Active Directory accounts – Security Auditing (The very basics – part 1)

Dear reader,

 

How many times have you been confronted with bad passwords, and accounts set to never expire?

How many times you were asked to audit and Active Directory of a client ora new organization you just joined?

How about users that “forgot” they changed their own password?

 

Well fear no more, this post is for you!

Open your PowerShell and let’s get started.

 

Scenario 1 – “I can’t login! My password isn’t working!”

 

For this scenario be prepared to quick draw your PowerShell Fu and type the following command:

Get-ADUser -identity username -properties PasswordLastSet, PasswordExpired

 

This will quickly tell you if the password is expired or if it was recently changed and forgotten!

 

Scenario 2 – (Angry Boss/Security guy) Why is this user account password not expiring? How many of these exist?

 

This is usually B A D!

But worry not. hopefully you are proactively workign on this (if your not, get on it) and you have at hand the latest list, obtained with:

Get-ADUser -Filter * -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires | Sort-Object Name | Select-Object Name, PasswordLastSet, PasswordExpired, PasswordNeverExpires | Export-Csv -Path <LocalPath><filename>.csv

 

And you are done. With this list, you can identify all users with passwords not expiring and with the added bonus of understanding if the current passwords are expired or not.

(Pro Tip: Why the PasswordExpired and PasswordLastSet? Well, as soon as you start updating the PasswordNeverExpires to False, users will start being asked to change their passwords, and that can cause a lot of havoc. Those two fields will help with the correction plan for all those accounts.)

 

And there you have it. You can start owning your Active Directory.

Find Zombie computers in Active Directory

I’ve been trying out some things with Powershell and wanted to share this.

Active Directory is a great thing, but more often than we like to admit, it tends to become … messy.

So as a small cleanup exercise, here’s how you’d find “zombie” computers in Active  Directory using PowerShell:

Get-ADComputer -filter * -properties * | Where-Object {$_.whenChanged -lt $((Get-Date).AddDays(-180))} | Select-Object CN, whenChanged

 

There you go. After this you’ll have a very nice list of computers that have not contacted Active Directory domain in 180 days or more.

 

Happy cleaning!

Shortcut to Mail is broken in Control Panel

Hello everyone,
Some time ago I had a problem with a user’s Outlook profile not opening. So as usual, I went straight to Control Panel to troubleshoot the e-mail profile, but to my surprise the shortcut to Mail 32 Bits was not functioning.
After searching around for a while, I found a workaround that didn’t require to rebuild the user’s profile.
And the workaround is:
Create a  shortcut for “C:Program Files (x86)Microsoft OfficeOffice14MLCFG32.CPL”
Or
 
Go to Start -> Run and type Control MLCFG32.CPL or Control MLCFG64.CPL – if 32 or 64 bits.
And that is it, the Mail console we all know is available again.
Just a couple of notes on this.
1. If you use the shortcut version of the workaround, the path might vary depending on your Office version and installation path.
2. This is a workaround. It will not solve the issue with the user profile, but might give you some more time to plan.
Happy troubleshooting.

Get ID from user and group in Linux

Hi everyone,

Sometimes it handy to deal with id’s instead of actual names. It makes your commands shorter.
So if you ever need to get the id’s of one user or a group in Linux, here’s the commands to run:

– id -u USERNAME – will give you the USERNAME ID;
– id -a USERNAME – will give, not only the ID of the user, but also all the groups the user is part of;
– id -g USERNAME – will give the ID of the user’s primary group;
– id -G USERNAME – will give you the ID of all groups the user is a member of;

If you just want to know the id of a group, the just run:

cat /etc/group | grep GROUPNAME

The third item of the colon(:) separated string is the group ID.

And there you have it.
Now you can find out every user and group ID’s.

Enjoy.

Unmount busy drives

For anyone that has CIFS Shares mounted in a Linux machine, sooner or later you will get the an error saying that you cannot unmount a drive because it is busy.
So how do we find out what process is keeping that drive busy?
Simple. Just type on the console or X terminal:

lsof +D /path/to/mountpoint

This command returns the command and process ID of any tasks currently accessing the mount point, and you kill the process.

Mounting CIFS Share with specific user and group in Linux

Working with Linux in a Microsoft environment is not always easy.
Even a simple share can be tricky. Luckily, there’s always a solution with Linux.

In the scenario where a Windows Share is needed, running “mount” with CIFS is no surprise, however, if the Linux mount point has to be made available for a specific user, then, it’s necessary to pass the option for the local user and group of the mount point being created.

Ex.: (as root or sudo) mount -t cifs -v //IP_or_DNS_name/Share_Name /mnt/Local_Folder -o user=ShareAuthUser,pass=ShareAuthUserPW,domain=ShareAuthUserDomainOrLocalMaShareMachine,uid=LinuxUID,gid=LinuxGID

Using the above command will mount under /mnt/Local_Folder the CIFS share, but will do it making the Linux user an group owner of that mount point.

This is very usefull when you need to backup Linux files or databases (that only a service user can access) but the backup server is Windows based. So one makes a backup to a folder, that happens to be a CIFS share and the Windows machine can backup that folder.

Hope it helps.

Windows 8 – Change default programs

Hi there.

Have your new Windows installed, but you want to customize the behavior of the OS.

Let’s say you don’t want the Metro style apps to open you pictures.

So just open your metro style start menu or press WIN+W and type default. You should see the “Default Programs” app.

Open it and edit your defaults.

 

In case you are wondering … Yes you could just get here through the control panel. I just find this way faster.

 

Enjoy.

Windows 8 and Windows Server 2012 – Problems with activation

The new versions of Windows are out, and with them come a whole new set of little challenges.

So let’s start from the beginning.

You just installed your new OS and you get a DNS error when trying to activate it.

Well, here’s how you go about it.

 

Open a command line with Administrative privileges and type:

slmgr.vbs /ipk followed by your serial key. Press enter and there you have it. A brand new activated Windows.

Enjoy.

How do I find out what are my drive letters in Windows Core?

So you just installed you Windows Server Core and you want to identify your disk drives. Or maybe you’ve plugged a USB disk to copy some files and you don’t know the drive letter.

Since there is no explorer in Server Core you will have to use diskpart. Diskpart is a utility to manage disk drives and has been available since Windows Vista and replaced the old fdisk. You’ve surely used diskpart in it’s GUI version of Disk Management, so now you just have to get used to it in a command line.

So to find out your disk drive letter in Windows Server Core just type diskpart and then list volume. This will give a list of disks and their drive letters.

 

 

To leave diskpart just type exit. If you want to discover more about diskpart type help.

 

Software installation asks for reboot even after reboot

Sometimes you’re installing a software and you get an error stating that you need to reboot before installing.

So far, so good, but, occasionally you get that error again after the reboot. In that case, follow this procedure:

  1. Open Regedit
  2. Find the key “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession Manager”
  3. Rename the “PendingFileRenameOperations” value to “PendingFileRenameOperations2”
  4. Try again.