Active Directory Script Highlight: Disable and Move Users Who Have Not Logged on In 180 Days

In my last post I showed a simple script to identify users that have not logged on in the last 180 days and export basic information to a CSV file. This allowed you to look through the list and confirm that it really did contain the users you wanted to target for disabling. Once you are comfortable with the users you are targeting, it's time to disable them. The following script will again select the population that is over 180 days since last logon, then disable them, then move them to a designated disabled users OU.

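# Enabled users with no logon in the last 180 days
$Dusers = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 180.00:00:00 | ?{$_.enabled -eq $True}

# Disable that population (piped, so each account is processed in turn)
$Dusers | Disable-ADAccount

# Move only the accounts just disabled, not every disabled account in the domain
$Dusers | Move-ADObject -TargetPath "OU=DisabledUsers,DC=YourDomain,DC=Local"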

* Looks at users older than 180 days within the whole domain that are not already disabled, disables them, and moves them to the DisabledUsers OU for YourDomain.Local.

If you are looking to target a particular OU of users, you can simply add -SearchBase followed by the distinguished name of the OU you want to search in, like the following.

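# Enabled users under the given OU with no logon in the last 180 days
$Dusers = Search-ADAccount -SearchBase "OU=YourUsers,DC=YourDomain,DC=Local" -UsersOnly -AccountInactive -TimeSpan 180.00:00:00 | ?{$_.enabled -eq $True}

# Disable that population (piped, so each account is processed in turn)
$Dusers | Disable-ADAccount

# Move only the accounts just disabled, not every disabled account in the domain
$Dusers | Move-ADObject -TargetPath "OU=DisabledUsers,DC=YourDomain,DC=Local"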

* Looks at users older than 180 days in a particular Organizational Unit that are not already disabled, disables them, and moves them to the DisabledUsers OU for YourDomain.Local.
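The same disable-and-move run with a rollback record and a dry-run switch, as an added example that is not part of the original post. The CSV path, the $DryRun switch and the Restore-DisabledUser helper are assumptions made for illustration; the OU name is the placeholder used above.

```powershell
# Added example: paths, switch and helper name are illustrative assumptions.
Import-Module ActiveDirectory

$TargetOU    = 'OU=DisabledUsers,DC=YourDomain,DC=Local'   # placeholder OU from the post
$RollbackCsv = 'C:\temp\Disabled180-rollback.csv'          # hypothetical path
$DryRun      = $true                                       # $false to make changes

# Same population as the post: enabled users inactive for 180 days.
# Accounts with an empty LastLogonDate (never logged on) are left for manual review.
$Dusers = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 180.00:00:00 |
    Where-Object { $_.Enabled -and $_.LastLogonDate }

# Record where each account lived before it is touched, so it can be
# re-enabled and moved back if someone turns out to need it.
$Dusers |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName, ObjectGUID,
        @{ Name = 'DisabledOn'; Expression = { Get-Date -Format 'yyyy-MM-dd' } } |
    Export-Csv -Path $RollbackCsv -NoTypeInformation

foreach ($user in $Dusers) {
    # Act on the ObjectGUID: it stays valid after the move, the DN does not.
    $id = $user.ObjectGUID
    Disable-ADAccount -Identity $id -WhatIf:$DryRun
    Move-ADObject -Identity $id -TargetPath $TargetOU -WhatIf:$DryRun
}

# Rollback for one account, given one row from: Import-Csv $RollbackCsv
function Restore-DisabledUser {
    param([Parameter(Mandatory)] $Row)
    # Original parent container = original DN minus its first RDN
    # (split on the first comma that is not backslash-escaped).
    $parent = ($Row.DistinguishedName -split '(?<!\\),', 2)[1]
    Move-ADObject -Identity $Row.ObjectGUID -TargetPath $parent
    Enable-ADAccount -Identity $Row.ObjectGUID
}
```

With $DryRun left at $true the AD cmdlets only print what they would do; the CSV is still written so the list can be reviewed first.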

Posted in Active Directory, PowerShell

Active Directory Script Highlight: Identify User Not Logged in in 180 days

Domain migrations are in full swing, so I thought I would start to share some of the scripts used in the process. This one identifies users that have not logged on in over 180 days. The thought behind this is to find the target population to be migrated. We all have old accounts in our Active Directories. There is no reason to migrate all of those stale accounts, so this will help you find them early in your identification stages. This will allow you to disable them and allow for any re-enabling if necessary before the user migration process.

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 180.00:00:00 | ?{$_.enabled -eq $True} | sort lastlogondate | select-object samaccountname, lastlogondate, name, distinguishedname, enabled | Export-Csv c:\temp\Users180.csv

* Looks at users older than 180 days within the whole domain that are not already disabled, and outputs samaccountname, lastlogondate, name, distinguishedname, and enabled to a CSV file.

Posted in Active Directory, PowerShell

Hyper-V/RHEL7.4: Hang When Thaw on Microsoft Hyper-V

I came across this bug report from Red Hat when researching an issue where our newly deployed RHEL 7.4 VMs on Hyper-V would go into a hang state at times during the host backup process. Lots of good work was done here to find a potential solution by upgrading to the latest kernel, 3.10.0-843.el7.

See the full bug report (Bug 1502601) and process here: https://bugzilla.redhat.com/show_bug.cgi?id=1502601

Posted in Backup, Hyper-V, Linux, RHEL, RHEL 7.4

Latest Article – Preserve Hyper-V security from Meltdown and Spectre vulnerabilities

A complementary article to my last blog post here, but this time focusing on how to protect Hyper-V VMs from the Meltdown and Spectre vulnerabilities.

The Spectre and Meltdown vulnerabilities have admins scrambling for safety, and virtualization presents a particular challenge — one that requires host and VM protection in order to maintain Hyper-V security.

These vulnerabilities are inherent to the hardware architecture of processors in modern CPUs, which forces vendors to search for fixes through software patches. Microsoft Hyper-V admins can start the process of applying these patches by using the following steps to protect their VMs.

…. Read the rest of the article at SearchServerVirtualization.com

Posted in Hyper-V, MVP, PowerShell

Hyper-V and Spectre/Meltdown: Protecting Your Hosts – Do This!

There is a lot of information swirling around out there on what to do about the latest Spectre/Meltdown vulnerabilities. Whereas I can't tell you how to solve the vulnerabilities for every hardware and operating system combination, I can tell you how to get your Hyper-V environments protected. You might be interested in every fine detail of what is happening, or you may just want to find out how to get protected as quickly as possible. If you are interested in the latter, then this is the blog to start with. Here are the no-nonsense steps that will protect your Hyper-V hosts. I will be making a second post for the VMs running on these hosts.

Windows 2012 R2 and Windows 2016 Hosts

All Associated Files for Fixing and Testing for Spectre/Meltdown can be found HERE:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    • OR through Group Policy Registry Preference if you want to get to a baseline throughout your environment across all your hosts.
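One way to confirm that the three values above are in place on every host, whether they were set with reg add or pushed by Group Policy. This is an added example, not part of the original post; the host names HV01 and HV02 are hypothetical, and the remote run assumes PowerShell remoting is enabled on the hosts.

```powershell
# Added example. Expected values are the ones written by the reg add commands above.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$vz = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
$Expected = @(
    @{ Path = $mm; Name = 'FeatureSettingsOverride';            Value = '0' }
    @{ Path = $mm; Name = 'FeatureSettingsOverrideMask';        Value = '3' }
    @{ Path = $vz; Name = 'MinVmVersionForCpuBasedMitigations'; Value = '1.0' }
)

# Compares each expected value with the registry of the machine it runs on.
$Check = {
    param($Expected)
    foreach ($item in $Expected) {
        $key    = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        $actual = if ($key) { [string]$key.($item.Name) } else { $null }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $item.Name
            Expected = $item.Value
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Ok       = $actual -eq $item.Value
        }
    }
}

# Local host
& $Check $Expected | Format-Table -AutoSize

# Several hosts at once (hypothetical names); list only the values that drifted
$HyperVHosts = 'HV01', 'HV02'
Invoke-Command -ComputerName $HyperVHosts -ScriptBlock $Check -ArgumentList (,$Expected) |
    Where-Object { -not $_.Ok } |
    Format-Table Computer, Name, Expected, Actual -AutoSize
```

This only checks the registry baseline; Get-SpeculationControlSettings from the Testing steps is still the check for whether the mitigations are actually active.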

 

 

* Other Firmware Modules that I use can be found here:  Removed Due to Issues with first version of release firmware.  I will include more here once the final revisions have been released.

https://1drv.ms/f/s!AkBgjSJPQpxUnLQwzcraOFu8i5CsuA

For links to your HP or Dell hosts updated firmware for the Spectre/Meltdown Vulnerability, you can check the links below

HP: https://h22208.www2.hpe.com/eginfolib/securityalerts/SCAM/Side_Channel_Analysis_Method.html

Dell: http://www.dell.com/support/article/us/en/19/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en

 

Testing:

  • Download the following test scripts from HERE and place them in a folder on your Hyper-V host.
    • SpeculationControl.psd1
    • SpeculationControl.psm1
    • SpeculationControl-runme.ps1
  • Open PowerShell and Change your Directory to the location of your scripts i.e. CD \Spectre_Meltdown
  • Run Import-Module .\SpeculationControl.psd1
  • Run Get-SpeculationControlSettings
  • If patched correctly, your results should look like the screenshot below.

[Screenshot: Get-SpeculationControlSettings output]

If it looks like this, with lots of green, you are on the right track.  Check back to see if there are any other additions that come out in the next few days/weeks.

 

Sources for More Information:

https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms

Support Guidance:

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

 

 

 

 

Posted in Hyper-V, PowerShell, Vendor, Windows Server 2012 R2, Windows Server 2016

Computer Account Domain Migration Oddities – No Access to ADMIN$ share

When attempting to run the Security Translation Wizard to ensure resources like Local Profiles, Printers, Mapped Drives, Desktop, etc… are migrated over when users start to logon with their migrated user accounts, I ran into an odd error within ADMT.

Unable to access ADMIN$ share on the machine ‘COMPUTERNAME.DOMAIN.COM’. Make sure the share exists and the account running ADMT is a member of local administrators group on the machine ‘COMPUTERNAME.DOMAIN.COM’. hr=0x80070005. Access is denied.


The migration server, with ADMT installed and joined to the Target Domain, was unable to access some PCs by name using a UNC path, i.e. \\ComputerName\admin$, but I could access this location using the IP address, could resolve the name with NSLookup, have it respond to PING by name, and connect to the remote computer by name over RDP. Another anomaly I noticed was that when I went to Computer Management and tried to access this machine remotely, the Local Users and Groups section was inaccessible from this server.

Solution:

Turns out, the reason for this was that the Source computer object was still enabled. Once I disabled or deleted the Source computer object, I was immediately able to access the ADMIN$ shares and remote computer management of the migrated PCs.

Posted in Active Directory, ADMT

Enable or disable modern authentication in Exchange Online


Recently, when working on a domain migration, I experienced an issue with Outlook autodiscover working incorrectly for accounts that had been migrated to the target domain. The newly migrated users were keeping their same email addresses, their mailboxes were still hosted on O365, and all the appropriate object identifiers and directory synchronization were in place (different article to follow on how this was done), but Outlook clients were failing authentication since they were trying to use basic authentication. After using the PowerShell command in the link below to modify the tenant setting in O365, Outlook 2016 clients work pretty much immediately and Outlook 2013 can work with a registry modification. (Outlook 2010 and Outlook 2007 cannot use Modern Authentication.)

Enable or disable modern authentication in Exchange Online

https://support.office.com/en-us/article/Enable-or-disable-modern-authentication-in-Exchange-Online-58018196-f918-49cd-8238-56f57f38d662

Posted in Active Directory, O365