Archive for the 'Password management' Category

Read Active Directory Permissions

One of the biggest advances of AD cmdlets 1.1 is support for AD security operations. In this post we will look at the Get-QADPermission cmdlet and how you can use it to read permissions set on AD objects.

To get a list of the permissions set directly on an AD object you just need to use:

Get-QADPermission Identity – where identity is Name, DN, Canonical name, Domain\Name, and so on. For example:

Get-QADPermission 'Dmitry Sotnikov'

(The name contains a space, so it has to be quoted, otherwise PowerShell passes "Sotnikov" as a second positional argument.)

As usual you can pipeline a set of objects into the cmdlet to get results for all of them, e.g.:

Get-QADUser -SearchRoot domain.local/employees/chicago -SecurityMask DACL | Get-QADPermission

Here I am getting the access control entries set directly on all users in the domain.local/employees/chicago OU. Note that I am also using the -SecurityMask parameter to tell Get-QADUser to retrieve the access list (DACL, the Discretionary Access Control List) together with the object. This is optional but highly recommended: with it, Get-QADPermission does not have to retrieve the DACL again, which means fewer calls to the DC and better performance.

The examples above deal only with the permissions set on the object directly; you can add inherited permissions by simply adding -Inherited. In a similar fashion, the -SchemaDefault parameter adds the Access Control Entries (ACEs) that came from the default security descriptor defined in the schema for the object class. So this will give you everything:

Get-QADPermission 'Dmitry Sotnikov' -Inherited -SchemaDefault

Or the same, but much faster:
Get-QADUser -Name 'Dmitry Sotnikov' -SecurityMask DACL | Get-QADPermission -Inherited -SchemaDefault

You can look for the rights that specific trustees have:

Get-QADPermission 'Dmitry Sotnikov' -Account domain\bill,self -UseTokenGroups

Note that I have added -UseTokenGroups to make sure I get Bill's rights even if he got them via group membership (the cmdlet then matches ACEs against the groups in Bill's token, nested membership included), not only the ACEs that name him directly.

Or for specific rights set on specific properties:

Get-QADPermission 'Dmitry Sotnikov' -Rights WriteProperty -Property samAccountName,name

You can also check for extended rights. Let's see if I can change my own password (the schema default grants this right to Self and Everyone, which is why -SchemaDefault is included):

Get-QADPermission 'Dmitry Sotnikov' -Account self,everyone -Allow -ExtendedRight User-Change-Password -Inherited -SchemaDefault

The -Allow and -Deny parameters let you check specifically for allow or deny ACEs.
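Putting the parameters above together, here is the kind of check a security reviewer actually runs with this cmdlet: list the explicit ACEs on every user in an OU that grant take-over rights to anyone outside the expected set of administrative principals, and list everyone who can reset a given user's password. This is an added example, not code from the original post; it assumes the Quest snap-in is installed, and the OU path, the DOMAIN\ names in $expected, the 'User-Force-Change-Password' extended right (the AD right behind "Reset Password") and the Account, Rights, Source and ApplyTo output property names are assumptions to adjust for your own environment.

```powershell
# Added example, not code from the original post. Assumes the Quest AD cmdlets
# snap-in is installed; the OU path, the DOMAIN\ names in $expected and the
# 'Account', 'Rights', 'Source' and 'ApplyTo' output property names are
# assumptions to adjust for your own environment.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Rights that let a trustee take over an account or rewrite any of its attributes.
# These are System.DirectoryServices.ActiveDirectoryRights names.
$riskyRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty'

# Principals expected to hold such rights on user objects. Anything else that
# shows up is a delegation somebody has to explain. (Assumed names; match your domain.)
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'DOMAIN\Domain Admins', 'DOMAIN\Enterprise Admins'

function Find-ExplicitUserDelegations {
    param([string]$SearchRoot)
    # -SecurityMask DACL brings the ACL back with the object so that
    # Get-QADPermission does not have to query the DC for it a second time.
    Get-QADUser -SearchRoot $SearchRoot -SizeLimit 0 -SecurityMask DACL |
        ForEach-Object {
            $user = $_
            # No -Inherited or -SchemaDefault here: we want only what somebody
            # set on this object itself, not what flows down from the OU.
            $user | Get-QADPermission -Allow -Rights $riskyRights |
                Where-Object { $expected -notcontains "$($_.Account)" } |
                Select-Object @{n = 'User'; e = { $user.DN }}, Account, Rights, ApplyTo
        }
}

function Get-PasswordResetters {
    param([string]$Identity)
    # 'User-Force-Change-Password' is the extended right behind "Reset Password".
    # Unlike User-Change-Password it does not require the old password, so the
    # full effective list (explicit + inherited + schema default) is what matters.
    Get-QADPermission $Identity -Inherited -SchemaDefault -Allow `
        -ExtendedRight 'User-Force-Change-Password' |
        Select-Object Account, Source, ApplyTo
}

Find-ExplicitUserDelegations -SearchRoot 'domain.local/employees/chicago' | Format-Table -AutoSize
Get-PasswordResetters -Identity 'Dmitry Sotnikov' | Format-Table -AutoSize
```

The first function deliberately ignores inherited ACEs, so it answers "what was delegated on these objects themselves"; rerun it with -Inherited on Get-QADPermission when you want the effective picture including OU-level delegation. If you filter by -Account, add -UseTokenGroups as the post describes, otherwise a principal that holds the right through a group will not show up.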

And there’s much much more: just check out:

get-help Get-QADPermission -detailed

Good job by the team trying to cover each and every case they could think of. If you can think of something they have not covered or implemented in a suboptimal way – please provide your feedback in the AD PowerShell forum – the team is there and listening.

Here’s the AD cmdlets download page which has the latest 1.1 beta drop.


Retrieving Domain Password Policies

AD cmdlets 1.1 add a few nifty features that let you easily access the password-related settings of your domain. All the related settings are simply exposed as properties of the domain object, so you can do:

[PS] C:\>Get-QADObject scorpio.local/ | Format-List Name, *Password*, *Lockout*

Name                     : scorpio
MinimumPasswordAge       : 1 days
MaximumPasswordAge       : 42 days
PasswordHistoryLength    : 24 passwords remembered
MinimumPasswordLength    : 1 characters
LockoutDuration          : 30 minutes
LockoutTreshold          : 0 invalid logon attempts
ResetLockoutCounterAfter : 30 minutes

Or if you do not want to specify the domain name explicitly:

[PS] C:\>(Get-QADRootDSE).Domain | Format-List Name, *Password*, *Lockout*

Name                     : scorpio
MinimumPasswordAge       : 1 days
MaximumPasswordAge       : 42 days
PasswordHistoryLength    : 24 passwords remembered
MinimumPasswordLength    : 1 characters
LockoutDuration          : 30 minutes
LockoutTreshold          : 0 invalid logon attempts
ResetLockoutCounterAfter : 30 minutes

Another tip: you can get hold of the Domain property from any AD account object, e.g. a user.

So if you have:

$user = Get-QADObject 'Dmitry Sotnikov'

And want to learn the password policies you can just do:

$user.Domain | Format-Table Name, *Password*, *Lockout*

Nice and easy!

This all applies to domain policies. Fine-grained password policies have their own set of cmdlets as well.
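Reading the settings is only half the job; the listing above (minimum length 1, lockout threshold 0) is exactly the kind of policy you would want a script to flag. Here is an added example, not code from the original post, that compares the domain object's settings with a baseline. It assumes the Quest snap-in is loaded and that the domain object renders its settings as shown above ("42 days", "0 invalid logon attempts"); the baseline numbers are my own assumptions, not anything the post prescribes.

```powershell
# Added example, not code from the original post. Assumes the Quest snap-in is
# loaded and that the domain object's settings stringify as shown in the post
# ("42 days", "24 passwords remembered"); baseline values are assumptions.
function Get-LeadingNumber($value) {
    # Pull the number out of values like "42 days" or "24 passwords remembered".
    $m = [regex]::Match("$value", '-?\d+')
    if ($m.Success) { [int]$m.Value } else { $null }
}

function Test-DomainPasswordPolicy {
    param(
        $Domain = (Get-QADRootDSE).Domain,   # any object carrying the *Password*/*Lockout* properties
        [int]$MinLength = 12,
        [int]$MaxAgeDays = 90,
        [int]$MinHistory = 24,
        [int]$MaxLockoutThreshold = 10
    )
    $findings = @()

    $len = Get-LeadingNumber $Domain.MinimumPasswordLength
    if ($len -lt $MinLength) {
        $findings += "MinimumPasswordLength is $len, baseline is $MinLength"
    }

    $maxAge = Get-LeadingNumber $Domain.MaximumPasswordAge
    if ($maxAge -eq 0) {
        $findings += "MaximumPasswordAge is 0: passwords never expire"
    } elseif ($maxAge -gt $MaxAgeDays) {
        $findings += "MaximumPasswordAge is $maxAge days, baseline is $MaxAgeDays"
    }

    $history = Get-LeadingNumber $Domain.PasswordHistoryLength
    if ($history -lt $MinHistory) {
        $findings += "PasswordHistoryLength is $history, baseline is $MinHistory"
    }

    # The listing in the post spells the property "LockoutTreshold"; look it up
    # by pattern so the check works whichever spelling the object carries.
    $prop = $Domain.PSObject.Properties |
        Where-Object { $_.Name -match '^Lockout(Threshold|Treshold)$' } |
        Select-Object -First 1
    $threshold = Get-LeadingNumber $prop.Value
    if ($threshold -eq 0) {
        # The finding that matters most: with no lockout, an attacker can try
        # passwords against every account as fast as the DC will answer.
        $findings += "LockoutThreshold is 0: accounts never lock out, password guessing is unthrottled"
    } elseif ($threshold -gt $MaxLockoutThreshold) {
        $findings += "LockoutThreshold is $threshold, baseline is at most $MaxLockoutThreshold"
    }

    if ($findings.Count -eq 0) { "Domain $($Domain.Name): policy meets baseline" }
    else { $findings | ForEach-Object { "Domain $($Domain.Name): $_" } }
}

Test-DomainPasswordPolicy
```

Two caveats a practitioner will want: a lockout threshold is a trade-off (set it very low and anyone who can reach the DC can lock accounts at will), and this checks only the domain default; users covered by a fine-grained password policy get that policy's values instead, so check their resultant PSO separately.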


What’s new in AD cmdlets 1.1.0?

Here’s a quick summary of the new and exciting features added in Quest’s free AD cmdlets 1.1.0 just published on the web (I plan to provide more details and examples next week):

1. Get-QADGroupMember -Indirect – this new parameter allows you to retrieve complete group membership for nested AD groups in one command!

2. Permission management cmdlets:

  • Get-QADPermission,
  • Add-QADPermission,
  • Remove-QADPermission,
  • Get-QADObjectSecurity,
  • Remove-QADObjectSecurity.

3. New parameters of Get-QADUser:

  • HomeDirectory (string)
  • HomeDrive (string)
  • ProfilePath (string)
  • LogonScript (string)
  • Email (string)
  • AccountExpiresBefore (DateTime)
  • AccountExpiresAfter (DateTime)
  • AccountNeverExpires (bool)
  • PasswordNeverExpires (bool)

4. New parameters of Set-QADUser

  • HomeDirectory (string)
  • HomeDrive (string)
  • ProfilePath (string)
  • LogonScript (string)
  • Email (string)
  • AccountExpires (DateTime, nullable)
  • PasswordNeverExpires (bool)
  • UserMustChangePassword (bool)
  • TsProfilePath (string)
  • TsHomeDirectory (string)
  • TsHomeDrive (string)
  • TsWorkDirectory (string)
  • TsInitialProgram (string)
  • TsMaxDisconnectionTime (TimeSpan)
  • TsMaxConnectionTime (TimeSpan)
  • TsMaxIdleTime (TimeSpan)
  • TsAllowLogon (bool)
  • TsRemoteControl (int)
  • TsReconnectionAction (int)
  • TsBrokenConnectionAction (int)
  • TsConnectClientDrives (bool)
  • TsConnectPrinterDrives (bool)
  • TsDefaultToMainPrinter (bool)

5. New properties of User object

  • HomeDirectory (string)
  • HomeDrive (string)
  • ProfilePath (string)
  • LogonScript (string)
  • AccountExpires (DateTime, nullable)
  • PasswordLastSet (DateTime, nullable, readonly)
  • PasswordAge (TimeSpan, nullable, readonly)
  • PasswordExpires (DateTime, nullable, readonly)
  • LastLogonTimestamp (DateTime, nullable, readonly)
  • LastLogon (DateTime, nullable, readonly)
  • LastLogoff (DateTime, nullable, readonly)
  • AccountIsDisabled (bool)
  • AccountIsLockedOut (bool)
  • PasswordNeverExpires (bool)
  • UserMustChangePassword (bool)

6. Set-QADGroup now has GroupType and GroupScope parameters (to change group type and scope ;))
7. New cmdlet Get-QADRootDSE
8. Disambiguation prefixes in Identity parameter: e.g. Get-QADUser ‘dn=cn=object_with@sign’
9. Access to default domain password policies through the domain object: e.g. Get-QADObject mydomain.local/ | format-list *
10. Functionality specific to Quest ActiveRoles Server (this will only work if you have the commercial app):

  • Access template link management,
  • Dynamic groups.

Lots of cool and exciting features and numerous bugfixes.

You can download the beta on the Quest’s AD cmdlets page. Please provide your feedback in the AD PowerShell discussion forums.


AD Cmdlets RTM

AD cmdlets are finally gold!

We have been following the fashion of perpetual betas for quite some time now (from the first 1.0 beta released in late March through the RC 1.0.5 this fall), and we feel that the product is now feature-rich and stable enough for us to drop the beta label.

In the coming weeks I’ll blog more about the cmdlets features and the changes compared to the RC build but for now, here’s a quick list:

User account management:

Set-QADUser
Unlock-QADUser
Disable-QADUser
Deprovision-QADUser
Enable-QADUser
New-QADUser
Get-QADUser

Plus a few common ones:

Move-QADObject
Rename-QADObject
Remove-QADObject

Group management:

Set-QADGroup
Get-QADGroup
New-QADGroup
Get-QADGroupMember
Add-QADGroupMember
Remove-QADGroupMember

Move, Rename, Remove obviously also apply:

Move-QADObject
Rename-QADObject
Remove-QADObject

Managing computer accounts:

Get-QADComputer
Set-QADObject
Move-QADObject
Rename-QADObject
Remove-QADObject
New-QADObject

OUs and other objects:

Set-QADObject
Move-QADObject
Rename-QADObject
Remove-QADObject
New-QADObject
Get-QADObject

Fine-Grained Password Policies:

New-QADPasswordSettingsObject
Get-QADPasswordSettingsObject
Add-QADPasswordSettingsObjectAppliesTo
Remove-QADPasswordSettingsObjectAppliesTo

Selecting DC/domain/ADAM instance/ARS proxy or supplying alternate credentials:

Connect-QADService
Disconnect-QADService

Auxiliary cmdlets to make life easier:

Convert-QADAttributeValue
Get-QADPSSnapinSettings
Set-QADPSSnapinSettings

It is more or less the same list we had in the RC (with one new cmdlet, a few improvements and bugfixes in the others, and finally full PowerShell v2 compatibility ;)), but the EULA change alone (not a beta any more!) probably makes the upgrade worthwhile all by itself!

And did I say that despite the RTM status AD cmdlets still remain free? Any reason for not going to the site right away and getting them? 😉


Fine-Grained Password Management post from Tyson

Tyson Kopczynski – the author of Windows PowerShell Unleashed (sample chapter available here) – has a post on Managing Fine Grained Password Policies.

In it he also complains that big vendors – Microsoft in this case – sometimes release features – BitLocker or fine-grained password policies, for example – without providing sufficient management tools to actually use them. Needless to say, this is very much in line with what I think about the need for do-it-yourself administrative consoles.

Tyson concludes by the following:

My reply to my co-worker was to use either the PasswordSettingsObject cmdlets from Quest or the PowerGUI snap-in which uses those cmdlets – http://powergui.org/entry.jspa?externalID=882&categoryID=46.

I’ve also previously blogged about both the cmdlets and the UI:


Generate random password with PowerShell

So I was updating the PowerGUI AD pack the other day and wanted to add a random password generation function to the Reset Password action.

Here’s the code I came up with:

#Set up random number generator
$rand = New-Object System.Random
#Start with an empty string so that + below concatenates;
#in PowerShell char + char adds the character codes and yields a number
$NewPassword = ""
#Generate a new 10 character password from printable ASCII (codes 33-126)
1..10 | ForEach { $NewPassword = $NewPassword + [char]$rand.next(33,127) }
#Reset the password
Set-QADUser "Dmitry Sotnikov" -UserPassword $NewPassword

That’s it. I guess I could get more fancy by ensuring that characters from 3 out of 4 character groups are present, etc. but this was the easiest one-liner to keep me going.
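For a password that a helpdesk hands to a real user, the one-liner has two weaknesses worth fixing: System.Random is seeded from the clock and is predictable, and nothing guarantees the mix of character classes that Windows complexity rules ask for. Here is an added example, not the code from the post above, that uses the .NET cryptographic generator with rejection sampling (so the modulo does not bias the choice) and guarantees one character from each of the four classes, which covers the "3 out of 4" idea the post mentions. The user name, the symbol set and the -UserMustChangePassword flag at the end are assumptions.

```powershell
# Added example, not the code from the post. Replaces System.Random with the
# .NET cryptographic RNG and guarantees one character from each class.
# The symbol set, user name and -UserMustChangePassword flag are assumptions.
function New-RandomPassword {
    param([int]$Length = 12)
    if ($Length -lt 4) { throw "Length must be at least 4 to fit one character of each class" }

    $classes = @(
        [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        [char[]]'abcdefghijklmnopqrstuvwxyz',
        [char[]]'0123456789',
        [char[]]'!#$%&*+-=?@^_'
    )
    $all = @(); foreach ($c in $classes) { $all += $c }

    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 4

    function Get-RandomIndex([int]$Max) {
        # Rejection sampling: discard the top range that would bias the modulo.
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $Max)
        do {
            $rng.GetBytes($buf)
            $v = [BitConverter]::ToUInt32($buf, 0)
        } while ($v -ge $limit)
        return [int]($v % $Max)
    }

    # One character from every class, then fill the rest from the whole alphabet.
    $chars = @()
    foreach ($c in $classes) { $chars += $c[(Get-RandomIndex $c.Length)] }
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $all.Length)] }

    # Fisher-Yates shuffle so the class-guaranteed characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return [string]::Join('', [string[]]$chars)
}

$NewPassword = New-RandomPassword -Length 12
# Treat it as a one-time password: force a change at next logon so the value
# the helpdesk saw (and anything that logged the command) does not stay in use.
Set-QADUser "Dmitry Sotnikov" -UserPassword $NewPassword -UserMustChangePassword $true
```

Note that -UserPassword takes the password as a plain string, so it will appear in the PowerShell history and in any transcript; clearing $NewPassword afterwards and forcing a change at next logon limits how long that matters.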


Free UI Console for Fine-Grained Password Policies

I spent most of the day today using the password policy cmdlets and the PowerShell UI we all use and love to create a graphical user interface for fine-grained password policies (see overviews in 4sysops and Ulf’s blog) in my Windows 2008 lab. And here’s the result:

Graphical console to manage fine-grained password policies in Windows 2008 domains

What you see on the screen is the graphical user interface to manage those granular password policies and they are far nicer than ADSIEdit. 😉

I included the following functionality:

  • Create new password policy,
  • See password policy properties (PowerGUI adds sorting, filtering, reporting, copy to clipboard and other goodies),
  • Link a password policy to a user or group,
  • Unlink a password policy,
  • Remove a password policy,
  • See the resultant policy for a selected user.

All these operations also support bulk selection.

You can download the pack from PowerGUI library: Fine-Grained Password Policies – please provide feedback so I can make it better.

And, as usual, should you want to learn the command-line or script the same actions, just click the PowerShell Code tab at the bottom of the PowerGUI window – and copy/paste from there.

Dmitry


Manage Fine-Grained Password Policies with PowerShell

One of the major new features in the upcoming Windows Server 2008 (aka Longhorn) is granular password policies. The feature allows you to have multiple password policies within a single AD domain and thus to fine-tune the security in your organization.

You can find pretty good write-ups about the feature and using ADSIedit to manage it at 4sysops and Ulf’s blog. However, as Richard pointed out recently, using PowerShell to manage them is so much easier than ADSIEdit, so here’s a transcript of me experimenting with the policies in my Longhorn (Beta 3) lab (using AD cmdlets 1.0.3):

PS C:\> # Get the list of all password policies in the domain
PS C:\> Get-QADPasswordSettingsObject

Name      Type               DN
----      ----               --
new pso   msDS-PasswordSe... CN=new pso,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
PSO2      msDS-PasswordSe... CN=PSO2,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft


PS C:\> # Let's see all settings of a particular policy
PS C:\> Get-QADPasswordSettingsObject pso | Format-List

AppliesTo                   : {CN=Haruki.Murakami,OU=Demo,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}
CanonicalName               : cow.spb.qsft/System/Password Settings Container/PSO2
CreationDate                : 5/16/2007 4:50:29 PM
Description                 :
DisplayName                 :
DN                          : CN=PSO2,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
Guid                        : 59632928-e3ff-4ced-afbf-c99ba2b60a8d
LockoutDuration             : -00:30:00
LockoutThreshold            : 0
MaximumPasswordAge          : -20.00:00:00
MinimumPasswordAge          : -1.00:00:00
MinimumPasswordLength       : 8
ModificationDate            : 6/18/2007 11:03:13 AM
Name                        : PSO2
PasswordComplexityEnabled   : True
PasswordHistoryLength       : 24
Precedence                  : 10
ResetLockoutCounterAfter    : -00:30:00
ReversibleEncryptionEnabled : False
Type                        : msDS-PasswordSettings


PS C:\> # Create a new policy, set a few attributes and leave the rest default
PS C:\> New-QADPasswordSettingsObject -Name BeatlesPolicy -Precedence 5 -PasswordHistoryLength 10 -PasswordComplexityEnabled $true

Name            Type               DN
----            ----               --
BeatlesPolicy   msDS-PasswordSe... CN=BeatlesPolicy,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft


PS C:\> # See the properties of the new policy
PS C:\> Get-QADPasswordSettingsObject BeatlesPolicy | Format-List

AppliesTo                   :
CanonicalName               : cow.spb.qsft/System/Password Settings Container/BeatlesPolicy
CreationDate                : 6/18/2007 11:41:17 AM
Description                 :
DisplayName                 :
DN                          : CN=BeatlesPolicy,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
Guid                        : c76a72fd-6612-4647-b279-b42cf648e4eb
LockoutDuration             : -00:30:00
LockoutThreshold            : 5
MaximumPasswordAge          : -42.00:00:00
MinimumPasswordAge          : -30.00:00:00
MinimumPasswordLength       : 0
ModificationDate            : 6/18/2007 11:41:17 AM
Name                        : BeatlesPolicy
PasswordComplexityEnabled   : True
PasswordHistoryLength       : 10
Precedence                  : 5
ResetLockoutCounterAfter    : -00:30:00
ReversibleEncryptionEnabled : False
Type                        : msDS-PasswordSettings


PS C:\> # Link the policy to the COW\Beatles group
PS C:\> Add-QADPasswordSettingsObjectAppliesTo BeatlesPolicy -AppliesTo COW\Beatles

Name          Type               DN
----          ----               --
BeatlesPolicy msDS-PasswordSe... CN=BeatlesPolicy,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft


PS C:\> # See where all the policies are linked now
PS C:\> Get-QADPasswordSettingsObject | Format-List Name, AppliesTo

Name      : new pso
AppliesTo : {CN=Kelly Smith,CN=Users,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}

Name      : PSO2
AppliesTo : {CN=Haruki.Murakami,OU=Demo,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}

Name      : BeatlesPolicy
AppliesTo : {CN=Beatles,CN=Users,DC=cow,DC=spb,DC=qsft}


PS C:\> # Check resultant policy for user jlennon (note that the Beatles policy got applied via group membership)
PS C:\> Get-QADUser jlennon -IncludedProperties Msds-ResultantPSo | Format-Table Name, Msds-ResultantPSo

Name         msDS-ResultantPSO
----         -----------------
John Lennon  CN=BeatlesPolicy,CN=Password Settings Container,CN=Syste...


PS C:\> # Check the resultant policy and note that the one linked directly won
PS C:\> Get-QADUser jlennon -IncludedProperties Msds-ResultantPSo | Format-Table Name, Msds-ResultantPSo

Name        msDS-ResultantPSO
----        -----------------
John Lennon CN=BeatlesPolicy,CN=Password Settings Container,CN=Syste...


PS C:\> # Check where the policy is applied
PS C:\> Get-QADPasswordSettingsObject PSO2 | Format-List Name, AppliesTo

Name      : PSO2
AppliesTo : {CN=Haruki.Murakami,OU=Demo,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}


PS C:\> # Unlink the policy
PS C:\> Remove-QADPasswordSettingsObjectAppliesTo PSO2 -AppliesTo COW\jlennon

Name  Type               DN
----  ----               --
PSO2  msDS-PasswordSe... CN=PSO2,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft


PS C:\> # Resultant policy changed back to the group one
PS C:\> Get-QADUser jlennon -IncludedProperties Msds-ResultantPSo | Format-Table Name, Msds-ResultantPSo

Name         msDS-ResultantPSO
----         -----------------
John Lennon  CN=BeatlesPolicy,CN=Password Settings Container,CN=Syste...


PS C:\> # Remove the policy from the directory
PS C:\> Remove-QADObject BeatlesPolicy

Warning!
Are you sure you want to delete this object: CN=BeatlesPolicy,CN=Password Settings
Container,CN=System,DC=cow,DC=spb,DC=qsft?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y

Windows Server 2008 and PowerShell – are better together! 😉

Here’s the fine-grained-passwords-demo.txt file with the commands in case you want to have fun with them yourself (just change the domain name, etc. to match your lab)
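The transcript leans on msDS-ResultantPSO, the attribute the DC computes to say which policy actually governs a user. Here is an added example, not code from the original post, that wraps that lookup into two functions: one returns the user's effective settings (the resultant PSO, or the domain default when no PSO applies), the other lists every PSO linked to the user or to one of the user's groups in the order AD resolves them, which is how you explain why a particular PSO won. It assumes the Quest snap-in (1.0.3 or later) against a Windows Server 2008 domain, and that the user object exposes MemberOf and the PSO exposes AppliesTo as DNs, as in the transcript; the user name is the transcript's jlennon.

```powershell
# Added example, not code from the original post. Assumes the Quest snap-in
# (1.0.3 or later) against a Windows Server 2008 domain, and that MemberOf and
# AppliesTo hold DNs as shown in the transcript. User name is an assumption.
function Get-EffectivePasswordPolicy {
    param([string]$Identity)
    # msDS-ResultantPSO is computed by the DC and is authoritative; when it is
    # empty the user is governed by the domain's default policy.
    $user = Get-QADUser $Identity -IncludedProperties 'msDS-ResultantPSO'
    if (-not $user) { throw "User '$Identity' not found" }
    $psoDn = $user.'msDS-ResultantPSO'
    if ($psoDn) {
        $policy = Get-QADPasswordSettingsObject $psoDn
        $source = "PSO '$($policy.Name)' (precedence $($policy.Precedence))"
    } else {
        $policy = $user.Domain
        $source = "domain default"
    }
    $policy | Select-Object @{n = 'User'; e = { $user.Name }},
                            @{n = 'Source'; e = { $source }},
                            MinimumPasswordLength, MaximumPasswordAge,
                            PasswordHistoryLength, Lockout*
}

function Get-CandidatePasswordPolicies {
    # Every PSO linked to the user or to one of the user's direct groups, sorted
    # the way AD resolves them: a PSO linked to the user itself beats any group
    # link, and among group links the lowest Precedence wins. Nested group
    # membership is not followed here, so msDS-ResultantPSO stays the final word.
    param([string]$Identity)
    $user = Get-QADUser $Identity
    if (-not $user) { throw "User '$Identity' not found" }
    $groupDns = @($user.MemberOf | ForEach-Object { "$_" })
    Get-QADPasswordSettingsObject | ForEach-Object {
        $pso = $_
        $applies = @($pso.AppliesTo | ForEach-Object { "$_" })
        $direct = $applies -contains $user.DN
        $viaGroups = @($groupDns | Where-Object { $applies -contains $_ })
        if ($direct -or $viaGroups.Count -gt 0) {
            $pso | Select-Object Name, Precedence,
                @{n = 'Direct'; e = { $direct }},
                @{n = 'LinkedVia'; e = { if ($direct) { 'user' } else { $viaGroups -join '; ' } }}
        }
    } | Sort-Object @{Expression = 'Direct'; Descending = $true}, Precedence
}

Get-EffectivePasswordPolicy -Identity jlennon | Format-List
Get-CandidatePasswordPolicies -Identity jlennon | Format-Table -AutoSize
```

When the candidate list and msDS-ResultantPSO disagree, the usual reason is a link through a nested group that the direct MemberOf walk above does not see; the DC's computed value is the one the password change will actually be checked against.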



Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov
