Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

(2014-09-17) Finding Conflicting Objects In Your AD

Posted by Jorge on 2014-09-17


You might have seen it in your own AD or in somebody else’s AD, conflicting/duplicate objects. Those objects are exactly same objects that were created on different RWDCs at nearly the same time. After replication kicks and those conflicting/duplicate objects replicate to other RWDCs, AD replication needs to apply its own conflict resolution mechanism to ensure every object is and remains unique.

So, let’s say you create the object "CN=TestObject,OU=MyOU,DC=DOMAIN,DC=COM" on 2 different RWDCs at (nearly) the same time. After AD replication has converged you will see the following objects:

  1. "CN=TestObjectACNF:4862d44c-76ab-41b7-bac8-8682900e661b,OU=MyOU,DC=DOMAIN,DC=COM"
  2. "CN=TestObject,OU=MyOU,DC=DOMAIN,DC=COM"

-

[1] is the first created object and [2] was the last created object. The last object created is always the one that does not have ACNF:<objectGUID> in its CN/RDN. AD puts ACNF:<objectGUID> in the CN/RDN telling us it is a CONflict object and making sure it is unique in the container where also the other object is in.

-

The following PowerShell script helps you finding these objects in your AD forest. Based upon the information of the objects you need to determine yourself which of the two objects should be removed and which one can remain in AD.

-

# Clear The Screen Clear-Host # Checking Number Of Arguments $numArgs = $args.count $arg0 = $args[0] # Discovering A GC Retrieving Its DNS HostName $dnsHostNameGC = (Get-ADDomainController -Service GlobalCatalog -Discover:$true).HostName[0] $gcHostPort = $dnsHostNameGC + ":3268" $dsContextDC = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer",$dnsHostNameGC) $dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($dsContextDC) # General Execution Of Script If ($numArgs -eq 0) { $listOfConflictingObjects = Get-ADObject -server $gcHostPort -LDAPFilter '(name=*CNF:*)' } If ($numArgs -eq 1) { If ($arg0.ToLower() -eq "computer") { $listOfConflictingObjects = Get-ADComputer -server $gcHostPort -LDAPFilter '(name=*CNF:*)' -Properties pwdLastSet } If ($arg0.ToLower() -eq "user") { $listOfConflictingObjects = Get-ADUser -server $gcHostPort -LDAPFilter '(name=*CNF:*)' -Properties pwdLastSet } } If ($listOfConflictingObjects -ne $null) { $listOfDuplicates = @() $listOfConflictingObjects | %{ $objCNF = $_ $dnCNFobj = $objCNF.DistinguishedName $classCNFobj = $_.ObjectClass $guidCNFobj = $_.ObjectGUID If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) { $sAMAccountCNFobj = $_.SamAccountName $pwdLastSetCNFobj = $_.pwdLastSet If ($pwdLastSetCNFobj -ne $null){ $pwdLastSetCNFobj = Get-Date -Date ([DateTime]::FromFileTime([Int64]::Parse($pwdLastSetCNFobj))) -Format "yyyy-MM-dd HH:mm:ss" } Else { $pwdLastSetCNFobj = "---" } } $objCNFMetadata = $dc.GetReplicationMetadata($dnCNFobj) $objCNFOrigSrv = $objCNFMetadata | %{($_.objectclass).OriginatingServer} $objCNFOrigTime = $objCNFMetadata | %{($_.objectclass).LastOriginatingChangeTime} $dnORGobj = $dnCNFobj.Substring(0,$dnCNFobj.IndexOf("\")) + $dnCNFobj.Substring($dnCNFobj.IndexOf(",")) If ($numArgs -eq 0) { $objORG = Get-ADObject -server $gcHostPort -Identity $dnORGobj } If ($numArgs -eq 1) { If ($arg0.ToLower() -eq "computer") { $objORG = Get-ADComputer -server $gcHostPort -Identity $dnORGobj -Properties pwdLastSet } If ($arg0.ToLower() -eq "user") { $objORG = Get-ADUser -server $gcHostPort -Identity $dnORGobj -Properties pwdLastSet } } $dnORGobj = $null $classORGobj = $null $guidORGobj = $null $sAMAccountORGobj = $null $pwdLastSetORGobj = $null $objORGMetadata = $null If ($objORG -ne $null) { $dnORGobj = $objORG.DistinguishedName $classORGobj = $objORG.ObjectClass $guidORGobj = $objORG.ObjectGUID If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) { $sAMAccountORGobj = $objORG.SamAccountName $pwdLastSetORGobj = $objORG.pwdLastSet If ($pwdLastSetORGobj -ne $null){ $pwdLastSetORGobj = Get-Date -Date ([DateTime]::FromFileTime([Int64]::Parse($pwdLastSetORGobj))) -Format "yyyy-MM-dd HH:mm:ss" } Else { $pwdLastSetORGobj = "---" } } $objORGMetadata = $dc.GetReplicationMetadata($dnORGobj) $objORGOrigSrv = $objORGMetadata | %{($_.objectclass).OriginatingServer} $objORGOrigTime = $objORGMetadata | %{($_.objectclass).LastOriginatingChangeTime} } Else { $dnORGobj = "Does Not Exit" $classORGobj = "Does Not Exit" $guidORGobj = "Does Not Exit" If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) { $sAMAccountORGobj = "Does Not Exit" $pwdLastSetORGobj = "Does Not Exit" } $objORGOrigSrv = "Does Not Exit" $objORGOrigTime = "Does Not Exit" } If ($numArgs -eq 0) { $adObj = "" | Select "> > >DN (CNF)..........","objectClass (CNF)......","objectGUID (CNF).......","Originating DC (CNF)...","Originating Time (CNF).","> > >DN (ORG)..........","objectClass (ORG)......","objectGUID (ORG).......","Originating DC (ORG)...","Originating Time (ORG)." } If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) { $adObj = "" | Select "> > >DN (CNF)..........","objectClass (CNF)......","objectGUID (CNF).......","Account Name (CNF).....","PWD Last Set (CNF).....","Originating DC (CNF)...","Originating Time (CNF).","> > >DN (ORG)..........","objectClass (ORG)......","objectGUID (ORG).......","Account Name (ORG).....","PWD Last Set (ORG).....","Originating DC (ORG)...","Originating Time (ORG)." } $adObj."> > >DN (CNF).........." = $dnCNFobj $adObj."objectClass (CNF)......" = $classCNFobj $adObj."objectGUID (CNF)......." = $guidCNFobj If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) { $adObj."Account Name (CNF)....." = $sAMAccountCNFobj $adObj."PWD Last Set (CNF)....." = $pwdLastSetCNFobj } $adObj."Originating DC (CNF)..." = $objCNFOrigSrv $adObj."Originating Time (CNF)." = $objCNFOrigTime $adObj."> > >DN (ORG).........." = $dnORGobj $adObj."objectClass (ORG)......" = $classORGobj $adObj."objectGUID (ORG)......." = $guidORGobj If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) { $adObj."Account Name (ORG)....." = $sAMAccountORGobj $adObj."PWD Last Set (ORG)....." = $pwdLastSetORGobj } $adObj."Originating DC (ORG)..." = $objORGOrigSrv $adObj."Originating Time (ORG)." = $objORGOrigTime $listOfDuplicates += $adObj } Write-Host "" If ($numArgs -eq 0) { Write-Host "LIST OF DUPLICATE/CONFLICTING OBJECTS IN THE AD FOREST" -Foregroundcolor Cyan } If ($numArgs -eq 1 -And $arg0.ToLower() -eq "computer") { Write-Host "LIST OF DUPLICATE/CONFLICTING COMPUTER OBJECTS IN THE AD FOREST" -Foregroundcolor Cyan } If ($numArgs -eq 1 -And $arg0.ToLower() -eq "user") { Write-Host "LIST OF DUPLICATE/CONFLICTING USER OBJECTS IN THE AD FOREST" -Foregroundcolor Cyan } $listOfDuplicates | FL } Else { Write-Host "NO DUPLICATE/CONFLICTING OBJECTS DETECTED IN THE AD FOREST" -Foregroundcolor Green }

-

The following is an example result when executing the script as: .\Retrieve-List-Of-Conflicting-Objects.ps1

image

Figure 1: Detecting Conflicting/Duplicate Objects In The AD Forest

-

The following is an example result when executing the script as: .\Retrieve-List-Of-Conflicting-Objects.ps1 computer

image

Figure 2: Detecting Conflicting/Duplicate Computer Objects In The AD Forest

-

The following is an example result when executing the script as: .\Retrieve-List-Of-Conflicting-Objects.ps1 user

image

Figure 3: Detecting Conflicting/Duplicate User Objects In The AD Forest

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Conflicting Objects, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-16) Azure Active Directory Sync Services Has Reached General Availability

Posted by Jorge on 2014-09-16


Azure Active Directory Sync has reached general availability!

-

Features currently supported in this release:

  • Active Directory and Exchange multi-forest environments can be extended now to the cloud
  • Control over which attributes are synchronized based on desired cloud services.
  • Selection of accounts to be synchronized through domains, OUs, etc.
  • Ability to set up the connection to AD with minimal Windows Server AD privileges.
  • Setup synchronization rules by mapping attributes and controlling how the values flow to the cloud.
  • Preview AAD Premium password change and reset to AD on-premises.

-

Read all about it through the following links:

-

Use the following link to actually download it:

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Azure AD Sync, Windows Azure Active Directory | Leave a Comment »

(2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

Posted by Jorge on 2014-09-15


PowerShell Code to check if the SACL of each OU in the AD domain is in canonical order or not.

Also see this blog post.

-

# Clear The Screen Clear-Host # Get The UI Config $uiConfig = (Get-Host).UI.RawUI $uiConfig.ForegroundColor = "Yellow" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Get List Of OUs In AD Domain $listOfOUsToProcess = Get-ADOrganizationalUnit -Filter * | %{$_.DistinguishedName} # Process Each OU $OUsWithSACLInCanonicalOrder = @() $OUsWithSACLNOTInCanonicalOrder = @() $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) $aclOU = Get-Acl $ouDrivePath -Audit If ($aclOU.AreAuditRulesCanonical) { $ouObj = "" | Select "List Of OUs That DO Have The SACL In Canonical Order" $ouObj."List Of OUs That DO Have The SACL In Canonical Order" = $ou $OUsWithSACLInCanonicalOrder += $ouObj } If (!$aclOU.AreAuditRulesCanonical) { $ouObj = "" | Select "List Of OUs That DO NOT Have The SACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The SACL In Canonical Order" = $ou $OUsWithSACLNOTInCanonicalOrder += $ouObj } } $uiConfig.ForegroundColor = "Red" If ($OUsWithSACLNOTInCanonicalOrder.Count -eq 0) { $ouObj = "" | Select "List Of OUs That DO NOT Have The SACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The SACL In Canonical Order" = "+++ NONE +++" $OUsWithSACLNOTInCanonicalOrder += $ouObj } $OUsWithSACLNOTInCanonicalOrder | FT -Autosize $uiConfig.ForegroundColor = "Green" If ($OUsWithSACLInCanonicalOrder.Count -eq 0) { $ouObj = "" | Select "List Of OUs That DO Have The SACL In Canonical Order" $ouObj."List Of OUs That DO Have The SACL In Canonical Order" = "+++ NONE +++" $OUsWithSACLInCanonicalOrder += $ouObj } $OUsWithSACLInCanonicalOrder | FT -Autosize $uiConfig.ForegroundColor = "Yellow"

-

SNAGHTML322d8c92

Figure 1: Checking The Canonical Order Of The SACL On All OUs In The AD Domain Through PowerShell

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL

Posted by Jorge on 2014-09-13


PowerShell Code to check if the DACL of each OU in the AD domain is in canonical order or not.

Also see this blog post.

-

# Clear The Screen Clear-Host # Get The UI Config $uiConfig = (Get-Host).UI.RawUI $uiConfig.ForegroundColor = "Yellow" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Get List Of OUs In AD Domain $listOfOUsToProcess = Get-ADOrganizationalUnit -Filter * | %{$_.DistinguishedName} # Process Each OU $OUsWithDACLInCanonicalOrder = @() $OUsWithDACLNOTInCanonicalOrder = @() $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) $aclOU = Get-Acl $ouDrivePath If ($aclOU.AreAccessRulesCanonical) { $ouObj = "" | Select "List Of OUs That DO Have The DACL In Canonical Order" $ouObj."List Of OUs That DO Have The DACL In Canonical Order" = $ou $OUsWithDACLInCanonicalOrder += $ouObj } If (!$aclOU.AreAccessRulesCanonical) { $ouObj = "" | Select "List Of OUs That DO NOT Have The DACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The DACL In Canonical Order" = $ou $OUsWithDACLNOTInCanonicalOrder += $ouObj } } $uiConfig.ForegroundColor = "Red" If ($OUsWithDACLNOTInCanonicalOrder.Count -eq 0) { $ouObj = "" | Select "List Of OUs That DO NOT Have The DACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The DACL In Canonical Order" = "+++ NONE +++" $OUsWithDACLNOTInCanonicalOrder += $ouObj } $OUsWithDACLNOTInCanonicalOrder | FT -Autosize $uiConfig.ForegroundColor = "Green" If ($OUsWithDACLInCanonicalOrder.Count -eq 0) { $ouObj = "" | Select "List Of OUs That DO NOT Have The DACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The DACL In Canonical Order" = "+++ NONE +++" $OUsWithDACLInCanonicalOrder += $ouObj } $OUsWithDACLInCanonicalOrder | FT -Autosize $uiConfig.ForegroundColor = "Yellow"

-

SNAGHTML322b396a

Figure 1: Checking The Canonical Order Of The DACL On All OUs In The AD Domain Through PowerShell

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Delegation Of Control, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object

Posted by Jorge on 2014-09-11


PowerShell Code to remove all auditing entries from one or multiple OUs for some security principal.

Example security principal: ADCORP\MyDelegationAdminGroup

-

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING Audit Entries..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.Audit | ?{$_.IdentityReference -eq $securityPrincipalAccount} | %{ $auditRule = $_ $aclOU.RemoveAuditRule($auditRule) } $aclOU | Set-Acl $ouDrivePath }

-

image

Figure 1: SACL Before Removal

-

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

image

Figure 2: Configuring The SACL Through PowerShell

-

image

Figure 3: SACL After Removal

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object

Posted by Jorge on 2014-09-09


PowerShell Code to remove an auditing entry from one or multiple OUs for some security principal when executing some extended right (control access right) on some object.

Example object class: user

Example extended right: Reset Password

Example security principal: ADCORP\MyDelegationAdminGroup

-

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase ($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Create Hash Table With The displayName And rightsGUID Of Each Extended Right (a.k.a. Control Access Right) $mappingTable_displayName_rightsGUID = @{} Get-ADObject -SearchBase $("CN=Extended-Rights," + $rootdse.ConfigurationNamingContext) ` -LDAPFilter "(&(objectClass=controlAccessRight)(rightsguid=*))" ` -Properties displayName,rightsGuid | %{ $mappingTable_displayName_rightsGUID[$_.displayName]=[System.GUID]$_.rightsGuid } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedCAR = "Reset Password" $schemaIDGUIDScopedCAR = $mappingTable_displayName_rightsGUID[$scopedCAR] $inheritanceScope = "Descendents" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ExtendedRight" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedCAR,$inheritanceScope,$schemaIDGUIDScopedObject $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped CAR...........: $scopedCAR" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.RemoveAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

-

image

Figure 1: SACL Before Removal

-

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

image

Figure 2: Configuring The SACL Through PowerShell

-

image

Figure 3: SACL After Removal

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object

Posted by Jorge on 2014-09-07


PowerShell Code to remove a specific auditing entry from one or multiple OUs for some security principal on some object.

Example object class: user

Example permission: Read Property

Example attribute: employeeID

Example security principal: ADCORP\MyDelegationAdminGroup

-

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedAttribute = "employeeID" $schemaIDGUIDScopedAttribute = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedAttribute] $inheritanceScope = "Descendents" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ReadProperty" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedAttribute,$inheritanceScope,$schemaIDGUIDScopedObject $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped Attribute.....: $scopedAttribute" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.RemoveAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

-

image

Figure 1: SACL Before Removal

-

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

image

Figure 2: Configuring The SACL Through PowerShell

-

image

Figure 3: SACL After Removal

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-06) A Hotfix Rollup Package (Build 4.1.3599.0) Is Available for Forefront Identity Manager 2010 R2

Posted by Jorge on 2014-09-06


Microsoft released a new hotfix for FIM 2010 R2 with build 4.1.3599.0. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ2980295

Download link

-

Issues that are fixed or features that are added in this update

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM service and portals

Issue 1

This hotfix updates the FIM Password Reset and Password Registration Portal with additional UI changes that apply to customers who are customizing these portals in compliance with Section 508 of the U.S. Federal Rehabilitation Act.

