font-family: times; font-size: x-small;"><font face="arial" size="2">pw:
HDPw8912hs17!/hsd7<o:p></o:p></font></span></span></div>
<div class="MsoNormal">
<span lang=""><span style="font-family: times; font-size: x-small;"><font face="arial" size="2">url:
auth-test.service.test.zz<o:p></o:p></font></span></span></div>
<div class="MsoNormal">
<span style="font-family: times; font-size: x-small;"><font face="arial" size="2"><span lang="">Required
encryption: </span>AES256</font></span></div>
<div class="MsoNormal"><span style="font-family: times; font-size: x-small;"><font face="arial" size="2"><br /></font></span></div><div class="MsoNormal">
<span style="font-family: times; font-size: x-small;"><font face="arial" size="2">Command:</font></span></div>
<div class="MsoNormal">
<span lang=""><span style="font-family: times; font-size: x-small;"><i><font face="arial" size="2">ktpass -out
c:\auth-test.keytab -princ HTTP/auth-test.test.zz@TEST.ZZ -mapuser
srviceuser1 -pass HDPw8912hs17!/hsd7 -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto
AES256-SHA1</font></i></span></span></div>
<div class="MsoNormal">
<span lang=""><span style="font-family: times; font-size: x-small;"><font face="arial" size="2">If another
type of encryption is needed you should have a look at the following article:<o:p></o:p></font></span></span></div>
<div class="MsoNormal">
<span style="font-family: times; font-size: x-small;"><font face="arial" size="2"><a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass"><span lang="">https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass</span></a><span lang=""><o:p></o:p></span></font></span></div>
<div class="MsoNormal"><span style="font-family: times;"><span style="font-size: x-small;"><font face="arial" size="2"><br /></font></span></span></div><div class="MsoNormal">
<span style="font-family: times;"><span style="font-size: x-small;"><font face="arial" size="2">You can verify that the SPN is applied to the account using the following command.</font></span></span></div>
<div class="MsoNormal">
<span style="font-family: times;"><span style="font-family: times; font-size: x-small;"><i><font face="arial" size="2">setspn -L srviceuser1</font></i></span></span></div>
<div class="MsoNormal"><span style="font-family: times;"><span style="font-size: x-small;"><font face="arial" size="2"><br /></font></span></span></div><div class="MsoNormal">
<span style="font-family: times;"><span style="font-size: x-small;"><font face="arial" size="2">The last thing we have to do is to enable support for AES256 encryption on the account srviceuser1. Open Active Directory Users & Computers, open the properties of srviceuser1, go to the Account tab and select
the following checkbox in Account options: </font></span></span><span style="font-family: arial; font-size: small;">“This
account supports Kerberos AES 256 bit encryption”</span></div>
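<div class="MsoNormal">As an added example (not the post's own code), the following PowerShell checks that the account matches the ktpass command above: the SPN is registered via setspn/ktpass and the AES256 bit of msDS-SupportedEncryptionTypes, which is what the checkbox sets, is on. It assumes the ActiveDirectory module and permission to read (and, with -Fix, modify) the user.</div>

```powershell
# Added example, not from the original post: verifies the service account behind the keytab.
# Assumes the ActiveDirectory module and rights to read/modify the user object.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes is a bit mask; 0x10 is the "Kerberos AES 256 bit encryption" box
$AES256 = 0x10

function Test-KeytabAccount {
    param(
        [string]$Identity = 'srviceuser1',
        [string]$Spn      = 'HTTP/auth-test.test.zz',
        [switch]$Fix
    )
    $user = Get-ADUser -Identity $Identity `
                -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', userPrincipalName
    $encTypes = if ($null -ne $user.'msDS-SupportedEncryptionTypes') {
        [int]$user.'msDS-SupportedEncryptionTypes'
    } else { 0 }                                   # attribute unset = DC default (no AES-only guarantee)
    $hasSpn = $user.servicePrincipalName -contains $Spn
    $hasAes = ($encTypes -band $AES256) -ne 0

    if ($Fix -and -not ($hasSpn -and $hasAes)) {
        if (-not $hasSpn) { Set-ADUser -Identity $user -ServicePrincipalNames @{ Add = $Spn } }
        # -KerberosEncryptionType replaces the whole mask; AES256 alone mirrors ticking only that box
        if (-not $hasAes) { Set-ADUser -Identity $user -KerberosEncryptionType AES256 }
        return Test-KeytabAccount -Identity $Identity -Spn $Spn   # re-read to report the real state
    }

    [pscustomobject]@{
        Account       = $user.SamAccountName
        Upn           = $user.userPrincipalName   # ktpass -mapuser also rewrites this to the principal
        SpnPresent    = $hasSpn
        Aes256Enabled = $hasAes
        EncTypesMask  = '0x{0:X}' -f $encTypes
    }
}

Test-KeytabAccount -Identity 'srviceuser1' -Spn 'HTTP/auth-test.test.zz'
```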
<div class="MsoNormal">
<span lang=""><span style="font-family: times; font-size: x-small;"><br /></span></span></div>
<br />Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-39013577696585463882020-06-08T21:21:00.001+02:002020-06-15T21:25:06.520+02:00Azure Security link collectionHi guys,<div><br /></div><div>find attached a link collection, with useful information regarding Azure Security.<br /><div><div><ul style="text-align: left;"><li>Azure Security Documentation <a href="https://docs.microsoft.com/en-us/azure/security/ " target="_blank">https://docs.microsoft.com/en-us/azure/security/ </a></li><li>Azure Security Announcements <a href="https://azure.microsoft.com/en-us/blog/topics/security/" target="_blank">https://azure.microsoft.com/en-us/blog/topics/security/</a> </li><li>Azure Security Experts Series <a href="https://www.youtube.com/playlist?list=PLLasX02E8BPA0ZNzg-BsHio7yTciN-UVu " target="_blank">https://www.youtube.com/playlist?list=PLLasX02E8BPA0ZNzg-BsHio7yTciN-UVu </a></li><li>Azure Blog RSS Feed <a href="https://azure.microsoft.com/blog/feed/ " target="_blank">https://azure.microsoft.com/blog/feed/ </a></li><li>Azure Reference Architectures <a href="https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/ " target="_blank">https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/ </a></li><li>PDF: Azure Security Center Security Alerts Playbook <a href="https://gallery.technet.microsoft.com/Azure-Security-Center-f621a046 " target="_blank">https://gallery.technet.microsoft.com/Azure-Security-Center-f621a046 </a></li><li>PDF: Azure Security Center Playbook: Hunting Threats <a href="https://gallery.technet.microsoft.com/Azure-Security-Center-549aa7a4" target="_blank">https://gallery.technet.microsoft.com/Azure-Security-Center-549aa7a4</a> </li><li>PDF: Azure Security Response <a href="https://gallery.technet.microsoft.com/Azure-Security-Response-in-dd18c678 " target="_blank">https://gallery.technet.microsoft.com/Azure-Security-Response-in-dd18c678 
</a></li><li>Performance and Productivity: Your Guide to Managing Cloud Sprawl <a href="https://azure.microsoft.com/en-us/resources/your-guide-to-managing-cloud-sprawl/" target="_blank">https://azure.microsoft.com/en-us/resources/your-guide-to-managing-cloud-sprawl/</a> </li><li>Microsoft Azure infographics <a href="https://azure.microsoft.com/en-us/resources/infographics/" target="_blank">https://azure.microsoft.com/en-us/resources/infographics/</a></li></ul><div>HF</div></div></div></div><div>Tim</div>Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-76789905722422808932020-06-01T12:18:00.001+02:002020-06-10T12:19:41.995+02:00Microsoft Security Compliance Toolkit<div>If you don't have any security baseline tools for Windows and Microsoft products yet, you should check this out. The Microsoft Security Compliance Toolkit is a collection of tools and templates released by Microsoft to give security admins access to recommended security configuration baselines for the Windows OS and some Microsoft products. You can manage both domain and local policies!</div><div><br /></div><div>You can download the tool here:</div><div><a href="https://www.microsoft.com/en-us/download/details.aspx?id=55319" target="_blank">https://www.microsoft.com/en-us/download/details.aspx?id=55319</a></div>Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-39823069739808343992020-04-01T15:02:00.004+02:002020-04-01T15:02:47.614+02:00Test connection speed between NetApp ONTAP 9.3+ and Windows ClientToday I want to show you how to perform a speed test between a Windows client and your NetApp filer.<br />
<br />
Logon to your NetApp filer using SSH.<br />
<br />
<i>Set priv to advanced:</i><br />
netapp::> set -privilege advanced<br />
<br />
Warning: These advanced commands are potentially dangerous; use them only when<br />
directed to do so by NetApp personnel.<br />
Do you want to continue? {y|n}: y<br />
netapp::> y<br />
<br />
<br />
<i>Start iperf server:</i><br />
netapp::*> network test-link start-server<br />
<br />
<br />
<i>Install and run iperf on Windows:</i><br />
- Log on to the Windows client<br />
- Download iperf3 and extract it<br />
https://iperf.fr/en/iperf-download.php#windows<br />
- Browse to iperf3.exe and run<br />
iperf3.exe -c serveripaddress<br />
<br />
<br />
<i>Example execution and output:</i><br />
iperf3.exe -c 10.1.1.10<br />
Connecting to host 10.4.248.156, port 5201<br />
[ 4] local 10.2.1.2 port 61373 connected to 10.1.1.10 port 5201<br />
[ ID] Interval Transfer Bandwidth<br />
[ 4] 0.00-1.00 sec 91.2 MBytes 762 Mbits/sec<br />
[ 4] 1.00-2.00 sec 88.1 MBytes 742 Mbits/sec<br />
[ 4] 2.00-3.00 sec 99.6 MBytes 835 Mbits/sec<br />
[ 4] 3.00-4.00 sec 95.6 MBytes 802 Mbits/sec<br />
[ 4] 4.00-5.00 sec 95.1 MBytes 798 Mbits/sec<br />
[ 4] 5.00-6.00 sec 94.1 MBytes 790 Mbits/sec<br />
[ 4] 6.00-7.00 sec 92.9 MBytes 779 Mbits/sec<br />
[ 4] 7.00-8.00 sec 93.2 MBytes 782 Mbits/sec<br />
[ 4] 8.00-9.00 sec 94.8 MBytes 795 Mbits/sec<br />
[ 4] 9.00-10.00 sec 91.2 MBytes 765 Mbits/sec<br />
- - - - - - - - - - - - - - - - - - - - - - - - -<br />
[ ID] Interval Transfer Bandwidth<br />
[ 4] 0.00-10.00 sec 936 MBytes 785 Mbits/sec sender<br />
[ 4] 0.00-10.00 sec 936 MBytes 785 Mbits/sec receiver<br />
<br />
iperf Done.<br />
<br />
<br />
<i>Stop iperf server on NetApp:</i><br />
netapp::*> network test-link stop-server<br />
<br />Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-14010860822481155642020-03-11T22:31:00.000+01:002020-04-01T08:47:57.725+02:00Hunting insecure LDAP Binds<br />
Look at
your DC Event log for Event ID 2886 and 2887 in your Directory Service log.<br />
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">If Event ID
2886 is logged, it indicates that LDAP signing is not being enforced by your
DC!<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The second
Event ID 2887 occurs every 24 hours and reports how many unsigned / clear
text binds have occurred against your DC.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">How do we
get the systems that are performing such binds?<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">We need to
raise our logging level so that a new event with ID 2889 is logged. With that
event we can see the IPs and accounts that are binding insecurely.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Set Simple
LDAP Bind Logging:<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Set-ItemProperty
-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP
Interface Events' -Value 2<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Later use
this PS command to disable Simple LDAP Bind Logging:<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Set-ItemProperty
-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP
Interface Events' -Value 0<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">After
enabling, we can see the event in our Directory Services log.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">To get an
overview of those events you can use the following script:<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><a href="https://github.com/russelltomkins/Active-Directory/blob/master/Query-InsecureLDAPBinds.ps1">Query-InsecureLDAPBinds.ps1</a></span><span lang="EN-US" style="mso-ansi-language: EN-US;"><o:p></o:p></span><br />
<br />
Just change the last part to only get unique entries:<br />
$InsecureLDAPBinds | Sort-Object -Unique -Property User,Ipaddress| Export-CSV -NoTypeInformation .\InsecureLDAPBinds.csv<br />
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The script exports a CSV from the specified domain controller containing all unsigned and clear-text LDAP binds made to that DC, by extracting event 2889 from the "Directory Service" event log.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Example
execution to get all insecure binds happening in the last 24 hours for DC01:<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">.\Query-InsecureLDAPBinds.ps1
-computername DC01 -Hours 24<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The output CSV includes the client IP address, port, user name and bind type:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">"IPAddress","Port","User","BindType"<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">"10.120.0.88","60966","TIM\ldapuser","Simple"<o:p></o:p></span></div>
<div class="MsoNormal">
"10.120.1.110","65445","TIM\ldapuser2","Simple"<o:p></o:p></div>
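The following script is an added example; it is not part of the original post and not part of Query-InsecureLDAPBinds.ps1. It reads event 2889 from a DC the same way, but reports each user + client IP + bind type only once, with a count and first/last seen, so the CSV becomes a worklist of what still has to be fixed before LDAP signing is enforced. The DC name, the lookback window and the output file name are assumptions; the event data order (IP:port, identity, binding type with 0 = SASL bind without signing and 1 = simple bind) is the layout the linked script relies on as well.

```powershell
# Added example, not from the original post: summarise event 2889 per user/IP/bind type.
# Assumptions (mine): DC name, lookback window, output path, and the 2889 event data order
# (Properties[0] = IP:port, Properties[1] = identity, Properties[2] = binding type).
param(
    [string]$ComputerName = 'DC01',
    [int]$Hours = 24,
    [string]$OutFile = '.\InsecureLDAPBinds-unique.csv'
)

# Binding type as written into the event data: 0 = SASL bind without signing, 1 = simple bind
$bindTypeNames = @{ '0' = 'Unsigned'; '1' = 'Simple' }

$filter = @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$binds = foreach ($e in $events) {
    $ipPort = [string]$e.Properties[0].Value      # e.g. 10.120.0.88:60966
    $sep    = $ipPort.LastIndexOf(':')            # split on the last colon so IPv6 addresses survive
    if ($sep -lt 0) {
        $ip = $ipPort; $port = ''
    } else {
        $ip = $ipPort.Substring(0, $sep); $port = $ipPort.Substring($sep + 1)
    }
    $type = [string]$e.Properties[2].Value
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        IPAddress   = $ip
        Port        = $port
        User        = [string]$e.Properties[1].Value
        BindType    = if ($bindTypeNames.ContainsKey($type)) { $bindTypeNames[$type] } else { "Unknown($type)" }
    }
}

# One row per User + IPAddress + BindType: who still binds insecurely, from where, how often
$summary = $binds |
    Group-Object User, IPAddress, BindType |
    ForEach-Object {
        $ordered = @($_.Group | Sort-Object TimeCreated)
        [pscustomobject]@{
            User      = $ordered[0].User
            IPAddress = $ordered[0].IPAddress
            BindType  = $ordered[0].BindType
            Count     = $_.Count
            FirstSeen = $ordered[0].TimeCreated
            LastSeen  = $ordered[-1].TimeCreated
        }
    } | Sort-Object Count -Descending

$summary | Export-Csv -Path $OutFile -NoTypeInformation
$summary | Format-Table -AutoSize
```

Run it against every DC (each DC only logs the binds it received) and keep the window long enough to cover weekly jobs; an empty summary across all DCs is the check to do before switching the DCs to required signing and LDAPS-only simple binds.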
<br />Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-87877735411026648352020-02-20T07:56:00.003+01:002020-02-20T07:56:33.914+01:00PowerShell Get LDAP limits / Default Query Policy<div>
Hi guys,</div>
<div>
to get the LDAP limits defined in the Default Query Policy, just run the PowerShell snippet below. Before you do so, replace DC=DOMAIN,DC=ZZ with your domain!</div>
<div>
<br /></div>
<div>
Get-ADObject -Filter 'ObjectClass -eq "querypolicy"' -SearchBase 'CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=ZZ' -Properties lDAPAdminLimits | foreach {$_.lDAPAdminLimits}</div>
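As an added example (not from the original post), the same query with the domain part derived from the forest's configuration naming context instead of edited by hand, and the "Name=Value" strings of lDAPAdminLimits turned into objects so they can be sorted and filtered. The optional -Server parameter and the list of limits flagged as worth watching are my choices.

```powershell
# Added example, not from the original post: read the Default Query Policy limits as objects.
# Assumes the ActiveDirectory module on a domain-joined machine; -Server is optional and mine.
function Get-LdapQueryPolicyLimit {
    param([string]$Server)

    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }

    # configurationNamingContext is CN=Configuration,DC=... for the current forest,
    # so the DN no longer has to be edited by hand
    $configNC = (Get-ADRootDSE @adArgs).configurationNamingContext
    $policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    $policy = Get-ADObject @adArgs -Identity $policyDN -Properties lDAPAdminLimits

    foreach ($limit in $policy.lDAPAdminLimits) {
        # each entry looks like "MaxPageSize=1000"
        $name, $value = $limit -split '=', 2
        [pscustomobject]@{
            Name  = $name
            Value = [int64]$value
        }
    }
}

# Limits that decide how much work a single client can push onto a DC (my selection)
$watch = 'MaxPageSize', 'MaxQueryDuration', 'MaxResultSetSize', 'MaxTempTableSize', 'MaxConnections'

Get-LdapQueryPolicyLimit | Sort-Object Name |
    Select-Object Name, Value, @{ n = 'Watch'; e = { $_.Name -in $watch } } |
    Format-Table -AutoSize
```

Pass -Server if you want to read the policy through a specific DC; the policy object itself lives in the configuration partition and is the same on every DC of the forest.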
Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com1tag:blogger.com,1999:blog-2860296422700990314.post-76943996777453844892020-02-17T10:30:00.000+01:002020-02-17T10:30:57.129+01:00Configure ADWS debug LogTo configure ADWS debug logging, you have to add some lines to the &lt;appSettings&gt; section of the ADWS configuration file:<br />
First you have to set the log level:<br />
<br />
&lt;add key="DebugLevel" value="&lt;Loglevel&gt;" /&gt;<br />
<br />
&lt;Loglevel&gt; can be one of the following values:<br />
None, Error, Warn or Info.<br />
<br />
Then you must configure the debug file path:<br />
<br />
&lt;add key="DebugLogFile" value="&lt;Logpath&gt;" /&gt;<br />
<br />
To log errors and warnings, add these two lines (note that the attribute names key and value are case-sensitive):<br />
<br />
&lt;add key="DebugLevel" value="Warn" /&gt;<br />
<br />
&lt;add key="DebugLogFile" value="C:\AdwsDebug.log" /&gt;<br />
<br />
After that you have to restart ADWS:<br />
Restart-Service -Name ADWSTimhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-8466304495571390682020-02-11T13:57:00.000+01:002020-02-11T13:57:07.033+01:00Restore files from previous versions including all file informationIn the following post we will use Robocopy to restore files from previous versions, including all file information such as attributes, timestamps and NTFS ACLs.<br />
<br />
Most admins just move the files from previous versions and lose the original file information.<br />
<br />
If files were encrypted or deleted, you can use the following method to restore them, including all file information, provided shadow copies were configured!<br />
<br />
First we need to get the path of the previous version:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7byzg6q00V9-qzasOGyhgNDVj2CSAbythdNlffNMYSQnYwaKE2zlErhj8Jvtac899kFE4eWQLHgn7eehJtL-dal2x9MxXz8w75EguAP8cI70dPGk2lpSyU2_ZnGWL_T1iDi0CCTzSjKsy/s1600/robo.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="365" data-original-width="559" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7byzg6q00V9-qzasOGyhgNDVj2CSAbythdNlffNMYSQnYwaKE2zlErhj8Jvtac899kFE4eWQLHgn7eehJtL-dal2x9MxXz8w75EguAP8cI70dPGk2lpSyU2_ZnGWL_T1iDi0CCTzSjKsy/s400/robo.jpg" width="400" /></a></div>
<br />
Then we can run the following command to restore our files:<br />
<i>robocopy "\\fileserver\c$\data001\@GMT-2019.11.28-11.06.38\testtree" "\\fileserver\c$\data001\testtree" /E /COPYALL /DCOPY:T</i><br />
<br />
Explanation of the switches used in robocopy:<br />
/E copies the directory tree recursively<br />
<br />
/COPYALL copies all file information (equivalent to /COPY:DATSOU: D=Data, A=Attributes, T=Timestamps, S=Security (NTFS ACLs), O=Owner info, U=Auditing info)<br />
<br />
/DCOPY:T preserves the original directory timestamps.<br />
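The @GMT-... part of the source path is the creation time of a shadow copy in UTC. The following script is an added example, not from the original post: it lists the shadow copies of the volume on the file server, builds the matching previous-version path for each, and runs robocopy in list-only mode (/L) so you can see what would be restored before anything is written. Server, share and folder names are assumptions; it needs WinRM access to the file server for Get-CimInstance.

```powershell
# Added example, not from the original post: build "@GMT-..." previous-version paths from
# the shadow copies of a volume and dry-run the Robocopy restore.
# Assumptions (mine): server, share and folder names; WinRM reachable on the file server.
param(
    [string]$FileServer   = 'fileserver',        # assumed server name
    [string]$DriveLetter  = 'C:',                # volume that holds the share
    [string]$Share        = 'c$',                # admin share as used in the post
    [string]$RelativePath = 'data001\testtree',  # folder below the share root
    [switch]$Restore                             # without this switch only /L (dry run) is executed
)

# Map the drive letter to the \\?\Volume{...}\ name that Win32_ShadowCopy refers to
$volume = Get-CimInstance -ComputerName $FileServer -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq $DriveLetter }
if (-not $volume) { throw "Volume $DriveLetter not found on $FileServer" }

$shadows = Get-CimInstance -ComputerName $FileServer -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate -Descending

# Previous-version paths use the shadow copy creation time in UTC: @GMT-yyyy.MM.dd-HH.mm.ss
$candidates = @(foreach ($s in $shadows) {
    $token = '@GMT-' + $s.InstallDate.ToUniversalTime().ToString('yyyy.MM.dd-HH.mm.ss')
    [pscustomobject]@{
        Created    = $s.InstallDate
        Token      = $token
        SourcePath = "\\$FileServer\$Share\$token\$RelativePath"
    }
})
if (-not $candidates) { throw "No shadow copies found for $DriveLetter on $FileServer" }
$candidates | Format-Table -AutoSize

# Default to the newest copy; after an encryption incident pick an older one that predates the damage
$source = $candidates[0].SourcePath
$target = "\\$FileServer\$Share\$RelativePath"

$roboArgs = @($source, $target, '/E', '/COPYALL', '/DCOPY:T', '/R:1', '/W:1')
if (-not $Restore) { $roboArgs += '/L' }   # /L lists what would be copied and changes nothing
& robocopy.exe @roboArgs
```

Check the /L output (and the Created column) before running with -Restore: the newest shadow copy may already contain the encrypted files, in which case the SourcePath of an older entry is the one to restore from.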
<br />Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-58831178788081294192020-02-07T14:38:00.001+01:002020-02-07T14:38:50.916+01:00GET AZURE AD USER SYNCHRONIZATION TIME<span style="font-family: inherit;">First you have to connect to MSOnline using your credentials:</span><br />
<div style="box-sizing: border-box;">
<span style="font-family: inherit;"><br /></span></div>
<div style="box-sizing: border-box;">
<span style="font-family: inherit;">$credential = Get-Credential<br />
Import-Module MSOnline<br />
Connect-MsolService -Credential $credential</span></div>
<div style="box-sizing: border-box;">
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Then you can get the attribute called LastDirSyncTime using the following command:<br /><br />
</span></div>
<div style="box-sizing: border-box;">
<span style="font-family: inherit;">Get-MSOlUser -UserPrincipalName "tim.buntrock@domain.com" | Select-Object LastDirSyncTime</span></div>
<div style="box-sizing: border-box; font-family: "Segoe UI", "Helvetica Neue", "Apple Color Emoji", "Segoe UI Emoji", Helvetica, Arial, sans-serif; font-size: 14px;">
<br /></div>
<div style="box-sizing: border-box; font-family: "Segoe UI", "Helvetica Neue", "Apple Color Emoji", "Segoe UI Emoji", Helvetica, Arial, sans-serif; font-size: 14px;">
<br /></div>
Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-45148277481823336642019-12-17T14:06:00.000+01:002019-12-17T14:06:02.119+01:00PowerShell Get Domain Controller OS and hardware infosYou can use the following script to receive the following information for every domain controller:<br />
<br />
ComputerName<br />
OperatingSystem<br />
Memory in GB<br />
CPU<br />
<br />
<br />
$DCs = Get-ADDomainController -Filter *<br />
<br />
foreach ($DC in $DCs) {<br />
# Get-ADDomainController returns objects, so use the host name for the ping and for CIM<br />
$name = $DC.HostName<br />
if (-not (Test-Connection -ComputerName $name -Quiet -Count 1)) {<br />
Write-Verbose -Message "The DC [$name] is offline."<br />
} else {<br />
$os = Get-CimInstance -ComputerName $name -ClassName Win32_OperatingSystem<br />
$mem = [math]::Round((Get-CimInstance -ComputerName $name -ClassName Win32_ComputerSystem).TotalPhysicalMemory/1GB)<br />
$cpu = Get-CimInstance -ComputerName $name -ClassName Win32_Processor<br />
[pscustomobject]@{<br />
ComputerName = $name<br />
OperatingSystem = $os.Caption<br />
Memory = $mem<br />
# a DC with several sockets returns several processor objects; list each model once<br />
CPU = (@($cpu.Name) | Select-Object -Unique) -join '; '<br />
}<br />
}<br />
}Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-88698653935256608612019-11-28T10:46:00.001+01:002019-11-28T10:53:02.357+01:00Adding the Attribute Editor tab for Active Directory objectsFor some objects, and maybe on systems using a specific language, the Attribute Editor tab does not appear even when you have the "Advanced Features" view selected. This may be caused by a faulty forest update or a misconfiguration. To fix this issue we must update the DisplaySpecifiers in our AD configuration.<br />
<br />
The following example will show you how to update it for AD User objects.<br />
<br />
Open ADSI Edit<br />
<br />
Click "Connect to" under the Actions menu<br />
<br />
Leave the defaults, except select the well-known naming context "Configuration"<br />
<br />
Expand the Configuration branch and select the CN=DisplaySpecifiers container<br />
<br />
Expand your language code, CN=407 for de-DE; the codes for other languages can be found at: https://support.microsoft.com/en-us/help/324097/list-of-language-packs-and-their-codes-for-windows-2000-domain-control<br />
<br />
Click on CN=user-Display<br />
<br />
Double-click AdminPropertyPages and add the following value: 11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}<br />
<br />
<br />
If you want to see the Attribute Editor tab on other objects, such as CN=organizationalUnit-Display or CN=computer-Display, add 12,{c7436f12-a27f-4cab-aaca-2bd27ed1b773} to their AdminPropertyPages.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmnRgohKdTGXw6qtvQo8v0gHMMQi3wmTUfvpVIgzVGgAFGL8pbw_Vda7O6Ikxy11gQvp39DZ6NWNwNzpcDMk51Z6reatYtXfMS56c0CFGtn_Ga0M83OhZ-oAbENYgK_LWpFB2HLl2_EkHM/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="564" data-original-width="945" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmnRgohKdTGXw6qtvQo8v0gHMMQi3wmTUfvpVIgzVGgAFGL8pbw_Vda7O6Ikxy11gQvp39DZ6NWNwNzpcDMk51Z6reatYtXfMS56c0CFGtn_Ga0M83OhZ-oAbENYgK_LWpFB2HLl2_EkHM/s400/1.png" width="400" /></a></div>
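The steps above fix one display specifier in one language container. As an added example (not from the original post), the following script audits the same AdminPropertyPages entries with the ActiveDirectory module across every language container under CN=DisplaySpecifiers and, only with -Fix, appends the missing page. The CLSID is the one from the post; the choice of specifiers to check is mine, and appending at the next free position (the post uses the fixed positions 11 and 12) is an assumption about the "position,CLSID" format.

```powershell
# Added example, not from the original post: audit (and with -Fix repair) the Attribute
# Editor entry in AdminPropertyPages across all language containers.
# CLSID as given in the post; specifier list, -Fix switch and next-free position are mine.
param(
    [string[]]$Specifier = @('user-Display', 'computer-Display', 'organizationalUnit-Display'),
    [switch]$Fix
)

$attrEditorClsid = '{c7436f12-a27f-4cab-aaca-2bd27ed1b773}'
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=DisplaySpecifiers,$configNC"

# One LDAP filter for all requested specifiers in every CN=<language code> container
$cnFilter = ($Specifier | ForEach-Object { "(cn=$_)" }) -join ''
$specs = Get-ADObject -SearchBase $base -SearchScope Subtree `
    -LDAPFilter "(&(objectClass=displaySpecifier)(|$cnFilter))" -Properties adminPropertyPages

foreach ($s in $specs) {
    # DN is CN=<name>-Display,CN=<language code>,CN=DisplaySpecifiers,...
    $lang    = (($s.DistinguishedName -split ',')[1]) -replace '^CN=', ''
    $pages   = @($s.adminPropertyPages)
    $present = $pages | Where-Object { $_ -like "*$attrEditorClsid*" }

    $result = [pscustomobject]@{
        Language           = $lang
        Specifier          = $s.Name
        HasAttributeEditor = [bool]$present
        Action             = 'none'
    }

    if (-not $present -and $Fix) {
        # Values are "<position>,<CLSID>"; append after the highest existing position
        # (assumption: any higher position works; the post uses 11 for user-Display, 12 for others)
        $positions = $pages | ForEach-Object { [int](($_ -split ',')[0]) }
        $next = if ($positions) { ($positions | Measure-Object -Maximum).Maximum + 1 } else { 1 }
        Set-ADObject -Identity $s.DistinguishedName -Add @{ adminPropertyPages = "$next,$attrEditorClsid" }
        $result.Action = "added $next,$attrEditorClsid"
    }
    $result
}
```

Run it without -Fix first; a specifier that is missing the entry only in one language container points at the language pack or forest update that went wrong, which is worth knowing before you change the configuration partition.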
<br />Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-6896098164742800162019-11-12T21:22:00.000+01:002019-11-12T21:23:56.962+01:00Get all DFS Folder targets of a DFS pathFind attached the script to get the DFS folder targets. The targets will be saved to c:\temp\DFSFolderTargets.csv. Just change the variable $DFSPath = "\\Domainfqdn\Folder\*" to your DFS path.<br />
<br />
$DFSPath = "\\Domainfqdn\Folder\*"<br />
$DFSPath<br />
$DFSNFolders = Get-DfsnFolder $DFSPath<br />
foreach($DFSNFolder in $DFSNFolders )<br />
{<br />
$DFSTarget = Get-DfsnFolderTarget $DFSNFolder.Path | Select Path,TargetPath<br />
$DFSTarget | Export-Csv "c:\temp\DFSFolderTargets.csv" -NoTypeInformation -Append<br />
}Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-86437927945456777642019-11-11T17:09:00.000+01:002019-11-12T10:43:34.277+01:00Convert certificates like pfx,cer or p7b to pem using opensslpfx to pem<br />
openssl pkcs12 -in cert.pfx -out cert.pem -nodes<br />
<br />
cer to pem<br />
openssl x509 -inform der -in cert.cer -out cert.pem<br />
<br />
p7b to pem<br />
openssl pkcs7 -in cert.p7b -inform DER -print_certs -out cert.pemTimhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-56987587593600521452019-10-30T11:48:00.000+01:002019-10-30T11:49:38.432+01:00Hunting bad LDAP queries on your DCThis is a quick guide to find bad LDAP queries running against your Domain Controller.<br />
<br />
To get the needed events on your DC, set the following registry values using PowerShell (the thresholds are REG_DWORD values, so create them with -Type DWord):<br />
<br />
<i>Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Diagnostics' -Name '15 Field Engineering' -Value 5 -Type DWord</i><br />
<i>Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Expensive Search Results Threshold' -Value 0 -Type DWord</i><br />
<i>Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Inefficient Search Results Threshold' -Value 0 -Type DWord</i><br />
<i>Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Search Time Threshold (msecs)' -Value 120 -Type DWord</i><br />
<br />
Your DC is now logging event 1644 with information about the LDAP queries.<br />
<br />
With these settings, any LDAP query that takes longer than 120 ms (Search Time Threshold (msecs)) will be logged.<br />
<br />
The log level is set to 5 ('15 Field Engineering' -Value 5), which means all events are logged, including debug strings and configuration changes; a complete log of the service is recorded.<br />
<br />
Expensive LDAP searches are those that visit a large number of entries. The default threshold for an expensive search is 10000 visited entries; it is set with the Expensive Search Results Threshold registry value, and here we set it to 0 to get all queries.<br />
<br />
Inefficient searches are those that return less than 10% of the visited entries. The default visited-entries threshold for an inefficient query is 1000, which means a query that visits fewer than 1000 entries is not considered inefficient even if it returns no entry at all. So we set Inefficient Search Results Threshold to 0 to get all queries.<br />
<br />
Now you can open the Event Viewer, go to the Directory Service log and, depending on the number of "bad" LDAP queries, you will see a lot of 1644 events. In these events you get information such as User, Filter, Client and the attributes preventing optimization. With these values you can identify the source and fix it.<br />
<br />
<br />
Find attached an example event:<br />
<br />
<span style="font-size: x-small;">Internal event: A client issued a search operation with the following options. </span><br />
<span style="font-size: x-small;">Client:</span><br />
<span style="font-size: x-small;">10.10.10.10:54601 </span><br />
<span style="font-size: x-small;">Starting node:</span><br />
<span style="font-size: x-small;">dc=domain,dc=int</span><br />
<span style="font-size: x-small;">Filter:</span><br />
<span style="font-size: x-small;">( | (uid=Jon.Doe) (sAMAccountName=Jon.Doe) ) </span><br />
<span style="font-size: x-small;">Search scope:</span><br />
<span style="font-size: x-small;">subtree </span><br />
<span style="font-size: x-small;">Attribute selection:</span><br />
<span style="font-size: x-small;">uid,sAMAccountName </span><br />
<span style="font-size: x-small;">Server controls:</span><br />
<span style="font-size: x-small;">Visited entries:</span><br />
<span style="font-size: x-small;">359807 </span><br />
<span style="font-size: x-small;">Returned entries:</span><br />
<span style="font-size: x-small;">1 </span><br />
<span style="font-size: x-small;">Used indexes:</span><br />
<span style="font-size: x-small;">DNT_index:662818:N; </span><br />
<span style="font-size: x-small;">Pages referenced:</span><br />
<span style="font-size: x-small;">2945008 </span><br />
<span style="font-size: x-small;">Pages read from disk:</span><br />
<span style="font-size: x-small;">0 </span><br />
<span style="font-size: x-small;">Pages preread from disk:</span><br />
<span style="font-size: x-small;">0 </span><br />
<span style="font-size: x-small;">Clean pages modified:</span><br />
<span style="font-size: x-small;">0 </span><br />
<span style="font-size: x-small;">Dirty pages modified:</span><br />
<span style="font-size: x-small;">0 </span><br />
<span style="font-size: x-small;">Search time (ms):</span><br />
<span style="font-size: x-small;">4111</span><br />
<span style="font-size: x-small;">Attributes Preventing Optimization:</span><br />
<span style="font-size: x-small;">uid </span><br />
<span style="font-size: x-small;">User:</span><br />
<span style="font-size: x-small;">domain\serviceaccount.1</span><br />
<br />
In this case you can contact the admin responsible for client 10.10.10.10 and have the query modified to use a better filter. For example, if you don't use the uid attribute in AD, you can remove it from the LDAP query and just search for the sAMAccountName.<br />
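Reading 1644 events one by one in Event Viewer does not scale once the thresholds are at 0. The following script is an added example, not from the original post: it parses the label/value layout of the 1644 message shown above into objects (visited vs. returned entries, search time, the attribute preventing optimization) and ranks the clients that cost the most search time. The embedded sample is constructed from the post's example event; the log name 'Directory Service', the 24 h window and the top-20 cut are my assumptions.

```powershell
# Added example, not from the original post: parse event 1644 messages and rank the
# client/user pairs that cause the most expensive searches.
# Assumptions (mine): log name 'Directory Service', 24 h window, top 20 rows.

function ConvertFrom-Ldap1644Message {
    param([Parameter(Mandatory)][string]$Message)

    # The message is a list of "Label:" lines, each followed by its value on the next line.
    # A label whose next line is another label (e.g. "Server controls:") has an empty value.
    $lines  = $Message -split "`r?`n" | ForEach-Object { $_.Trim() }
    $fields = @{}
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^(?<label>[A-Za-z ()]+):$') {
            $label = $Matches.label
            $value = if ($i + 1 -lt $lines.Count -and $lines[$i + 1] -notmatch ':$') { $lines[$i + 1] } else { '' }
            $fields[$label] = $value
        }
    }
    $visited  = [int64]($fields['Visited entries'])
    $returned = [int64]($fields['Returned entries'])
    [pscustomobject]@{
        Client       = $fields['Client']
        User         = $fields['User']
        StartingNode = $fields['Starting node']
        Filter       = $fields['Filter']
        Scope        = $fields['Search scope']
        Visited      = $visited
        Returned     = $returned
        # share of visited entries that were returned; close to 0 means an inefficient search
        Efficiency   = if ($visited) { [math]::Round($returned / $visited, 4) } else { $null }
        SearchTimeMs = [int]($fields['Search time (ms)'])
        NonIndexed   = $fields['Attributes Preventing Optimization']
    }
}

# Constructed sample, taken from the event shown in the post
$sample = @'
Internal event: A client issued a search operation with the following options.
Client:
10.10.10.10:54601
Starting node:
dc=domain,dc=int
Filter:
( | (uid=Jon.Doe) (sAMAccountName=Jon.Doe) )
Search scope:
subtree
Attribute selection:
uid,sAMAccountName
Server controls:
Visited entries:
359807
Returned entries:
1
Used indexes:
DNT_index:662818:N;
Search time (ms):
4111
Attributes Preventing Optimization:
uid
User:
domain\serviceaccount.1
'@
ConvertFrom-Ldap1644Message $sample | Format-List

# Live use on a DC: last 24 h of 1644 events, grouped by client, user and offending attribute
$filter = @{ LogName = 'Directory Service'; Id = 1644; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-Ldap1644Message $_.Message } |
    Group-Object Client, User, NonIndexed |
    ForEach-Object {
        [pscustomobject]@{
            Client      = $_.Group[0].Client
            User        = $_.Group[0].User
            NonIndexed  = $_.Group[0].NonIndexed
            Queries     = $_.Count
            TotalTimeMs = ($_.Group | Measure-Object SearchTimeMs -Sum).Sum
            MaxVisited  = ($_.Group | Measure-Object Visited -Maximum).Maximum
        }
    } | Sort-Object TotalTimeMs -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

For the sample event the parser yields Visited 359807, Returned 1 and an Efficiency of 0 at four decimals, with uid as the non-indexed attribute, which is exactly the case the post describes; the grouped table tells you which client to contact first, and the NonIndexed column tells you which attribute to drop from the filter or to index.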
<br />
If you have enough logs collected, you can revert your changes using the following commands:<br />
<br />
<i>Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Diagnostics' -Name '15 Field Engineering' -Value "0"</i><br />
<i>Remove-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Expensive Search Results Threshold'</i><br />
<i>Remove-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Inefficient Search Results Threshold'</i><br />
<i>Remove-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Search Time Threshold (msecs)'</i><br />
<br />Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com1tag:blogger.com,1999:blog-2860296422700990314.post-78682301062427617202019-10-24T07:56:00.000+02:002019-10-24T07:56:11.466+02:00PowerShell Get a list of IPs from DNS NamesRequirements:<br />
<br />
You need a file C:\temp\server.csv that contains one host name per line:<br />
<br />
server1<br />
server2<br />
server3<br />
server4<br />
<br />
And here is the script to resolve all IPs:<br />
<br />
$names = Get-Content C:\temp\server.csv<br />
foreach ($name in $names) {<br />
try {<br />
$ips = [System.Net.Dns]::GetHostAddresses($name) | Select-Object -ExpandProperty IPAddressToString<br />
[pscustomobject]@{ Name = $name; IPAddress = ($ips -join ', ') }<br />
} catch {<br />
# names that do not resolve are reported instead of aborting the loop<br />
[pscustomobject]@{ Name = $name; IPAddress = "unresolved: $($_.Exception.Message)" }<br />
}<br />
}Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com0tag:blogger.com,1999:blog-2860296422700990314.post-58321315597998702192019-07-04T08:47:00.002+02:002019-07-04T08:47:35.495+02:00Get and copy LAPS generated Admin password to clipboardJust a PowerShell script to get and copy the LAPS generated admin password to your clipboard<br />
<br />
<a href="https://gallery.technet.microsoft.com/Get-and-copy-LAPS-0a9bb700" target="_blank">Check it out on TechNet</a>Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com3tag:blogger.com,1999:blog-2860296422700990314.post-28551772166859065352019-05-14T08:53:00.002+02:002019-05-14T08:53:53.156+02:00PowerShell 7 coming soon<span style="font-family: inherit;">In the following post Steve Lee explaining why Powershell 7 and not 6.3.</span><br />
<a href="https://devblogs.microsoft.com/powershell/the-next-release-of-powershell-powershell-7/">https://devblogs.microsoft.com/powershell/the-next-release-of-powershell-powershell-7/</a><br />
<br />
They will remove Core from the name. It makes sense when you look at .NET Core 3.0, which will be used for PS 7: it should have all the underlying APIs and high compatibility with Windows PowerShell 5.1, so you don't have to struggle with compatibility issues as in previous PS Core versions. Sounds like it will be the perfect mix of Windows PowerShell and PowerShell Core.<br />
<br />
Microsoft said that PowerShell 7 should be available May 2019!Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com11tag:blogger.com,1999:blog-2860296422700990314.post-64915162087023955072019-02-19T09:38:00.002+01:002019-02-19T09:41:15.134+01:00Attribute Editor tab missing in Active Directory Users and Computers search<br />
<div class="MsoNormal">
<b>Problem:</b></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">If you search for a user account, you don't see the Attribute Editor tab in the properties of the user account.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">First, "Advanced Features" has to be activated in the "Active Directory Users and Computers" console. Just select <i style="mso-bidi-font-style: normal;">View</i> and click on <i style="mso-bidi-font-style: normal;">Advanced Features</i>.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">Using a LDAP Query:</span></b><br />
<br />
<ul>
<li>Right-click Saved Queries and click the New Query option</li>
<li>Type in a name for your saved query, such as "Search SamAccount"</li>
<li>Click the Define Query button</li>
<li>Under the Find drop-down list, select Custom Search</li>
<li>Click the Advanced tab</li>
<li>Type in your query</li>
<li>(objectcategory=person)(samaccountname=*tim.buntrock*)</li>
</ul>
<br />
<span style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">Using the group trick:<o:p></o:p></span></b><br />
<br />
<ul>
<li>Search for a user</li>
<li>Click on the Member Of tab</li>
<li>Open one of the user's groups</li>
<li>Close the user properties dialog</li>
<li>Search for the user in the group's Members tab and double-click him</li>
<li>Now you should see the Attribute Editor tab</li>
</ul>
<br />
<span style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">Using Active Directory Administrative Center instead of ADUC<o:p></o:p></span></b></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">If you are using the
AD Administrative Center you can directly access the Attribute Editor after a
search.<o:p></o:p></span></div>
<br />Timhttp://www.blogger.com/profile/16514083143506680541noreply@blogger.com1