(2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

PowerShell Code to check if the SACL of each OU in the AD domain is in canonical order or not.

Also see this blog post.

–

# Clear The Screen
Clear-Host

# Get The UI Config
$uiConfig = (Get-Host).UI.RawUI
$uiConfig.ForegroundColor = "Yellow"

# Import The Required Module
Import-Module ActiveDirectory

#Get The RootDSE Info
$rootDSE = Get-ADRootDSE

# Get List Of OUs In AD Domain
$listOfOUsToProcess = Get-ADOrganizationalUnit -Filter * | %{$_.DistinguishedName}

# Process Each OU
$OUsWithSACLInCanonicalOrder = @()
$OUsWithSACLNOTInCanonicalOrder = @()
$listOfOUsToProcess | %{
    $ou = $_
    $ouDrivePath = $("AD:\" + $ou)
    $aclOU = Get-Acl $ouDrivePath -Audit
    If ($aclOU.AreAuditRulesCanonical) {
        $ouObj = "" | Select "List Of OUs That DO Have The SACL In Canonical Order"
        $ouObj."List Of OUs That DO Have The SACL In Canonical Order" = $ou
        $OUsWithSACLInCanonicalOrder += $ouObj
    }
    If (!$aclOU.AreAuditRulesCanonical) {
        $ouObj = "" | Select "List Of OUs That DO NOT Have The SACL In Canonical Order"
        $ouObj."List Of OUs That DO NOT Have The SACL In Canonical Order" = $ou
        $OUsWithSACLNOTInCanonicalOrder += $ouObj
    }
}
$uiConfig.ForegroundColor = "Red"
If ($OUsWithSACLNOTInCanonicalOrder.Count -eq 0) {
    $ouObj = "" | Select "List Of OUs That DO NOT Have The SACL In Canonical Order"
    $ouObj."List Of OUs That DO NOT Have The SACL In Canonical Order" = "+++ NONE +++"
    $OUsWithSACLNOTInCanonicalOrder += $ouObj
}
$OUsWithSACLNOTInCanonicalOrder | FT -Autosize
$uiConfig.ForegroundColor = "Green"
If ($OUsWithSACLInCanonicalOrder.Count -eq 0) {
    $ouObj = "" | Select "List Of OUs That DO Have The SACL In Canonical Order"
    $ouObj."List Of OUs That DO Have The SACL In Canonical Order" = "+++ NONE +++"
    $OUsWithSACLInCanonicalOrder += $ouObj
}
$OUsWithSACLInCanonicalOrder | FT -Autosize
$uiConfig.ForegroundColor = "Yellow"

–

Figure 1: Checking The Canonical Order Of The SACL On All OUs In The AD Domain Through PowerShell

–

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

• (2014-08-16) PowerShell And DACLs In AD: Adding ACE For Create/Delete Some Object
• (2014-08-18) PowerShell And DACLs In AD: Adding ACE For Read/Write Property On Some Object
• (2014-08-20) PowerShell And DACLs In AD: Adding ACE For Some Extended Right On Some Object
• (2014-08-22) PowerShell And DACLs In AD: Removing ACE For Delete Some Object
• (2014-08-24) PowerShell And DACLs In AD: Removing ACE For Write Property On Some Object
• (2014-08-26) PowerShell And DACLs In AD: Removing ACE For Some Extended Right On Some Object
• (2014-08-28) PowerShell And DACLs In AD: Removing All ACEs On Some Object
• (2014-08-30) PowerShell And SACLs In AD: Adding Auditing Entry For Create/Delete Some Object
• (2014-09-01) PowerShell And SACLs In AD: Adding Auditing Entry For Read/Write Property On Some Object
• (2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object
• (2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object
• (2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object
• (2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object
• (2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object
• (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL
• (2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Advertisement

(2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object

PowerShell Code to remove all auditing entries from one or multiple OUs for some security principal.

Example security principal: ADCORP\MyDelegationAdminGroup

–

# Clear The Screen
Clear-Host

# Get Script Location
$scriptFolder = (Get-Location).Path

# Get File With OUs To Process
$fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt"

# Import The Required Module
Import-Module ActiveDirectory

#Get The RootDSE Info
$rootDSE = Get-ADRootDSE

# Get List Of OUs To Process
$listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess)

# Security Principal To Audit For Actions
$securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup"

# Process Each OU
$listOfOUsToProcess | %{
    $ou = $_
    $ouDrivePath = $("AD:\" + $ou)
    Write-Host ""
    Write-Host "Processing OU: $ou" -Foregroundcolor Cyan
    Write-Host "   REMOVING Audit Entries..."
    Write-Host "      Security Principal...: $securityPrincipalAccount"
    Write-Host ""
    $aclOU = Get-Acl $ouDrivePath -Audit
    $aclOU.Audit | ?{$_.IdentityReference -eq $securityPrincipalAccount} | %{
        $auditRule = $_
        $aclOU.RemoveAuditRule($auditRule)
    }
    $aclOU | Set-Acl $ouDrivePath
}

–

Figure 1: SACL Before Removal

–

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

Figure 2: Configuring The SACL Through PowerShell

–

Figure 3: SACL After Removal

–

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

• (2014-08-16) PowerShell And DACLs In AD: Adding ACE For Create/Delete Some Object
• (2014-08-18) PowerShell And DACLs In AD: Adding ACE For Read/Write Property On Some Object
• (2014-08-20) PowerShell And DACLs In AD: Adding ACE For Some Extended Right On Some Object
• (2014-08-22) PowerShell And DACLs In AD: Removing ACE For Delete Some Object
• (2014-08-24) PowerShell And DACLs In AD: Removing ACE For Write Property On Some Object
• (2014-08-26) PowerShell And DACLs In AD: Removing ACE For Some Extended Right On Some Object
• (2014-08-28) PowerShell And DACLs In AD: Removing All ACEs On Some Object
• (2014-08-30) PowerShell And SACLs In AD: Adding Auditing Entry For Create/Delete Some Object
• (2014-09-01) PowerShell And SACLs In AD: Adding Auditing Entry For Read/Write Property On Some Object
• (2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object
• (2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object
• (2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object
• (2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object
• (2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object
• (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL
• (2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object

PowerShell Code to remove an auditing entry from one or multiple OUs for some security principal when executing some extended right (control access right) on some object.

Example object class: user

Example extended right: Reset Password

Example security principal: ADCORP\MyDelegationAdminGroup

–

# Clear The Screen
Clear-Host

# Get Script Location
$scriptFolder = (Get-Location).Path

# Get File With OUs To Process
$fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt"

# Import The Required Module
Import-Module ActiveDirectory

#Get The RootDSE Info
$rootDSE = Get-ADRootDSE

# Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute
$mappingTable_lDAPDisplayName_schemaIDGUID = @{}
Get-ADObject -SearchBase ($rootDSE.schemaNamingContext) `
    -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName,schemaIDGUID | %{
        $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID
    }
    
# Create Hash Table With The displayName And rightsGUID Of Each Extended Right (a.k.a. Control Access Right)
$mappingTable_displayName_rightsGUID = @{}
Get-ADObject -SearchBase $("CN=Extended-Rights," + $rootdse.ConfigurationNamingContext) `
    -LDAPFilter "(&(objectClass=controlAccessRight)(rightsguid=*))" `
    -Properties displayName,rightsGuid | %{
        $mappingTable_displayName_rightsGUID[$_.displayName]=[System.GUID]$_.rightsGuid
    }
    
# Get List Of OUs To Process
$listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess)

# Object Class And Attribute To Configure Auditing For 
$scopedObject = "user"
$schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject]
$scopedCAR = "Reset Password"
$schemaIDGUIDScopedCAR = $mappingTable_displayName_rightsGUID[$scopedCAR]
$inheritanceScope = "Descendents"

# Security Principal To Audit For Actions
$securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup"
$securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount)

# Define Auditing Entry
$rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ExtendedRight"
$auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure"
$auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedCAR,$inheritanceScope,$schemaIDGUIDScopedObject
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition)

# Process Each OU
$listOfOUsToProcess | %{
    $ou = $_
    $ouDrivePath = $("AD:\" + $ou)
    Write-Host ""
    Write-Host "Processing OU: $ou" -Foregroundcolor Cyan
    Write-Host "   REMOVING Audit Entry..."
    Write-Host "      Security Principal...: $securityPrincipalAccount"
    Write-Host "      Audit Type...........: $auditType"
    Write-Host "      Access Type..........: $rightsCollection"
    Write-Host "      Scoped CAR...........: $scopedCAR"
    Write-Host "      Scoped Object Class..: $scopedObject"
    Write-Host "      Scope................: $inheritanceScope"
    Write-Host ""
    $aclOU = Get-Acl $ouDrivePath -Audit
    $aclOU.RemoveAuditRule($auditRule)
    $aclOU | Set-Acl $ouDrivePath
}

–

Figure 1: SACL Before Removal

–

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

Figure 2: Configuring The SACL Through PowerShell

–

Figure 3: SACL After Removal

–

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

• (2014-08-16) PowerShell And DACLs In AD: Adding ACE For Create/Delete Some Object
• (2014-08-18) PowerShell And DACLs In AD: Adding ACE For Read/Write Property On Some Object
• (2014-08-20) PowerShell And DACLs In AD: Adding ACE For Some Extended Right On Some Object
• (2014-08-22) PowerShell And DACLs In AD: Removing ACE For Delete Some Object
• (2014-08-24) PowerShell And DACLs In AD: Removing ACE For Write Property On Some Object
• (2014-08-26) PowerShell And DACLs In AD: Removing ACE For Some Extended Right On Some Object
• (2014-08-28) PowerShell And DACLs In AD: Removing All ACEs On Some Object
• (2014-08-30) PowerShell And SACLs In AD: Adding Auditing Entry For Create/Delete Some Object
• (2014-09-01) PowerShell And SACLs In AD: Adding Auditing Entry For Read/Write Property On Some Object
• (2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object
• (2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object
• (2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object
• (2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object
• (2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object
• (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL
• (2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object

PowerShell Code to remove a specific auditing entry from one or multiple OUs for some security principal on some object.

Example object class: user

Example permission: Read Property

Example attribute: employeeID

Example security principal: ADCORP\MyDelegationAdminGroup

–

# Clear The Screen
Clear-Host

# Get Script Location
$scriptFolder = (Get-Location).Path

# Get File With OUs To Process
$fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt"

# Import The Required Module
Import-Module ActiveDirectory

#Get The RootDSE Info
$rootDSE = Get-ADRootDSE

# Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute
$mappingTable_lDAPDisplayName_schemaIDGUID = @{}
Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) `
    -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName,schemaIDGUID | %{
        $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID
    }

# Get List Of OUs To Process
$listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess)

# Object Class And Attribute To Configure Auditing For 
$scopedObject = "user"
$schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject]
$scopedAttribute = "employeeID"
$schemaIDGUIDScopedAttribute = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedAttribute]
$inheritanceScope = "Descendents"

# Security Principal To Audit For Actions
$securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup"
$securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount)

# Define Auditing Entry
$rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ReadProperty"
$auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure"
$auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedAttribute,$inheritanceScope,$schemaIDGUIDScopedObject
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition)

# Process Each OU
$listOfOUsToProcess | %{
    $ou = $_
    $ouDrivePath = $("AD:\" + $ou)
    Write-Host ""
    Write-Host "Processing OU: $ou" -Foregroundcolor Cyan
    Write-Host "   REMOVING Audit Entry..."
    Write-Host "      Security Principal...: $securityPrincipalAccount"
    Write-Host "      Audit Type...........: $auditType"
    Write-Host "      Access Type..........: $rightsCollection"
    Write-Host "      Scoped Attribute.....: $scopedAttribute"
    Write-Host "      Scoped Object Class..: $scopedObject"
    Write-Host "      Scope................: $inheritanceScope"
    Write-Host ""
    $aclOU = Get-Acl $ouDrivePath -Audit
    $aclOU.RemoveAuditRule($auditRule)
    $aclOU | Set-Acl $ouDrivePath
}

–

Figure 1: SACL Before Removal

–

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

Figure 2: Configuring The SACL Through PowerShell

–

Figure 3: SACL After Removal

–

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

• (2014-08-16) PowerShell And DACLs In AD: Adding ACE For Create/Delete Some Object
• (2014-08-18) PowerShell And DACLs In AD: Adding ACE For Read/Write Property On Some Object
• (2014-08-20) PowerShell And DACLs In AD: Adding ACE For Some Extended Right On Some Object
• (2014-08-22) PowerShell And DACLs In AD: Removing ACE For Delete Some Object
• (2014-08-24) PowerShell And DACLs In AD: Removing ACE For Write Property On Some Object
• (2014-08-26) PowerShell And DACLs In AD: Removing ACE For Some Extended Right On Some Object
• (2014-08-28) PowerShell And DACLs In AD: Removing All ACEs On Some Object
• (2014-08-30) PowerShell And SACLs In AD: Adding Auditing Entry For Create/Delete Some Object
• (2014-09-01) PowerShell And SACLs In AD: Adding Auditing Entry For Read/Write Property On Some Object
• (2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object
• (2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object
• (2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object
• (2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object
• (2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object
• (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL
• (2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object

PowerShell Code to remove a specific auditing entry from one or multiple OUs for some security principal on some object.

Example object class: user

Example permission: Create Child

Example security principal: ADCORP\MyDelegationAdminGroup

–

# Clear The Screen
Clear-Host

# Get Script Location
$scriptFolder = (Get-Location).Path

# Get File With OUs To Process
$fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt"

# Import The Required Module
Import-Module ActiveDirectory

#Get The RootDSE Info
$rootDSE = Get-ADRootDSE

# Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute
$mappingTable_lDAPDisplayName_schemaIDGUID = @{}
Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) `
    -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName,schemaIDGUID | %{
        $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID
    }

# Get List Of OUs To Process
$listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess)

# Object Class And Attribute To Configure Auditing For 
$scopedObject = "user"
$schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject]
$inheritanceScope = "All"

# Security Principal To Audit For Actions
$securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup"
$securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount)

# Define Auditing Entry
$rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"CreateChild"
$auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure"
$auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedObject,$inheritanceScope
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition)

# Process Each OU
$listOfOUsToProcess | %{
    $ou = $_
    $ouDrivePath = $("AD:\" + $ou)
    Write-Host ""
    Write-Host "Processing OU: $ou" -Foregroundcolor Cyan
    Write-Host "   REMOVING Audit Entry..."
    Write-Host "      Security Principal...: $securityPrincipalAccount"
    Write-Host "      Audit Type...........: $auditType"
    Write-Host "      Access Type..........: $rightsCollection"
    Write-Host "      Scoped Object Class..: $scopedObject"
    Write-Host "      Scope................: $inheritanceScope"
    Write-Host ""
    $aclOU = Get-Acl $ouDrivePath -Audit
    $aclOU.RemoveAuditRule($auditRule)
    $aclOU | Set-Acl $ouDrivePath
}

–

Figure 1: SACL Before Removal

–

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

Figure 2: Configuring The SACL Through PowerShell

–

Figure 3: SACL After Removal

–

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

• (2014-08-16) PowerShell And DACLs In AD: Adding ACE For Create/Delete Some Object
• (2014-08-18) PowerShell And DACLs In AD: Adding ACE For Read/Write Property On Some Object
• (2014-08-20) PowerShell And DACLs In AD: Adding ACE For Some Extended Right On Some Object
• (2014-08-22) PowerShell And DACLs In AD: Removing ACE For Delete Some Object
• (2014-08-24) PowerShell And DACLs In AD: Removing ACE For Write Property On Some Object
• (2014-08-26) PowerShell And DACLs In AD: Removing ACE For Some Extended Right On Some Object
• (2014-08-28) PowerShell And DACLs In AD: Removing All ACEs On Some Object
• (2014-08-30) PowerShell And SACLs In AD: Adding Auditing Entry For Create/Delete Some Object
• (2014-09-01) PowerShell And SACLs In AD: Adding Auditing Entry For Read/Write Property On Some Object
• (2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object
• (2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object
• (2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object
• (2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object
• (2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object
• (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL
• (2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object

PowerShell Code to add an auditing entry to one or multiple OUs for some security principal when executing some extended right (control access right) on some object.

Example object class: user

Example extended right: Reset Password

Example security principal: ADCORP\MyDelegationAdminGroup

–

# Clear The Screen
Clear-Host

# Get Script Location
$scriptFolder = (Get-Location).Path

# Get File With OUs To Process
$fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt"

# Import The Required Module
Import-Module ActiveDirectory

#Get The RootDSE Info
$rootDSE = Get-ADRootDSE

# Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute
$mappingTable_lDAPDisplayName_schemaIDGUID = @{}
Get-ADObject -SearchBase ($rootDSE.schemaNamingContext) `
    -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName,schemaIDGUID | %{
        $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID
    }
    
# Create Hash Table With The displayName And rightsGUID Of Each Extended Right (a.k.a. Control Access Right)
$mappingTable_displayName_rightsGUID = @{}
Get-ADObject -SearchBase $("CN=Extended-Rights," + $rootdse.ConfigurationNamingContext) `
    -LDAPFilter "(&(objectClass=controlAccessRight)(rightsguid=*))" `
    -Properties displayName,rightsGuid | %{
        $mappingTable_displayName_rightsGUID[$_.displayName]=[System.GUID]$_.rightsGuid
    }
    
# Get List Of OUs To Process
$listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess)

# Object Class And Attribute To Configure Auditing For 
$scopedObject = "user"
$schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject]
$scopedCAR = "Reset Password"
$schemaIDGUIDScopedCAR = $mappingTable_displayName_rightsGUID[$scopedCAR]
$inheritanceScope = "Descendents"

# Security Principal To Audit For Actions
$securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup"
$securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount)

# Define Auditing Entry
$rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ExtendedRight"
$auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure"
$auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedCAR,$inheritanceScope,$schemaIDGUIDScopedObject
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition)

# Process Each OU
$listOfOUsToProcess | %{
    $ou = $_
    $ouDrivePath = $("AD:\" + $ou)
    Write-Host ""
    Write-Host "Processing OU: $ou" -Foregroundcolor Cyan
    Write-Host "   ADDING Audit Entry..."
    Write-Host "      Security Principal...: $securityPrincipalAccount"
    Write-Host "      Audit Type...........: $auditType"
    Write-Host "      Access Type..........: $rightsCollection"
    Write-Host "      Scoped CAR...........: $scopedCAR"
    Write-Host "      Scoped Object Class..: $scopedObject"
    Write-Host "      Scope................: $inheritanceScope"
    Write-Host ""
    $aclOU = Get-Acl $ouDrivePath -Audit
    $aclOU.AddAuditRule($auditRule)
    $aclOU | Set-Acl $ouDrivePath
}

–

Figure 1: Configuring The SACL Through PowerShell

–

Figure 2: The Auditing Entry That Was Added

–

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

• (2014-08-16) PowerShell And DACLs In AD: Adding ACE For Create/Delete Some Object
• (2014-08-18) PowerShell And DACLs In AD: Adding ACE For Read/Write Property On Some Object
• (2014-08-20) PowerShell And DACLs In AD: Adding ACE For Some Extended Right On Some Object
• (2014-08-22) PowerShell And DACLs In AD: Removing ACE For Delete Some Object
• (2014-08-24) PowerShell And DACLs In AD: Removing ACE For Write Property On Some Object
• (2014-08-26) PowerShell And DACLs In AD: Removing ACE For Some Extended Right On Some Object
• (2014-08-28) PowerShell And DACLs In AD: Removing All ACEs On Some Object
• (2014-08-30) PowerShell And SACLs In AD: Adding Auditing Entry For Create/Delete Some Object
• (2014-09-01) PowerShell And SACLs In AD: Adding Auditing Entry For Read/Write Property On Some Object
• (2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object
• (2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object
• (2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object
• (2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object
• (2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object
• (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL
• (2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2014-09-01) PowerShell And SACLs In AD: Adding Auditing Entry For Read/Write Property On Some Object

PowerShell Code to add an auditing entry to one or multiple OUs for some security principal when reading/writing some attribute on some object.

Example object class: user

Example permission: Read Property and Write Property

Example attribute: employeeID

Example security principal: ADCORP\MyDelegationAdminGroup

–

# Clear The Screen
Clear-Host

# Get Script Location
$scriptFolder = (Get-Location).Path

# Get File With OUs To Process
$fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt"

# Import The Required Module
Import-Module ActiveDirectory

#Get The RootDSE Info
$rootDSE = Get-ADRootDSE

# Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute
$mappingTable_lDAPDisplayName_schemaIDGUID = @{}
Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) `
    -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName,schemaIDGUID | %{
        $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID
    }

# Get List Of OUs To Process
$listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess)

# Object Class And Attribute To Configure Auditing For
$scopedObject = "user"
$schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject]
$scopedAttribute = "employeeID"
$schemaIDGUIDScopedAttribute = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedAttribute]
$inheritanceScope = "Descendents"

# Security Principal To Audit For Actions
$securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup"
$securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount)

# Define Auditing Entry
$rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ReadProperty","WriteProperty"
$auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure"
$auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedAttribute,$inheritanceScope,$schemaIDGUIDScopedObject
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition)

# Process Each OU
$listOfOUsToProcess | %{
    $ou = $_
    $ouDrivePath = $("AD:\" + $ou)
    Write-Host ""
    Write-Host "Processing OU: $ou" -Foregroundcolor Cyan
    Write-Host "   ADDING Audit Entry..."
    Write-Host "      Security Principal...: $securityPrincipalAccount"
    Write-Host "      Audit Type...........: $auditType"
    Write-Host "      Access Type..........: $rightsCollection"
    Write-Host "      Scoped Attribute.....: $scopedAttribute"
    Write-Host "      Scoped Object Class..: $scopedObject"
    Write-Host "      Scope................: $inheritanceScope"
    Write-Host ""
    $aclOU = Get-Acl $ouDrivePath -Audit
    $aclOU.AddAuditRule($auditRule)
    $aclOU | Set-Acl $ouDrivePath
}

–

Figure 1: Configuring The SACL Through PowerShell

–

Figure 2: The Auditing Entry That Was Added

–

Figure 3: Detailed Info Of The Auditing Entry

–

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

• (2014-08-16) PowerShell And DACLs In AD: Adding ACE For Create/Delete Some Object
• (2014-08-18) PowerShell And DACLs In AD: Adding ACE For Read/Write Property On Some Object
• (2014-08-20) PowerShell And DACLs In AD: Adding ACE For Some Extended Right On Some Object
• (2014-08-22) PowerShell And DACLs In AD: Removing ACE For Delete Some Object
• (2014-08-24) PowerShell And DACLs In AD: Removing ACE For Write Property On Some Object
• (2014-08-26) PowerShell And DACLs In AD: Removing ACE For Some Extended Right On Some Object
• (2014-08-28) PowerShell And DACLs In AD: Removing All ACEs On Some Object
• (2014-08-30) PowerShell And SACLs In AD: Adding Auditing Entry For Create/Delete Some Object
• (2014-09-01) PowerShell And SACLs In AD: Adding Auditing Entry For Read/Write Property On Some Object
• (2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object
• (2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object
• (2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object
• (2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object
• (2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object
• (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL
• (2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2014-08-30) PowerShell And SACLs In AD: Adding Auditing Entry For Create/Delete Some Object

PowerShell Code to add an auditing entry to one or multiple OUs for some security principal when creating/deleting some object.

Example object class: user

Example permission: Create Child and Delete Child

Example security principal: ADCORP\MyDelegationAdminGroup

–

# Clear The Screen
Clear-Host

# Get Script Location
$scriptFolder = (Get-Location).Path

# Get File With OUs To Process
$fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt"

# Import The Required Module
Import-Module ActiveDirectory

#Get The RootDSE Info
$rootDSE = Get-ADRootDSE

# Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute
$mappingTable_lDAPDisplayName_schemaIDGUID = @{}
Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) `
    -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName,schemaIDGUID | %{
        $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID
    }

# Get List Of OUs To Process
$listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess)

# Object Class And Attribute To Configure Auditing For 
$scopedObject = "user"
$schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject]
$inheritanceScope = "All"

# Security Principal To Audit For Actions
$securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup"
$securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount)

# Define Auditing Entry
$rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"CreateChild","DeleteChild"
$auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure"
$auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedObject,$inheritanceScope
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition)

# Process Each OU
$listOfOUsToProcess | %{
    $ou = $_
    $ouDrivePath = $("AD:\" + $ou)
    Write-Host ""
    Write-Host "Processing OU: $ou" -Foregroundcolor Cyan
    Write-Host "   ADDING Audit Entry..."
    Write-Host "      Security Principal...: $securityPrincipalAccount"
    Write-Host "      Audit Type...........: $auditType"
    Write-Host "      Access Type..........: $rightsCollection"
    Write-Host "      Scoped Object Class..: $scopedObject"
    Write-Host "      Scope................: $inheritanceScope"
    Write-Host ""
    $aclOU = Get-Acl $ouDrivePath -Audit
    $aclOU.AddAuditRule($auditRule)
    $aclOU | Set-Acl $ouDrivePath
}

–

Figure 1: Configuring The SACL Through PowerShell

–

Figure 2: The Auditing Entry That Was Added

–

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

• (2014-08-16) PowerShell And DACLs In AD: Adding ACE For Create/Delete Some Object
• (2014-08-18) PowerShell And DACLs In AD: Adding ACE For Read/Write Property On Some Object
• (2014-08-20) PowerShell And DACLs In AD: Adding ACE For Some Extended Right On Some Object
• (2014-08-22) PowerShell And DACLs In AD: Removing ACE For Delete Some Object
• (2014-08-24) PowerShell And DACLs In AD: Removing ACE For Write Property On Some Object
• (2014-08-26) PowerShell And DACLs In AD: Removing ACE For Some Extended Right On Some Object
• (2014-08-28) PowerShell And DACLs In AD: Removing All ACEs On Some Object
• (2014-08-30) PowerShell And SACLs In AD: Adding Auditing Entry For Create/Delete Some Object
• (2014-09-01) PowerShell And SACLs In AD: Adding Auditing Entry For Read/Write Property On Some Object
• (2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object
• (2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object
• (2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object
• (2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object
• (2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object
• (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL
• (2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2013-07-08) Enabling Auditing Of Issued Claims In ADFS v1.0 and ADFS v1.1

As an Identity Provider (IdP) and/or as a Service Provider (SP) you might need to be able to audit the issued claims in security tokens. This might be especially true if you are the SP that both owns the application and the data within the application and you have federation trusts setup with business partners.

–

If you are still using ADFS v1.x and you need to enable the auditing of issued claims you can do that by performing the following steps:

• In the ADFS Trust Policy enable the following event levels: Success Audit, Failure Audit, Detailed Success, Detailed Failure
• The account that is used in the ADFS application pool must have the “Generated Security Audits” user right on every ADFS v1.x STS server. This can be achieved through:
  • Configuring the user right mentioned within the local security policy of each ADFS v1.x STS server
    OR
  • Configuring the user right mentioned within a GPO, link that GPO to the OU that contains the computer account of each ADFS v1.x STS server and make sure that it only applies to the ADFS v1.x STS servers through either group filtering or WMI filtering
• At a minimum you must enable successes and failures for the subcategory  “Application Generated” within the category “Object Access”. This can be achieved by:
  • Issuing the following command on each ADFS v1.x STS server: AUDITPOL /SET /SUBCATEGORY:"Application Generated" /FAILURE:ENABLE /SUCCESS:ENABLE
    (This applies only to W2K8 and higher)
    OR
  • Configuring the main category “Object Access” to be enabled for successes and failures within a GPO, link that GPO to the OU that contains the computer account of each ADFS v1.x STS server and make sure that it only applies to the ADFS v1.x STS servers through either group filtering or WMI filtering. (Within GPO: Within GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Object Access)
    (This applies only W2K3 and W2K8)
  • Configuring the subcategory “Application Generated” within the main category “Object Access” to be enabled for successes and failures within a GPO, link that GPO to the OU that contains the computer account of each ADFS v1.x STS server and make sure that it only applies to the ADFS v1.x STS servers through either group filtering or WMI filtering. (Within GPO:  Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Application Generated)
    (This applies only W2K8 R2)

–

All the auditing events with regards to the claims issued can be found in the Security Event Log. If you expect a high churn of all kinds of auditing events in the security event log, you might need to centrally consolidate/store those events using a tool that is able to collect such information.

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2010-07-30) Auditing In Windows Server 2008 R2

Auditing In Windows Server 2008 also provided granular audit policies, but those were only configurable locally on each server through the utility called AUDITPOL. From within a GPO you could only configure the global auditing policies. Windows Server 2008 R2 now also allows you to configure the granular audit policies through a GPO.

The Granular Audit Policies can be found in a GPO at the following location:

–> Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration

It contains the following node and sub nodes:

• Audit Policies
  • Account Logon
    • Audit Credential Validation
    • Audit Kerberos Authentication Service
    • Audit Kerberos Service Ticket Operations
    • Audit Other Account Logon Events
  • Account Management
    • Audit Application Group Management
    • Audit Computer Management
    • Audit Distribution Group Management
    • Audit Other Account Management Events
    • Audit Security Group Management
    • Audit User Account Management
  • Detailed Tracking
    • Audit DPAPI Activity
    • Audit Process Creation
    • Audit Process Termination
    • Audit RPC Events
  • DS Access
    • Audit Detailed Directory Service Replication
    • Audit Directory Service Access
    • Audit Directory Service Changes
    • Audit Directory Service Replication
  • Logon/Logoff
    • Audit Account Lockout
    • Audit IPSec Extended Mode
    • Audit IPSec Main Mode
    • Audit IPSec Quick Mode
    • Audit Logoff
    • Audit Logon
    • Audit Network Policy Server
    • Audit Other Logon/Logoff Events
    • Audit Special Logon
  • Object Access
    • Audit Application Generated
    • Audit Certification Services
    • Audit Detailed File Share
    • Audit File Share
    • Audit File System
    • Audit Filtering Platform Connection
    • Audit Filtering Platform Packet Drop
    • Audit Handle Manipulation
    • Audit Kernel Object
    • Audit Other Object Access Events
    • Audit Registry
    • Audit SAM
  • Policy Change
    • Audit Audit Policy Change
    • Audit Authentication Policy Change
    • Audit Authorization Policy Change
    • Audit Filtering Platform Policy Change
    • Audit MPSSVC Rule-Level Policy Change
    • Audit Other Policy Change Events
  • Privilege Use
    • Audit Non-Sensitive Privilege Use
    • Audit Sensitive Privilege Use
    • Audit Other Privilege Use Events
  • System
    • Audit IPsec Driver
    • Audit Other System Events
    • Audit Security State Change
    • Audit Security System Extension
    • Audit System Integrity
  • Global Object Access Auditing
    • File System (Global Object Access Auditing)
    • Registry (Global Object Access Auditing)

More detailed information about each auditing topic (including events) can be found:

• Advanced Security Audit Policy Settings
• Advanced Security Audit Policy Step-by-Step Guide
• Planning and Deploying Advanced Security Audit Policies
• Advanced Security Auditing FAQ
• Security Audit Events for Windows 7 and Windows Server 2008 R2

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————