Topics related to active directory

Set-ADUser: Modify Active Directory Users with PowerShell

This article covers how to use Set-ADUser to modify Active Directory user accounts from PowerShell.

The Set-ADUser cmdlet is part of the Active Directory module for Windows PowerShell (installed with RSAT or on any domain controller). It writes the attributes you pass as parameters to the user object; anything without a dedicated parameter can be set through -Add, -Replace, -Remove or -Clear with the LDAP attribute name.

The Identity parameter specifies the Active Directory user to modify. 

You can identify a user by its distinguished name, GUID, security identifier (SID), or Security Account Manager (SAM) account name. 

You can also set the Identity parameter to an object variable such as $<localUserObject>, or you can pass an object through the pipeline to the Identity parameter.
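The following is an added example, not code from the original article, showing the identity forms listed above (SAM account name, distinguished name, SID, pipeline object) on one hypothetical domain. The user names, OU paths and attribute values are assumptions; it requires the ActiveDirectory module and write permission on the target accounts.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is available and the caller may write to the users in OU=Staff.
# All names (j.werder, Jane Werder, example.com, OU paths) are hypothetical.
Import-Module ActiveDirectory

# Identity by SAM account name: attributes that have a dedicated parameter.
Set-ADUser -Identity 'j.werder' `
    -Title 'Security Engineer' `
    -Department 'IT Security' `
    -Description 'Updated by provisioning script' `
    -Enabled $true

# Identity by distinguished name: an attribute without a dedicated parameter
# is written through -Replace (hashtable of LDAP attribute name -> value).
Set-ADUser -Identity 'CN=Jane Werder,OU=Staff,DC=example,DC=com' `
    -Replace @{ extensionAttribute1 = 'cost-center-4711' }

# Identity from the pipeline: Get-ADUser selects the accounts, Set-ADUser
# binds each object to -Identity. -WhatIf previews the change; drop it only
# after the filter has been confirmed to return exactly the intended users.
Get-ADUser -Filter 'Department -eq "Sales"' -SearchBase 'OU=Staff,DC=example,DC=com' |
    Set-ADUser -Office 'Building B' -WhatIf

# Identity by SID: the account is looked up first so a typo in the name fails
# loudly instead of silently matching nothing.
$user = Get-ADUser -Identity 'j.werder'
Set-ADUser -Identity $user.SID.Value -PasswordNeverExpires $false -ChangePasswordAtLogon $true

# Read back what was written; Set-ADUser itself returns nothing unless -PassThru is used.
Get-ADUser -Identity 'j.werder' -Properties Title, Department, Office, extensionAttribute1, PasswordNeverExpires |
    Select-Object SamAccountName, Title, Department, Office, extensionAttribute1, PasswordNeverExpires
```

Run bulk changes with -WhatIf first and scope the filter with -SearchBase; an unscoped -Filter * piped into Set-ADUser rewrites every account the caller can modify.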

Domain Password Policy in the Active Directory - How to Set it up

This article covers how to configure the domain password policy in Active Directory so that user account passwords meet a consistent minimum standard.

The GPO carrying the password policy must be linked at the domain level, not at an OU: for domain accounts these settings are only read from GPOs linked to the domain object. You can link several GPOs with password settings at the domain level, but only the one with the highest precedence is applied, and it applies to every user in the domain. Exceptions for particular groups or users (for example a longer minimum length for administrators) require fine-grained password policies (password settings objects), not OU-linked GPOs.

Basic Password Policy Settings on Windows:

Let's consider all available Windows password settings. 

There are six password settings in GPO:

1. Enforce password history – determines the number of old passwords stored in AD, thus preventing a user from using an old password.

However, the domain admin or user who has been delegated password reset permissions in AD can manually set the old password for the account;

2. Maximum password age – sets the password expiration in days. After the password expires, Windows will ask the user to change the password. Ensures the regularity of password changes by users;

You can find out when a specific user's password expires with PowerShell (the attribute is computed per user, so it already accounts for any fine-grained policy that applies):

Get-ADUser -Identity j.werder -Properties msDS-UserPasswordExpiryTimeComputed | Select-Object @{Name="ExpirationDate"; Expression={ [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}

3. Minimum password length – it is recommended that passwords contain at least 8 characters (if you specify 0 here, an empty password is allowed);

4. Minimum password age – sets how soon after a change a user may change the password again. Without it, a user can change the password several times in a row to push a favourite old password out of the password history and then set it again. As a rule, 1 day is a sensible value: it still lets users change a compromised password themselves (an administrator can always reset it immediately, because a reset is not subject to the minimum age);

5. Password must meet complexity requirements – if the policy is enabled, the password must not contain the user's account name or more than two consecutive characters from the user's full name, and it must use characters from at least three of the four classes: digits (0–9), uppercase letters, lowercase letters and special characters ($, #, %, etc.). Complexity does not stop dictionary-style passwords such as Summer2024!, so it is also recommended to audit user passwords in the domain regularly against lists of known-weak passwords;

6. Store passwords using reversible encryption – normally AD stores only password hashes, but some applications that need the clear-text password (for example older CHAP or digest authentication) require this setting. If it is enabled, the password is stored in a form the DC can decrypt, which is almost as bad as plain text: anyone who obtains the AD database (a compromised DC, a stolen backup, or a replication attack) recovers the passwords directly. Leave it disabled; a read-only domain controller (RODC), which does not hold these secrets, reduces exposure where a DC must sit in a less trusted location.
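As an added example (not code from the original article), the script below reads the effective default domain password policy and checks the six settings discussed above against a baseline, then lists the three things that silently undermine the policy: fine-grained policies that override it, accounts flagged "password never expires", and accounts storing a reversibly encrypted password. The baseline numbers are assumptions, substitute your own standard.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module and read access to the domain. Baseline values below are assumptions.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# One check per GPO setting. MaxPasswordAge/MinPasswordAge are TimeSpans; a
# "never expires" MaxPasswordAge shows up as an absurdly large value and fails
# the 1..365 day check just like 0 would.
$checks = @(
    @{ Setting = 'PasswordHistoryCount';        Expected = '>= 24';       Test = { $policy.PasswordHistoryCount -ge 24 } }
    @{ Setting = 'MaxPasswordAge';              Expected = '1..365 days'; Test = { $policy.MaxPasswordAge.Days -ge 1 -and $policy.MaxPasswordAge.Days -le 365 } }
    @{ Setting = 'MinPasswordLength';           Expected = '>= 8';        Test = { $policy.MinPasswordLength -ge 8 } }
    @{ Setting = 'MinPasswordAge';              Expected = '>= 1 day';    Test = { $policy.MinPasswordAge.Days -ge 1 } }
    @{ Setting = 'ComplexityEnabled';           Expected = 'True';        Test = { $policy.ComplexityEnabled } }
    @{ Setting = 'ReversibleEncryptionEnabled'; Expected = 'False';       Test = { -not $policy.ReversibleEncryptionEnabled } }
)

foreach ($c in $checks) {
    [pscustomobject]@{
        Setting  = $c.Setting
        Actual   = $policy.($c.Setting)
        Expected = $c.Expected
        Status   = $(if (& $c.Test) { 'OK' } else { 'FAIL' })
    }
}

# Fine-grained password policies (PSOs) override the domain policy for the
# users and groups they apply to; list them so exceptions are not overlooked.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, ReversibleEncryptionEnabled, AppliesTo

# Accounts flagged "password never expires" bypass MaxPasswordAge entirely.
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# Accounts whose userAccountControl has ENCRYPTED_TEXT_PWD_ALLOWED (0x80) store
# a reversibly encrypted password regardless of what the domain policy says.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    Select-Object SamAccountName, DistinguishedName
```

The two last queries are the ones that matter in practice: a correct domain policy is routinely undone one account at a time by "password never expires" on service accounts.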

Map Network Drives or Shared Folders with Group Policy - How to do it

This article covers how to map network drives or shared folders with Group Policy.

Mapping network drives using Group Policy preferences is flexible, provides easy control over who receives the drive mappings, and has easy-to-use user interfaces, all of which are in stark contrast with the complexities associated with scripts.

To Set up drive mappings with Group Policy preferences:

1. Group Policy preferences are a set of extensions that increase the functionality of Group Policy Objects (GPOs). 

2. Administrators can use them to deploy and manage applications on client computers with configurations targeted to specific users. 

3. The Drive Maps policy in Group Policy preferences allows an administrator to manage drive letter mappings to network shares.

To Deploy item-level targeting with Group Policy preferences:

Item-level targeting (ILT) is a feature of Group Policy preferences that allows a preference setting to be applied to individual users and/or computers dynamically. ILT lets an administrator specify a list of conditions that must be met for a preference setting to be applied to, or removed from, a user or computer object.

For example, you can configure a drive mapping so that only members of the Product Managers security group receive it:

1. Under the Common tab of the mapped drive properties, check the Item-level targeting option, and then click Targeting….

2. In the Targeting Editor window, click New Item and select Security Group.

3. Click the … button, and type in the name of the security group.

4. Click OK to close the Targeting Editor once you're finished adding items to the list. 

Create Keytab File for Kerberos Authentication in Active Directory

This article covers how to create keytab files for Kerberos. Active Directory uses Kerberos version 5 as its authentication protocol between clients and servers. Kerberos is designed to authenticate clients and servers over an open network on which other, untrusted systems are also connected.

A Kerberos keytab file contains mappings between Kerberos principal names and the principal's long-term keys, which are derived from the principal's password, with one entry per encryption type (historically DES; on current systems the AES types). Anyone who can read a keytab can authenticate as that principal without knowing the password, so protect it like a password: restrictive file permissions, and no unencrypted copies in transit.

The keytab is generated by running kadmin and issuing the ktadd command. If you generate the keytab file on another host, you need to get a copy of it onto the destination host (trillium, in the above example) without sending it unencrypted over the network.

To Create a Kerberos principal and keytab files for each encryption type you use:

1. Log on as the Kerberos administrator (Admin) and create a principal in the KDC.

You can use cluster-wide or host-based credentials.

The following is an example when cluster-wide credentials are used. It shows MIT Kerberos with admin/cluster1@EXAMPLE.COM as the Kerberos administrator principal:

bash-3.00$ kadmin -p admin@EXAMPLE.COM

kadmin: add_principal vemkd/cluster1@EXAMPLE.COM

Enter password for principal "vemkd/cluster1@EXAMPLE.COM": password

Re-enter password for principal "vemkd/cluster1@EXAMPLE.COM": password

If you do not create a VEMKD principal, the default value of vemkd/clustername@Kerberos_realm is used.

2. Obtain the key version number (kvno) of the principal by running the subcommand getprinc principal_name. The kvno stored in the keytab must match the one in the KDC; if the password is later changed, the kvno increments and the old keytab stops working.

3. Create the keytab files, using the ktutil command:

Add an entry for each encryption type you use with the add_entry command, then write the result to a file with wkt.

For example, in ktutil run add_entry -password -p principal_name -k kvno -e encryption_type once per encryption type, then wkt /path/to/file.keytab.

Add domain in PRTG

This article will guide you on how to add a domain in the PRTG monitoring system.

PRTG is a network monitoring system that can monitor websites, hosts and services with a range of sensors.

If you are working in more complex environments or those with a desire to reduce the number of authentication mechanisms on their networks, PRTG includes the option to easily integrate with Active Directory (AD).

1. PRTG additionally adds the probe device to the local probe. This is an internal system device with several sensors. It has access to the probe system and monitors the system's health parameters. 

2. PRTG automatically analyzes the devices that you add and recommends appropriate sensors on the device's Overview tab.

Backup Active Directory Domain Controller

This article will guide you on how to back up an Active Directory domain controller.
A System State backup generally includes a copy of any installed device drivers and related files, most of the Windows directory, the Windows Registry, the Active Directory database and SYSVOL (on a domain controller) and system files under Windows File Protection.
In production it is best practice to have at least two domain controllers per domain. If you factor in each child domain and any other domains in the forest, that number scales up quickly with two per domain.
To Configure Windows Backup Users on a Domain Controller:
1. In Active Directory Users and Computers, expand the domain and open the Users container.
2. Right-click the user who will be performing backups and click Properties.
3. On the Member Of tab, click Add and add the Backup Operators group.
4. Click OK.
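The same procedure from PowerShell, as an added example that is not part of the original article: it adds the backup account to Backup Operators, checks the "two DCs per domain" advice, and takes a System State backup with Windows Server Backup. The account name svc_backup and the backup volume E: are assumptions.

```powershell
# Added example (not from the original article). Assumes Windows Server Backup
# can be installed on this DC and that E: is a dedicated backup volume.
# The account name svc_backup and the drive letter are hypothetical.
Import-Module ActiveDirectory

# Backup Operators can read every file on the DC through the backup API,
# including NTDS.dit with all password hashes, so treat this account as Tier 0:
# strong credential, no interactive use elsewhere, membership reviewed regularly.
Add-ADGroupMember -Identity 'Backup Operators' -Members 'svc_backup'
Get-ADGroupMember -Identity 'Backup Operators' | Select-Object SamAccountName, objectClass

# The article's advice: at least two DCs per domain. A backup is not redundancy.
$dcs = @(Get-ADDomainController -Filter *)
if ($dcs.Count -lt 2) {
    Write-Warning "Only $($dcs.Count) domain controller(s) in $((Get-ADDomain).DNSRoot); add a second DC."
}

# System State covers NTDS.dit, SYSVOL, the registry, boot files and the
# COM+ class registration database. Install the feature if it is missing.
if (-not (Get-WindowsFeature Windows-Server-Backup).Installed) {
    Install-WindowsFeature Windows-Server-Backup
}
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Confirm a version was written. The backup contains a copy of NTDS.dit and is
# exactly as sensitive as the DC itself: keep the target off general file shares.
wbadmin get versions -backupTarget:E:
```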

Find the Source of Account Lockouts in Active Directory

This article will guide you through the steps to find the source of account lockouts in an Active Directory domain.

The most common underlying cause of AD account lockouts, beyond users forgetting their password, is an application, scheduled task, mapped drive or background service on some device that keeps authenticating with stale (already changed) credentials.

To track the source of account lockouts in Active Directory:

1. Find the domain controller holding the PDC Emulator role: every lockout in the domain is forwarded to it, so its Security log sees them all.

2. Look for Event ID 4740 (A user account was locked out) in that log.

3. Filter the log to that event ID and the time window of interest.

4. Find the lockout event for the account whose information you need.

5. Open the event: its Caller Computer Name field names the machine the failed attempts came from, which is where the stale credential lives.
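The five steps above as one script, added here as an example and not taken from the original article. It locates the PDC emulator, reads the 4740 events from its Security log and extracts the locked account and the caller computer from the event XML. The account name, the 24-hour window and remote event log access (RPC) to the PDC are assumptions.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module and permission to read the Security log on the PDC emulator remotely.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [string]$Account,      # optional: restrict to one sAMAccountName
        [int]$Hours = 24       # how far back to look
    )
    # Step 1: the PDC emulator receives a copy of every lockout in the domain.
    $pdc = (Get-ADDomain).PDCEmulator

    # Steps 2 and 3: event 4740 in the Security log, limited to the time window.
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Steps 4 and 5: pull the named fields out of the event XML.
        # In 4740, TargetUserName is the locked account and TargetDomainName
        # carries the "Caller Computer Name"; SubjectUserName is the DC that
        # processed the failed attempts.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($Account -and $data['TargetUserName'] -ne $Account) { continue }

        [pscustomobject]@{
            Time             = $event.TimeCreated
            LockedAccount    = $data['TargetUserName']
            CallerComputer   = $data['TargetDomainName']
            DomainController = $data['SubjectUserName']
            PdcQueried       = $pdc
        }
    }
}

# Usage (hypothetical account): list where j.werder's lockouts came from in the last 48 h.
Get-LockoutSource -Account 'j.werder' -Hours 48 | Format-Table -AutoSize
```

If CallerComputer is empty or is itself a domain controller, the attempts arrived through an intermediary (NPS/RADIUS, a web front end, Exchange); continue on that host with its own 4625 or 4771 events to find the process holding the stale credential.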

ElasticSearch LDAP Authentication on the Active Directory

This article will guide you on how to authenticate Elasticsearch users against Active Directory from Microsoft Windows using the LDAP protocol.

Active Directory (AD) supports both Kerberos and LDAP; Microsoft AD is by far the most common directory service in use today.

To Set up Active Directory Authentication using LDAP:

1. Enter the LDAP "Server" and "Port" attributes on the Server Overview tab of the LDAP Users page. 

2. Enter the proper base for the Active Directory in the "Base DN" attribute. 

3. Set the Search Scope. 

4. Enter the Username Attribute. 

5. Enter the Search Filter. 

6. Verify that the settings are correct by clicking the Verify button.

Zabbix Single Sign-On SSO Authentication in Active Directory

This article will guide you on how to set up Zabbix Single Sign-On (SSO) authentication against Active Directory, which lets users open the Zabbix frontend without entering credentials.
Users and resources are added to the directory service for central management, and AD DS works with authentication protocols such as NTLM and Kerberos. Users who belong to AD DS therefore authenticate once from their machines and gain access to other systems that integrate with AD DS. This is a form of single sign-on.

Nagios Authentication and Importing Users with AD and LDAP

This article will guide you on how to integrate Nagios Log Server with Active Directory or LDAP to allow user authentication and validation in the Nagios Log Server interface.
By default, LDAP on port 389 without TLS is unsigned and unencrypted, so a simple bind sends the service account password in clear text and the session is open to eavesdropping and man-in-the-middle attacks. Once LDAP signing is enforced on the domain controllers (the hardening Microsoft shipped as a Windows update), clear-text simple binds are rejected, so LDAPS (port 636) must be enabled in Active Directory and used by Nagios Log Server.
To Set up Active Directory Authentication using LDAP:
1. Enter the LDAP "Server" and "Port" attributes on the Server Overview tab of the LDAP Users page.
2. Enter the proper base for the Active Directory in the "Base DN" attribute.
3. Set the Search Scope.
4. Enter the Username Attribute.
5. Enter the Search Filter.
6. Verify that the settings are correct by clicking the Verify button.
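Before typing the six values above into Nagios Log Server (or into the Elasticsearch configuration from the earlier article, which uses the same server, port, base DN, scope, username attribute and filter), it is worth proving them with a direct LDAPS bind and search. The script below is an added example, not code from the original article or from Nagios; the host name, service account, base DN and test user are hypothetical.

```powershell
# Added example (not from the original article). Binds to a DC over LDAPS with
# a service account and searches for one user, exercising exactly the settings
# a Nagios/Elasticsearch LDAP integration needs. All names are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server   = 'dc01.example.com'
$port     = 636                          # LDAPS; 389 would send the simple bind in clear text
$baseDn   = 'DC=example,DC=com'
$scope    = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$userAttr = 'sAMAccountName'
$testUser = 'j.werder'
$filter   = "(&(objectClass=user)(objectCategory=person)($userAttr=$testUser))"

# Bind account as UPN (svc_nagios@example.com) or DN; a bare short name is not accepted by a simple bind.
$bindCred = Get-Credential -Message 'Service account used for the LDAP bind (UPN or DN)'

$identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($server, $port)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($identifier)
$conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte (LDAPS)
$conn.SessionOptions.ProtocolVersion  = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $bindCred.GetNetworkCredential()

# No VerifyServerCertificate callback is installed on purpose: the DC certificate
# must chain to a CA this host trusts, otherwise Bind() throws and the test fails.
# Disabling that check would make the "encrypted" channel trivially interceptable.
$conn.Bind()

$attrs    = [string[]]@('distinguishedName', $userAttr, 'memberOf')
$request  = [System.DirectoryServices.Protocols.SearchRequest]::new($baseDn, $filter, $scope, $attrs)
$response = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($request)

if ($response.Entries.Count -ne 1) {
    throw "Expected exactly one entry for $testUser, got $($response.Entries.Count); check Base DN, scope and filter"
}
$entry  = $response.Entries[0]
$groups = if ($entry.Attributes.Contains('memberOf')) { @($entry.Attributes['memberOf'].GetValues([string])) } else { @() }

[pscustomobject]@{
    DN      = $entry.DistinguishedName
    Account = $entry.Attributes[$userAttr][0]
    Groups  = $groups
}
$conn.Dispose()
```

Use a dedicated, read-only service account for the bind; the monitoring server stores that password, and an attacker who reads its configuration gets whatever rights the account has in the directory.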

Steps to Setup Ansible AWS Dynamic Inventory

This article will guide you on how to manage AWS resources with Ansible using a dynamic inventory.

The Ansible inventory file defines the hosts and groups of hosts upon which commands, modules and tasks in a playbook operate. The file can be in one of many formats depending on your Ansible environment and plugins.

Ansible will use a script as an inventory source as long as it prints a JSON structure like the one above when it is called with the --list argument (and the per-host variables when called with --host hostname).

Clean up Domain Controller DNS Records with Powershell

This article will guide you through cleaning up stale DNS records left behind by a dead or decommissioned domain controller with PowerShell. Removing them matters: clients and other DCs keep trying to reach the old DC for Kerberos, LDAP and replication as long as its A, NS and SRV records remain, which causes logon delays and replication errors.

To remove the old DNS records of a decommissioned domain controller:

1. Right-click the zone in the DNS console, open Properties, and on the Name Servers tab delete the entries that refer to the decommissioned DC. Check the _msdcs zone as well, since the DC's SRV and CNAME records live there.

2. Remove the IP address of the decommissioned DC from the DNS server list on the network adapters of the remaining DCs and servers, so nothing still tries to resolve names through it.
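The PowerShell version of both steps, added here as an example rather than taken from the original article: it scans the domain zone and the _msdcs zone for A, NS, SRV and CNAME records that still point at the old DC, removes them (with -WhatIf until you have reviewed the list), and then checks the local adapters for the old resolver address. The zone names, host names and IP address are assumptions; it requires the DnsServer module (RSAT-DNS-Server) and a surviving DC that is also a DNS server.

```powershell
# Added example (not from the original article). Requires the DnsServer module.
# Zone names, host names and the IP address below are hypothetical.
Import-Module DnsServer

$dnsServer = 'dc02.example.com'        # surviving DC/DNS server to run the changes on
$oldDcFqdn = 'dc01.example.com.'       # trailing dot: how DNS stores FQDNs in record data
$oldDcIp   = '10.0.0.11'
$zones     = @('example.com', '_msdcs.example.com')   # _msdcs is its own zone on a forest root

foreach ($zone in $zones) {
    $records = Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone

    # Match each record type on the field that can reference the old DC.
    # $rec is captured first because inside 'switch' $_ is the tested value, not the record.
    $stale = $records | Where-Object {
        $rec = $_
        switch ($rec.RecordType) {
            'A'     { $rec.RecordData.IPv4Address.IPAddressToString -eq $oldDcIp }
            'NS'    { $rec.RecordData.NameServer -eq $oldDcFqdn }
            'SRV'   { $rec.RecordData.DomainName -eq $oldDcFqdn }
            'CNAME' { $rec.RecordData.HostNameAlias -eq $oldDcFqdn }
            default { $false }
        }
    }

    foreach ($r in $stale) {
        "Removing $($r.RecordType) $($r.HostName) from $zone"
        # -WhatIf prints what would be deleted; remove it once the list has been reviewed.
        Remove-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone -InputObject $r -Force -WhatIf
    }
}

# Step 2: the old DC may still be configured as a resolver on this server's adapters.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains $oldDcIp } |
    Select-Object InterfaceAlias, ServerAddresses
```

Do this only after the DC has been removed from AD (demotion or metadata cleanup); deleting the records of a DC that is still registered in the directory achieves nothing, because Netlogon re-registers them.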

How to restore Deleted Active Directory Objects and Users

This article will put you through the steps to restore deleted Active Directory objects and users. With a third-party change-tracking tool you can also right-click an unwanted change or object deletion in Active Directory and click "Rollback Change" to undo it with a single click.

The Active Directory Recycle Bin feature preserves all link-valued and non-link-valued attributes of a deleted object, so a restored object retains all of its settings, including group memberships. By default a deleted object can be restored within 180 days (the deleted object lifetime); after that it becomes a recycled object and can no longer be restored.
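How the restore looks from PowerShell, as an added example that is not part of the original article: it verifies the Recycle Bin is enabled (enabling it is a one-way operation), reads the deleted object lifetime, finds the deleted user and restores it to its original container. The forest and user names are assumptions.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module; enabling the feature requires Enterprise Admins. Names are hypothetical.
Import-Module ActiveDirectory

$forest = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    # One-way operation: it cannot be disabled again once enabled.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Deleted object lifetime in days; empty means the default of 180 applies.
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
(Get-ADObject -Identity $dsConfig -Properties msDS-DeletedObjectLifetime).'msDS-DeletedObjectLifetime'

# Deleted objects have isDeleted=TRUE and a mangled name ("Jane Werder\0ADEL:<guid>");
# lastKnownParent records the container they were deleted from.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -like "Jane Werder*" } `
    -IncludeDeletedObjects -Properties isDeleted, lastKnownParent, whenChanged, sAMAccountName

$deleted | Select-Object Name, sAMAccountName, lastKnownParent, whenChanged

# Restore to the original container. If that OU was deleted too, restore the OU
# first or pass -TargetPath with a live container. -WhatIf previews the action.
foreach ($obj in $deleted) {
    Restore-ADObject -Identity $obj.ObjectGUID -WhatIf
}
```

A mass deletion (hundreds of objects, or whole OUs) is usually the result of a script or of an attacker with delegated rights; restore from the Recycle Bin, but also check who performed the deletions (event 5141 on the DC when directory object auditing is enabled) before handing the rights back.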

How to use ADUC MMC to process queries in Active Directory user and Computers

This article describes how to use saved queries in Active Directory Users and Computers (ADUC), an MMC snap-in for managing Active Directory.
