To collect who is logging on to a server over Remote Desktop, an event subscription can be created with the following XML filter against the Security log (4624 is a successful logon, 4625 a failed one, and LogonType 10 is RemoteInteractive):
*[System[(EventID=4624 or EventID=4625)]] and *[EventData[Data[@Name='LogonType']='10']]
Tie the value to the named field as above. Written as *[EventData[Data[@Name='LogonType'] and Data=10]], the filter matches any event that has a LogonType field and any Data field whose value is 10, which is broader than intended.
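Before wiring the filter into a subscription it is worth running it locally and seeing what comes back. The following is an added example (not part of the original post): it runs the same query with Get-WinEvent, pulls the named EventData fields out of each event, and summarises RDP successes and failures per account and source address. It assumes read access to the Security log; the log name, time window and computer name are parameters you would adjust (ForwardedEvents on a collector, for instance).

```powershell
# Added example: run the subscription's XML filter with Get-WinEvent and
# summarise RDP (LogonType 10) logons per account and source address.

function Get-RdpLogonSummary {
    param(
        [string]$LogName = 'Security',          # 'ForwardedEvents' on a WEC collector
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Same filter as the subscription, bounded to the last $Hours.
    # Data[@Name='LogonType']='10' binds the value to the named field.
    $ms = $Hours * 3600 * 1000
    $xml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
      and *[EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
"@

    $events = Get-WinEvent -ComputerName $ComputerName -FilterXml $xml -ErrorAction SilentlyContinue
    if (-not $events) { return }

    $rows = foreach ($e in $events) {
        # Read named fields from the event XML rather than positional
        # Properties[], whose order differs between 4624 and 4625.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            EventId  = $e.Id
            Result   = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
            Account  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIp = $d['IpAddress']
            Status   = $d['Status']       # populated on 4625 only
        }
    }

    $rows | Group-Object Account, SourceIp | ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Group[0].Account
            SourceIp  = $_.Group[0].SourceIp
            Successes = @($_.Group | Where-Object Result -eq 'Success').Count
            Failures  = @($_.Group | Where-Object Result -eq 'Failure').Count
            LastSeen  = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } | Sort-Object Failures -Descending
}

# Usage: an address with many failures and no successes is the first thing to look at.
Get-RdpLogonSummary -Hours 24 | Format-Table -AutoSize
```

One caveat when reading the failure column: on hosts with Network Level Authentication enabled, a bad password is usually rejected before an RDP session exists and is recorded as 4625 with LogonType 3, so a LogonType-10-only filter under-counts failed attempts.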
A quick memory refresh regarding certificate template best practice:
I'm starting from the point where an administrator requests a certificate and sends you the request file.
When you receive a certificate request, first check which template it asks for. This can be done with the following command:
certutil <filename.REQ>
This prints a page or two of information; somewhere in it there should be a line such as:
Certificate Template Name (Certificate Type)
    myC-WebServer
Make sure this matches a template name that the CA actually issues. If it is the standard WebServer template, either the requester has not asked for the right certificate or the CA is issuing the standard template rather than your custom one.
Next, submit the request to the certification authority. Add the CertificateTemplate attribute to the submission, then give it the file name. Note that the attribute, not the name embedded in the request, is what the CA acts on when it issues, so type it to match the template you have just verified:
certreq -attrib "CertificateTemplate:MyC-WebServer" -submit <filename.REQ>
Active Directory Enrollment Policy
{0B94AA91-153F-4C9B-BDF2-DCD362782668}
ldap:
RequestId: 573
RequestId: "573"
Certificate request is pending: Taken Under Submission (0)
Note the RequestId: it is what you use to complete the request. Next, approve the request in the Certification Authority console (it sits under Pending Requests), then retrieve the issued certificate with that id:
certreq.exe -retrieve 573 <filename.crt>
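The same check/submit/retrieve sequence as a script, so the template in the request, the template the CA publishes and the attribute passed to certreq can never drift apart. This is an added example, not code from the original post. It assumes certutil prints the template under the "Certificate Template Name (Certificate Type)" label (or as "Template=<name>(" for V2 templates) and that certutil -CATemplates lists one template per line as "<Name>: <Display Name> -- ..."; the CA config string and file names are placeholders.

```powershell
# Added example: verify, submit and retrieve a template-based request.

function Get-TemplateFromDump {
    param([string]$Path)     # a .req or .crt file
    $dump = certutil $Path | Out-String
    # V1-style name extension: label on one line, name on the same or next line (assumed layout).
    if ($dump -match 'Certificate Template Name \(Certificate Type\)\s*(\S+)') { return $Matches[1] }
    # V2 template information extension (assumed layout).
    if ($dump -match 'Template=([^(\r\n]+)\(') { return $Matches[1].Trim() }
    return $null
}

function Submit-TemplateRequest {
    param(
        [Parameter(Mandatory)][string]$RequestFile,   # e.g. .\web01.req (placeholder)
        [Parameter(Mandatory)][string]$Template,      # e.g. MyC-WebServer
        [Parameter(Mandatory)][string]$CAConfig       # e.g. 'ca01.domain.local\Domain-CA' (placeholder)
    )
    # 1. What does the request itself ask for?
    $requested = Get-TemplateFromDump $RequestFile
    if (-not $requested) { throw "No template name found in $RequestFile; inspect it with certutil by hand." }
    if ($requested -ne $Template) { throw "Request names '$requested', expected '$Template'. Not submitting." }

    # 2. Does this CA publish that template?
    $published = certutil -config $CAConfig -CATemplates |
        ForEach-Object { if ($_ -match '^(\S+):') { $Matches[1] } }
    if ($published -notcontains $Template) { throw "CA '$CAConfig' does not issue '$Template'." }

    # 3. Submit. The -attrib value is what the CA acts on, so it comes from the
    #    variable that was just verified rather than being typed freehand.
    $out = certreq -config $CAConfig -attrib "CertificateTemplate:$Template" -submit $RequestFile 2>&1 | Out-String
    if ($out -notmatch 'RequestId:\s*(\d+)') { throw "Submit failed:`n$out" }
    [int]$Matches[1]      # the handle needed for retrieval
}

function Complete-TemplateRequest {
    param(
        [Parameter(Mandatory)][int]$RequestId,
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string]$CAConfig,
        [Parameter(Mandatory)][string]$OutFile        # e.g. .\web01.crt (placeholder)
    )
    # 4. Run after the request has been issued in the CA console.
    Remove-Item $OutFile -ErrorAction SilentlyContinue
    $out = certreq -config $CAConfig -retrieve $RequestId $OutFile 2>&1 | Out-String
    if (-not (Test-Path $OutFile)) { throw "Not issued yet, or retrieval failed:`n$out" }
    # 5. Confirm the issued certificate carries the template that was asked for.
    $issued = Get-TemplateFromDump $OutFile
    if ($issued -ne $Template) { throw "Issued certificate reports template '$issued', expected '$Template'." }
    Get-Item $OutFile
}

# Usage (placeholders):
# $id = Submit-TemplateRequest -RequestFile .\web01.req -Template MyC-WebServer -CAConfig 'ca01.domain.local\Domain-CA'
# ... approve $id under Pending Requests in the CA console ...
# Complete-TemplateRequest -RequestId $id -Template MyC-WebServer -CAConfig 'ca01.domain.local\Domain-CA' -OutFile .\web01.crt
```

Step 5 is the part worth keeping even if you script nothing else: it catches a CA that silently issued a different template than the one named in the request.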
When you change the group membership of a computer account, the new group does not take effect until the computer account authenticates again, just as a user must log out and back in to pick up new permissions or group memberships.
The easiest way to accomplish this is to reboot the server; however, we all know that is not always possible. A handy little tool to make the computer renew its tickets instead is klist. From an elevated prompt:
klist -li 0x3e7
lists the tickets held by the SYSTEM logon session (logon ID 0x3e7 is the computer account's own session), and
klist -li 0x3e7 purge
deletes all of them and forces the system to obtain new ones, carrying the updated group membership, without rebooting at all. Purging refreshes what the machine presents to other hosts (including the domain controller); it does not rebuild access tokens already held by running local processes.
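Purge-and-hope is hard to audit, so here is the procedure with a before/after check. It is an added example, not from the original post. It parses the output of klist into objects, purges the SYSTEM session's cache, requests a fresh TGT and shows its start time. Two assumptions: the prompt is elevated, and "klist -li 0x3e7 get krbtgt/<realm>" is accepted on your build (if it is not, a computer-side Group Policy refresh is used as the fallback, since that contacts the DC as the computer account).

```powershell
# Added example: inspect, purge and re-acquire the computer account's tickets.

function Get-SystemKerberosTicket {
    # Parses "klist -li 0x3e7 tickets" into objects. 0x3e7 is the LUID of the
    # SYSTEM logon session, i.e. the computer account's ticket cache.
    $text = klist -li 0x3e7 tickets | Out-String
    $blocks = $text -split '(?m)^#\d+>' | Select-Object -Skip 1
    foreach ($b in $blocks) {
        $f = @{}
        foreach ($line in ($b -split "`r?`n")) {
            if ($line -match '^\s*(Client|Server|Start Time|End Time|Renew Time):\s*(.+?)\s*$') {
                $f[$Matches[1]] = $Matches[2]
            }
        }
        [pscustomobject]@{
            Client    = $f['Client']
            Server    = $f['Server']
            StartTime = $f['Start Time']
            EndTime   = $f['End Time']
        }
    }
}

function Reset-SystemKerberosTicket {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'klist -li 0x3e7 needs an elevated prompt.' }

    $before = @(Get-SystemKerberosTicket)
    Write-Host "Before: $($before.Count) ticket(s) in the SYSTEM cache"

    klist -li 0x3e7 purge | Out-Null

    # Ask for a new TGT now rather than waiting for the next outbound
    # connection. Its PAC carries the computer account's current group list.
    # (Assumption: "klist get" honours -li on this build.)
    $realm = $env:USERDNSDOMAIN
    klist -li 0x3e7 get "krbtgt/$realm" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Fallback: a computer policy refresh makes SYSTEM talk to the DC as the
        # computer account, which requests a TGT as a side effect.
        gpupdate /target:computer /force | Out-Null
    }

    $after = @(Get-SystemKerberosTicket)
    $tgt = $after | Where-Object Server -like 'krbtgt/*'
    if (-not $tgt) { throw 'No TGT after purge; check DC reachability and the Security-Kerberos event log.' }
    Write-Host "After: TGT for $($tgt.Client) issued at $($tgt.StartTime)"
    $after
}

Reset-SystemKerberosTicket | Format-Table -AutoSize
```

The start time on the new krbtgt entry is the evidence you want: if it predates the purge, the cache was not the SYSTEM session's and the membership change has not been picked up.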
The other day I came across a curious problem. I had a requirement in a script to send an email. When I wrote and tested the script, everything worked fine. However, when I ran the script from the test schedule, the script executed fine but no email was sent!
After a few hours of searching, I found this on the Exchange host:
Log Name:      Application
Source:        MSExchangeTransport
Date:          9/5/2016 4:57:57 PM
Event ID:      1025
Task Category: SmtpReceive
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server.domain.local
Description:
SMTP rejected a (P1) mail from 'importexport@domain.local' with 'Client SERVER' connector and the user authenticated as 'domain\importexport'. The Active Directory lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeTransport" />
    <EventID Qualifiers="49156">1025</EventID>
    <Level>2</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-05T16:57:57.000000000Z" />
    <EventRecordID>410601</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SERVER.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>importexport@domain.local</Data>
    <Data>Client SERVER-01</Data>
    <Data>domain.local\importexport</Data>
    <Data>P1</Data>
    <Data>Microsoft.Exchange.Data.ProviderError</Data>
  </EventData>
</Event>
Hold the phone! Under my account it worked perfectly, but under the service account running the scheduled task it failed.
After a few failed attempts I noticed that if I mistyped the username and password when passing credentials with the -Credential $Creds argument, it actually worked. WTF.
So I quickly worked out that if I passed "dummy" credentials the script worked. The reason is in the event above: without -Credential, Send-MailMessage authenticates to the SMTP server with the Windows identity of the process running it, so Exchange saw the task's service account and then failed the AD lookup for that sender. An anonymous credential turns it into an anonymous submission, which the receive connector accepts on its own anonymous permissions.
To create a dummy credential I first had to create an empty secure string, then pass it into a new credential object, as so:
$sPassword = New-Object System.Security.SecureString
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "NT AUTHORITY\ANONYMOUS LOGON", $sPassword
I just included this at the top of the script when declaring variables.
# -SmtpServer is omitted here, so $PSEmailServer must be set for the call to work.
Send-MailMessage -To "User01 <user01@example.com>" -From "ITGroup <itdept@example.com>" -Cc "User02 <user02@example.com>" -Bcc "ITMgr <itmgr@example.com>" -Subject "Don't forget today's meeting!" -Credential $creds
WORKS! It does rely on the receive connector allowing anonymous submission from the script host, so a connector that relays anonymously should be scoped to the addresses of the hosts that need it.
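To see the difference between the two submission paths on purpose rather than by mistyping a password, the following added example (not part of the original post) drives System.Net.Mail.SmtpClient directly, once with the process's Windows identity and once with no credentials at all, and reports what the server said to each. Server name, port and addresses are placeholders; run it under the scheduled task's service account to reproduce the failure above.

```powershell
# Added example: default-credential vs anonymous SMTP submission, side by side.

function Test-SmtpSubmission {
    param(
        [string]$SmtpServer = 'exchange.domain.local',   # placeholder
        [int]$Port = 25,
        [string]$From = 'importexport@domain.local',     # placeholder
        [string]$To = 'user01@example.com',              # placeholder
        [ValidateSet('Default','Anonymous')][string]$Mode = 'Anonymous'
    )
    $client = New-Object System.Net.Mail.SmtpClient($SmtpServer, $Port)
    switch ($Mode) {
        # What Send-MailMessage does with no -Credential: authenticate with the
        # Windows identity of the running process (here, the task's service account).
        'Default'   { $client.UseDefaultCredentials = $true }
        # No credentials attached: the connector's anonymous permissions decide.
        # This is the clean way to reach the path the dummy credential reached.
        'Anonymous' { $client.UseDefaultCredentials = $false; $client.Credentials = $null }
    }
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $msg = New-Object System.Net.Mail.MailMessage($From, $To, "SMTP test ($Mode)", "Process identity: $who")
    try {
        $client.Send($msg)
        [pscustomobject]@{ Mode = $Mode; Result = 'accepted'; Detail = $null }
    } catch [System.Net.Mail.SmtpException] {
        # StatusCode carries the SMTP reply class the server answered with.
        [pscustomobject]@{ Mode = $Mode; Result = 'rejected'; Detail = "$($_.Exception.StatusCode): $($_.Exception.Message)" }
    } finally {
        $msg.Dispose()
        $client.Dispose()
    }
}

'Default', 'Anonymous' | ForEach-Object { Test-SmtpSubmission -Mode $_ } | Format-Table -AutoSize
```

If both modes are rejected, the problem is the connector's permissions or the sender address itself, not the credential; if only Default fails, it is the authenticated account that Exchange cannot validate, which is the case described above.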
Get-WmiObject Win32_Service -ComputerName gdc-slo-p-slg01 | Select-Object @{Label="Server Name"; Expression={$_.__SERVER}}, Name, StartName | ConvertTo-Html | Out-File "C:\test.htm"
Get services on a remote computer, with the account each runs under, and save to a file.
# $computerlist is assumed to hold the computer names, e.g. from Get-Content .\servers.txt
foreach ($computer in $computerlist) {
    Write-Host "$computer - Admin list"
    (Get-LocalGroupMembers $computer).Members
}
Loads a list of computers and looks at who is in the local Administrators group on each.
* Get-LocalGroupMembers is a function:
function Get-LocalGroupMembers {
    param(
        [parameter(Mandatory=$true, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
        [Alias("Name")]
        [string]$ComputerName,
        [string]$GroupName = "Administrators"
    )
    begin {}
    process {
        # If the account name of the computer object was passed in, it will
        # end with a $. Get rid of it so it doesn't screw up the WMI query.
        $ComputerName = $ComputerName.Replace("`$", '')

        # Initialize an array to hold the results of our query.
        $arr = @()

        # Get hostname of remote system. $ComputerName could reference a cluster/alias name.
        # Need the real hostname for the subsequent WMI query.
        $hostname = (Get-WmiObject -ComputerName $ComputerName -Class Win32_ComputerSystem).Name
        $wmi = Get-WmiObject -ComputerName $ComputerName -Query "SELECT * FROM Win32_GroupUser WHERE GroupComponent=`"Win32_Group.Domain='$hostname',Name='$GroupName'`""

        # Parse out the username from each result and append it to the array.
        if ($null -ne $wmi) {
            foreach ($item in $wmi) {
                # PartComponent is a WMI path such as ...:Win32_UserAccount.Domain="DOMAIN",Name="user"
                $data   = $item.PartComponent -split ','
                $domain = ($data[0] -split '=')[1]
                $name   = ($data[1] -split '=')[1]
                $arr += ("$domain\$name").Replace('"', '')
                [Array]::Sort($arr)
            }
        }
        $hash = @{ComputerName = $ComputerName; Members = $arr}
        return $hash
    }
    end {}
}
Found Here
https://gallery.technet.microsoft.com/scriptcenter/List-local-group-members-c25dbcc4
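The two snippets above (services and their accounts, members of local Administrators) are the same audit from two angles, so here they are folded into one report across a list of computers. This is an added example, not from the original post or the gallery script. It uses Get-CimInstance over WinRM instead of the DCOM-based Get-WmiObject (same WMI classes underneath), skips services on the built-in accounts so only real service accounts are listed, and flags Administrators members that are not on an allow-list. Computer names and the allow-list are placeholders.

```powershell
# Added example: service accounts and local admins across several computers,
# with unexpected Administrators members flagged.

$computerlist  = 'server01', 'server02'                           # placeholder: Get-Content .\servers.txt
$allowedAdmins = 'DOMAIN\Domain Admins', 'DOMAIN\Server-Admins'   # placeholder baseline
$builtin       = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

function Get-ServiceAccountReport {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            Get-CimInstance -ComputerName $c -ClassName Win32_Service -ErrorAction Stop |
                Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
                ForEach-Object {
                    [pscustomobject]@{ Computer = $c; Service = $_.Name; StartName = $_.StartName; State = $_.State }
                }
        } catch { Write-Warning "$c : $($_.Exception.Message)" }
    }
}

function Get-LocalAdminReport {
    param([string[]]$ComputerName, [string[]]$Allowed)
    foreach ($c in $ComputerName) {
        try {
            # Real hostname, in case $c is an alias; the group's Domain is the local machine name.
            $hostName = (Get-CimInstance -ComputerName $c -ClassName Win32_ComputerSystem -ErrorAction Stop).Name
            $q = "SELECT * FROM Win32_GroupUser WHERE GroupComponent=""Win32_Group.Domain='$hostName',Name='Administrators'"""
            Get-CimInstance -ComputerName $c -Query $q -ErrorAction Stop | ForEach-Object {
                # PartComponent is a reference object under CIM (Domain/Name properties);
                # a WMI path string is also handled for safety.
                $p = $_.PartComponent
                $member = if ($p -is [string]) {
                    if ($p -match 'Domain="([^"]+)",Name="([^"]+)"') { "$($Matches[1])\$($Matches[2])" }
                } else { "$($p.Domain)\$($p.Name)" }
                if ($member) {
                    [pscustomobject]@{ Computer = $c; Member = $member; Expected = ($Allowed -contains $member) }
                }
            }
        } catch { Write-Warning "$c : $($_.Exception.Message)" }
    }
}

$services = Get-ServiceAccountReport -ComputerName $computerlist
$admins   = Get-LocalAdminReport -ComputerName $computerlist -Allowed $allowedAdmins

$body = ($services | ConvertTo-Html -Fragment -PreContent '<h2>Services on non-built-in accounts</h2>') +
        ($admins   | ConvertTo-Html -Fragment -PreContent '<h2>Local Administrators</h2>')
ConvertTo-Html -Body $body -Title 'Privileged account inventory' | Out-File 'C:\test.htm'

# The rows that need a conversation:
$admins | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Nested domain groups are reported as the group, not expanded; if you need the effective member list, resolve the domain groups separately with the AD cmdlets.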
Sometimes the standard event log filtering just isn't enough and you need more refined search criteria.
The best way I have found is to select the event log you want to search, then choose Filter Current Log.
This adds all the search and selection criteria you need; you can then edit the query on the XML tab. You will see something such as the following:
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
  </Query>
</QueryList>
Inside the Select element (between the > and the <) you will see an *. This is where your query goes.
Individual conditions are written in square brackets; below is an example:
*[System[(EventID='4728')]] and *[EventData[Data[@Name='TargetUserName'] and (Data='Domain Admins')]]
The above example lists events where a member was added to Domain Admins (4728 is "a member was added to a security-enabled global group", and TargetUserName holds the group's name).
* To target a specific field, open an event in Event Viewer and look at the XML view on its Details tab; it shows the Data element names you can use.
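Hand-editing the XML tab works for one group, but once you want several groups, both add and remove events, and an exclusion for a known provisioning account, it is easier to generate the query. The following added example (not from the original article) builds the QueryList in PowerShell, extends the 4728 example to the add/remove pair for global and universal groups, adds a Suppress element (which the Event Viewer UI cannot produce but the XML tab accepts), checks the result parses, writes it to a file for pasting into Event Viewer and runs it with Get-WinEvent. Group and account names are placeholders.

```powershell
# Added example: generate and run an Event Viewer XML query for privileged
# group membership changes, with a Suppress clause.

function New-GroupChangeQuery {
    param(
        [string[]]$Group = @('Domain Admins', 'Enterprise Admins'),
        [string[]]$IgnoreSubject = @(),     # e.g. a provisioning service account (placeholder)
        [int]$Days = 7,
        [string]$Path = 'Security'
    )
    # 4728/4729: member added/removed from a security-enabled global group
    # 4756/4757: the same for universal groups
    $ids    = ('4728', '4729', '4756', '4757' | ForEach-Object { "EventID=$_" }) -join ' or '
    $groups = ($Group | ForEach-Object { "Data[@Name='TargetUserName']='$_'" }) -join ' or '
    $window = $Days * 86400000     # timediff() works in milliseconds
    $select = "*[System[($ids) and TimeCreated[timediff(@SystemTime) &lt;= $window]]] and *[EventData[$groups]]"

    $suppress = ''
    if ($IgnoreSubject) {
        # SubjectUserName is the account that made the change.
        $subjects = ($IgnoreSubject | ForEach-Object { "Data[@Name='SubjectUserName']='$_'" }) -join ' or '
        $suppress = "`n    <Suppress Path=`"$Path`">*[EventData[$subjects]]</Suppress>"
    }
@"
<QueryList>
  <Query Id="0" Path="$Path">
    <Select Path="$Path">$select</Select>$suppress
  </Query>
</QueryList>
"@
}

$query = New-GroupChangeQuery -IgnoreSubject 'svc-provisioning'
[xml]$query | Out-Null                                  # throws if the XML is malformed
$query | Set-Content .\domain-admin-changes.xml         # paste into Filter Current Log > XML

Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Action = if ($_.Id -in 4728, 4756) { 'Added' } else { 'Removed' }
        Group  = $d['TargetUserName']
        Member = $d['MemberName']        # distinguished name of the changed account
        By     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
    }
} | Format-Table -AutoSize
```

The 47xx events are written on the domain controller that processed the change, so run this against each DC (or a collector that forwards from all of them), not against a member server.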
All Credit for this article goes HERE Thanks to Stephanie Kahlam
In previous versions of DirSync (the latest version being 1.0.6862.0000) there was a nifty little shell that could be found in
C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell
miisclient.exe
I liked to create a shortcut to it on my desktop alongside the ever so ambiguously named DirSync GUI, miisclient.exe. When I logged into the server I had quick access to launch the DirSync GUI and, if required, to force a synchronization.
Today DirSyncConfigShell.psc1 is no more. To start a quick synchronization you now need to open a PowerShell prompt as administrator and run:
Import-Module DirSync
Start-OnlineCoexistenceSync
If you need to check which version of DirSync is installed, run the following PowerShell cmdlet:
By default DirSync (Windows Azure Active Directory Sync) synchronizes every 3 hours. This interval can be changed by editing Microsoft.Online.DirSync.Scheduler.exe.config, found in C:\Program Files\Windows Azure Active Directory Sync.
This window shows a sync interval of 5 minutes after the config file has been edited.
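Editing the scheduler config by hand is quick, but a typo there stops scheduled syncs silently. The following added example (not from the original post) reads the interval, writes a new one with a backup and a lower bound, restarts the scheduler service and triggers the sync described above. It assumes the appSettings key is named SyncTimeInterval with an h:m:s value and that the scheduler service is registered as MSOnlineSyncScheduler; check both against your own installation before using it.

```powershell
# Added example: read/set the DirSync scheduler interval and trigger a sync.

$configPath = 'C:\Program Files\Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.config'

function Get-DirSyncInterval {
    [xml]$cfg = Get-Content $configPath
    # Assumption: the interval lives in <appSettings><add key="SyncTimeInterval" value="3:0:0"/>
    $node = $cfg.configuration.appSettings.add | Where-Object key -eq 'SyncTimeInterval'
    if (-not $node) { throw "SyncTimeInterval not found in $configPath" }
    [TimeSpan]::Parse($node.value)        # "3:0:0" -> 03:00:00
}

function Set-DirSyncInterval {
    param([Parameter(Mandatory)][TimeSpan]$Interval)
    # A very short interval keeps the sync engine busy back to back; refuse it.
    if ($Interval -lt [TimeSpan]::FromMinutes(5)) { throw 'Refusing an interval under 5 minutes.' }

    Copy-Item $configPath "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    [xml]$cfg = Get-Content $configPath
    $node = $cfg.configuration.appSettings.add | Where-Object key -eq 'SyncTimeInterval'
    if (-not $node) { throw "SyncTimeInterval not found in $configPath" }
    $hours = $Interval.Days * 24 + $Interval.Hours
    $node.value = '{0}:{1}:{2}' -f $hours, $Interval.Minutes, $Interval.Seconds
    $cfg.Save($configPath)

    # The scheduler reads the file at start-up. Service name is an assumption.
    $svc = Get-Service -Name 'MSOnlineSyncScheduler' -ErrorAction SilentlyContinue
    if ($svc) { Restart-Service $svc } else { Write-Warning 'Scheduler service not found; restart the Windows Azure Active Directory Sync Service by hand.' }
    Get-DirSyncInterval
}

"Current interval: $(Get-DirSyncInterval)"
Set-DirSyncInterval -Interval ([TimeSpan]::FromMinutes(5))

# Kick off a sync now rather than waiting for the next tick (the two commands from the post).
Import-Module DirSync
Start-OnlineCoexistenceSync
```

Keep the .bak files around: if the scheduler stops ticking after an edit, the first thing to do is diff the live config against the last backup.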
During setup of the Windows Azure Active Directory Sync tool, the Configuration Wizard asks for two sets of credentials: an Azure/Office 365 Company Administrator and an on-premises AD domain administrator.
The account specified for Windows Azure does not need to be licensed in Office 365.
It should, however, be configured with a non-expiring password, because DirSync stops running when the password changes in Office 365. The password can be updated in the DirSync GUI should this occur, but it is easier to set it to never expire and avoid a disruption to your synchronization process. Since this account holds Company Administrator rights and its password will not rotate, keep it dedicated to DirSync and give it a long random password.
To set a user's password to never expire, run the following PowerShell command:
If you need to change the password in the DirSync GUI, perform the following:
Open miisclient.exe
Click on Management Agents
Right-click Windows Azure Active Directory Connector and choose Properties
Click on Connectivity, then update the password