PowerShell
141 Topics

Server 2019 reporting wrong build via PowerShell
Hi, I've had this issue both this month and also in September. Both times, after installing the Patch Tuesday update, my management tool is providing the wrong build for Windows Server 2019 due to a very strange issue. When manually looking in the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" I see that the build (for November) is 6532. However, when I retrieve the exact same data using PowerShell, it reports back with build 6530? Does anyone know why these builds are different? Is this just a Microsoft issue? I've only ever had this issue these two specific months, never before...

Active Directory is not working
I had Microsoft Server 2003. I installed 2012 R2 on a new machine and joined the old domain. Then the migration was done by some person and I don't know how he did it. The old server crashed now and the new one is working. DNS and DHCP are working fine but Active Directory is not. I am new, so can anyone please help me with this? I will share the results, whatever is required. Thank you.

Force a specific default lock screen and logon image
Dear, I currently have a DC deployed on Windows Server 2019. I want to configure a specific default image on lock screens on Windows 10 Pro clients via Group Policy. Is this possible, or is it only compatible with Enterprise or Education editions? Thanks in advance,

Win32_PerfRawData_W3SVC_WebService
Hello Team, When I ran the below command on Windows Server 2019 Standard I am getting an error. Please can someone help me with the solution.

WMIC /NAMESPACE:\\root\cimv2\ PATH Win32_PerfRawData_W3SVC_WebService WHERE name='_Total' GET /value

Result: Description = Not found

Admin accounts which do not have the flag "This account is sensitive and cannot be delegated"
Hi AD Brain trust, I'm currently working on a security assessment for our internal AD environment. One of the items in the report is: Presence of Admin accounts which do not have the flag "This account is sensitive and cannot be delegated": 6. I'm struggling to understand the consequences of setting the flag for admin accounts. If anyone can shed some light on the implications/recommendations to resolve this detection, it would be greatly appreciated! Thank you!

tracking user activity to data/shares
Hello, Sorry in advance if this isn't the right place to post this. I have a group of people for whom I need to figure out which data/shares they are accessing the most. Is there a way to see this in AD or by using some sort of PowerShell command? Thank you, J

Active Directory Advanced Threat Hunting - Tracing the cause of account lockouts and password errors
Dear Microsoft Active Directory friends, In this article we are going on a "search for clues" :-). In the life of an IT administrator, you have certainly often had to reset a user's password or remove an account lockout. Now the question arises on which system the account was locked or on which system the password was entered incorrectly. In order to determine this information with PowerShell, some preparations must be made. "Advanced Audit Policy Configuration" must be configured in the group policies. This article from Microsoft provides a good starting point: https://learn.microsoft.com/en-us/defender-for-identity/deploy/event-collection-overview In my example, I have adapted the Default Domain Controllers Policy.

Before we begin, here is some important information about MITRE techniques:

Account Access Removal: https://attack.mitre.org/techniques/T1531/
User Account: https://attack.mitre.org/datasources/DS0002/
Brute Force: Password Spraying: https://attack.mitre.org/techniques/T1110/003/

Account lockouts are logged in the Windows event logs with the ID 4740. We will therefore focus on this event ID first. The start of the PowerShell script looks like this:

#Prep work for lockouts, Account lockout Event ID
$LockOutID = 4740

#Find the PDC
(Get-ADDomain).PDCEmulator
$PDCEmulator = (Get-ADDomain).PDCEmulator

#Connect to the PDC
Enter-PSSession -ComputerName $PDCEmulator

#Query event log
Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID = $LockOutID
}

#Parse the event and assign to a variable
$events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID = $LockOutID
}

#Examine some properties
$events[0].Message

#Regex?
$events[0].Message -match 'Caller Computer Name:\s+(?<caller>[^\s]+)'
$Matches.caller

#Cool, but not as easy as:
$events[0].Properties
$events[0].Properties[1].Value

#For all events:
ForEach($event in $events){
    [pscustomobject]@{
        UserName = $event.Properties[0].Value
        CallerComputer = $event.Properties[1].Value
        TimeStamp = $event.TimeCreated
    }
}

#And we'll make that a function
Function Get-ADUserLockouts {
    [CmdletBinding(
        DefaultParameterSetName = 'All'
    )]
    Param (
        [Parameter(
            ValueFromPipeline = $true,
            ParameterSetName = 'ByUser'
        )]
        [Microsoft.ActiveDirectory.Management.ADUser]$Identity
    )
    Begin{
        $LockOutID = 4740
        $PDCEmulator = (Get-ADDomain).PDCEmulator
    }
    Process {
        If($PSCmdlet.ParameterSetName -eq 'All'){
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID = $LockOutID
            }
        }ElseIf($PSCmdlet.ParameterSetName -eq 'ByUser'){
            $user = Get-ADUser $Identity
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID = $LockOutID
            } | Where-Object {$_.Properties[0].Value -eq $user.SamAccountName}
        }
        ForEach($event in $events){
            [pscustomobject]@{
                UserName = $event.Properties[0].Value
                CallerComputer = $event.Properties[1].Value
                TimeStamp = $event.TimeCreated
            }
        }
    }
    End{}
}

#Usage
Get-ADUserLockouts

#Single user
Get-ADUser 'jesse.pinkman' | Get-ADUserLockouts

Now we come to the incorrectly entered passwords. These events are logged in the Windows event logs with the ID 4625.

#Prep work for bad passwords -Event ID
$badPwId = 4625

#Get the events from the PDC
$events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID = $badPwId
}

#Correlate the logon types
$LogonType = @{
    '2' = 'Interactive'
    '3' = 'Network'
    '4' = 'Batch'
    '5' = 'Service'
    '7' = 'Unlock'
    '8' = 'Networkcleartext'
    '9' = 'NewCredentials'
    '10' = 'RemoteInteractive'
    '11' = 'CachedInteractive'
}

#Format the properties
ForEach($event in $events){
    [pscustomobject]@{
        TargetAccount = $event.properties.Value[5]
        LogonType = $LogonType["$($event.properties.Value[10])"]
        CallingComputer = $event.Properties.Value[13]
        IPAddress = $event.Properties.Value[19]
        TimeStamp = $event.TimeCreated
    }
}

#Bring it all together in a function
Function Get-ADUserBadPasswords {
    [CmdletBinding(
        DefaultParameterSetName = 'All'
    )]
    Param (
        [Parameter(
            ValueFromPipeline = $true,
            ParameterSetName = 'ByUser'
        )]
        [Microsoft.ActiveDirectory.Management.ADUser]$Identity
    )
    Begin {
        $badPwId = 4625
        $PDCEmulator = (Get-ADDomain).PDCEmulator
        $LogonType = @{
            '2' = 'Interactive'
            '3' = 'Network'
            '4' = 'Batch'
            '5' = 'Service'
            '7' = 'Unlock'
            '8' = 'Networkcleartext'
            '9' = 'NewCredentials'
            '10' = 'RemoteInteractive'
            '11' = 'CachedInteractive'
        }
    }
    Process {
        If($PSCmdlet.ParameterSetName -eq 'All'){
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID = $badPwId
            }
        }ElseIf($PSCmdlet.ParameterSetName -eq 'ByUser'){
            $user = Get-ADUser $Identity
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID = $badPwId
            } | Where-Object {$_.Properties[5].Value -eq $user.SamAccountName}
        }
        ForEach($event in $events){
            [pscustomobject]@{
                TargetAccount = $event.properties.Value[5]
                LogonType = $LogonType["$($event.properties.Value[10])"]
                CallingComputer = $event.Properties.Value[13]
                IPAddress = $event.Properties.Value[19]
                TimeStamp = $event.TimeCreated
            }
        }
    }
    End{}
}

#Usage
Get-ADUserBadPasswords | Format-Table

#Single account
Get-ADUser administrator | Get-ADUserBadPasswords | Format-Table

I hope that this information is helpful to you and that you have been given a good "little" foundation. This article/information is by no means complete and exhaustive. But I still hope that this information is helpful to you. Thank you for taking the time to read the article. Happy Hunting, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

setting GP Link failure
I'm trying to connect several group policies to their OU via PowerShell. The command used is

New-GPLink -Name $line.Displayname -Target $line.Target -LinkEnabled $LinkEnable -Order $line.Order

where the variables are read from a CSV file. The command fails with the following error:

New-GPLink : A referral was returned from the server.
At D:\Scripts\LinkGPO.ps1:17 char:1
+ New-GPLink -Name $line.Displayname -Target $line.Target -LinkEnabled ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-GPLink], DirectoryServicesCOMException
    + FullyQualifiedErrorId : System.DirectoryServices.DirectoryServicesCOMException,Microsoft.GroupPolicy.Commands.NewGPLinkCommand

I also tried the same command with the explicit path and names but it fails as well. Connecting it via Group Policy Management works indeed. Any help?

GPO Configured Startup Powershell Script & Execution Policy
Hi all, Earlier this year, we replaced all of our Domain Controllers, moving from Windows Server 2012 R2 to Windows Server 2022. Ever since we made this change, we have seen some different behavior with GPO-configured Startup scripts. These scripts are located in the NETLOGON directory (or a subfolder of NETLOGON). For about a decade, we have had a GPO-configured startup script to install our AV software on every machine in the domain. After we upgraded, it is no longer running. After some troubleshooting, it seems that the script isn't trusted. Our execution policy is set to RemoteSigned. EDIT: Logon scripts that are PowerShell scripts seem to work as expected. It appears to only be with Startup scripts. I haven't found anything through internet searches about AD changes to the way NETLOGON is trusted. Has anyone else seen, experienced, or hopefully resolved this problem? Thanks
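As an added example for Tom Wechsler's account lockout and bad-password article above (not code from that post or from his GitHub repository), the following takes the objects its Get-ADUserLockouts and Get-ADUserBadPasswords functions emit and summarises them per source, flagging one source failing against many accounts (the password-spraying pattern the article links to) and tying each 4740 lockout to the 4625 failures that preceded it. Function names, thresholds and the sample records at the bottom are assumptions made here.

```powershell
# Added example, not code from the original post. Input objects have the shape that the
# article's Get-ADUserBadPasswords (TargetAccount, LogonType, CallingComputer, IPAddress,
# TimeStamp) and Get-ADUserLockouts (UserName, CallerComputer, TimeStamp) functions return.
# Thresholds, function names and the constructed sample records are assumptions.

Function Get-BadPasswordSourceSummary {
    Param ([object[]]$BadPasswords, [int]$WindowMinutes = 10, [int]$AccountThreshold = 5)
    # One summary row per calling computer / IP pair
    $BadPasswords | Group-Object CallingComputer, IPAddress | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeStamp)
        $latest = $sorted[-1].TimeStamp
        # Only failures inside the look-back window before the source's latest failure count
        $window = @($sorted | Where-Object { $_.TimeStamp -ge $latest.AddMinutes(-$WindowMinutes) })
        $accounts = @($window.TargetAccount | Sort-Object -Unique)
        [pscustomobject]@{
            Source           = $_.Name
            Failures         = $_.Count
            DistinctAccounts = $accounts.Count
            Accounts         = $accounts -join ','
            SprayCandidate   = $accounts.Count -ge $AccountThreshold
        }
    }
}

Function Join-LockoutToFailures {
    Param ([object[]]$Lockouts, [object[]]$BadPasswords, [int]$WindowMinutes = 30)
    ForEach ($lock in $Lockouts) {
        # Failed logons for the same account in the window before the 4740 event
        $prior = @($BadPasswords | Where-Object {
            $_.TargetAccount -eq $lock.UserName -and
            $_.TimeStamp -le $lock.TimeStamp -and
            $_.TimeStamp -ge $lock.TimeStamp.AddMinutes(-$WindowMinutes) })
        [pscustomobject]@{
            UserName       = $lock.UserName
            LockedFrom     = $lock.CallerComputer
            LockedAt       = $lock.TimeStamp
            PriorFailures  = $prior.Count
            FailureSources = @($prior | ForEach-Object { "$($_.CallingComputer)/$($_.IPAddress)" } |
                               Sort-Object -Unique) -join ','
        }
    }
}

# Constructed sample records (not real events): one host failing against seven accounts
# within seven minutes, and one ordinary bad password followed by a lockout of that user.
$t = Get-Date '2024-01-15 08:00:00'
$bad = @(0..6 | ForEach-Object {
    [pscustomobject]@{ TargetAccount = "user$_"; LogonType = 'Network'; CallingComputer = 'WS-SPRAY'; IPAddress = '10.0.0.50'; TimeStamp = $t.AddMinutes($_) } })
$bad += [pscustomobject]@{ TargetAccount = 'jesse.pinkman'; LogonType = 'Interactive'; CallingComputer = 'WS-014'; IPAddress = '10.0.1.14'; TimeStamp = $t.AddMinutes(20) }
$locks = @([pscustomobject]@{ UserName = 'jesse.pinkman'; CallerComputer = 'WS-014'; TimeStamp = $t.AddMinutes(25) })
Get-BadPasswordSourceSummary -BadPasswords $bad | Format-Table
Join-LockoutToFailures -Lockouts $locks -BadPasswords $bad | Format-Table
```

With real data, pipe the article's functions in directly, for example `Get-BadPasswordSourceSummary -BadPasswords (Get-ADUserBadPasswords)`; note that both only see failures recorded on the PDC emulator, so failures logged only on other domain controllers are not counted.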