Symptoms include the following:

  • On the "Your current Password" page, the Password text box is labeled incorrectly.
  • On the "Register your Answers" page, none of the text boxes are labeled correctly.
  • The following image has no alt tag:
    • <img src="images/wait_animationa.gif" />
  • When a validation error is encountered for the form fields on the "Your Current Password" and "Register Your Answers" pages, there is a message that’s displayed to the user. However, there is no indication to Assistive Technology that this message has appeared, no shift of focus, and the graphic that indicates an error to visual users is inaccessible. Therefore, it’s not apparent that this is an error message because it is displayed only as flat text.
  • The customized logo and text in the title is inaccessible to Assistive Technology.

-

Changes after the fix is applied:

  • Assistant Technology now fully reads all pages in the SSPR portal, and the user is informed if an error occurs.
  • The banners in Password Reset and Registration portals now have a tooltip.

-

Issue 2

When you configure a UocDropDownList control in a Resource Control Display Configuration with string values, the list of values in the control are not displayed in alphabetical order.

This fix adds the Sorted property to the UocDropDownList control. When the Sorted property is set to True, the items are sorted in alphabetical order.

Example:

<my:Control my:Name="EmployeeType" my:TypeName="UocDropDownList" my:Caption="{Binding Source=schema, Path=EmployeeType.DisplayName}" my:Description="{Binding Source=schema, Path=EmployeeType.Description}" my:RightsLevel="{Binding Source=rights, Path=EmployeeType}">
<my:Properties>
<my:Property my:Name="Sorted" my:Value="True"/>
<my:Property my:Name="Required" my:Value="{Binding Source=schema, Path=EmployeeType.Required}"/>
<my:Property my:Name="ValuePath" my:Value="Value"/>
<my:Property my:Name="CaptionPath" my:Value="Caption"/>
<my:Property my:Name="HintPath" my:Value="Hint"/>
<my:Property my:Name="ItemSource" my:Value="{Binding Source=schema, Path=EmployeeType.LocalizedAllowedValues}"/>
<my:Property my:Name="SelectedValue" my:Value="{Binding Source=object, Path=EmployeeType, Mode=TwoWay}"/>
</my:Properties>
</my:Control>

-

Issue 3

In the FIM Identity Management Portal that has the language pack installed, the display names of approval objects are not completely translated.

Be aware that the string translation for objects that are created by the FIM Service in the FIM Service database is performed according to the FIM Service account locale that was in effect when the object was created, and it is not affected by client browser locale. To change the language that’s used for string translation to a setting other than English, log on to each computer where the FIM Service is installed as the FIM Service account, and then set the locale for this account through Control Panel.

-

BHOLD

Issue 1

Users who are in inherited supervisor roles for operational units (OUs) may not have supervisor roles in subordinate OUs.

-

Issue 2

Roles that are directly assigned to a user are also listed under the inherited roles node.

-

Issue 3

When multiple attribute-based authorization (ABA) rules that are specified in BHOLD Core assign permissions to a user, and the user’s attributes change and are synched in from BHOLD FIM Provisioning Access Management Connector, the user may not receive all of his or her permissions.

-

Issue 4

In the BHOLD Analytics module, the impact operation is not available after a ruleset that includes a filter with a restrictive type is set. After this fix is applied, pressing the Impact button displays the impact of the rules.

-

Issue 5

The following error message may be logged in the Application log on a computer where BHOLD Core is installed:

Error when executing ‘EXEC ProcessQueueCommand30RoleBiased’ \n\n Reason System.Data.OleDb.OleDbException: Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 0, current count = 1.
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
at BHOLD.B1ServiceLibrary.Queue.ConnectorQueueDal.RetrieveQueueEntries(Int32 applicationId) in d:\Builds\52\5\Sources\imp\src\Access Management\Core\B1ServiceBC\Queue\ConnectorQueueDal.cs:line 122′

-

Issue 6

When the FIM Integration module is being used, and the BHOLD self-service features are incorporated into the FIM portal, some column headings may appear to be truncated.

-

Issue 7

In BHOLD Attestation, the notification template editor toolbar buttons are not displayed correctly.

-

Issue 8

When you apply this hotfix, BHOLD Attestation notification email messages contain a URL that requires one fewer click by the end-user in order to navigate to the page to perform the attestation.

-

Issue 9

This hotfix adds a UserUpdate function to the BHOLD Core scripting web service.

-

FIM Synchronization Service

Issue 1

Starting with build 4.1.3508.0, audit log files on Export run profile steps do not include reference attribute values.

-

Certificate management

Issue 1

Assume that a certificate is enrolled by using certificate template CT1 in profile template PT1, and then CT1 is replaced by another certificate template. If CT1 is removed, the certificate is revoked, and no new certificate is created from PT1. Additionally, later renewals of the certificate fail and a cryptic error message is returned.
With the profile template model, you cannot avoid this issue. Removal of the certificate template was done for a reason, and the system cannot arbitrarily determine whether the user can still enroll for the certificate by using that template.
The system now returns a user-friendly message, telling you to enroll instead of renew. This change makes sure that the certificate templates that are currently available in the profile template are used. Additionally, this action is logged on the FIM Certificate Manager server’s log file with all the necessary information.

-

Feature 1

Existing users in the FIM Certificate Management database, who have associated profiles and certificates, cannot be migrated to a different Active Directory user.

This new functionality is exposed through the clmutil.exe command prompt utility.

CLMUtil takes as input the original user’s UUID and the current user’s UUID. Records in the following tables are updated to the new UUID: profiles, certificates, and smart cards. Additionally, the UserNameCache table is updated if this is necessary, attaching the user name to the new UUID.

Command syntax:

ClmUtil -migrateuser -oldUserId "oldUserUuid" -newUserId "newUserUuid"

Description:

Migrate a user’s profile, certificate and smart cards records – from a user who has an old uuid to new uuid.

Example:

ClmUtil -migrateuser -oldUserId 11111111-2222-3333-4444-d602b49480b0 -newUserId 11111111-2222-3333-4444-2c68e64bba93

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates, Updates, Updates, Updates | Leave a Comment »

(2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object

Posted by Jorge on 2014-09-05


PowerShell Code to remove a specific auditing entry from one or multiple OUs for some security principal on some object.

Example object class: user

Example permission: Create Child

Example security principal: ADCORP\MyDelegationAdminGroup

-

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $inheritanceScope = "All" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"CreateChild" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedObject,$inheritanceScope $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.RemoveAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

-

image

Figure 1: SACL Before Removal

-

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

image

Figure 2: Configuring The SACL Through PowerShell

-

image

Figure 3: SACL After Removal

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object

Posted by Jorge on 2014-09-03


PowerShell Code to add an auditing entry to one or multiple OUs for some security principal when executing some extended right (control access right) on some object.

Example object class: user

Example extended right: Reset Password

Example security principal: ADCORP\MyDelegationAdminGroup

-

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase ($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Create Hash Table With The displayName And rightsGUID Of Each Extended Right (a.k.a. Control Access Right) $mappingTable_displayName_rightsGUID = @{} Get-ADObject -SearchBase $("CN=Extended-Rights," + $rootdse.ConfigurationNamingContext) ` -LDAPFilter "(&(objectClass=controlAccessRight)(rightsguid=*))" ` -Properties displayName,rightsGuid | %{ $mappingTable_displayName_rightsGUID[$_.displayName]=[System.GUID]$_.rightsGuid } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedCAR = "Reset Password" $schemaIDGUIDScopedCAR = $mappingTable_displayName_rightsGUID[$scopedCAR] $inheritanceScope = "Descendents" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ExtendedRight" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedCAR,$inheritanceScope,$schemaIDGUIDScopedObject $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " ADDING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped CAR...........: $scopedCAR" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.AddAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

-

image

Figure 1: Configuring The SACL Through PowerShell

-

image

Figure 2: The Auditing Entry That Was Added

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | Leave a Comment »

 
%d bloggers like this: