Tag Archives: PowerShell

Review Active Directory Domain Service Events with PowerShell

There are different ways to review Active Directory service related logs in a domain controller. Most common way is to review events under Event Viewer mmc. 

event1

We can review events using server manager too. 

event2

We also can use PowerShell commands to review event logs or filter events from local and remote computers without any additional service configurations. Get-EventLog is the primary cmdlet we can use for this task. 

Get-EventLog -List

Above command will list down the details about the log files in your local system including the log file name, max log file size, number of entries. 

Get-EventLog -LogName ‘Directory Service’ | fl

Above command will list down all the events under the log file Directory Service

we also can limit the number of events we need to list down. As an example, if we only need to list down the latest 5 events from the Directory Service log file, we can use,

Get-EventLog -Newest 5 -LogName ‘Directory Service’

We can further filter down it by listing down evens according to entry type. 

Get-EventLog -Newest 5 -LogName ‘Directory Service’ -EntryType Error

Above command will list down first five “errors” in the Directory Service log file.

We also can add time limit to filter events more. 

Get-EventLog -Newest 5 -LogName ‘Directory Service’ -EntryType Error –After (Get-Date).AddDays(-1)

Above command will list down the events with error type ‘error’ with in last 24 hours under Directory Service log.

We also can get the events from the remote computers. 

Get-EventLog -Newest 5 -LogName ‘Directory Service’ -ComputerName ‘REBEL-SRV01’ | fl -Property *

Above command will list down the first five log entries in Directory Service log file from REBEL-SRV01 remote computer. 

event3

We also can extract events from few computers in same time. 

Get-EventLog -Newest 5 -LogName ‘Directory Service’ -ComputerName “localhost”,“REBEL-SRV01”

Above command will list down the log entries from local computer and the REBEL-SRV01 remote computer. 

When it comes to filtering, we can further filter events using the event source. 

Get-EventLog -LogName ‘Directory Service’ -Source “NTDS KCC”

Above command will list down the events with the source NTDS KCC

It also allows to search for the specific event ids. 

Get-EventLog -LogName ‘Directory Service’ | where {$_.eventID -eq 1000}

Above command will list down the events with event id 1000. 

Note – There are recommended list of events which we need to audit periodically to identify potential issues in active directory environment. The complete list is available for review under https://docs.microsoft.com/en-gb/windows-server/identity/ad-ds/plan/appendix-l–events-to-monitor

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.  

MANAGE AZURE ACTIVE DIRECTORY WITH POWERSHELL – PART 02

In previous part of this blog serious, I have explained how we can install Azure AD PowerShell module and how it can use it to manage Azure Active Directory directly using PowerShell Commands. If you not read it yet you can find it using http://www.rebeladmin.com/2017/02/manage-azure-active-directory-powershell-part-01/

In this post, I am going to explain about another set of cmdlets and the ways to use.

Some of the commands which we use for on-premises Active Directory Management works for Azure Active Directory too. only difference is the cmdlet itself. As an example, in on-premises AD, we use New-ADUser to add user, in Azure AD it becomes New-​Msol​User. If you like to know further about command and its use, easiest way to start is using following commands.

More information about a command can view using,

Get-Help New-​Msol​User -Detailed

Technical Information about thecommand can view using,

Get-Help New-​Msol​User -Full

Online information about the command can view using,

Get-Help New-Msol​User -Online

We also can view some example for the command using,

Get-Help New-Msol​User -Example

power1

We can simply create new user using,

New-MsolUser -UserPrincipalName "jeffm@therebeladmin.com" -DisplayName "Jeff Mak" -FirstName "Jeff" -LastName "Mak" -PasswordNeverExpires $true

power2

In order to create a user, you need to connect to Azure AD with a user who has “Global Admin” role.

In above command UserPrincipalName specify the UPN and user password s set not to expire.

It is obvious sometime we need to change password of an existing account.

Set-MsolUserPassword -UserPrincipalName "jeffm@therebeladmin.com" -NewPassword "pa$$word"

The above command will reset the password for the jeffm@therebeladmin.com in to new password.

Instead of specifying password, following command will generate random password and force user to reset it on next login.

Set-MsolUserPassword -UserPrincipalName "jeffm@therebeladmin.com" -ForceChangePassword $true

power3

Azure Active Directory does have predefined administrative roles with different capabilities. This allows administrators to assign permissions to users to do only certain tasks.

More details about these administrative roles and their capabilities can found on https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles

We can list down these administrative roles using

Get-MsolRole

power4

According to requirements, we can add users to these administrative roles.

Add-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberObjectId "e74c79ec-250f-4a47-80dd-78022455e383"

Above command will add user with object id e74c79ec-250f-4a47-80dd-78022455e383 to the role.

In order to view existing members of different administrator roles, we can use command similar to below.

$RoleMembers = Get-MsolRole -RoleName "User Account Administrator"

Get-MsolRoleMember -RoleObjectId $RoleMembers.ObjectId

This will list down the users with User Account Administrator role assigned.

power5

Apart from the roles, AD also have security groups.

