Archive for the 'Password management' Category

Read Active Directory Permissions

One of the biggest advances of AD cmdlets 1.1 is support for AD security operations. In this post we will look at the Get-QADPermission cmdlet and how you can use it to read permissions set on AD objects.

To get a list of permissions set directly on an AD object you just need to use:

Get-QADPermission <Identity> – where Identity is a Name, DN, Canonical name, Domain\Name, and so on. For example:

Get-QADPermission 'Dmitry Sotnikov'

As usual you can pipeline a set of objects into the cmdlet to get results for all of them, e.g.:

Get-QADUser -SearchRoot domain.local/employees/chicago -SecurityMask DACL | Get-QADPermission

Here I am getting the access control entries set directly on all users in the domain.local/employees/chicago OU. Note that I am also using the -SecurityMask parameter to tell the Get-QADUser cmdlet to retrieve the access list (DACL – Discretionary Access Control List). This is optional but highly recommended, because with this parameter Get-QADPermission does not have to retrieve the DACL again – fewer calls to the DC, better performance.

The examples above deal only with the permissions set on the object directly; you can add inherited permissions by simply adding -Inherited. In a similar fashion, the -SchemaDefault parameter adds the Access Control Entries (ACEs) that come from the schema's default security descriptor. So this will give you everything:

Get-QADPermission 'Dmitry Sotnikov' -Inherited -SchemaDefault

Or the same but much faster:

Get-QADUser -Name 'Dmitry Sotnikov' -SecurityMask DACL | Get-QADPermission -Inherited -SchemaDefault

You can look for the rights which specific trustees have:

Get-QADPermission 'Dmitry Sotnikov' -Account 'domain\bill','self' -UseTokenGroups

Note that I have added -UseTokenGroups to make sure I get Bill’s rights even if he got those via group membership.

Or for specific rights set on specific properties:

Get-QADPermission 'Dmitry Sotnikov' -Rights WriteProperty -Property samAccountName,name

You can also check for extended rights. Let’s see if I can change my password:

Get-QADPermission 'Dmitry Sotnikov' -Account self,everyone -Allow -ExtendedRight User-Change-Password -Inherited -SchemaDefault

The -Allow and -Deny parameters let you check specifically for allow and deny ACEs.

And there’s much much more: just check out:

get-help Get-QADPermission -detailed

Good job by the team trying to cover each and every case they could think of. If you can think of something they have not covered or implemented in a suboptimal way – please provide your feedback in the AD PowerShell forum – the team is there and listening.

Here’s the AD cmdlets download page which has the latest 1.1 beta drop.
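As an added example (not code from the original post or from the cmdlet team), here is how the parameters above combine into a small delegation review: explicit allow ACEs on user objects in an OU that grant broad rights, with trustees outside an expected set flagged. It assumes the 1.1 snap-in is loaded, the OU path from the post exists, that -Rights accepts several values the way -Property does, and that the ACE objects expose Account and Rights properties (confirm with Get-QADPermission <identity> | Format-List *); the $expectedTrustees list is constructed.

```powershell
# Added example: review explicit allow ACEs granting broad rights on user objects.
# Assumptions: QAD 1.1 snap-in loaded; OU path from the post; ACE objects expose
# .Account and .Rights; -Rights accepts an array like -Property does in the post.
$searchRoot       = 'domain.local/employees/chicago'
$broadRights      = 'GenericAll','WriteDacl','WriteOwner'          # ActiveDirectoryRights values
$expectedTrustees = 'NT AUTHORITY\SYSTEM', 'DOMAIN\Domain Admins'   # constructed baseline

# -SecurityMask DACL fetches the DACL once per user so Get-QADPermission does not
# re-read it. No -Inherited / -SchemaDefault: only ACEs set directly on the object
# are returned, which is where ad-hoc delegation usually shows up.
$findings = foreach ($user in Get-QADUser -SearchRoot $searchRoot -SecurityMask DACL) {
    $user | Get-QADPermission -Allow -Rights $broadRights | ForEach-Object {
        New-Object PSObject -Property @{
            User     = $user.Name
            Trustee  = [string]$_.Account
            Rights   = [string]$_.Rights
            Expected = ($expectedTrustees -contains [string]$_.Account)
        }
    }
}

# A trustee with GenericAll, WriteDacl or WriteOwner on a user object effectively
# controls that account, so each unexpected entry deserves a look against the
# delegation model for the OU.
$findings | Where-Object { -not $_.Expected } |
    Sort-Object Trustee, User |
    Format-Table Trustee, User, Rights -AutoSize
```

Add -Inherited to the Get-QADPermission call to extend the same review to rights inherited from the OU.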


Retrieving Domain Password Policies

AD cmdlets 1.1 add a few nifty features which let you easily access password-related settings of your domain. Basically, all related properties are just a part of the attributes domain objects have, so you can do:

[PS] C:\>Get-QADObject scorpio.local/ | Format-List Name, *Password*, *Lockout*

Name                     : scorpio
MinimumPasswordAge       : 1 days
MaximumPasswordAge       : 42 days
PasswordHistoryLength    : 24 passwords remembered
MinimumPasswordLength    : 1 characters
LockoutDuration          : 30 minutes
LockoutThreshold         : 0 invalid logon attempts
ResetLockoutCounterAfter : 30 minutes

Or if you do not want to specify the domain name explicitly:

[PS] C:\>(Get-QADRootDSE).Domain | Format-List Name, *Password*, *Lockout*

Name                     : scorpio
MinimumPasswordAge       : 1 days
MaximumPasswordAge       : 42 days
PasswordHistoryLength    : 24 passwords remembered
MinimumPasswordLength    : 1 characters
LockoutDuration          : 30 minutes
LockoutThreshold         : 0 invalid logon attempts
ResetLockoutCounterAfter : 30 minutes

Another tip is that you can get hold of the Domain property from any AD account object, e.g. a user.

So if you have:

$user = Get-QADObject 'Dmitry Sotnikov'

And want to learn the password policies you can just do:

$user.Domain | Format-Table Name, *Password*, *Lockout*

Nice and easy!

This all applies to domain policies. Fine-grained password policies have their own set of cmdlets as well.
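The output above (minimum length 1, lockout threshold 0) is a good illustration of why the domain defaults are worth checking. As an added example, not code from the original post, the script below compares the domain object's password settings against a minimum baseline. It assumes AD cmdlets 1.1 or later, the baseline numbers are constructed, and parsing the leading integer out of values rendered like "42 days" is an assumption about how the properties display in your build.

```powershell
# Added example: compare the default domain password policy against a baseline.
# Assumptions: AD cmdlets 1.1+; property values render like "42 days" or as
# TimeSpans, so the leading integer is what we compare; baseline is constructed.
function Get-LeadingInt([object]$value) {
    $text = [string]$value
    if ($text -match '^\s*-?(\d+)') { return [int]$matches[1] }
    return $null
}

# Each entry: property name on the domain object, minimum and maximum acceptable value
$baseline = @(
    @{ Name = 'MinimumPasswordLength'; Min = 12; Max = $null },
    @{ Name = 'PasswordHistoryLength'; Min = 24; Max = $null },
    @{ Name = 'MaximumPasswordAge';    Min = 1;  Max = 365  },   # days; 0 would mean never expires
    @{ Name = 'LockoutThreshold';      Min = 1;  Max = 10   }    # 0 disables lockout entirely
)

$domain   = (Get-QADRootDSE).Domain
$findings = foreach ($rule in $baseline) {
    $raw   = $domain.($rule.Name)          # dynamic property access by name
    $value = Get-LeadingInt $raw
    $ok    = ($value -ne $null) -and ($value -ge $rule.Min) -and (($rule.Max -eq $null) -or ($value -le $rule.Max))
    if ($rule.Max -eq $null) { $expected = ">= $($rule.Min)" } else { $expected = "$($rule.Min)-$($rule.Max)" }
    if ($ok) { $status = 'OK' } else { $status = 'WEAK' }
    New-Object PSObject -Property @{
        Setting  = $rule.Name
        Current  = [string]$raw
        Expected = $expected
        Status   = $status
    }
}
$findings | Format-Table Setting, Current, Expected, Status -AutoSize
```

Remember that this only covers the default domain policy; users covered by a fine-grained policy get their settings from the PSO instead.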


What’s new in AD cmdlets 1.1.0?

Here’s a quick summary of the new and exciting features added in Quest’s free AD cmdlets 1.1.0 just published on the web (I plan to provide more details and examples next week):

1. Get-QADGroupMember -Indirect – this new parameter allows you to retrieve complete group membership for nested AD groups in one command!

2. Permission management cmdlets:

  • Get-QADPermission,
  • Add-QADPermission,
  • Remove-QADPermission,
  • Get-QADObjectSecurity,
  • Remove-QADObjectSecurity.

3. New parameters of Get-QADUser:

  • HomeDirectory (string)
  • HomeDrive (string)
  • ProfilePath (string)
  • LogonScript (string)
  • Email (string)
  • AccountExpiresBefore (DateTime)
  • AccountExpiresAfter (DateTime)
  • AccountNeverExpires (bool)
  • PasswordNeverExpires (bool)

4. New parameters of Set-QADUser

  • HomeDirectory (string)
  • HomeDrive (string)
  • ProfilePath (string)
  • LogonScript (string)
  • Email (string)
  • AccountExpires (DateTime, nullable)
  • PasswordNeverExpires (bool)
  • UserMustChangePassword (bool)
  • TsProfilePath (string)
  • TsHomeDirectory (string)
  • TsHomeDrive (string)
  • TsWorkDirectory (string)
  • TsInitialProgram (string)
  • TsMaxDisconnectionTime (TimeSpan)
  • TsMaxConnectionTime (TimeSpan)
  • TsMaxIdleTime (TimeSpan)
  • TsAllowLogon (bool)
  • TsRemoteControl (int)
  • TsReconnectionAction (int)
  • TsBrokenConnectionAction (int)
  • TsConnectClientDrives (bool)
  • TsConnectPrinterDrives (bool)
  • TsDefaultToMainPrinter (bool)

5. New properties of User object

  • HomeDirectory (string)
  • HomeDrive (string)
  • ProfilePath (string)
  • LogonScript (string)
  • AccountExpires (DateTime, nullable)
  • PasswordLastSet (DateTime, nullable, readonly)
  • PasswordAge (TimeSpan, nullable, readonly)
  • PasswordExpires (DateTime, nullable, readonly)
  • LastLogonTimestamp (DateTime, nullable, readonly)
  • LastLogon (DateTime, nullable, readonly)
  • LastLogoff (DateTime, nullable, readonly)
  • AccountIsDisabled (bool)
  • AccountIsLockedOut (bool)
  • PasswordNeverExpires (bool)
  • UserMustChangePassword (bool)

6. Set-QADGroup now has GroupType and GroupScope parameters (to change group type and scope ;) )
7. New cmdlet Get-QADRootDSE
8. Disambiguation prefixes in the Identity parameter: e.g. Get-QADUser 'dn=cn=object_with@sign'
9. Access to default domain password policies through the domain object, e.g. Get-QADObject mydomain.local/ | format-list *
10. Functionality specific to Quest ActiveRoles Server (this will only work if you have the commercial app):

  • Access template link management,
  • Dynamic groups.

Lots of cool and exciting features and numerous bugfixes.

You can download the beta on the Quest’s AD cmdlets page. Please provide your feedback in the AD PowerShell discussion forums.
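As an added example, not code from the original post, here is an account hygiene report built from the new Get-QADUser parameters and User properties listed above (PasswordNeverExpires, AccountExpiresBefore, AccountIsDisabled, LastLogonTimestamp, PasswordAge). It assumes the 1.1.0 snap-in is loaded; the domain name is the one from item 9 and the 90-day threshold is constructed.

```powershell
# Added example: password-related account hygiene using 1.1.0 parameters/properties.
# Assumptions: QAD 1.1.0 snap-in loaded; domain name from item 9; thresholds constructed.
# Get-QADUser returns at most 1000 objects by default; add -SizeLimit 0 for larger domains.
$searchRoot = 'mydomain.local/'   # point this at an OU to narrow the scope
$staleDays  = 90
$cutoff     = (Get-Date).AddDays(-$staleDays)

# Enabled accounts whose password never expires are exempt from MaximumPasswordAge
$neverExpires = Get-QADUser -SearchRoot $searchRoot -PasswordNeverExpires $true |
    Where-Object { -not $_.AccountIsDisabled }

# Accounts whose expiry date has passed but that nobody disabled
$expiredButEnabled = Get-QADUser -SearchRoot $searchRoot -AccountExpiresBefore (Get-Date) |
    Where-Object { -not $_.AccountIsDisabled }

# Enabled accounts with no logon recorded since $cutoff. lastLogonTimestamp is
# replicated with up to 14 days of lag, so treat it as a coarse signal.
$stale = Get-QADUser -SearchRoot $searchRoot |
    Where-Object { -not $_.AccountIsDisabled -and $_.LastLogonTimestamp -and ($_.LastLogonTimestamp -lt $cutoff) }

$sections = @(
    @{ Title = 'Password never expires (enabled)'; Users = $neverExpires },
    @{ Title = 'Expired but still enabled';        Users = $expiredButEnabled },
    @{ Title = "No logon in $staleDays days";       Users = $stale }
)
foreach ($section in $sections) {
    $users = @($section.Users | Where-Object { $_ -ne $null })
    "== $($section.Title): $($users.Count) =="
    $users | Format-Table Name, PasswordAge, LastLogonTimestamp, AccountExpires -AutoSize
}
```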


AD Cmdlets RTM

AD cmdlets are finally gold!

We kind of kept sticking to the fashion of perpetual betas for quite some time now (since the first 1.0 beta released late March through the RC 1.0.5 this fall) and we feel that the product is now feature rich and stable enough for us to drop the beta label.

In the coming weeks I’ll blog more about the cmdlets features and the changes compared to the RC build but for now, here’s a quick list:

User account management:

Set-QADUser
Unlock-QADUser
Disable-QADUser
Deprovision-QADUser
Enable-QADUser
New-QADUser
Get-QADUser

Plus a few common ones:

Move-QADObject
Rename-QADObject
Remove-QADObject

Group management:

Set-QADGroup
Get-QADGroup
New-QADGroup
Get-QADGroupMember
Add-QADGroupMember
Remove-QADGroupMember

Move, Rename, Remove obviously also apply:

Move-QADObject
Rename-QADObject
Remove-QADObject

Managing computer accounts:

Get-QADComputer
Set-QADObject
Move-QADObject
Rename-QADObject
Remove-QADObject
New-QADObject

OUs and other objects:

Set-QADObject
Move-QADObject
Rename-QADObject
Remove-QADObject
New-QADObject
Get-QADObject

Fine-Grained Password Policies:

New-QADPasswordSettingsObject
Get-QADPasswordSettingsObject
Add-QADPasswordSettingsObjectAppliesTo
Remove-QADPasswordSettingsObjectAppliesTo

Selecting DC/domain/ADAM instance/ARS proxy or supplying alternate credentials:

Connect-QADService
Disconnect-QADService

Auxiliary cmdlets to make life easier:

Convert-QADAttributeValue
Set-QADPSSnapinSettings
Get-QADPSSnapinSettings

It is more or less the same list we had in RC (with one new cmdlet and a few improvements and bugfixes in the others – and finally full PowerShell v2 compatibility ;) ), but the EULA change alone (not a beta any more!) is probably worth the upgrade all by itself!

And did I say that despite the RTM status AD cmdlets still remain free? Any reason for not going to the site right away and getting them? ;)


Fine-Grained Password Management post from Tyson

Tyson Kopczynski – the author of Windows PowerShell Unleashed (sample chapter available here) – has a post on Managing Fine Grained Password Policies.

In it he also complains that big vendors – Microsoft in this case – sometimes release features – like BitLocker or fine-grained password policies – without providing sufficient management tools to actually use them. Needless to say, this is very much in line with what I am thinking on the need for do-it-yourself administrative consoles.

Tyson concludes with the following:

My reply to my co-worker was to use either the PasswordSettingsObject cmdlets from Quest or the PowerGUI snap-in which uses those cmdlets – http://powergui.org/entry.jspa?externalID=882&categoryID=46.

I’ve also previously blogged about both the cmdlets and the UI:


Generate random password with PowerShell

So I was updating the PowerGUI AD pack the other day and wanted to add random password generation function for Reset Password action.

Here’s the code I came up with:

#Set up the random number generator (System.Random is seeded from the clock and is not a cryptographic generator)
$rand = New-Object System.Random
#Generate a new 10 character password from printable ASCII (character codes 33-126)
$NewPassword = ''
1..10 | ForEach { $NewPassword = $NewPassword + [char]$rand.next(33,127) }
#Reset the password
Set-QADUser "Dmitry Sotnikov" -UserPassword $NewPassword

That’s it. I guess I could get fancier by ensuring that characters from 3 out of 4 character groups are present, etc., but this was the easiest one-liner to keep me going.
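As an added example (not the original post's code), here is the fancier version: the same printable-ASCII range, but drawn from the .NET cryptographic generator with rejection sampling so every character is equally likely, and regenerated until the "3 out of 4 character groups" rule holds. It assumes only .NET 2.0 classes, so it runs on PowerShell v1/v2 as well; the function name is mine.

```powershell
# Added example: cryptographically random password meeting a 3-of-4 character-class rule.
# Uses System.Security.Cryptography.RNGCryptoServiceProvider (.NET 2.0+); function name is mine.
function New-RandomPassword {
    param([int]$Length = 12)
    $chars  = [char[]](33..126)          # printable ASCII, same range as the one-liner above (94 chars)
    $rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] 1
    do {
        $password = ''
        while ($password.Length -lt $Length) {
            $rng.GetBytes($buffer)
            # Rejection sampling: 2 * 94 = 188, so bytes >= 188 are discarded.
            # Taking a plain "byte % 94" would bias toward the low end of the set.
            if ($buffer[0] -lt 188) { $password += $chars[$buffer[0] % 94] }
        }
        # Count character classes present; loop until at least 3 of 4 are covered
        $classes = 0
        foreach ($pattern in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
            if ($password -cmatch $pattern) { $classes++ }
        }
    } while ($classes -lt 3)
    return $password
}

$NewPassword = New-RandomPassword -Length 12
$NewPassword
# To reset an account with it, as in the post:
# Set-QADUser "Dmitry Sotnikov" -UserPassword $NewPassword
```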


Free UI Console for Fine-Grained Password Policies

I spent most of the day today using the password policy cmdlets and the PowerShell UI we all use and love to create a graphical user interface for fine-grained password policies (see overviews at 4sysops and Ulf’s blog) in my Windows 2008 lab. And here’s the result (click to see it full size):

Graphical console to manage fine-grained password policies in Windows 2008 domains

What you see on the screen is the graphical user interface to manage those granular password policies, and it is far nicer than ADSIEdit. ;)

I included the following functionality:

  • Create new password policy,
  • See password policy properties (PowerGUI adds sorting, filtering, reporting, copy to clipboard and other goodies),
  • Link a password policy to a user or group,
  • Unlink a password policy,
  • Remove a password policy,
  • See the resultant policy for a selected user.

All these operations also support bulk selection.

You can download the pack from PowerGUI library: Fine-Grained Password Policies – please provide feedback so I can make it better.

And, as usual, should you want to learn the command-line or script the same actions, just click the PowerShell Code tab at the bottom of the PowerGUI window – and copy/paste from there.

Dmitry


Manage Fine-Grained Password Policies with PowerShell

One of the major new features in the upcoming Windows Server 2008 (aka Longhorn) is granular password policies. The feature allows you to have multiple password policies within a single AD domain and thus be able to better fine-tune the security in your organization.

You can find pretty good write-ups about the feature and using ADSIedit to manage it at 4sysops and Ulf’s blog. However, as Richard pointed out recently, using PowerShell to manage them is so much easier than ADSIEdit, so here’s a transcript of me experimenting with the policies in my Longhorn (Beta 3) lab (using AD cmdlets 1.0.3):

PS C:\> # Get the list of all password policies in the domain
PS C:\> Get-QADPasswordSettingsObject

Name      Type               DN
----      ----               --
new pso   msDS-PasswordSe... CN=new pso,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
PSO2      msDS-PasswordSe... CN=PSO2,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft

PS C:\> # Let's see all settings of a particular policy
PS C:\> Get-QADPasswordSettingsObject pso | Format-List

AppliesTo                   : {CN=Haruki.Murakami,OU=Demo,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}
CanonicalName               : cow.spb.qsft/System/Password Settings Container/PSO2
CreationDate                : 5/16/2007 4:50:29 PM
Description                 :
DisplayName                 :
DN                          : CN=PSO2,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
Guid                        : 59632928-e3ff-4ced-afbf-c99ba2b60a8d
LockoutDuration             : -00:30:00
LockoutThreshold            : 0
MaximumPasswordAge          : -20.00:00:00
MinimumPasswordAge          : -1.00:00:00
MinimumPasswordLength       : 8
ModificationDate            : 6/18/2007 11:03:13 AM
Name                        : PSO2
PasswordComplexityEnabled   : True
PasswordHistoryLength       : 24
Precedence                  : 10
ResetLockoutCounterAfter    : -00:30:00
ReversibleEncryptionEnabled : False
Type                        : msDS-PasswordSettings

PS C:\> # Create a new policy, set a few attributes and leave the rest default
PS C:\> New-QADPasswordSettingsObject -Name BeatlesPolicy -Precedence 5 -PasswordHistoryLength 10 -PasswordComplexityEnabled $true

Name            Type               DN
----            ----               --
BeatlesPolicy   msDS-PasswordSe... CN=BeatlesPolicy,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft

PS C:\> # See the properties of the new policy
PS C:\> Get-QADPasswordSettingsObject BeatlesPolicy | Format-List

AppliesTo                   :
CanonicalName               : cow.spb.qsft/System/Password Settings Container/BeatlesPolicy
CreationDate                : 6/18/2007 11:41:17 AM
Description                 :
DisplayName                 :
DN                          : CN=BeatlesPolicy,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
Guid                        : c76a72fd-6612-4647-b279-b42cf648e4eb
LockoutDuration             : -00:30:00
LockoutThreshold            : 5
MaximumPasswordAge          : -42.00:00:00
MinimumPasswordAge          : -30.00:00:00
MinimumPasswordLength       : 0
ModificationDate            : 6/18/2007 11:41:17 AM
Name                        : BeatlesPolicy
PasswordComplexityEnabled   : True
PasswordHistoryLength       : 10
Precedence                  : 5
ResetLockoutCounterAfter    : -00:30:00
ReversibleEncryptionEnabled : False
Type                        : msDS-PasswordSettings

PS C:\> # Link the policy to the COW\Beatles group
PS C:\> Add-QADPasswordSettingsObjectAppliesTo BeatlesPolicy -AppliesTo COW\Beatles

Name          Type               DN
----          ----               --
BeatlesPolicy msDS-PasswordSe... CN=BeatlesPolicy,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft

PS C:\> # See where all the policies are linked now
PS C:\> Get-QADPasswordSettingsObject | Format-List Name, AppliesTo

Name      : new pso
AppliesTo : {CN=Kelly Smith,CN=Users,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}

Name      : PSO2
AppliesTo : {CN=Haruki.Murakami,OU=Demo,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}

Name      : BeatlesPolicy
AppliesTo : {CN=Beatles,CN=Users,DC=cow,DC=spb,DC=qsft}

PS C:\> # Check resultant policy for user jlennon (note that the Beatles policy got applied via group membership)
PS C:\> Get-QADUser jlennon -IncludedProperties Msds-ResultantPSo | Format-Table Name, Msds-ResultantPSo

Name         msDS-ResultantPSO
----         -----------------
John Lennon  CN=BeatlesPolicy,CN=Password Settings Container,CN=Syste...


PS C:\> # Check the resultant policy and note that the one linked directly won
PS C:\> Get-QADUser jlennon -IncludedProperties Msds-ResultantPSo | Format-Table Name, Msds-ResultantPSo

Name        msDS-ResultantPSO
----        -----------------
John Lennon CN=BeatlesPolicy,CN=Password Settings Container,CN=Syste...

PS C:\> # Check where the policy is applied
PS C:\> Get-QADPasswordSettingsObject PSO2 | Format-List Name, AppliesTo

Name      : PSO2
AppliesTo : {CN=Haruki.Murakami,OU=Demo,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}

PS C:\> # Unlink the policy
PS C:\> Remove-QADPasswordSettingsObjectAppliesTo PSO2 -AppliesTo COW\jlennon

Name  Type               DN
----  ----               --
PSO2  msDS-PasswordSe... CN=PSO2,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft

PS C:\> # Resultant policy changed back to the group one
PS C:\> Get-QADUser jlennon -IncludedProperties Msds-ResultantPSo | Format-Table Name, Msds-ResultantPSo

Name         msDS-ResultantPSO
----         -----------------
John Lennon  CN=BeatlesPolicy,CN=Password Settings Container,CN=Syste...


PS C:\> # Remove the policy from the directory
PS C:\> Remove-QADObject BeatlesPolicy

Warning!
Are you sure you want to delete this object: CN=BeatlesPolicy,CN=Password Settings
Container,CN=System,DC=cow,DC=spb,DC=qsft?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y

Windows Server 2008 and PowerShell – are better together! ;)

Here’s the fine-grained-passwords-demo.txt file with the commands in case you want to have fun with them yourself (just change the domain name, etc. to match your lab).
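The transcript checks msDS-ResultantPSO one user at a time. As an added example, not code from the original post, the script below does it for a whole OU: it indexes every PSO by DN and reports which policy governs each user, its precedence, and the users that fall back to the default domain policy. It assumes the QAD snap-in is loaded against a Windows Server 2008 domain; the OU path is constructed from the DNs in the transcript.

```powershell
# Added example: effective password policy per user in an OU.
# Assumptions: QAD snap-in loaded; Windows Server 2008 domain; OU path constructed
# from the transcript's DNs (OU=Demo,DC=cow,DC=spb,DC=qsft).
$searchRoot = 'cow.spb.qsft/Demo'

# Index every PSO by DN so a resultant-PSO DN resolves to the policy object.
# PowerShell hashtables are case-insensitive, which suits DN comparison.
$psoByDn = @{}
foreach ($pso in Get-QADPasswordSettingsObject) { $psoByDn[$pso.DN] = $pso }

# msDS-ResultantPSO is computed by the DC: the lowest Precedence value wins among
# group-linked PSOs, and a PSO linked directly to the user beats any group link.
$report = foreach ($user in Get-QADUser -SearchRoot $searchRoot -IncludedProperties 'msDS-ResultantPSO') {
    $resultantDn = [string]$user.'msDS-ResultantPSO'
    if ($resultantDn -and $psoByDn.ContainsKey($resultantDn)) {
        $pso = $psoByDn[$resultantDn]
        New-Object PSObject -Property @{
            User       = $user.Name
            Policy     = $pso.Name
            Precedence = $pso.Precedence
            MinLength  = $pso.MinimumPasswordLength
            Lockout    = $pso.LockoutThreshold
        }
    } else {
        # No PSO applies: the default domain policy governs this account
        New-Object PSObject -Property @{
            User = $user.Name; Policy = '(default domain policy)'
            Precedence = $null; MinLength = $null; Lockout = $null
        }
    }
}
$report | Sort-Object Policy, User | Format-Table User, Policy, Precedence, MinLength, Lockout -AutoSize
```

Users shown against the default domain policy are the ones to cross-check against the domain defaults, since a PSO with MinimumPasswordLength 0 or LockoutThreshold 0 (as BeatlesPolicy above) is only as strong as the values it was created with.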




© 2007-2013 Dmitry Sotnikov
