Archive for the ‘Active Directory’ Category

Export AD Users Password Expiration Report to CSV with PowerShell from Domain controller

July 29, 2015

This post describes how to export the password expiry date of all Active Directory users to CSV format using Windows PowerShell.

Step 1: Copy the PowerShell script below into Notepad and save it with the name ADusersexpiryreport.ps1

Import-Module ActiveDirectory
# Enabled accounts whose passwords are subject to expiry
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","mail","pwdLastSet","msDS-UserPasswordExpiryTimeComputed" |
# Convert the two FILETIME attributes to readable dates
Select-Object -Property "SamAccountName","mail",
    @{Name="Password Last Set"; Expression={[datetime]::FromFileTime($_."pwdLastSet")}},
    @{Name="Password Expiry Date"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
Export-Csv "C:\PasswordExpirationReport.csv" -NoTypeInformation -Encoding UTF8

Step 2: Log in to a domain controller and open Windows PowerShell as an administrator.

Step 3: Run the script. The result will be saved to the C: drive.

Categories: Active Directory

How to disable SMB/NETBIOS NULL Session on domain controllers

July 29, 2015

Applies to: Windows 2008, Windows 2008 R2 and Windows 2012/R2

By default, null sessions (unauthenticated connections) are enabled on Windows 2000 and 2003 servers. As a result, anyone can use these null connections to enumerate potentially sensitive information from the servers. Null sessions are disabled on fresh installations of Windows 2008 and earlier versions.

This post explains the steps for disabling SMB/NetBIOS null sessions on domain controllers using Group Policy.

Step 1: Apply the group policy settings below to the Default Domain Controllers policy object or to the GPO that is applied to your domain controllers.

Edit the GPO and go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

Enable:
Network access: Restrict Anonymous access to Named Pipes and Shares
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Shares that can be accessed anonymously
Disable:
Network access: Let Everyone permissions apply to anonymous users
Network access: Allow anonymous SID/Name translation

Step 2: Update the registry values to restrict null sessions as below:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa:
RestrictAnonymous = 1
RestrictAnonymousSAM = 1
EveryoneIncludesAnonymous = 0
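
One way to confirm that the three Lsa values from Step 2 are in effect on every domain controller, as an added example that is not part of the original post. It assumes the ActiveDirectory module and PowerShell remoting to each DC; the function name Test-NullSessionSettings is hypothetical.

```powershell
Import-Module ActiveDirectory

# Expected values from Step 2 (HKLM\SYSTEM\CurrentControlSet\Control\Lsa)
$expected = @{
    RestrictAnonymous         = 1
    RestrictAnonymousSAM      = 1
    EveryoneIncludesAnonymous = 0
}

function Test-NullSessionSettings {       # hypothetical helper name
    param([string[]]$ComputerName, [hashtable]$Expected)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $Expected -ScriptBlock {
        param($Expected)
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        foreach ($name in $Expected.Keys) {
            $actual = $lsa.$name          # $null when the value does not exist
            New-Object PSObject -Property @{
                Computer  = $env:COMPUTERNAME
                Setting   = $name
                Expected  = $Expected[$name]
                Actual    = $actual
                # A missing value is reported as non-compliant so that it gets reviewed
                Compliant = ($null -ne $actual -and $actual -eq $Expected[$name])
            }
        }
    }
}

# Audit every domain controller and list only the deviations
$dcs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }
Test-NullSessionSettings -ComputerName $dcs -Expected $expected |
    Where-Object { -not $_.Compliant } |
    Select-Object Computer, Setting, Expected, Actual |
    Format-Table -AutoSize
```

An empty result means every reachable domain controller carries the values listed in Step 2.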

Categories: Active Directory

Step by Step FRS to DFSR Migration guide in three steps

August 5, 2014

Overview

The File Replication Service (FRS) is used for replicating the contents of the SYSVOL share between Windows domain controllers. Windows 2000 Server and Windows Server 2003 use FRS to replicate SYSVOL, whereas Windows Server 2008 uses the newer DFS Replication service in domains that use the Windows Server 2008 domain functional level or higher, and FRS in domains that run older domain functional levels.

Let’s quickly review the prerequisites and then the migration in three steps.

Prerequisites

  • Healthy Active Directory services.
  • Active Directory replication between domain controllers must be operational.
  • The domain functional level must be Windows Server 2008 or higher.
  • It is preferred to do the migration on the PDC Emulator, as it is the authority on SYSVOL.

There are four stable states in the SYSVOL migration to DFSR: Start, Prepared, Redirected and Eliminated.

Let’s start the migration of SYSVOL replication from FRS to DFSR in three steps.

Step I (Migrating to the ‘PREPARED’ state)

Note:

The Start state is already applied when the Prepared state is applied.

Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state.

Waiting for all domain controllers to reach the Prepared state, which you can verify by running the dfsrmig /GetMigrationState command

Verifying that migration to the Prepared state succeeded.

Step II (Migrating to the ‘REDIRECTED’ state)

Verifying that migration has reached the Prepared state on all domain controllers and that the domain is prepared to migrate to the Redirected state.

Running the dfsrmig /SetGlobalState 2 command on the PDC emulator to start the migration to the Redirected state.

Waiting for all domain controllers to reach the Redirected state, which you can verify by running the dfsrmig /GetMigrationState command.

Verifying that migration to the Redirected state succeeded.

Step III (Migrating to the ‘ELIMINATED’ state)

Verifying that migration has consistently reached the Redirected state on all domain controllers and that the domain is prepared to migrate to the Eliminated state.
You cannot reverse migration after migration reaches the Eliminated state. Therefore, you should make sure that all domain controllers have migrated to the Redirected state and that the DFS replication service can handle SYSVOL replication correctly before you begin the migration to the Eliminated state.

Running the dfsrmig /SetGlobalState 3 command on the PDC emulator to start the migration to the Eliminated state.

Waiting for all domain controllers to reach the Eliminated state, which you can verify by running the dfsrmig /GetMigrationState command.

Verifying that migration to the Eliminated state succeeded.

Make sure that the FRS service on the domain controllers is stopped and that its startup type is disabled.

Done, migration has been completed successfully.
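
A post-migration check for the final step, as an added example that is not part of the original post: it confirms on each domain controller that FRS is stopped and disabled, that DFS Replication is running, and that the SYSVOL share is served from the DFSR copy. It assumes the ActiveDirectory module and remote WMI access to each DC; Get-RemoteService is a hypothetical helper name, and SYSVOL_DFSR is the default folder name used by the migration.

```powershell
Import-Module ActiveDirectory

# Query one service on a remote DC via WMI (works on PowerShell 2.0 and later)
function Get-RemoteService($Computer, $Name) {    # hypothetical helper name
    Get-WmiObject -Class Win32_Service -Filter "Name='$Name'" -ComputerName $Computer -ErrorAction Stop
}

$dcs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

$report = foreach ($dc in $dcs) {
    $row = @{ DomainController = $dc; FrsState = $null; FrsStartMode = $null
              DfsrState = $null; SysvolPath = $null; Ok = $false; Error = $null }
    try {
        $frs   = Get-RemoteService $dc 'NtFrs'    # File Replication Service
        $dfsr  = Get-RemoteService $dc 'DFSR'     # DFS Replication service
        $share = Get-WmiObject -Class Win32_Share -Filter "Name='SYSVOL'" -ComputerName $dc -ErrorAction Stop

        $row.FrsState     = $frs.State
        $row.FrsStartMode = $frs.StartMode
        $row.DfsrState    = $dfsr.State
        $row.SysvolPath   = $share.Path
        # Healthy end state: FRS stopped and disabled, DFSR running, and the SYSVOL
        # share pointing at the DFSR copy (folder named SYSVOL_DFSR by default)
        $row.Ok = ($frs.State -eq 'Stopped') -and ($frs.StartMode -eq 'Disabled') -and
                  ($dfsr.State -eq 'Running') -and ($share.Path -like '*SYSVOL_DFSR*')
    } catch {
        $row.Error = $_.Exception.Message         # unreachable DC or WMI access denied
    }
    New-Object PSObject -Property $row
}

# Domain controllers that fail the check sort to the top
$report | Sort-Object Ok, DomainController |
    Format-Table DomainController, FrsState, FrsStartMode, DfsrState, SysvolPath, Ok, Error -AutoSize
```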

Additional references

Migration Guide: http://www.microsoft.com/en-us/download/details.aspx?id=4843

Internet explorer maintenance gpo missing in windows 2008 r2 Domain controllers

June 22, 2014

Issue

The “Internet Explorer Maintenance” container is missing in the domain controller GPO. By default it exists under GPO > User Configuration > Policies > Windows Settings.

Scenario

“Internet Explorer Maintenance” is removed from GPMC when IE is upgraded to version 10 or higher.

Resolution

Log in to any Windows 2008 R2 member server where the IE version is lower than 10. Then install GPMC by adding the Group Policy Management feature. Internet Explorer Maintenance is now restored and its settings can be edited.

Categories: Active Directory

The encryption type requested is not supported by the KDC

April 6, 2014

Issue

The error ‘An Authentication Error Has Occurred. The encryption type requested is not supported by the KDC’ appears when connecting over RDP to Windows servers.

Resolution

Restart the KDC (Kerberos Key Distribution Center) service on your domain controllers. The issue occurred after raising the functional level from Windows 2003 to Windows R2. It was resolved after restarting the KDC service on the domain controllers.

Categories: Active Directory

SMB Signing is disabled or enabled?

March 8, 2014

This post describes the recommended SMB protocol signing behavior in domain networks.

What is the SMB protocol?

SMB is the resource sharing protocol that is supported by many Windows operating systems. The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The SMB protocol can be used on top of TCP/IP or other network protocols. Using the SMB protocol, an application (or the user of an application) can access files or other resources at a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.

What is the SMB signing feature?

SMB Signing is a feature through which communications using SMB can be digitally signed at the packet level. Digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering of packets and “man in the middle” attacks.

Is disabled SMB signing a risk?

Yes. Attackers can potentially intercept unsigned SMB packets, modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data.

Recommended SMB signing configuration

SMB signing configuration can be changed through Group Policy. Set the GPO as follows:

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options

Disable Microsoft Network Client: Digitally Sign Communications (Always).

Disable Microsoft Network Server: Digitally Sign Communications (Always).

Enable Microsoft Network Client: Digitally Sign Communications (If Server Agrees).

Enable Microsoft Network Server: Digitally Sign Communications (If Client Agrees).
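
How the four settings above combine when a client and a server negotiate a session, as an added example that is not part of the original post. The function names are hypothetical; the registry value names are the standard ones behind these policies. SMB1 signs when both sides are at least enabled, while SMB2 and later sign only when one side requires it.

```powershell
# Signing outcome for one client/server pair.
# Each side is 'Disabled', 'Enabled' (sign if the peer agrees) or 'Required' (always).
function Get-SmbSigningOutcome {          # hypothetical helper name
    param(
        [ValidateSet('Disabled','Enabled','Required')][string]$Client,
        [ValidateSet('Disabled','Enabled','Required')][string]$Server,
        [ValidateSet('SMB1','SMB2+')][string]$Dialect
    )
    $required = ($Client -eq 'Required') -or ($Server -eq 'Required')
    if ($Dialect -eq 'SMB2+') {
        # SMB2 and later ignore the "if agrees" settings: signed only when a side requires it
        if ($required) { return 'Signed' } else { return 'Not signed' }
    }
    $disabled = ($Client -eq 'Disabled') -or ($Server -eq 'Disabled')
    if ($required -and $disabled) { return 'Connection fails' }
    if ($disabled)                { return 'Not signed' }
    return 'Signed'                       # SMB1 with both sides at least Enabled
}

# Translate the two registry values behind the GPO settings into one state.
function Get-SmbSigningState {            # hypothetical helper name
    param([ValidateSet('LanmanServer','LanmanWorkstation')][string]$Service)
    $p = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$Service\Parameters"
    if ($p.RequireSecuritySignature -eq 1) { 'Required' }
    elseif ($p.EnableSecuritySignature -eq 1) { 'Enabled' }
    else { 'Disabled' }
}

# Effective state of this machine after the GPO has applied
$server = Get-SmbSigningState -Service LanmanServer
$client = Get-SmbSigningState -Service LanmanWorkstation
"Local server side: $server, local client side: $client"

# Outcome for the combination listed above ("always" off, "if agrees" on, both sides)
foreach ($d in 'SMB1','SMB2+') {
    "{0}: {1}" -f $d, (Get-SmbSigningOutcome -Client Enabled -Server Enabled -Dialect $d)
}
```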

Additional Information

Overview of Server Message Block signing

http://support.microsoft.com/kb/887429/en-us

The Basics of SMB Signing (covering both SMB1 and SMB2)

http://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx

Microsoft network server: Digitally sign communications (always)

http://technet.microsoft.com/en-us/library/jj852239.aspx

Microsoft network client: Digitally sign communications (always)

http://technet.microsoft.com/en-us/library/jj852186.aspx

Different GPO’s for Domain Controllers OU

October 22, 2013

This article describes how to create a separate GPO for a specific domain controller or a group of domain controllers. For example, in some scenarios certain policies from the Default Domain Controllers group policy must be excluded for a specific domain controller or a group of domain controllers. To achieve this goal, we can use the built-in “security filter” in GPMC. Please follow the steps below.

Step 1: Open GPMC and create a GPO with the desired policies.

Step 2: Link the GPO to the “Domain Controllers” OU.

Step 3: Click the GPO in the left pane and edit security filtering in the right pane. Remove “Authenticated Users”, click “Add”, type the desired DC name, click “Check Names”, then click “OK”.
NOTE: The Authenticated Users group includes both users and computers, so it needs to be removed.

Then set a high priority for this GPO so that it overwrites the settings coming from the Default Domain Controllers GPO.
The new GPO will then be applied to the specific DC only.

The following articles explain security filtering in GPMC:

http://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc779291(v=ws.10).aspx
