Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

Archive for the ‘Active Directory Domain Services (ADDS)’ Category

(2014-11-25) Troubleshooting Issues With Lingering Objects And Solving It

Posted by Jorge on 2014-11-25


The following resources can help you troubleshoot issues with lingering objects:

-

Tools:

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Backup And Restore, Lingering Objects, Replication | Leave a Comment »

(2014-11-18) Vulnerability in Kerberos Could Allow Elevation of Privilege (Critical)

Posted by Jorge on 2014-11-18


This affects ALL Windows versions! Make sure to patch all your Windows servers and DCs

More info:

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Updates | Leave a Comment »

(2014-09-19) Checking The Health Of Your DC After Promotion

Posted by Jorge on 2014-09-19


You have promoted your brand new DC. How do you know it is functioning correctly?

-

There are a few number of things you can do to determine its health. All the tests below were done on a W2K12R2 DC.

-

[1] Check inbound and outbound AD replication

To determine this, execute: REPADMIN /SHOWREPL /REPSTO

Make sure all last attempts are really recent, and at least within the tombstone lifetime of the AD forest

image

Figure 1: Last Attempts For Inbound AD Replication

-

image

Figure 2: Last Attempts For Outbound AD Replication

-

To check the replication latency/convergence also see: (2014-02-16) Testing Active Directory Replication Latency/Convergence Through PowerShell (Update 3)

-

[2] If the DC is a GC, check it has finished the build of the GC partitions and it is advertising itself as such

To determine this, execute: Get-WinEvent -LogName "Directory Service" | ?{$_.Id -eq 1119} | FL

image

Figure 3: The DC Now Advertising As A GC

-

[3] Check the SYSVOL has been initialized and finished initial replication

To determine this, execute: Get-WinEvent -LogName "DFS Replication" | ?{$_.Id -eq 4604} | FL

image

Figure 4: The DC Reporting SYSVOL Has Been Initialized And Performed Initial Replication

-

In addition, check the NETLOGON and SYSVOL shares are in place.

To determine this, execute: NET SHARE

image

Figure 5: The NETLOGON And SYSVOL Published

-

To check the replication latency/convergence also see: (2014-02-17) Testing SYSVOL Replication Latency/Convergence Through PowerShell (Update 3)

-

[4] Check Event Logs

The following event logs will help determine the health of the DC. Check the events with warnings or errors and resolve anything that needs to be resolved

Event Logs:

  • Directory Service
  • DFS Replication
  • File Replication Service
  • DNS Server
  • Application
  • System

[5] Run DCDIAG

To do this, execute: DCDIAG /C /D /V

image

Figure 6: DCDIAG Verbose Output

-

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server…
   * Verifying that the local machine C1FSRWDC1, is a Directory Server.
   Home Server = C1FSRWDC1
   * Connecting to directory service on server C1FSRWDC1.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),…….
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=BRANCH01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=BRANCH02,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=DMZ,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),…….
   The previous call succeeded….
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=R1FSRWDC2,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=C1FSRWDC2,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=R1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 4 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
  
   Testing server: DTCNTR01\C1FSRWDC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ……………………. C1FSRWDC1 passed test Connectivity

Doing primary tests
  
   Testing server: DTCNTR01\C1FSRWDC1
      Starting test: Advertising
         The DC C1FSRWDC1 is advertising itself as a DC and having a DS.
         The DC C1FSRWDC1 is advertising as an LDAP server
         The DC C1FSRWDC1 is advertising as having a writeable directory
         The DC C1FSRWDC1 is advertising as a Key Distribution Center
         The DC C1FSRWDC1 is advertising as a time server
         The DS C1FSRWDC1 is advertising as a GC.
         ……………………. C1FSRWDC1 passed test Advertising
      Starting test: CheckSecurityError
         * Dr Auth:  Beginning security errors check!
         Found KDC C1FSRWDC1 for domain CHILD.ADCORP.LAB in site DTCNTR01
         Checking machine account for DC C1FSRWDC1 on DC C1FSRWDC1.
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD.ADCORP.LAB
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB
         * SPN found :LDAP/C1FSRWDC1
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD
         * SPN found :LDAP/227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/227b8ded-a71a-44a7-80d3-184f44f49957/CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD
         * SPN found :GC/C1FSRWDC1.CHILD.ADCORP.LAB/ADCORP.LAB
         [C1FSRWDC1] No security related replication errors were found on this
         DC!  To target the connection to a specific source DC use
         /ReplSource:<DC>.
         ……………………. C1FSRWDC1 passed test CheckSecurityError
      Starting test: CutoffServers
         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=CHILD,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=CHILD,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ……………………. C1FSRWDC1 passed test CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.
         ……………………. C1FSRWDC1 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An error event occurred.  EventID: 0xC00004B2
            Time Generated: 08/07/2014   01:27:17
            Event String:
            The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
            
            Additional Information:
            Error: 1355 (The specified domain either does not exist or could not be contacted.)
         An error event occurred.  EventID: 0xC00004B2
            Time Generated: 08/07/2014   01:44:39
            Event String:
            The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
            
            Additional Information:
            Error: 1355 (The specified domain either does not exist or could not be contacted.)
         A warning event occurred.  EventID: 0x80001780
            Time Generated: 08/07/2014   01:59:24
            Event String:
            The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically.
            
            Additional Information:
            Object Category: msDFSR-LocalSettings
            Object DN: CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
            Error: 2 (The system cannot find the file specified.)
            Domain Controller: C1FSRWDC2.CHILD.ADCORP.LAB
            Polling Cycle: 60
         A warning event occurred.  EventID: 0x80001A94
            Time Generated: 08/07/2014   01:59:24
            Event String:
            The DFS Replication service has detected that no connections are configured for replication group Domain System Volume. No data is being replicated for this replication group.
            
            Additional Information:
            Replication Group ID: 1CED6656-CE5C-43B6-9F18-288417F99AF5
            Member ID: D840EF8E-56EC-47CF-B19D-87CFA2C8BABB
         A warning event occurred.  EventID: 0x80001206
            Time Generated: 08/07/2014   01:59:25
            Event String:
            The DFS Replication service initialized SYSVOL at local path D:\AD\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner C1FSRWDC2.CHILD.ADCORP.LAB. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
            
            Additional Information:
            Replicated Folder Name: SYSVOL Share
            Replicated Folder ID: E59797D1-0652-4D1F-8ACF-4AB0D2DA8632
            Replication Group Name: Domain System Volume
            Replication Group ID: 1CED6656-CE5C-43B6-9F18-288417F99AF5
            Member ID: D840EF8E-56EC-47CF-B19D-87CFA2C8BABB
            Read-Only: 0
         ……………………. C1FSRWDC1 failed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service’s SYSVOL is ready
         ……………………. C1FSRWDC1 passed test SysVolCheck
      Starting test: FrsSysVol
         * The File Replication Service SYSVOL ready test
         File Replication Service’s SYSVOL is ready
         ……………………. C1FSRWDC1 passed test FrsSysVol
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ……………………. C1FSRWDC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=R1FSRWDC2,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         Role Domain Owner = CN=NTDS Settings,CN=R1FSRWDC2,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         Role PDC Owner = CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         Role Rid Owner = CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         ……………………. C1FSRWDC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC C1FSRWDC1 on DC C1FSRWDC1.
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD.ADCORP.LAB
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB
         * SPN found :LDAP/C1FSRWDC1
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD
         * SPN found :LDAP/227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/227b8ded-a71a-44a7-80d3-184f44f49957/CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD
         * SPN found :GC/C1FSRWDC1.CHILD.ADCORP.LAB/ADCORP.LAB
         ……………………. C1FSRWDC1 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC’s on DC C1FSRWDC1.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=ADCORP,DC=LAB
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=CHILD,DC=ADCORP,DC=LAB
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=CHILD,DC=ADCORP,DC=LAB
            (Domain,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=ADCORP,DC=LAB
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=ADCORP,DC=LAB
            (Domain,Version 3)
         ……………………. C1FSRWDC1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\C1FSRWDC1\netlogon
         Verified share \\C1FSRWDC1\sysvol
         ……………………. C1FSRWDC1 passed test NetLogons
      Starting test: ObjectsReplicated
         C1FSRWDC1 is in domain DC=CHILD,DC=ADCORP,DC=LAB
         Checking for CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB in domain DC=CHILD,DC=ADCORP,DC=LAB on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB in domain CN=Configuration,DC=ADCORP,DC=LAB on 1 servers
            Object is up-to-date on all servers.
         ……………………. C1FSRWDC1 passed test ObjectsReplicated
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test because /testdomain: was
         not entered
         ……………………. C1FSRWDC1 passed test OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=ADCORP,DC=LAB
               Latency information for 25 entries in the vector were ignored.
                  25 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB
               Latency information for 25 entries in the vector were ignored.
                  25 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=ADCORP,DC=LAB
               Latency information for 25 entries in the vector were ignored.
                  25 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=ADCORP,DC=LAB
               Latency information for 16 entries in the vector were ignored.
                  15 were retired Invocations.  1 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=DomainDnsZones,DC=CHILD,DC=ADCORP,DC=LAB
               Latency information for 12 entries in the vector were ignored.
                  12 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=CHILD,DC=ADCORP,DC=LAB
               Latency information for 12 entries in the vector were ignored.
                  12 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
         ……………………. C1FSRWDC1 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 30607 to 1073741823
         * C1FSRWDC1.CHILD.ADCORP.LAB is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 30107 to 30606
         * rIDPreviousAllocationPool is 30107 to 30606
         * rIDNextRID: 30107
         ……………………. C1FSRWDC1 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ……………………. C1FSRWDC1 passed test Services
      Starting test: SystemLog
         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ……………………. C1FSRWDC1 passed test SystemLog
      Starting test: Topology
         * Configuration Topology Integrity Check
         * Analyzing the connection topology for DC=ForestDnsZones,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=DomainDnsZones,DC=CHILD,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=CHILD,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Configuration,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ……………………. C1FSRWDC1 passed test Topology
      Starting test: VerifyEnterpriseReferences
         ……………………. C1FSRWDC1 passed test
         VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB and
         backlink on
         CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         are correct.
         The system object reference (serverReferenceBL)
         CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB
         and backlink on
         CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         are correct.
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB
         and backlink on
         CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB are
         correct.
         ……………………. C1FSRWDC1 passed test VerifyReferences
      Starting test: VerifyReplicas
         ……………………. C1FSRWDC1 passed test VerifyReplicas
  
      Starting test: DNS
        
         DNS Tests are running and not hung. Please wait a few minutes…
         See DNS test in enterprise tests section for results
         ……………………. C1FSRWDC1 passed test DNS
  
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ……………………. ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. ForestDnsZones passed test
         CrossRefValidation
  
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ……………………. DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. DomainDnsZones passed test
         CrossRefValidation
  
   Running partition tests on : CHILD
      Starting test: CheckSDRefDom
         ……………………. CHILD passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. CHILD passed test CrossRefValidation
  
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ……………………. Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. Schema passed test CrossRefValidation
  
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ……………………. Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. Configuration passed test CrossRefValidation
  
   Running enterprise tests on : ADCORP.LAB
      Starting test: DNS
         Test results for domain controllers:
           
            DC: C1FSRWDC1.CHILD.ADCORP.LAB
            Domain: CHILD.ADCORP.LAB
           
                 
               TEST: Authentication (Auth)
                  Authentication test: Successfully completed
                 
               TEST: Basic (Basc)
                  The OS
                  Microsoft Windows Server 2012 R2 Datacenter (Service Pack level: 0.0)
                  is supported.
                  NETLOGON service is running
                  kdc service is running
                  DNSCACHE service is running
                  DNS service is running
                  DC is a DNS server
                  Network adapters information:
                  Adapter [00000010] Intel(R) PRO/1000 MT Network Connection:
                     MAC address is 00:0C:29:9E:4E:46
                     IP Address is static
                     IP address: 10.1.1.11
                     DNS servers:
                        10.1.1.11 (C1FSRWDC1) [Valid]
                        10.1.1.1 (<name unavailable>) [Valid]
                        127.0.0.1 (C1FSRWDC1) [Valid]
                  The A host record(s) for this DC was found
                  The SOA record for the Active Directory zone was found
                  The Active Directory zone on this DC/DNS server was found primary
                  Root zone on this DC/DNS server was not found
                 
               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     10.1.1.254 (<name unavailable>) [Invalid (unreachable)]
                     Error: All forwarders in the forwarder list are invalid.
                  Root hint Information:
                     Name: a.root-servers.net. IP: 198.41.0.4 [Invalid (unreachable)]
                     Name: b.root-servers.net. IP: 128.9.0.107 [Invalid (unreachable)]
                     Name: c.root-servers.net. IP: 192.33.4.12 [Invalid (unreachable)]
                     Name: d.root-servers.net. IP: 128.8.10.90 [Invalid (unreachable)]
                     Name: e.root-servers.net. IP: 192.203.230.10 [Invalid (unreachable)]
                     Name: f.root-servers.net. IP: 192.5.5.241 [Invalid (unreachable)]
                     Name: g.root-servers.net. IP: 192.112.36.4 [Invalid (unreachable)]
                     Name: h.root-servers.net. IP: 128.63.2.53 [Invalid (unreachable)]
                     Name: i.root-servers.net. IP: 192.36.148.17 [Invalid (unreachable)]
                     Name: j.root-servers.net. IP: 192.58.128.30 [Invalid (unreachable)]
                     Name: k.root-servers.net. IP: 193.0.14.129 [Invalid (unreachable)]
                     Name: l.root-servers.net. IP: 198.32.64.12 [Invalid (unreachable)]
                     Name: m.root-servers.net. IP: 202.12.27.33 [Invalid (unreachable)]
                  Error: Both root hints and forwarders are not configured or
                  broken. Please make sure at least one of them works.
                 
               TEST: Delegations (Del)
                  No delegations were found in this zone on this DNS server
                 
               TEST: Dynamic update (Dyn)
                  Test record dcdiag-test-record added successfully in zone CHILD.ADCORP.LAB
                  Test record dcdiag-test-record deleted successfully in zone CHILD.ADCORP.LAB
                 
               TEST: Records registration (RReg)
                  Network Adapter
                  [00000010] Intel(R) PRO/1000 MT Network Connection:
                     Matching CNAME record found at DNS server 10.1.1.11:
                     227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.11:
                     C1FSRWDC1.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.d38f52d2-f045-485a-af19-105ca6d9683f.domains._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._udp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kpasswd._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.gc._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.11:
                     gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _gc._tcp.DTCNTR01._sites.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.pdc._msdcs.CHILD.ADCORP.LAB

                     Matching CNAME record found at DNS server 10.1.1.1:
                     227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.1:
                     C1FSRWDC1.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.d38f52d2-f045-485a-af19-105ca6d9683f.domains._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._udp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kpasswd._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.gc._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.1:
                     gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _gc._tcp.DTCNTR01._sites.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.DTCNTR01._sites.gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.pdc._msdcs.CHILD.ADCORP.LAB

                     Matching CNAME record found at DNS server 10.1.1.11:
                     227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.11:
                     C1FSRWDC1.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.d38f52d2-f045-485a-af19-105ca6d9683f.domains._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._udp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kpasswd._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.gc._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.11:
                     gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _gc._tcp.DTCNTR01._sites.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.pdc._msdcs.CHILD.ADCORP.LAB

        
         Summary of test results for DNS servers used by the above domain
         controllers:
        
            DNS server: 10.1.1.254 (<name unavailable>)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.1.1.254               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 10.1.1.254
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 128.63.2.53
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 128.8.10.90
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 128.9.0.107 (b.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 128.9.0.107
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.112.36.4
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.203.230.10
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.33.4.12
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.36.148.17
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.5.5.241
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.58.128.30
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 193.0.14.129
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 198.32.64.12
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 198.41.0.4
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 202.12.27.33
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 10.1.1.1 (<name unavailable>)
               All tests passed on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
              
            DNS server: 10.1.1.11 (C1FSRWDC1)
               All tests passed on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
              
         Summary of DNS test results:
        
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: CHILD.ADCORP.LAB
               C1FSRWDC1                    PASS PASS FAIL PASS PASS PASS n/a 
        
         ……………………. ADCORP.LAB failed test DNS
      Starting test: LocatorCheck
         GC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         PDC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         Time Server Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         Preferred Time Server Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         KDC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         ……………………. ADCORP.LAB passed test LocatorCheck
      Starting test: FsmoCheck
         GC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         PDC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         Time Server Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         Preferred Time Server Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         KDC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         ……………………. ADCORP.LAB passed test FsmoCheck
      Starting test: Intersite
         Skipping site BRANCH01, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site BRANCH02, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site DMZ, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site DTCNTR01, this site is outside the scope provided by the
         command line arguments provided.
         ……………………. ADCORP.LAB passed test Intersite

-

Additional Information:

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Promotion/Demotion, Replication, SYSVOL | Leave a Comment »

(2014-09-17) Finding Conflicting Objects In Your AD

Posted by Jorge on 2014-09-17


You might have seen it in your own AD or in somebody else’s AD, conflicting/duplicate objects. Those objects are exactly same objects that were created on different RWDCs at nearly the same time. After replication kicks and those conflicting/duplicate objects replicate to other RWDCs, AD replication needs to apply its own conflict resolution mechanism to ensure every object is and remains unique.

So, let’s say you create the object "CN=TestObject,OU=MyOU,DC=DOMAIN,DC=COM" on 2 different RWDCs at (nearly) the same time. After AD replication has converged you will see the following objects:

  1. "CN=TestObjectACNF:4862d44c-76ab-41b7-bac8-8682900e661b,OU=MyOU,DC=DOMAIN,DC=COM"
  2. "CN=TestObject,OU=MyOU,DC=DOMAIN,DC=COM"

-

[1] is the first created object and [2] was the last created object. The last object created is always the one that does not have ACNF:<objectGUID> in its CN/RDN. AD puts ACNF:<objectGUID> in the CN/RDN telling us it is a CONflict object and making sure it is unique in the container where also the other object is in.

-

The following PowerShell script helps you finding these objects in your AD forest. Based upon the information of the objects you need to determine yourself which of the two objects should be removed and which one can remain in AD.

-

# Clear The Screen Clear-Host # Checking Number Of Arguments $numArgs = $args.count $arg0 = $args[0] # Discovering A GC Retrieving Its DNS HostName $dnsHostNameGC = (Get-ADDomainController -Service GlobalCatalog -Discover:$true).HostName[0] $gcHostPort = $dnsHostNameGC + ":3268" $dsContextDC = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer",$dnsHostNameGC) $dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($dsContextDC) # General Execution Of Script If ($numArgs -eq 0) { $listOfConflictingObjects = Get-ADObject -server $gcHostPort -LDAPFilter '(name=*CNF:*)' } If ($numArgs -eq 1) { If ($arg0.ToLower() -eq "computer") { $listOfConflictingObjects = Get-ADComputer -server $gcHostPort -LDAPFilter '(name=*CNF:*)' -Properties pwdLastSet } If ($arg0.ToLower() -eq "user") { $listOfConflictingObjects = Get-ADUser -server $gcHostPort -LDAPFilter '(name=*CNF:*)' -Properties pwdLastSet } } If ($listOfConflictingObjects -ne $null) { $listOfDuplicates = @() $listOfConflictingObjects | %{ $objCNF = $_ $dnCNFobj = $objCNF.DistinguishedName $classCNFobj = $_.ObjectClass $guidCNFobj = $_.ObjectGUID If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) { $sAMAccountCNFobj = $_.SamAccountName $pwdLastSetCNFobj = $_.pwdLastSet If ($pwdLastSetCNFobj -ne $null){ $pwdLastSetCNFobj = Get-Date -Date ([DateTime]::FromFileTime([Int64]::Parse($pwdLastSetCNFobj))) -Format "yyyy-MM-dd HH:mm:ss" } Else { $pwdLastSetCNFobj = "---" } } $objCNFMetadata = $dc.GetReplicationMetadata($dnCNFobj) $objCNFOrigSrv = $objCNFMetadata | %{($_.objectclass).OriginatingServer} $objCNFOrigTime = $objCNFMetadata | %{($_.objectclass).LastOriginatingChangeTime} $dnORGobj = $dnCNFobj.Substring(0,$dnCNFobj.IndexOf("\")) + $dnCNFobj.Substring($dnCNFobj.IndexOf(",")) If ($numArgs -eq 0) { $objORG = Get-ADObject -server $gcHostPort -Identity $dnORGobj } If ($numArgs -eq 1) { If ($arg0.ToLower() -eq "computer") { $objORG = Get-ADComputer -server $gcHostPort -Identity $dnORGobj -Properties pwdLastSet } If ($arg0.ToLower() -eq "user") { $objORG = Get-ADUser -server $gcHostPort -Identity $dnORGobj -Properties pwdLastSet } } $dnORGobj = $null $classORGobj = $null $guidORGobj = $null $sAMAccountORGobj = $null $pwdLastSetORGobj = $null $objORGMetadata = $null If ($objORG -ne $null) { $dnORGobj = $objORG.DistinguishedName $classORGobj = $objORG.ObjectClass $guidORGobj = $objORG.ObjectGUID If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) { $sAMAccountORGobj = $objORG.SamAccountName $pwdLastSetORGobj = $objORG.pwdLastSet If ($pwdLastSetORGobj -ne $null){ $pwdLastSetORGobj = Get-Date -Date ([DateTime]::FromFileTime([Int64]::Parse($pwdLastSetORGobj))) -Format "yyyy-MM-dd HH:mm:ss" } Else { $pwdLastSetORGobj = "---" } } $objORGMetadata = $dc.GetReplicationMetadata($dnORGobj) $objORGOrigSrv = $objORGMetadata | %{($_.objectclass).OriginatingServer} $objORGOrigTime = $objORGMetadata | %{($_.objectclass).LastOriginatingChangeTime} } Else { $dnORGobj = "Does Not Exit" $classORGobj = "Does Not Exit" $guidORGobj = "Does Not Exit" If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) { $sAMAccountORGobj = "Does Not Exit" $pwdLastSetORGobj = "Does Not Exit" } $objORGOrigSrv = "Does Not Exit" $objORGOrigTime = "Does Not Exit" } If ($numArgs -eq 0) { $adObj = "" | Select "> > >DN (CNF)..........","objectClass (CNF)......","objectGUID (CNF).......","Originating DC (CNF)...","Originating Time (CNF).","> > >DN (ORG)..........","objectClass (ORG)......","objectGUID (ORG).......","Originating DC (ORG)...","Originating Time (ORG)." } If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) { $adObj = "" | Select "> > >DN (CNF)..........","objectClass (CNF)......","objectGUID (CNF).......","Account Name (CNF).....","PWD Last Set (CNF).....","Originating DC (CNF)...","Originating Time (CNF).","> > >DN (ORG)..........","objectClass (ORG)......","objectGUID (ORG).......","Account Name (ORG).....","PWD Last Set (ORG).....","Originating DC (ORG)...","Originating Time (ORG)." } $adObj."> > >DN (CNF).........." = $dnCNFobj $adObj."objectClass (CNF)......" = $classCNFobj $adObj."objectGUID (CNF)......." = $guidCNFobj If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) { $adObj."Account Name (CNF)....." = $sAMAccountCNFobj $adObj."PWD Last Set (CNF)....." = $pwdLastSetCNFobj } $adObj."Originating DC (CNF)..." = $objCNFOrigSrv $adObj."Originating Time (CNF)." = $objCNFOrigTime $adObj."> > >DN (ORG).........." = $dnORGobj $adObj."objectClass (ORG)......" = $classORGobj $adObj."objectGUID (ORG)......." = $guidORGobj If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) { $adObj."Account Name (ORG)....." = $sAMAccountORGobj $adObj."PWD Last Set (ORG)....." = $pwdLastSetORGobj } $adObj."Originating DC (ORG)..." = $objORGOrigSrv $adObj."Originating Time (ORG)." = $objORGOrigTime $listOfDuplicates += $adObj } Write-Host "" If ($numArgs -eq 0) { Write-Host "LIST OF DUPLICATE/CONFLICTING OBJECTS IN THE AD FOREST" -Foregroundcolor Cyan } If ($numArgs -eq 1 -And $arg0.ToLower() -eq "computer") { Write-Host "LIST OF DUPLICATE/CONFLICTING COMPUTER OBJECTS IN THE AD FOREST" -Foregroundcolor Cyan } If ($numArgs -eq 1 -And $arg0.ToLower() -eq "user") { Write-Host "LIST OF DUPLICATE/CONFLICTING USER OBJECTS IN THE AD FOREST" -Foregroundcolor Cyan } $listOfDuplicates | FL } Else { Write-Host "NO DUPLICATE/CONFLICTING OBJECTS DETECTED IN THE AD FOREST" -Foregroundcolor Green }

-

The following is an example result when executing the script as: .\Retrieve-List-Of-Conflicting-Objects.ps1

image

Figure 1: Detecting Conflicting/Duplicate Objects In The AD Forest

-

The following is an example result when executing the script as: .\Retrieve-List-Of-Conflicting-Objects.ps1 computer

image

Figure 2: Detecting Conflicting/Duplicate Computer Objects In The AD Forest

-

The following is an example result when executing the script as: .\Retrieve-List-Of-Conflicting-Objects.ps1 user

image

Figure 3: Detecting Conflicting/Duplicate User Objects In The AD Forest

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Conflicting Objects, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

Posted by Jorge on 2014-09-15


PowerShell Code to check if the SACL of each OU in the AD domain is in canonical order or not.

Also see this blog post.

-

# Clear The Screen Clear-Host # Get The UI Config $uiConfig = (Get-Host).UI.RawUI $uiConfig.ForegroundColor = "Yellow" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Get List Of OUs In AD Domain $listOfOUsToProcess = Get-ADOrganizationalUnit -Filter * | %{$_.DistinguishedName} # Process Each OU $OUsWithSACLInCanonicalOrder = @() $OUsWithSACLNOTInCanonicalOrder = @() $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) $aclOU = Get-Acl $ouDrivePath -Audit If ($aclOU.AreAuditRulesCanonical) { $ouObj = "" | Select "List Of OUs That DO Have The SACL In Canonical Order" $ouObj."List Of OUs That DO Have The SACL In Canonical Order" = $ou $OUsWithSACLInCanonicalOrder += $ouObj } If (!$aclOU.AreAuditRulesCanonical) { $ouObj = "" | Select "List Of OUs That DO NOT Have The SACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The SACL In Canonical Order" = $ou $OUsWithSACLNOTInCanonicalOrder += $ouObj } } $uiConfig.ForegroundColor = "Red" If ($OUsWithSACLNOTInCanonicalOrder.Count -eq 0) { $ouObj = "" | Select "List Of OUs That DO NOT Have The SACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The SACL In Canonical Order" = "+++ NONE +++" $OUsWithSACLNOTInCanonicalOrder += $ouObj } $OUsWithSACLNOTInCanonicalOrder | FT -Autosize $uiConfig.ForegroundColor = "Green" If ($OUsWithSACLInCanonicalOrder.Count -eq 0) { $ouObj = "" | Select "List Of OUs That DO Have The SACL In Canonical Order" $ouObj."List Of OUs That DO Have The SACL In Canonical Order" = "+++ NONE +++" $OUsWithSACLInCanonicalOrder += $ouObj } $OUsWithSACLInCanonicalOrder | FT -Autosize $uiConfig.ForegroundColor = "Yellow"

-

SNAGHTML322d8c92

Figure 1: Checking The Canonical Order Of The SACL On All OUs In The AD Domain Through PowerShell

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL

Posted by Jorge on 2014-09-13


PowerShell Code to check if the DACL of each OU in the AD domain is in canonical order or not.

Also see this blog post.

-

# Clear The Screen Clear-Host # Get The UI Config $uiConfig = (Get-Host).UI.RawUI $uiConfig.ForegroundColor = "Yellow" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Get List Of OUs In AD Domain $listOfOUsToProcess = Get-ADOrganizationalUnit -Filter * | %{$_.DistinguishedName} # Process Each OU $OUsWithDACLInCanonicalOrder = @() $OUsWithDACLNOTInCanonicalOrder = @() $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) $aclOU = Get-Acl $ouDrivePath If ($aclOU.AreAccessRulesCanonical) { $ouObj = "" | Select "List Of OUs That DO Have The DACL In Canonical Order" $ouObj."List Of OUs That DO Have The DACL In Canonical Order" = $ou $OUsWithDACLInCanonicalOrder += $ouObj } If (!$aclOU.AreAccessRulesCanonical) { $ouObj = "" | Select "List Of OUs That DO NOT Have The DACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The DACL In Canonical Order" = $ou $OUsWithDACLNOTInCanonicalOrder += $ouObj } } $uiConfig.ForegroundColor = "Red" If ($OUsWithDACLNOTInCanonicalOrder.Count -eq 0) { $ouObj = "" | Select "List Of OUs That DO NOT Have The DACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The DACL In Canonical Order" = "+++ NONE +++" $OUsWithDACLNOTInCanonicalOrder += $ouObj } $OUsWithDACLNOTInCanonicalOrder | FT -Autosize $uiConfig.ForegroundColor = "Green" If ($OUsWithDACLInCanonicalOrder.Count -eq 0) { $ouObj = "" | Select "List Of OUs That DO NOT Have The DACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The DACL In Canonical Order" = "+++ NONE +++" $OUsWithDACLInCanonicalOrder += $ouObj } $OUsWithDACLInCanonicalOrder | FT -Autosize $uiConfig.ForegroundColor = "Yellow"

-

SNAGHTML322b396a

Figure 1: Checking The Canonical Order Of The DACL On All OUs In The AD Domain Through PowerShell

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Delegation Of Control, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object

Posted by Jorge on 2014-09-11


PowerShell Code to remove all auditing entries from one or multiple OUs for some security principal.

Example security principal: ADCORP\MyDelegationAdminGroup

-

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING Audit Entries..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.Audit | ?{$_.IdentityReference -eq $securityPrincipalAccount} | %{ $auditRule = $_ $aclOU.RemoveAuditRule($auditRule) } $aclOU | Set-Acl $ouDrivePath }

-

image

Figure 1: SACL Before Removal

-

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

image

Figure 2: Configuring The SACL Through PowerShell

-

image

Figure 3: SACL After Removal

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object

Posted by Jorge on 2014-09-09


PowerShell Code to remove an auditing entry from one or multiple OUs for some security principal when executing some extended right (control access right) on some object.

Example object class: user

Example extended right: Reset Password

Example security principal: ADCORP\MyDelegationAdminGroup

-

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase ($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Create Hash Table With The displayName And rightsGUID Of Each Extended Right (a.k.a. Control Access Right) $mappingTable_displayName_rightsGUID = @{} Get-ADObject -SearchBase $("CN=Extended-Rights," + $rootdse.ConfigurationNamingContext) ` -LDAPFilter "(&(objectClass=controlAccessRight)(rightsguid=*))" ` -Properties displayName,rightsGuid | %{ $mappingTable_displayName_rightsGUID[$_.displayName]=[System.GUID]$_.rightsGuid } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedCAR = "Reset Password" $schemaIDGUIDScopedCAR = $mappingTable_displayName_rightsGUID[$scopedCAR] $inheritanceScope = "Descendents" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ExtendedRight" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedCAR,$inheritanceScope,$schemaIDGUIDScopedObject $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped CAR...........: $scopedCAR" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.RemoveAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

-

image

Figure 1: SACL Before Removal

-

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

image

Figure 2: Configuring The SACL Through PowerShell

-

image

Figure 3: SACL After Removal

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object

Posted by Jorge on 2014-09-07


PowerShell Code to remove a specific auditing entry from one or multiple OUs for some security principal on some object.

Example object class: user

Example permission: Read Property

Example attribute: employeeID

Example security principal: ADCORP\MyDelegationAdminGroup

-

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedAttribute = "employeeID" $schemaIDGUIDScopedAttribute = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedAttribute] $inheritanceScope = "Descendents" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ReadProperty" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedAttribute,$inheritanceScope,$schemaIDGUIDScopedObject $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped Attribute.....: $scopedAttribute" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.RemoveAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

-

image

Figure 1: SACL Before Removal

-

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

image

Figure 2: Configuring The SACL Through PowerShell

-

image

Figure 3: SACL After Removal

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | Leave a Comment »

(2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object

Posted by Jorge on 2014-09-05


PowerShell Code to remove a specific auditing entry from one or multiple OUs for some security principal on some object.

Example object class: user

Example permission: Create Child

Example security principal: ADCORP\MyDelegationAdminGroup

-

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $inheritanceScope = "All" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"CreateChild" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedObject,$inheritanceScope $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.RemoveAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

-

image

Figure 1: SACL Before Removal

-

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

image

Figure 2: Configuring The SACL Through PowerShell

-

image

Figure 3: SACL After Removal

-

Get the PowerShell code from here.

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | Leave a Comment »

 
%d bloggers like this: