Tuesday, December 27, 2016
Fixing dns record permissions for dynamic dns
With secure dynamic update a client can only refresh a record it has write access to, and by default that is the record its own computer account created and therefore owns. When the owner or ACL of a record does not match the machine (the record was pre-created by an administrator, or registered under an earlier account with the same name), the client's updates are refused and the record goes stale. The script below takes a computer name and the FQDN of its record, finds the dnsNode object in the AD integrated zone, sets the owner to the computer account and adds the standard dynamic-update ACE. Run it on a DNS server/domain controller with an account that can change the record's owner and DACL.

param (
    [Parameter(Mandatory = $true)][string]$computername,   # sAMAccountName without the trailing $
    [Parameter(Mandatory = $true)][string]$dnsrecord       # FQDN of the record, e.g. host01.contoso.com
)

try {
    Import-Module ActiveDirectory -ErrorAction Stop
    Import-Module DnsServer -ErrorAction Stop
} catch {
    Write-Error "This script requires the ActiveDirectory and DnsServer powershell modules"
    exit
}
# the AD: drive is created asynchronously after the module loads
while ((Test-Path -Path AD:) -ne $true) { Start-Sleep -Seconds 2 }

#Standard ACL for a dynamic dns entry
#ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete,
#                        GenericWrite, WriteDacl, WriteOwner
#InheritanceType : None
#ObjectType : 00000000-0000-0000-0000-000000000000
#InheritedObjectType : 00000000-0000-0000-0000-000000000000
#ObjectFlags : None
#AccessControlType : Allow
#IdentityReference : Domain\machine$
#IsInherited : False
#InheritanceFlags : None
#PropagationFlags : None
#

function get-partition {
    param ( $record )
    #need to split off everything after first name to find longest zone match
    #using get-dnsserverzone ($name)
    $dnsrecordparts = $record.split(".")
    for ($i = 1; $i -lt $dnsrecordparts.length; $i++) {
        $zonenameTest = $dnsrecordparts[$i..($dnsrecordparts.length - 1)] -join "."
        $zoneObj = Get-DnsServerZone $zonenameTest -ErrorAction SilentlyContinue
        if ($zoneObj -ne $null) {
            Write-Output -InputObject $zoneObj
            break
        }
    }
}

function get-dnsobject {
    param ($record)
    $zoneObject = get-partition -record $record
    if ($zoneObject -eq $null) { throw "DNS zone not found" }
    $zonename = $zoneObject.zonename
    # strip the zone suffix to get the dnsNode name; the zone is regex-escaped so its dots
    # match literally, and -match is used inside "if" so its boolean does not leak into the output
    if ($record -match "^(.*)\.$([regex]::Escape($zonename))$") {
        $dnsRecordDN = "dc=" + $matches[1] + "," + $zoneObject.distinguishedname
        try { Get-ADObject $dnsRecordDN }
        catch { throw "Unable to find dns record for this machine" }
    } else {
        throw "$record is not in zone $zonename"
    }
}

try {
    try {
        $guid = [guid]'00000000-0000-0000-0000-000000000000'
        $adcomputer = Get-ADComputer $computername -Properties objectsid
        $sid = $adcomputer.objectsid
        $ctrl = [System.Security.AccessControl.AccessControlType]::Allow
        # 983423 = 0xF017F = the rights listed in the comment block above
        $rights = [System.DirectoryServices.ActiveDirectoryRights]983423
        $intype = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $ctrl, $guid, $intype)
    } catch { throw "Unable to get computer account SID" }

    try {
        #find record
        $dnsDN = get-dnsobject -record $dnsrecord
    } catch { throw $_ }

    try {
        $path = "AD:\$($dnsDN.distinguishedname)"
        $acl = Get-Acl -Path $path
        # owner is set by SID so the step does not depend on resolving DOMAIN\machine$
        $acl.SetOwner($sid)
        $acl.AddAccessRule($rule)
        Set-Acl -AclObject $acl -Path $path
    } catch { throw $_ }
} catch {
    Write-Error $_
}
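Before repairing records one at a time it helps to know which records in a zone are affected. The function below is an added example, not part of the original post: it walks every dnsNode in an AD integrated zone and reports records whose owner is not the matching computer account (the usual reason a client's dynamic update is refused). It is read-only; the script above does the repair. It assumes the ActiveDirectory and DnsServer modules on a DNS server; the zone name in the usage line is a placeholder.

```powershell
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DnsRecordOwnerMismatch {
    param (
        [Parameter(Mandatory = $true)][string]$ZoneName,
        [string]$NetbiosDomain = (Get-ADDomain).NetBIOSName
    )
    $zone = Get-DnsServerZone -Name $ZoneName
    if (-not $zone.DistinguishedName) { throw "$ZoneName is not an AD-integrated zone" }

    # dnsNode objects sit directly under the zone container. Tombstoned nodes are
    # deleted records that have not aged out yet and are skipped.
    Get-ADObject -SearchBase $zone.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE)))' `
        -Properties nTSecurityDescriptor |
    ForEach-Object {
        $label = $_.Name                  # "server01", "@" for the zone apex, "a.b" for nested names
        if ($label -eq '@') { return }    # apex records belong to the DNS server, not to a client

        # the account a dynamic-update client registers with is <first label>$
        $expected = "$NetbiosDomain\$($label.Split('.')[0])$"

        $ownerSid = $_.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier])
        try   { $owner = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $owner = $ownerSid.Value }   # orphaned SID: the owning account no longer exists

        if ($owner -ne $expected) {          # string -ne is case-insensitive
            [pscustomobject]@{
                Record        = "$label.$ZoneName"
                Owner         = $owner
                ExpectedOwner = $expected
                DN            = $_.DistinguishedName
            }
        }
    }
}

# Usage (zone name is a placeholder). Review the output before fixing anything:
# records registered by a DHCP server on behalf of clients are legitimately
# owned by the DHCP server's account, and static records by whoever created them.
# Get-DnsRecordOwnerMismatch -ZoneName 'contoso.com' | Format-Table -AutoSize
```

A record that shows up with a bare SID as owner is the clearest case: the account that registered it is gone, so nothing can update it until the owner is reset with the script above.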
Wednesday, December 21, 2016
DNS - limited forwarding delegated subdomain (in AD integrated zone)
Example:
-Organization has AD integrated zone Contoso.com on all AD domain controllers.
-Organization is outsourcing dns for subdomain hosting.contoso.com to external domain name servers
-Only 2 out of 50 domain controllers can access external dns for name resolution. All others do general forwarding to these 2 domain controllers.
Problem:
1) If we create a delegation in contoso.com pointing directly at the external DNS servers, every domain controller follows the delegation itself (a delegation is resolved by recursion to the listed name servers, not forwarded). The 48 domain controllers with no external access cannot reach those servers and name resolution fails.
2) If we create an AD integrated conditional forwarder for the subdomain, it replicates to all 50 servers and every one of them tries to forward to the external DNS servers. The 48 that cannot reach them fail the queries.
Solution:
-Create a subdomain delegation in contoso.com using only the name servers of the 2 internal domain controllers that have access to forward dns queries to external servers
-Create non-AD integrated conditional forwarders for hosting.contoso.com on these same 2 servers, pointing at the DNS server IPs of the external provider. A conditional forwarder zone for hosting.contoso.com is a closer match than the parent zone, so these 2 servers use the forwarder instead of following their own delegation, while the other 48 only ever see the delegation and hand the query to the 2.
-On the external provider, set up a dns zone for hosting.contoso.com
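The three steps above done with the DnsServer module, as an added example that is not part of the original post. It runs on a DC with the DNS role. Names and addresses are placeholders: dc1/dc2 are the two DCs that can reach the internet, dc3 one that cannot, 203.0.113.10/11 the external provider's name servers.

```powershell
Import-Module DnsServer

$parentZone = 'contoso.com'
$childLabel = 'hosting'
$childZone  = "$childLabel.$parentZone"
$forwardingDCs = @(
    @{ Name = 'dc1.contoso.com'; IP = '10.0.0.1' },
    @{ Name = 'dc2.contoso.com'; IP = '10.0.0.2' }
)
$externalNS = @('203.0.113.10', '203.0.113.11')

# Step 1: delegation in the AD-integrated parent zone. The NS records name only the
# two forwarding DCs; being part of contoso.com they replicate to every DC. The first
# call creates the delegation, further name servers are added as extra NS records.
$first, $rest = $forwardingDCs
Add-DnsServerZoneDelegation -Name $parentZone -ChildZoneName $childLabel `
    -NameServer $first.Name -IPAddress $first.IP -PassThru
foreach ($dc in $rest) {
    Add-DnsServerResourceRecord -ZoneName $parentZone -Name $childLabel -NS -NameServer $dc.Name -PassThru
}

# Step 2: conditional forwarder on the two forwarding DCs only. No -ReplicationScope,
# so the zone is file-backed on each server and never replicates to the other 48.
foreach ($dc in $forwardingDCs) {
    Add-DnsServerConditionalForwarderZone -ComputerName $dc.Name -Name $childZone `
        -MasterServers $externalNS -PassThru
}

# Check from both kinds of server: a forwarding DC answers through the forwarder,
# any other DC follows the delegation to dc1/dc2 and should return the same answer.
function Test-ChildZoneResolution {
    param (
        [Parameter(Mandatory = $true)][string[]]$Servers,
        [Parameter(Mandatory = $true)][string]$Name
    )
    foreach ($server in $Servers) {
        try {
            $answer = Resolve-DnsName -Name $Name -Type A -Server $server -ErrorAction Stop
            $ips = @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress)
            [pscustomobject]@{ Server = $server; Name = $Name; Ok = ($ips.Count -gt 0); Result = ($ips -join ',') }
        } catch {
            [pscustomobject]@{ Server = $server; Name = $Name; Ok = $false; Result = $_.Exception.Message }
        }
    }
}
# Test-ChildZoneResolution -Servers 'dc1.contoso.com', 'dc3.contoso.com' -Name "www.$childZone"
```

Step 3 (the zone at the external provider) has to exist before the check will pass; until then dc1/dc2 return SERVFAIL and dc3, following the delegation, reports the same failure.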
Wednesday, December 14, 2016
Learn typing on Arabic keyboards
Tuesday, December 6, 2016
SCCM windows update deployment failure 0x80240438
wuauhandler.log
<![LOG[OnSearchComplete - Failed to end search job. Error = 0x80240438.]LOG]!><time=".." date=".." component="WUAHandler" context="" type="3" thread="2744" file="cwuahandler.cpp:3223">
<![LOG[Scan failed with error = 0x80240438.]LOG]!><time=".." date=".." component="WUAHandler" context="" type="3" thread="2744" file="cwuahandler.cpp:3679">
updateshandler.log
<![LOG[Updates scan completion received, result = 0x80240438.]LOG]!><time=".." date=".." component="UpdatesHandler" context="" type="1" thread="9884" file="capplicabilityhandler.cpp:100">
updatesdeployment.log
<![LOG[Job error (0x80240438) received for assignment ({guid}) action]LOG]!><time=".." date=".." component="UpdatesDeploymentAgent" context="" type="3" thread="7056" file="updatesassignment.cpp:2235">
scanagent.log
<![LOG[ScanJob({guid}): CScanJobManager::OnScanComplete- failed at CScanJob::OnScanComplete with error=0x80240438]LOG]!><time=".." date=".." component="ScanAgent" context="" type="3" thread="11024" file="utils.cpp:537">
ciagent.log
<![LOG[Failed result received from applicability handler, error = 0x80240438]LOG]!><time=".." date=".." component="CIAgent" context="" type="3" thread="7056" file="capplicabilitybroker.cpp:79">
WindowsUpdate.log
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: Web service call failed with hr = 80240438.
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: Current service auth scheme='None'.
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: Proxy List used: '127.0.0.1:8888', Bypass List used: '(null)', Last Proxy used: '127.0.0.1:8888', Last auth Schemes used: 'None'.
yyyy-mm-dd hh:mm:ss 1068 30a4 WS FATAL: OnCallFailure failed with hr=0X80240438
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: NWS retry 1 for transient error 0x80240438
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: Nws Failure: errorCode=0x803d0010
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: There was an error communicating with the endpoint at 'http://deploymentserver:8530/ClientWebService/client.asmx'.
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: The given proxy cannot be reached.
------------------------------------------
netsh winhttp>show proxy
Current WinHTTP proxy settings:
Proxy Server(s) : 127.0.0.1:8888
Bypass List : (none)
The machine-wide WinHTTP proxy, which the Windows Update agent uses instead of the user's Internet Explorer settings, still points at 127.0.0.1:8888, a local debugging proxy (8888 is Fiddler's default port) that is no longer listening. Every call to the WSUS endpoint is sent through that proxy and fails with 0x80240438 (WU_E_PT_ENDPOINT_UNREACHABLE). Clearing it with "netsh winhttp reset proxy" (or pointing it at the real proxy with "netsh winhttp set proxy") and re-running the update scan resolves the deployment failure.
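To pull the failing proxy and endpoint out of WindowsUpdate.log and check both from the client, here is an added example that is not part of the original post. The log lines in it are a constructed sample in the same format as the excerpt above; on a real machine replace them with Get-Content "$env:windir\WindowsUpdate.log" (on Windows 10, Get-WindowsUpdateLog first writes that file). Host names are placeholders.

```powershell
function Get-WuProxyFailure {
    param ([Parameter(Mandatory = $true)][string[]]$LogLines)
    $proxy = $null; $endpoint = $null; $hresult = $null
    foreach ($line in $LogLines) {
        if ($line -match "Last Proxy used: '([^']*)'")                           { $proxy    = $matches[1] }
        if ($line -match "endpoint at '(https?://[^']+)'")                        { $endpoint = $matches[1] }
        if ($line -match 'Web service call failed with hr = ([0-9A-Fa-f]{8})')   { $hresult  = '0x' + $matches[1] }
    }
    [pscustomobject]@{ HResult = $hresult; Proxy = $proxy; Endpoint = $endpoint }
}

function Test-WuPath {
    param ([Parameter(Mandatory = $true)][pscustomobject]$Failure)
    # proxy the agent tried to use (empty or '(null)' when no proxy is configured)
    if ($Failure.Proxy -and $Failure.Proxy -ne '(null)') {
        $proxyHost, $proxyPort = $Failure.Proxy -split ':'
        $r = Test-NetConnection -ComputerName $proxyHost -Port ([int]$proxyPort) -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = "proxy $($Failure.Proxy)"; Reachable = $r.TcpTestSucceeded }
    }
    # WSUS endpoint reached directly, bypassing the proxy
    if ($Failure.Endpoint) {
        $u = [uri]$Failure.Endpoint
        $r = Test-NetConnection -ComputerName $u.Host -Port $u.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = "endpoint $($u.Host):$($u.Port)"; Reachable = $r.TcpTestSucceeded }
    }
}

# constructed sample lines in the WindowsUpdate.log format shown above
$sample = @(
    "yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: Web service call failed with hr = 80240438.",
    "yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: Proxy List used: '127.0.0.1:8888', Bypass List used: '(null)', Last Proxy used: '127.0.0.1:8888', Last auth Schemes used: 'None'.",
    "yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: There was an error communicating with the endpoint at 'http://deploymentserver:8530/ClientWebService/client.asmx'.",
    "yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: The given proxy cannot be reached."
)
$failure = Get-WuProxyFailure -LogLines $sample
$failure
Test-WuPath -Failure $failure

# If the proxy is unreachable but the endpoint is reachable directly, the machine-wide
# WinHTTP proxy is stale: clear it with "netsh winhttp reset proxy" and rescan.
```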
Wednesday, September 28, 2016
Masjid Nabawi (Madinah) - Tips
Tuesday, August 16, 2016
English
English - Uyghur 2
Thursday, July 28, 2016
MS - Certificate autoenrollment behind a firewall
Client to domain controller:
Ldap (TCP 389)
RPC (tcp 135)
RPC on dynamic port (>1023 TCP)
Client to certificate server(s) with the template available:
RPC endpoint mapper (TCP 135)
Dynamic RPC (TCP 1025-5000) for CA servers on Windows Server 2003 and earlier
Dynamic RPC (TCP 49152-65535) for CA servers on Windows Server 2008 and later
The certificate request interface (ICertPassage, UUID 91ae6020-9e3c-11cf-8d7c-00aa00c091be) registers its dynamic port with the endpoint mapper on the CA. Query the mapper from a host that can reach TCP 135 on the CA with an endpoint-mapper tool such as rpcdump (verbose output shown below) or PortQry -e 135; the Endpoint value of the ncacn_ip_tcp entry for that UUID is the port the firewall has to allow:
ProtSeq:ncacn_ip_tcp
Endpoint:52775
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:computername[52775]
UUID:91ae6020-9e3c-11cf-8d7c-00aa00c091be
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 0 VersMinor 0
Once you have obtained the port, you can use any port testing tool from the client to the CA server, such as Test-NetConnection -ComputerName <caserver> -Port <port>, to confirm that both that port and TCP 135 are reachable. The dynamic port can change when the Certificate Services service restarts, so a rule for one port is not a lasting fix: either narrow the CA's dynamic port range (netsh int ipv4 set dynamicport tcp) and open that range, or use Certificate Enrollment Web Services (CES/CEP) over HTTPS, which removes RPC between client and CA altogether.
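The lookup and the reachability test combined, as an added example that is not part of the original post. It parses endpoint-mapper output in the layout shown above, picks the TCP endpoint registered for the ICertPassage UUID and tests TCP 135 plus that port from the client. The sample lines are constructed; the CA host name is a placeholder.

```powershell
$ICertPassageUuid = '91ae6020-9e3c-11cf-8d7c-00aa00c091be'

function Get-CertRequestEndpoint {
    param ([Parameter(Mandatory = $true)][string[]]$EndpointMapperOutput)
    $entry = $null
    foreach ($line in $EndpointMapperOutput) {
        if ($line -match '^\s*ProtSeq:\s*(\S+)') {                 # start of one endpoint entry
            $entry = @{ ProtSeq = $matches[1]; Port = $null }
        } elseif ($entry -and $line -match '^\s*Endpoint:\s*(\d+)') {
            $entry.Port = [int]$matches[1]
        } elseif ($entry -and $line -match '^\s*UUID:\s*([0-9a-fA-F\-]{36})') {   # UUID follows Endpoint
            if ($entry.ProtSeq -eq 'ncacn_ip_tcp' -and $matches[1] -eq $ICertPassageUuid) {
                [pscustomobject]@{ Interface = 'ICertPassage'; ProtSeq = $entry.ProtSeq; Port = $entry.Port }
            }
        }
    }
}

function Test-CaRpcPath {
    param (
        [Parameter(Mandatory = $true)][string]$CaHost,
        [Parameter(Mandatory = $true)][int]$DynamicPort
    )
    # both the endpoint mapper and the dynamic port must be open from the client
    foreach ($port in 135, $DynamicPort) {
        $r = Test-NetConnection -ComputerName $CaHost -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ CaHost = $CaHost; Port = $port; Open = $r.TcpTestSucceeded }
    }
}

# constructed sample in the same layout as the endpoint-mapper excerpt above
$sample = @(
    'ProtSeq:ncacn_ip_tcp',
    'Endpoint:52775',
    'NetOpt:',
    'Annotation:',
    'IsListening:YES',
    'StringBinding:ncacn_ip_tcp:ca01[52775]',
    'UUID:91ae6020-9e3c-11cf-8d7c-00aa00c091be',
    'ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT',
    'VersMajor 0 VersMinor 0'
)
$ep = Get-CertRequestEndpoint -EndpointMapperOutput $sample
$ep
# Test-CaRpcPath -CaHost 'ca01.contoso.com' -DynamicPort $ep.Port
```

If 135 is open but the dynamic port is not, the client's error will come from the RPC binding rather than from the CA, which is why the endpoint mapper query is done first.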
Thursday, July 21, 2016
"SSLv3 Information Disclosure Vulnerability" - Dell Openmanage
OMSA 8.x
<Connector compression="force" SSLEnabled="true" clientAuth="false" keystoreFile="conf/keystore.db" keystorePass="${keystore_password}" keyPass="${key_password}" maxThreads="150" maxPostSize="6291456" port="1311" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"/>
--------------
OMSA 7.x
<!-- <Connector port="1311" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> -->
<Connector compression="force" SSLEnabled="true" address="*" clientAuth="false" keystoreFile="conf/keystore.db" keystorePass="${keystore_password}" keyPass="${key_password}" maxThreads="150" maxPostSize="6291456" port="1311" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
The difference is sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" on the 8.x connector. The 7.x connector only sets sslProtocol="TLS", which selects the JSSE context but leaves every protocol the JVM offers enabled, SSLv3 included. If the Tomcat bundled with OMSA 7.x honours sslEnabledProtocols, adding that attribute to the connector in server.xml and restarting the service closes the finding without an upgrade; re-test afterwards with the same s_client command.
You can test SSLv3 connections with openssl.
Server with OMSA 8.3
C:\>openssl s_client -connect OMSA8server:1311 -ssl3
Loading 'screen' into random state - done
CONNECTED(00000230)
12252:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:./ssl/s3_pkt.c:284:
Server with OMSA 7.3
C:\>openssl s_client -connect OMSA7Server:1311 -ssl3
Loading 'screen' into random state - done
CONNECTED(00000230)
depth=0 /C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=OMSA7Server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=OMSA7Server
verify return:1
*snip*
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 57901ECD7AE62B7F65EFA4160F2106E5ED39AB0BC5E53FEA6AD8359F7DC01AAB
Session-ID-ctx:
Master-Key: B37B02F7037C019E471A564F56629C1FBF45967F120DF631A15DCA048202CD2F069C9628116DAA00BB93466EDF5FA2E8
Key-Arg : None
Start Time: 1469062860
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
"TLS/SSL RC4 Cipher Suites Information Disclosure Vulnerability" Dell OpenManage
OMSA 8.x
<Connector compression="force" SSLEnabled="true" clientAuth="false" keystoreFile="conf/keystore.db" keystorePass="${keystore_password}" keyPass="${key_password}" maxThreads="150" maxPostSize="6291456" port="1311" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"/>
--------------
OMSA 7.x
<!-- <Connector port="1311" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> -->
<Connector compression="force" SSLEnabled="true" address="*" clientAuth="false" keystoreFile="conf/keystore.db" keystorePass="${keystore_password}" keyPass="${key_password}" maxThreads="150" maxPostSize="6291456" port="1311" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
You can test ciphers with openssl. The example below uses RC4-MD5. openssl uses its own cipher suite names rather than the TLS_/SSL_ names in the Tomcat configurations above; run "openssl ciphers -v" to list them. Note that the 7.x ciphers list also carries the 3DES suites (the *_3DES_EDE_CBC_SHA entries), which scanners flag as weak as well; the 8.x list drops both RC4 and 3DES.
Server with OMSA 8.3
C:\>openssl s_client -connect OMSA8Server:1311 -cipher RC4-MD5
Loading 'screen' into random state - done
CONNECTED(00000234)
11868:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:./ssl/s23_lib.c:188:
Server with OMSA 7.3
C:\>openssl s_client -connect OMSA7Server:1311 -cipher RC4-MD5
Loading 'screen' into random state - done
CONNECTED(00000230)
depth=0 /C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=OMSA7Server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=OMSA7Server
verify return:1
---
Certificate chain
0 s:/C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=OMSA7Server
i:/C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=OMSA7Server
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=/C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=OMSA7Server
issuer=/C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=OMSA7Server
---
No client certificate CA names sent
---
SSL handshake has read 1044 bytes and written 359 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 57901EA40CB03FB263CDC30D1B77107D9B872C0BB8D9DF655981A3AA3DA67C94
Session-ID-ctx:
Master-Key: 707E2C192E1ED22E22684CBEF9B1EC139F6EA00456AFE5B6E473242064006D9C86F3D85E0CBAEC39697D82CE65F6BA4D
Key-Arg : None
Start Time: 1469062820
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
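The SSLv3 and RC4 checks above are the same openssl s_client probe with different flags. Here they are wrapped into one function, as an added example that is not part of either original post, so the whole protocol/cipher matrix can be re-run after server.xml is changed. It assumes openssl.exe is on PATH (the openssl build also has to still support the probe, which is why an "unknown option" result is reported separately); the host name is a placeholder.

```powershell
function Test-SslServerSupport {
    param (
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 1311,
        [string[]]$ProtocolFlags = @('-ssl3', '-tls1', '-tls1_1', '-tls1_2'),
        # openssl names of the suites the OMSA 7.x connector offers that scanners flag
        [string[]]$CipherNames = @('RC4-MD5', 'RC4-SHA', 'DES-CBC3-SHA', 'EDH-RSA-DES-CBC3-SHA')
    )
    $target = '{0}:{1}' -f $ComputerName, $Port
    $probes = @()
    foreach ($f in $ProtocolFlags) { $probes += [pscustomobject]@{ Probe = $f;          Args = @($f) } }
    foreach ($c in $CipherNames)   { $probes += [pscustomobject]@{ Probe = "cipher $c"; Args = @('-cipher', $c) } }

    foreach ($p in $probes) {
        # empty stdin makes s_client exit right after the handshake instead of waiting for input
        $out = ('' | & openssl s_client -connect $target @($p.Args) 2>&1) | Out-String

        $status = if ($out -match 'unknown option|not supported') {
            'client build cannot test'          # e.g. -ssl3 on an openssl built without SSLv3
        } elseif ($out -match ':error:|handshake failure|wrong version number') {
            'rejected'                          # the two failure outputs shown above
        } elseif ($out -match 'Cipher\s*:\s*(\S+)' -and $matches[1] -ne '0000') {
            'accepted'
        } else {
            'no handshake'
        }
        $proto  = if ($out -match 'Protocol\s*:\s*(\S+)') { $matches[1] } else { '' }
        $cipher = if ($out -match 'Cipher\s*:\s*(\S+)')   { $matches[1] } else { '' }

        [pscustomobject]@{ Probe = $p.Probe; Status = $status; Protocol = $proto; Cipher = $cipher }
    }
}
# Test-SslServerSupport -ComputerName 'OMSA7Server' | Format-Table -AutoSize
```

Against the 7.x server above this reports -ssl3 and the RC4 and 3DES probes as accepted; against the 8.x server only the -tls1* probes succeed, with AES suites negotiated.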
Tuesday, June 21, 2016
Tips for AD group membership management in powershell
Fails: Get-adgroupmember "LargeGroup"
error: Get-ADGroupMember : The size limit for this request was exceeded
Works: Add-adgroupmember and remove-adgroupmember
Work Around: get-adgroup "LargeGroup" -properties member | select -expand member
This reads the group's member attribute directly and returns the distinguished names of all direct members as an array. The limit Get-ADGroupMember runs into is the ADWS MaxGroupOrMemberEntries setting on the domain controller (default 5000); reading the attribute is not subject to it, but unlike Get-ADGroupMember -Recursive it does not expand nested groups.
-----------------------------------------------
Piping groups or users into a group membership cmdlet to change the group memberships.
1) When you are piping groups into a cmdlet where the user(s) are static. Pipe to Add-ADGroupMember.
Ex: get-adgroup -filter {name -like "HelpDesk*"}| add-adgroupmember -members $userdn
2) When you are piping users into a cmdlet where the group(s) are static. Pipe to Add-ADPrincipalGroupMembership
Ex: get-aduser bob | Add-ADPrincipalGroupMembership -memberof $groupdn
NOTE: Add-ADPrincipalGroupMembership will generate successful security audit events (Directory Service Change) for the addition of the group member, even if they were already a member of the group
-----------------------------------------------
When using Add-ADGroupMember with an array of members, the whole call is a single LDAP modify, so if any one of them is already in the group the entire operation fails and nobody is added. Either add them one at a time, or read the member attribute first and pass only the missing members.
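The second approach, as an added example that is not part of the original post: read the member attribute first and hand Add-ADGroupMember only the DNs that are missing, so the call cannot fail on an existing member and no Directory Service Change audit event is written for accounts that were already members. Group name and DNs in the usage line are placeholders.

```powershell
Import-Module ActiveDirectory

function Add-ADGroupMemberIfMissing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)][string]$Group,
        [Parameter(Mandatory = $true)][string[]]$MemberDN
    )
    # member attribute instead of Get-ADGroupMember: not subject to the ADWS size limit
    $current = @(Get-ADGroup -Identity $Group -Properties member | Select-Object -ExpandProperty member)
    $wanted  = @($MemberDN | Select-Object -Unique)
    $toAdd   = @($wanted | Where-Object { $current -notcontains $_ })   # -notcontains is case-insensitive

    $added = 0
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "add $($toAdd.Count) member(s)")) {
        try {
            # one LDAP modify carrying all of the new members
            Add-ADGroupMember -Identity $Group -Members $toAdd -ErrorAction Stop
            $added = $toAdd.Count
        } catch {
            # the group changed between read and write, or one DN is bad: retry one at a
            # time so a single bad entry does not block the rest
            foreach ($dn in $toAdd) {
                try   { Add-ADGroupMember -Identity $Group -Members $dn -ErrorAction Stop; $added++ }
                catch { Write-Warning "$dn -> ${Group}: $($_.Exception.Message)" }
            }
        }
    }
    [pscustomobject]@{
        Group         = $Group
        Requested     = $wanted.Count
        AlreadyMember = $wanted.Count - $toAdd.Count
        Added         = $added
    }
}
# Add-ADGroupMemberIfMissing -Group 'HelpDesk-Tier1' `
#     -MemberDN 'CN=bob,OU=Users,DC=contoso,DC=com', 'CN=alice,OU=Users,DC=contoso,DC=com' -WhatIf
```

Because only real changes reach the directory, the audit trail on the domain controller reflects actual membership changes, which matters when group additions are being alerted on.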
Thursday, June 16, 2016
Piping get-aduser output through several custom powershell functions
What I wanted:
Take an OU, run get-aduser on the OU -> Pipe to an analysis function to check password expiration for different types of accounts and password policies, then decide if an email notice needed to be sent -> Pipe (if needed) to an email function -> Pipe the results of all of the above to logging function.
At each stage, different bits of calculated data or additional properties needed to be added to the original get-aduser object. This was possible by using custom PSObjects after the initial analysis function. The basics of the code is below:
function process-OU {
    param (
        [parameter(mandatory=$true)][string]$searchbase,
        [string]$type = "standard"
    )
    Get-ADUser -Filter {(enabled -eq $True) -and (mail -like "*")} `
        -SearchBase $searchbase `
        -Properties mail, PasswordLastSet, sn, PasswordNeverExpires |
        analyze-user -type $type | email-user | log-result
}

function Analyze-User {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$True,ValueFromPipeline=$True)]
        [Microsoft.ActiveDirectory.Management.ADAccount]$user,
        [string]$Type
    )
    begin {}
    process {
        #do some analysis and decide if you want to
        #continue with write-output $user
        #(here: accounts whose password never expires get no notice)
        $proceedToEmail = -not $user.PasswordNeverExpires
        #Add any additional pieces of information to the user object with
        add-member -InputObject $user -Force NoteProperty Expired $False
        add-member -InputObject $user -Force NoteProperty PolicyType $Type
        if ($proceedToEmail) { write-output $user }
    }
}

function Email-User {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$True,ValueFromPipeline=$True)]
        [PSObject]$emailuser
    )
    #Notice the parameter type is a generic [psobject] as it is no longer
    #conforming to the [Microsoft.ActiveDirectory.Management.ADAccount] type
    Begin {}
    Process {
        #handle email creation and sending.
        #Check if it was sent without error,
        #add email status as another property, then pass the object on
        add-member -InputObject $emailuser -Force NoteProperty EmailSent $False
        write-output $emailuser
    }
}

function log-result {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$True,ValueFromPipeline=$True)]
        [PSObject]$user
    )
    begin {}
    process {
        #do some logging here
    }
}

process-OU -searchbase "ou=myusers,dc=contoso,dc=com" -type "regular"
Wednesday, April 27, 2016
Start menu won't open in Windows 10 Home
In the event logs, they were full of ESENT events:
Event 465: ESENT
svchost (2972) TILEREPOSITORYS-1-5-21-1971466138-3024181641-1488003878-1003: Corruption was detected during soft recovery in logfile C:\Users\thekid\AppData\Local\TileDataLayer\Database\EDB.log. The failing checksum record is located at position END. Data not matching the log-file fill pattern first appeared in sector 279 (0x00000117). This logfile has been damaged and is unusable.
Event 477: ESENT
svchost (2972) TILEREPOSITORYS-1-5-21-1971466138-3024181641-1488003878-1003: The log range read from the file "C:\Users\thekid\AppData\Local\TileDataLayer\Database\EDB.log" at offset 1142784 (0x0000000000117000) for 4096 (0x00001000) bytes failed verification due to a range checksum mismatch. The expected checksum was 9075318455674107058 (0x7df2020d660074b2) and the actual checksum was 9075318455674107058 (0x7df2020d660074b2). The read operation will fail with error -501 (0xfffffe0b). If this condition persists then please restore the logfile from a previous backup.
Event 454: ESENT
svchost (2972) TILEREPOSITORYS-1-5-21-1971466138-3024181641-1488003878-1003: Database recovery/restore failed with unexpected error -501.
When I went into Settings -> Accounts -> Family & other users area to try to delete the account, the only options are change account type and block. To actually delete it, I had to use the "Manage family settings online" option. Under the More menu pull-down, there is an option to remove from family. This shifts the account from "Your Family" down to "Other Users", where you will have an option to remove them from the machine once you click on the name. It takes a bit of time to wipe out their profile, but once it's done, their user account folder is empty.
As some Microsoft people will write, user profile corruption really doesn't exist, but in reality it happens a lot. Windows 10 seems to be pretty sensitive to it and fails catastrophically. I wish schools would just use free office apps so we can stick to Linux.
There are several write ups that could help resolve this type of problem if you go searching for the specific event ID's above. If you just search for the start button not working, the tips you may come across seem pretty useless. Deleting a user account has its own issues (loss of data, or requirement to backup before doing so). For some other methods of dealing with this issue check out this post.
Thursday, April 14, 2016
Tuesday, April 12, 2016
Active Directory ACL's explained
Permission set in GUI: "Apply to: All Descendant objects, create/delete Conference Site objects"
ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType : Descendents
ObjectType : msExchConferenceContainer
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : ObjectAceTypePresent
AccessControlType : Allow
IdentityReference : TEST.LOCAL\Nathan
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly
Permission set in GUI: "Apply to: This object and all descendant objects, create/delete Contact objects"
ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType : All
ObjectType : contact
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : ObjectAceTypePresent
AccessControlType : Allow
IdentityReference : TEST.LOCAL\Nathan
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None
Permission set in GUI: "Apply to: This object only, create/delete Computer Objects"
ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType : None
ObjectType : computer
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : ObjectAceTypePresent
AccessControlType : Allow
IdentityReference : TEST.LOCAL\Nathan
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
Permission set in GUI: "Apply to: Descendent Computer objects, Modify Owner"
ActiveDirectoryRights : WriteOwner
InheritanceType : Descendents
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : computer
ObjectFlags : InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : BHI-MASTER\adminlinlnat
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly
InheritedObjectType: this is all zeros when the permission is for creating a child object in a container (the child class then goes in ObjectType). When the permission applies to a specific type of descendant object, InheritedObjectType holds that class and ObjectType is all zeros. When setting a permission on a specific property of a specific type of descendant object, both are filled in: ObjectType is the property (or extended right) and InheritedObjectType is the object class. ObjectFlags records which of the two GUIDs is present (ObjectAceTypePresent, InheritedObjectAceTypePresent, or both).
PropagationFlags: InheritOnly is set when the ACE applies to something other than the object it is set on, i.e. the OU itself is excluded. (https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags(v=vs.110).aspx)
InheritanceFlags: ContainerInherit when the ACE applies to anything below the current level. ObjectInherit exists in the .NET enum, but in practice AD ACEs use ContainerInherit, since the directory treats every object as a container for inheritance purposes. (https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.inheritanceflags(v=vs.110).aspx)
InheritanceType: All (this object and everything below it), Descendents (descendants only, not the current object), None (this object only). The enum also has Children (immediate children only) and SelfAndChildren (this object and its immediate children), which add NoPropagateInherit to PropagationFlags. Note that the enum value really is spelled "Descendents". (https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx)
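The mapping above can be automated in both directions. The following is an added example, not part of the original post: it resolves the schema and extended-right GUIDs to names, turns each ACE on an OU back into the "Apply to" wording the GUI uses, and builds the third ACE above (create/delete computer objects, this object only) for an identity. It assumes the ActiveDirectory module and a domain-joined session; the OU and identity in the usage lines are placeholders.

```powershell
Import-Module ActiveDirectory

# Map schemaIDGUID / rightsGuid values to names so ObjectType and InheritedObjectType
# can be printed as "computer" or "contact" instead of a GUID.
function Get-ADGuidNameMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    $map
}

# Translate one ACE into the "Apply to: ..." wording used in the four examples above.
function ConvertTo-AceDescription {
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.DirectoryServices.ActiveDirectoryAccessRule]$Ace,
        [Parameter(Mandatory = $true)][hashtable]$GuidMap
    )
    process {
        $empty = [guid]::Empty
        $applyTo = switch ([string]$Ace.InheritanceType) {
            'None'            { 'This object only' }
            'All'             { 'This object and all descendant objects' }
            'Descendents'     { 'All descendant objects' }
            'Children'        { 'Immediate child objects only' }
            'SelfAndChildren' { 'This object and immediate child objects' }
        }
        # InheritedObjectType narrows the scope to one class of descendant
        if ($Ace.InheritedObjectType -ne $empty) {
            $applyTo = "Descendant $($GuidMap[$Ace.InheritedObjectType.ToString()]) objects"
        }
        # ObjectType names the child class, attribute or extended right the rights apply to
        $rights = [string]$Ace.ActiveDirectoryRights
        if ($Ace.ObjectType -ne $empty) {
            $rights += " ($($GuidMap[$Ace.ObjectType.ToString()]))"
        }
        [pscustomobject]@{
            Identity  = [string]$Ace.IdentityReference
            Type      = [string]$Ace.AccessControlType
            Rights    = $rights
            ApplyTo   = $applyTo
            Inherited = $Ace.IsInherited
        }
    }
}

# Explicit (non-inherited) ACEs on an OU: the delegations someone set by hand.
function Get-OUExplicitAces {
    param ([Parameter(Mandatory = $true)][string]$OuDN, [hashtable]$GuidMap = (Get-ADGuidNameMap))
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { -not $_.IsInherited } |
        ConvertTo-AceDescription -GuidMap $GuidMap
}

# Build a create/delete ACE for a child class, e.g. the "This object only, create/delete
# Computer objects" example above (InheritanceType None); pass Descendents or All to widen it.
function New-CreateDeleteChildAce {
    param (
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$ChildClass,
        [Parameter(Mandatory = $true)][hashtable]$GuidMap,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None'
    )
    $classGuid = [guid]($GuidMap.GetEnumerator() | Where-Object { $_.Value -eq $ChildClass } | Select-Object -First 1).Key
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        [System.Security.Principal.NTAccount]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $classGuid,
        $Inheritance
    )
}

# Usage (placeholders):
# $map = Get-ADGuidNameMap
# Get-OUExplicitAces -OuDN 'OU=Servers,DC=test,DC=local' -GuidMap $map | Format-Table -AutoSize
# $ace = New-CreateDeleteChildAce -Identity 'TEST\Nathan' -ChildClass 'computer' -GuidMap $map
# $ace | ConvertTo-AceDescription -GuidMap $map      # shows "CreateChild, DeleteChild (computer)" / "This object only"
# $acl = Get-Acl 'AD:\OU=Servers,DC=test,DC=local'; $acl.AddAccessRule($ace); Set-Acl -Path 'AD:\OU=Servers,DC=test,DC=local' -AclObject $acl
```

Running Get-OUExplicitAces across the OUs that hold servers and privileged accounts is a quick way to find delegations such as WriteOwner or WriteDacl on descendant objects that nobody remembers granting.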
Wednesday, February 24, 2016
Some useful links for group policy client side debugging
How to enable it: http://blogs.technet.com/b/mempson/archive/2010/01/10/userenvlog-for-windows-vista-2008-win7.aspx
Enabling it for older OSes: http://social.technet.microsoft.com/wiki/contents/articles/4506.group-policy-debug-log-settings.aspx
How to understand the log files: http://blogs.msdn.com/b/richpec/archive/2009/07/20/userenv-debugging-line-by-line.aspx
Repairing local security policy: https://support.microsoft.com/en-us/kb/278316