New-MsolGroup -DisplayName "HelpDesk" -Description "Help Desk Users"

Above command creates a group called HelpDesk

power6

power7

A group contains members. We can add members to group using commands similar to below.

Add-MsolGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1 -GroupMemberType User -GroupMemberObjectId e74c79ec-250f-4a47-80dd-78022455e383

This will add user with object id e74c79ec-250f-4a47-80dd-78022455e383 to group with object id a53cc08c-6ffa-4bd6-8b03-807740e100f1.

We can list down the users of the group using

Get-MsolGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1

power8

We can view all the groups and their group ids using

Get-MsolGroup

power9

In order to remove member from the security group we can use Remove-MsoLGroupMember cmdlet.

Remove-MsoLGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1 -GroupMemberType User -GroupmemberObjectId e74c79ec-250f-4a47-80dd-78022455e383

In order to remove a user from administrator role we can use Remove-MsolRoleMember cmdlet.

Remove-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberType User -RoleMemberObjectId "e74c79ec-250f-4a47-80dd-78022455e383"

Above command will remove user with object id e74c79ec-250f-4a47-80dd-78022455e383 from the group User Account Administrator

This is the end of the part 2 of this series. In next part, we will look further in to Azure AD management with PowerShell.

If you have any questions feel free to contact me on rebeladm@live.com

Just Enough Administration (JEA)

I was off from blogging for few months as I had to spend my free time on another task which will help all of you more. Stay tuned! More info will share soon. Anyway, I am back on blogging!

JEA was first introduced in 2014 and it was the first approach towards the privilege access management comes with windows server 2016. JEA allows to provides role based privileges instead of full administrative privileges.

Peter is working in 2nd line support. Every month he needs to run script against helpdesk system to create custom report which indicates monthly support tickets progress. In order to do that he log in to helpdesk server and run the script. This script needs to run as administrator of the server. there for he is member of administrator group. However, this is the only task he run on that server with such privileges. Administrator of a server has privileges to do almost anything on the server. if someone else got access to peter’s account, nothing will prevent from changing entire helpdesk system. Using JEA, we can assign just enough privileges for peter to run the scripts from helpdesk host instead of giving administrator privileges. Privileges assigned for peter is only valid for helpdesk server and he cannot run same script from another server.

There are few limitations with JEA,

  • This is fully worked with PowerShell. Not everyone uses PowerShell.
  •  Not supported with each and every management tasks. If you working with script which works with multiple hosts it will difficult to use JEA.
  • Not every third-party application support to work with JEA.

If above limitations stopping you, most suitable solution with be the privileged access management with windows server 2016. Privileged access management will be covered in later blog post.

There are two components in JEA,

PowerShell Session Configuration file

This allows to map users to the hosts. Using it we can map users, groups to specific management roles. It also allows to configure global settings such as virtual accounts and transcription policies. PowerShell Session Configuration file is system specific. There for, configuration settings can apply per-host basis.

Role Capability files

These configuration files specify what actions can perform by the users. It can be a running a script, running a service, running cmdlets or running a program. These tasks can group in to roles and share it with other users. 

Configuration

In this demo, I am using a system with windows server 2016 with latest updates.

In order to install JEA, we need to log in to the system as local administrator and open the PowerShell.

1. Then run command, Install-Module xJEA. It will ask few questions before it import some modules. Provide appropriate answers to install them.

jea1

2. Once its completed we can confirm it using Find-Module –Name xJEA

jea2

3. Once JEA module installed and next step is to prepare the environment. It can be done using a script which comes with JEA module. it is located at, C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples\SetupJEA.ps1

This script will,

·         Removes all existing endpoint configuration from the host

·         Configure the DSC Local Configuration Manager to apply changes, then checks every 30 minutes to make sure the configuration has not altered

·         Enables Debug mode

To run the file, navigate to folder C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples\ and run .\SetupJEA.ps1

jea3

That’s it! we done the installation and initial configuration. 

Testing!

JEA installation comes with 3 demo endpoint configurations which we can use as reference to create endpoint. These demo files are located in C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples

Demo1.ps1

cls

 

configuration Demo1

{

    Import-DscResource -module xjea

    xJeaToolKit Process

    {

        Name         = 'Process'

        CommandSpecs = @"

Name,Parameter,ValidateSet,ValidatePattern

Get-Process

Get-Service

Stop-Process,Name,calc;notepad

Restart-Service,Name,,^A

"@

    }

    xJeaEndPoint Demo1EP

    {

        Name                   = 'Demo1EP'

        Toolkit                = 'Process'

        SecurityDescriptorSddl = 'O:NSG:BAD:P(A;;GX;;;WD)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'                                 

        DependsOn              = '[xJeaToolKit]Process'

    }

}

Demo1 -OutputPath C:\JeaDemo

 

Start-DscConfiguration -Path C:\JeaDemo -ComputerName localhost -Verbose -wait -debug -ErrorAction SilentlyContinue -ErrorVariable errors

if($errors | ? FullyQualifiedErrorId -ne 'HRESULT 0x803381fa')

{

    $errors | Write-Error     

}

 

start-sleep -Seconds 30 #Wait for WINRM to restart

 

$s = New-PSSession -cn . -ConfigurationName Demo1EP

Invoke-command $s {get-command} |out-string

Invoke-Command $s {get-command stop-process -Syntax}

# Enter-pssession $s

 

Remove-PSSession $s

#EOF

As per the above it only allowed to use following cmdlets.

  • Default JEA configuration
  • Get-Process
  • Get-Service
  • Stop-Process,Name,calc;notepad
  • Restart-Service,Name

According to above Stop-Process cmdlet only can use to stop calculator and notepad process. But it allows to use Restart-Service, Get-Process, Get-Service cmdlets.

In order to run the demo config, navigate to C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples and run .\Demo1.ps1

jea4

Once its successfully execute, we can verify the new PowerShell session configuration using,

Get-PSSessionConfiguration

jea5

In order to test, now we need to connect to new endpoint. It can be done using

Enter-PSSession –ComputerName localhost –ConfigurationName demo1ep

In above –ConfigurationName defines the endpoint name.

As soon as I run the command, its connect to the endpoint and change the path to C:\Users\JSA-Demo1EP\Documents

jea6

in the backend JEA commands execute using JEA local administrator account. This login details no need to know by end users and its password been reset on daily basis automatically. This user is setup as part of the installation process by JEA.

jea7

jea8

Once session is connected, we can test it with an allowed command first. According to configuration we allowed to run Get-Service command without any limits.

jea9

The use I logged in to this computer is a local administrator. So, I have enough privileges to restart the computer using Restart-Computer cmdlet. But now I am connected to endpoint. According to endpoint config it should not allow me to do so.

jea10

Voila! It is working as expected. there are lot of channel9 videos, articles out there which discuss about JEA capabilities. I encourage you to go through them and get more understanding on this great tool. Also through the GitHub you can find lot of sample endpoint configurations.

Hope this post was helpful and if you have any question contact me on rebeladm@live.com

How to force Azure AD Sync to sync data with Azure AD?

Azure AD Sync is used to sync on-premises AD data with Azure AD. By default Azure AD sync will sync data with Azure AD in every 3 hours’ time. But will it be enough? Do we need to wait for 3 hours to get data sync?

Answer is no. there is 2 options to do this.

1)    Change the Default schedule to lower the sync intervals from 3 hours to match with your requirement.
2)    Forcefully sync data with Azure AD when required.

In this demo I am using on premises AD server which running windows server 2016 TP4.

Change Default Sync Schedule

1)    Log in to the On-premises AD server which have AD sync tool installed as Domain/Enterprise admin
2)    Go to > Task Scheduler
3)    Then you will be able to see the schedule called “Azure AD Sync Scheduler

adsync1

4)    Double click on the schedule, then go to triggers tab. Double click on trigger to edit.

adsync2

5)    In here you can define the time to sync.
6)    When you save it will ask which user account to use for the job. You can define service account to run this task.


Force to sync data via PowerShell

1)    Log in to the On-premises AD server which have AD sync tool installed Domain/Enterprise admin
2)    Load the powershell with admin privileges.

adsync3

3)    Then change directory to C:\Program Files\Microsoft Azure AD Sync\Bin

adsync4

4)    Then run .\DirectorySyncClientCmd.exe

adsync5

5)    This will run full sync of your on-premises AD with Azure AD

If you have any questions feel free to contact me on rebeladm@live.com

How to change UPN (User Principle Name) suffix for entire domain?

In organization, company may need to use multiple UPN suffixes for their operations. I wrote an article before explaining how to add multiple UPN suffixes to the domain. You can read it from http://www.rebeladmin.com/2015/01/how-to-configure-multiple-user-principal-name-upn-suffixes/

There are situation where you will need to do mass UPN suffix change. One of the recent challenge I face was, changing domain name suffix which end with .local to public domain name which ends with .com. because I was working with Azure AD integration with local AD. It only supports with public domain name. In my issue it was only few users since its demo, but what happen if you need to change it for hundreds of users? If you use manual method it will take ages to complete.

In following demo I am going to show how it can be done using power shell script.

In AD I have 3 users under “Test OU” called user1 to user3. All 3 are using canitpro.local as the UPN suffix.

suffix1

I need to change all users in to UPN suffix “rebeladmin.com”.

To do that, open PowerShell ISE with appropriate admin permissions.

suffix2

Then type and press enter,

Import-Module ActiveDirectory
$oldSuffix = "canitpro.local"
$newSuffix = "rebeladmin.com"
$ou = "DC=canitpro,DC=local"
$server = "DCM1"
Get-ADUser -SearchBase $ou -filter * | ForEach-Object {
$newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix)
$_ | Set-ADUser -server $server -UserPrincipalName $newUpn
}

In above $oldSuffix represent the old domain UPN suffix. $newSuffix represent the new UPN suffix it should change in to. $ou represent the search path. You can use specific OU or entire domain. I used entire domain for the demo. $server represent the DC server name.

suffix4

Now, let’s go and check if it’s changed. As we can see its changed in to new suffix.

suffix5

If you have any question about the post feel free to contact me on rebeladm@live.com