Channel: Active Directory – Jacques Dalbera's IT world

Difference between ADFS and Dirsync


DirSync and ADFS solve two different problems:

  • DirSync synchronises your on-premises AD to Office 365 (Azure AD): every user and group in Office 365 is created from your AD. Without password synchronisation this means two accounts and two passwords per user. The latest version of DirSync adds password (hash) synchronisation, so users still have two accounts, but the same password once the AD password has been synced to Office 365.
  • ADFS forwards Office 365 authentication requests to your AD: YOUR AD is responsible for authentication, and if your AD or your ADFS servers/proxies become unavailable, nobody can authenticate to Office 365 at all.

You can set up DirSync WITHOUT ADFS, but you must have DirSync for ADFS: federation only authenticates users whose accounts already exist in Office 365, and DirSync is what creates them.

Dirsync on Technet: http://technet.microsoft.com/en-us/library/dn441212.aspx

To download DirSync, go to http://portal.microsoftonline.com (requires an enterprise account), then go to Office 365 Admin center, Users and groups, Active Directory synchronization, Set up …

Setup DirSync: https://www.cogmotive.com/blog/migration/setting-up-dirsync-between-active-directory-and-office-365



How To Automate Changing The Local Administrator Password

Server 2012 R2 Domain controller on server 2003 functional domain


“The Windows Server 2003 domain and forest functional levels are deprecated. When you create a new domain or forest, you should consider using a functional level from Windows Server 2008 or newer. When you deploy Windows Server 2012 R2 into an existing Windows Server 2003 environment, you will be notified to move to a newer functional level.”


Detecting intrusions using Windows event log monitoring


The NSA released a PDF entitled “Spotting the Adversary with Windows Event Log Monitoring” earlier this year. The good news is that it is one of the most detailed documents of its kind: from setting up event subscriptions to a hardened use of Windows Remote Management (authentication and firewall rules included), it tells you how to securely set up an environment where you can natively consolidate and monitor event log entries. In addition, the NSA covers a number of areas that should be monitored, complete with event IDs:

Machine-specific issues – which can be indications of malicious activity

  • Application Crashes
  • System or Service Failures
  • Kernel and Device Signing
  • The Windows Firewall

Administrator Activity – specific actions performed that may be suspect

  • Clearing of Event Logs
  • Software and Service Installation
  • Remote Desktop Logon
  • Account Usage

The bad news is you’re still left to sort out a TON of event log detail and interpret whether the entries are a problem or not.

Additionally: Changes to Group Policy only show up in the events as a change to the policy, but lack detail on exactly what was changed within the Group Policy.

To truly have a grasp on whether you have an “adversary” within or not and, if so, what that adversary is doing, you’re going to require a solution that not only collects events, but can correlate them into something intelligent. Your solution should:

  • Consolidate events
  • Focus on the events you are concerned about
  • Provide comprehensive detail about the changes to your systems, security and data

Three software solutions:

  • Netwrix Auditor for AD
  • Dell Change Auditor for AD
  • IBM QRadar (SIEM)

Better protect against “Pass the Hash” attacks

Advanced XML filtering in the Windows Event Viewer

List of most common and useful Windows Event IDs


Here is a list of the most common / useful Windows Event IDs.

Event Log, Source            EventID   EventID   Description
                           Pre-vista   Post-Vista
Security, Security               512   4608  Windows NT is starting up.
Security, Security               513   4609  Windows is shutting down.
System, USER32                   ---   1074  The process nnn has initiated the restart/shutdown of computer (System log, not Security).
Security, Security               514   4610  An authentication package has been loaded by the Local Security Authority.
Security, Security               515   4611  A trusted logon process has registered with the Local Security Authority.
Security, Security               516   4612  Internal resources allocated for the queuing of audit messages
                                             have been exhausted, leading to the loss of some audits.
Security, Security               518   4614  A notification package has been loaded by the Security Account Manager.
Security, Security,              519   4615  A process is using an invalid local procedure call (LPC) port.
Security, Security               520   4616  The system time was changed.
Security, Security               521    ---  Unable to log events to security log.
Security, Security(Logon/Logoff) 528   4624  Successful Logon.
Security, Security(Logon/Logoff) 540   4624  Successful Network Logon.
Security, Security(Logon/Logoff) 529   4625  Logon Failure - Unknown user name or bad password.
Security, Security(Logon/Logoff) 530   4625  Logon Failure - Account logon time restriction violation.
Security, Security(Logon/Logoff) 531   4625  Logon Failure - Account currently disabled.
Security, Security(Logon/Logoff) 532   4625  Logon Failure - The specified user account has expired.
Security, Security(Logon/Logoff) 533   4625  Logon Failure - User not allowed to logon at this computer.
Security, Security(Logon/Logoff) 534   4625  Logon Failure - The user has not been granted the requested logon type
                                             at this machine.
Security, Security(Logon/Logoff) 535   4625  Logon Failure - The specified account's password has expired.
Security, Security(Logon/Logoff) 536   4625  Logon Failure - The NetLogon component is not active.
Security, Security(Logon/Logoff) 537   4625  Logon failure - The logon attempt failed for other reasons.
Security, Security(Logon/Logoff) 538   4634  User Logoff.
Security, Security(Logon/Logoff) 539   4625  Logon Failure - Account locked out.
Security, Security(Logon/Logoff) ---   4646  IKE DoS-prevention mode started.
Security, Security(Logon/Logoff) 551   4647  User initiated logoff.
Security, Security(Logon/Logoff) 552   4648  A logon was attempted using explicit credentials.
Security, Security(Logon/Logoff) 553   4649  A replay attack was detected.
Security, Security(Logon/Logoff) 601   4697  A service was installed in the system.
Security, Object access          602   4698  A scheduled task was created.
Security, Object access          602   4699  A scheduled task was deleted.
Security, Object access          602   4700  A scheduled task was enabled.
Security, Object access          602   4701  A scheduled task was disabled.
Security, Object access          602   4702  A scheduled task was updated.
Security, Account Management     624   4720  User Account Created.
Security, Account Management     626   4722  User Account Enabled.
Security, Account Management     627   4723  Change Password Attempt.
Security, Account Management     628   4724  User Account password set.
Security, Account Management     629   4725  User Account Disabled.
Security, Account Management     630   4726  User Account Deleted.
Security, Account Management     636   4732  A member was added to a security-enabled local group (watch Administrators).
Security, Account Management     642   4738  User Account Changed.
Security, Account Management     643   4739  Domain Policy Changed.
Security, Account Management     644   4740  User Account Locked Out.
Security, Account Management     645   4741  Computer Account Created.
Security, Account Management     646   4742  Computer Account Changed.
Security, Account Management     647   4743  Computer Account Deleted.
Security, Account Management     671   4767  A user account was unlocked.
Security, Security(Logon/Logoff) 678   4774  An account was mapped for logon.
Security, Security(Logon/Logoff) 679   4775  The name: %2 could not be mapped for logon by: %1
Security, Security(Logon/Logoff) 680   4776  The computer attempted to validate the credentials for an account (NTLM).
Security, Security(Logon/Logoff) 681   4777  The logon to account: %2 by: %1 from workstation: %3 failed.
Security, Security(Logon/Logoff) 682   4778  Session reconnected to winstation.
Security, Security(Logon/Logoff) 683   4779  Session disconnected from winstation.
Security, Security(Logon/Logoff) ---   4800  The workstation was locked.
Security, Security(Logon/Logoff) ---   4801  The workstation was unlocked.
Security, Security(Logon/Logoff) ---   4802  The screen saver was invoked.
Security, Security(Logon/Logoff) ---   4803  The screen saver was dismissed.
System, EventLog,                6005  6005  The event log was started.  
System, EventLog,                6006  6006  The Event log service was stopped.
System, EventLog,                6013  6013  System uptime.
Security, Eventlog               517   1102  The audit log was cleared (Security log, source Microsoft-Windows-Eventlog).
Security, Eventlog               ---   1104  The security log is now full.
Security, Eventlog               ---   1105  Event log automatic backup.
Security, Eventlog               ---   1108  The event logging service encountered an error while processing an incoming event.
System, Service Control Manager  7035  7035  The nnn service was successfully sent a start/Stop control.
System, Service Control Manager  7036  7036  The nnn service entered the Running/Stopped state.
System, W32Time,                  29     29  The time provider NtpClient is configured to acquire time from
                                             one or more time sources; however none of the sources are currently accessible.
System, W32Time,                  38     38  The time provider NtpClient cannot reach or is currently receiving invalid time data.
System, W32Time,                  47     47  Time Provider NtpClient: No valid response received.

All logon/logoff events include a Logon Type code, the precise type of logon or logoff:

2 Interactive (console logon)
3 Network (remote file shares / printers / IIS integrated auth)
4 Batch (scheduled task)
5 Service (service account)
7 Unlock
8 NetworkCleartext (IIS basic authentication; the password reaches the server in clear text)
9 NewCredentials (RunAs /netonly; the new credentials are used for outbound connections only)
10 RemoteInteractive (Terminal Services, RDP)
11 CachedInteractive (cached domain credentials, no DC reachable)

When working with Event IDs it can be important to specify the source in addition to the ID, the same number can have different meanings in different logs from different sources.

With the launch of Vista many security event IDs changed, for most security events: VistaEventId = PreVistaEventId + 4096
The relationship between old and new IDs is not entirely 1:1 (you will notice some duplicate numbers in the table above.)

It is possible to view event logs from a remote computer, but if the remote machine is vista or later and the local machine is XP or 2003 then you will see the following error: “The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer.”
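The NSA list above and the ID table are only useful once something turns them into alerts. The following is an added example (not part of the original post) of a few detection rules over exactly those IDs: audit log cleared (1102), new service (4697 in Security, 7045 in System), new user (4720), member added to local Administrators (4732), lockouts (4740), RDP logons (4624 with logon type 10) and bursts of failed logons (4625). It first runs against a handful of constructed sample events so it works offline; ConvertTo-EventRecord feeds it real records from Get-WinEvent by reading the EventData fields by name rather than by index. Sample data, thresholds and the host names in the commented usage are assumptions.

```powershell
# Added example, not from the original post: event-ID based detection rules.

function ConvertTo-EventRecord {
    # Normalise a real EventLogRecord (from Get-WinEvent) into the shape the rules expect:
    # Id, TimeCreated and a hashtable of EventData fields keyed by their XML Name attribute.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $data = @{}
        $xml = [xml]$Event.ToXml()
        foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        [pscustomobject]@{ Id = $Event.Id; TimeCreated = $Event.TimeCreated; LogName = $Event.LogName; Data = $data }
    }
}

function Find-SuspiciousEvent {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$FailureThreshold = 5,   # 4625 failures for one account ...
        [int]$WindowMinutes   = 5     # ... inside this window => password guessing
    )
    $alert = { param($Severity, $Rule, $Event, $Detail)
        [pscustomobject]@{ Severity = $Severity; Rule = $Rule; Time = $Event.TimeCreated; Detail = $Detail } }

    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $d = $e.Data
        switch ($e.Id) {
            1102 { & $alert 'High'   'Audit log cleared'     $e "by $($d['SubjectDomainName'])\$($d['SubjectUserName'])" }
            4697 { & $alert 'High'   'Service installed'     $e "$($d['ServiceName']) -> $($d['ServiceFileName'])" }
            7045 { & $alert 'High'   'Service installed'     $e "$($d['ServiceName']) -> $($d['ImagePath'])" }
            4720 { & $alert 'Medium' 'User account created'  $e "$($d['TargetUserName']) by $($d['SubjectUserName'])" }
            4740 { & $alert 'Medium' 'Account locked out'    $e "$($d['TargetUserName']) from $($d['TargetDomainName'])" }
            4732 { if ($d['TargetUserName'] -eq 'Administrators') {
                       & $alert 'High' 'Member added to local Administrators' $e "$($d['MemberName']) by $($d['SubjectUserName'])" } }
            4624 { if ([int]$d['LogonType'] -eq 10) {
                       & $alert 'Medium' 'RDP logon' $e "$($d['TargetUserName']) from $($d['IpAddress'])" } }
        }
    }
    # Burst rule: N failures for the same account within the window (guessing or spraying)
    $Events | Where-Object Id -eq 4625 | Group-Object { $_.Data['TargetUserName'] } | ForEach-Object {
        $times = @($_.Group | ForEach-Object TimeCreated | Sort-Object)
        for ($i = 0; $i + $FailureThreshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $FailureThreshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                & $alert 'High' 'Logon failure burst' $_.Group[0] "$($_.Name): $($times.Count) failures"
                break
            }
        }
    }
}

# --- constructed sample events (not real log data) in the normalised shape ---
$t0 = Get-Date '2014-05-01 08:00:00'
$sample = New-Object System.Collections.ArrayList
[void]$sample.Add([pscustomobject]@{ Id = 4624; TimeCreated = $t0; Data = @{ TargetUserName = 'jdoe'; LogonType = '10'; IpAddress = '10.1.2.3' } })
1..6 | ForEach-Object {
    [void]$sample.Add([pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddSeconds(10 * $_); Data = @{ TargetUserName = 'administrator'; LogonType = '3'; IpAddress = '10.1.2.3' } }) }
[void]$sample.Add([pscustomobject]@{ Id = 7045; TimeCreated = $t0.AddMinutes(2); Data = @{ ServiceName = 'updsvc'; ImagePath = 'C:\Users\Public\u.exe' } })
[void]$sample.Add([pscustomobject]@{ Id = 1102; TimeCreated = $t0.AddMinutes(3); Data = @{ SubjectDomainName = 'CORP'; SubjectUserName = 'jdoe' } })

Find-SuspiciousEvent -Events $sample | Format-Table -AutoSize
# Expected: RDP logon, Service installed, Audit log cleared, Logon failure burst (administrator: 6 failures)

# --- same rules over the last 24 hours of a real host (event log read rights required;
#     add -ComputerName for a remote host, which needs the Remote Event Log Management firewall rule) ---
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security', 'System'; Id = 1102, 4624, 4625, 4697, 4720, 4732, 4740, 7045; StartTime = (Get-Date).AddDays(-1) } | ConvertTo-EventRecord
# Find-SuspiciousEvent -Events $live | Sort-Object Time | Format-Table -AutoSize
```

The point of ConvertTo-EventRecord is that the rules key on field names (TargetUserName, LogonType, ImagePath) instead of Properties[n] positions, so a rule written for 4624 is not silently wrong when applied to 4625, where the same field sits at a different index.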

Reference:

Q977519 – Description of security events in Windows 7 and in Windows Server 2008 R2
Technet – Event Log Policy Settings (Size/Retention)


Penetration testing resources


Powershell: One-liners to Get You Started


The server rebooted recently – who did it and when exactly?

Event ID 1074 covers a few activities beyond reboots, such as shutdown and power off (the event text says which). An unexpected power loss or crash produces System event 6008 instead and has no 1074 before it.

Get-EventLog -LogName System -Newest 1000 | Where-Object { $_.EventID -eq 1074 } | Format-Table MachineName, UserName, TimeGenerated -AutoSize

Query a remote system (note that Get-WinEvent exposes the user as a SID in UserId; the account name is in the message):

Get-WinEvent -LogName System -MaxEvents 3 -FilterXPath '*[System[(EventID=1074)]]' -ComputerName WIN8-DOT1 | Format-Table MachineName, UserId, TimeCreated -AutoSize

Parse a list of system names:

Get-Content c:\serverlist.txt | ForEach-Object { Get-WinEvent -LogName System -MaxEvents 3 -FilterXPath '*[System[(EventID=1074)]]' -ComputerName $_ } | Format-Table MachineName, UserId, TimeCreated -AutoSize
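Going one step further than the one-liners above, here is an added example (not from the original post) that reports reboot history for a list of hosts, pulls the user, process, reason and action out of the 1074 event data, also picks up unexpected shutdowns (System 6008), and reports a host that cannot be reached instead of aborting. It reads events over RPC like Get-WinEvent -ComputerName does, so the Remote Event Log Management firewall rule must allow it; c:\serverlist.txt is the list file the post already uses.

```powershell
# Added example, not from the original post: reboot history across hosts.
function Get-RebootHistory {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )
    $filter = @{ LogName = 'System'; Id = 1074, 6008; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($c in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No events were found" is also raised as an error; only unreachable hosts deserve a warning
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "${c}: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($e in $events) {
            if ($e.Id -eq 1074) {
                # 1074 EventData order: [0] process, [1] computer, [2] reason text, [3] reason code,
                # [4] action (restart / shutdown / power off), [5] comment, [6] user
                [pscustomobject]@{
                    Computer = $c
                    Time     = $e.TimeCreated
                    Action   = $e.Properties[4].Value
                    User     = $e.Properties[6].Value
                    Process  = $e.Properties[0].Value
                    Reason   = $e.Properties[2].Value
                }
            } else {
                # 6008 has no initiator: the machine simply came back up after an unclean stop
                [pscustomobject]@{
                    Computer = $c
                    Time     = $e.TimeCreated
                    Action   = 'unexpected shutdown (6008)'
                    User     = $null
                    Process  = $null
                    Reason   = $e.Message
                }
            }
        }
    }
}

Get-RebootHistory -ComputerName (Get-Content c:\serverlist.txt) -Days 7 |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

A 1074 initiated by winlogon.exe on behalf of a user is an interactive restart; one initiated by wininit.exe, msiexec.exe or a management agent with no user is usually patching. A 6008 with no matching 1074 shortly before it is the one worth asking questions about.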

Is there an easy way to see if KB2862152 is installed?

  • From the local system itself:
    • Get-HotFix -Id KB2862152

If the patch is installed, you get a nicely formatted output of where/what/who/when. (Get-HotFix reads Win32_QuickFixEngineering, so it only sees updates installed through Windows Update / servicing, not updates delivered as MSI packages.)

  • Query a remote system:
    • Get-HotFix -Id KB2862152 -ComputerName WS2008R2-DC01
  • Parse a handful of system names:
    • Get-HotFix -Id KB2862152 -ComputerName WS2012R2-DC01,WIN8-DOT1 | Out-GridView -Title "KB2862152 Status"

     

I need to backup all of the GPOs in the domain every day

  • Create a Scheduled Task in each domain that runs the following:
    • Backup-GPO -All -Path \\AdminServer\GPO-Backups
    • Backup-GPO does not record where each GPO is linked; if you need the links, export a report alongside it: Get-GPOReport -All -ReportType Xml -Path \\AdminServer\GPO-Backups\GPOReport.xml

What are the IP settings on my system(s)?

  • From the local system itself
    • Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -eq $true } | Select-Object PSComputerName, IPAddress, DefaultIPGateway, IPSubnet, DNSServerSearchOrder, WINSPrimaryServer | Format-Table -AutoSize
  • Query a remote system
    • Get-WmiObject -ComputerName WS2008-DC01 Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -eq $true } | Select-Object PSComputerName, IPAddress, DefaultIPGateway, IPSubnet, DNSServerSearchOrder, WINSPrimaryServer | Format-Table -AutoSize
  • Parse a list of system names and use Get-CimInstance, a newer cmdlet that is faster than Get-WmiObject (it talks WinRM to remote hosts instead of DCOM, so the hosts need WinRM enabled rather than the DCOM/RPC firewall exceptions)
    • Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = true' -ComputerName (Get-Content C:\SERVERLIST.TXT) | Select-Object PSComputerName, IPAddress, DefaultIPGateway, IPSubnet, DNSServerSearchOrder, WINSPrimaryServer | Format-Table -AutoSize | Out-File c:\IPSettings.txt

 

What are the BIOS versions on my systems?

  • From the local system itself:
    • Get-WMIobject win32_bios | Select-Object pscomputername,name
  • Query a remote system
    • Get-WMIobject -computername WS2008R2-DC01 win32_bios| Select-Object pscomputername,name
  • Parse a list of system names
    • Get-Content c:\serverlist.txt | Foreach-Object {Get-WMIobject -computername $_ win32_bios}| Out-Gridview
    • Or another way…
    • Get-WMIobject -computername (Get-Content c:\serverlist.txt) win32_bios | Select-Object pscomputername,name| out-file c:\BIOSversions.txt

A few more …

  • Are all of my DCs GCs?
    • Get-ADDomainController -Filter * | Select-Object HostName, IsGlobalCatalog | Format-Table -AutoSize
  • Which accounts in my domain are enabled and set to never expire the password? (Search-ADAccount returns disabled accounts too, hence the filter)
    • Search-ADAccount -PasswordNeverExpires | Where-Object { $_.Enabled } | Select-Object Name, Enabled | ConvertTo-Html > c:\pwdneverexpire.html
  • How can I parse an input file of some AD attribute for users (SAM account name in this case) and map those entries to another attribute for those users (the DN in this case)?
    • Get-Content C:\userlist.csv | ForEach-Object { Get-ADUser $_ | Select-Object DistinguishedName, SamAccountName } | Export-Csv -Path c:\newuserlist.csv -NoTypeInformation
  • What is the OS version and Service Pack level for all of my Windows systems in a certain OU? (ask for the two properties you need rather than -Properties *, which pulls every attribute of every computer)
    • Get-ADComputer -SearchScope Subtree -SearchBase "OU=PCs,DC=DOMAIN,DC=LAB" -Filter { OperatingSystem -like "Windows*" } -Properties OperatingSystem, OperatingSystemServicePack | Format-Table Name, OperatingSystem, OperatingSystemServicePack
  • Stop and/or start all of your lab VMs
    • Get-VM | Stop-VM
    • Get-VM | Start-VM

Windows forensics: have I been hacked?


Main question is: How do I know if I have been hacked?

Additional resources on my blog: http://wp.me/p15Zft-od

And some other links: http://www.computerforensicsworld.com/, http://www.forensics.nl/links

A first step is to scan the computer with a rootkit detector, then work through the toolkit below. Do the collection from a clean boot (safe mode, or better an offline boot from trusted media) so that a rootkit cannot hide its processes and files from the tools you run:

Toolkit to help you:

- forensic toolkits: http://www.sleuthkit.org/, http://sourceforge.net/projects/autopsy/

- online scanning: http://www.virustotal.com (look up the hash of a suspect file before uploading it; an upload hands the file to third parties)

- Windows event logs (see the event ID list above: cleared logs, new services, new accounts, lockouts, logon types)

- Windows safe mode! (run Autoruns from Sysinternals there to spot unknown autostart applications and services)

- Autoruns, Process Explorer, Process Monitor, TCPView, Handle, PsLoggedOn (http://www.microsoft.com/sysinternals)

- TreeSize Pro (http://www.jam-software.com/treesize/) to find recently changed or unusually large directories

- closethedoor (http://sourceforge.net/projects/closethedoor/)

- Wireshark (https://www.wireshark.org/download.html) or Microsoft Message Analyzer (http://www.microsoft.com/en-us/download/details.aspx?id=40308) for unexpected outbound connections

- nmap: http://nmap.org/download.html#windows, to see from another host which ports are really open

- traceroute: http://www.net.princeton.edu/traceroute.html
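Autoruns is the right tool for a full review, but when you only have a PowerShell window on the suspect host, a first pass over the two persistence points attackers use most (services and Run keys) is quick to script. The following is an added example (not from the original post); it lists every service and Run-key entry whose binary is not signed with a valid Authenticode signature, and flags unquoted service paths containing spaces, which are a privilege-escalation path in their own right. Unsigned does not mean malicious (plenty of legitimate software is unsigned); it only tells you where to look first. Run it elevated on PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: quick triage of services and Run keys.

function Get-ImagePathFromCommand {
    # Extract the executable from a command line such as
    #   "C:\Program Files\x\y.exe" -arg   or   C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = $CommandLine -replace '^\\\?\?\\', ''                 # strip the \??\ prefix some drivers use
    if ($cmd -match '^\s*"([^"]+)"')          { $p = $Matches[1] }
    elseif ($cmd -match '^\s*(.+?\.exe)(\s|$)') { $p = $Matches[1] }   # unquoted path, maybe with spaces
    else                                      { $p = ($cmd -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($p)
}

function Test-TrustedBinary {
    # True only for a file that exists and carries a signature that chains to a trusted root
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    (Get-AuthenticodeSignature -FilePath $Path).Status -eq 'Valid'
}

function Get-AutostartTriage {
    # Services
    Get-CimInstance Win32_Service | ForEach-Object {
        $path = Get-ImagePathFromCommand $_.PathName
        [pscustomobject]@{
            Type          = 'Service'
            Name          = $_.Name
            Path          = $path
            Account       = $_.StartName
            Trusted       = Test-TrustedBinary $path
            UnquotedSpace = ($_.PathName -notmatch '^\s*"' -and $path -match ' ')
        }
    }
    # Run / RunOnce keys for the machine and the current user
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($v in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }                  # PSPath, PSParentPath, ... are not values
            $path = Get-ImagePathFromCommand ([string]$v.Value)
            [pscustomobject]@{
                Type          = 'Run'
                Name          = "$key\$($v.Name)"
                Path          = $path
                Account       = ''
                Trusted       = Test-TrustedBinary $path
                UnquotedSpace = $false
            }
        }
    }
}

# Everything that is either unsigned/untrusted or has an unquoted path with spaces
Get-AutostartTriage | Where-Object { -not $_.Trusted -or $_.UnquotedSpace } | Format-Table -AutoSize
```

Compare the result with a known-good build of the same image where you can; the entries that differ are the ones to hand to the forensic toolkit.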


Powershell: how to mail enable a group using Quest and Exchange

Certsrv prompted for credentials !


One of the issues we run into when requesting new certificates from AD CS through the web enrollment pages is the dreaded 401 Unauthorized loop with certsrv.

Symptom

  1. Type the URL for your Certificate Server

    http://server/certsrv

  2. You are prompted for administrator credentials
  3. You enter said credentials
  4. You are again prompted for administrator credentials
  5. You enter said credentials
  6. You are presented with a 401 Unauthorized error message
  7. You bang your head against your desk in frustration

Cause

The IIS server is not negotiating your credentials correctly: the browser offers Negotiate (Kerberos) first, the Kerberos step fails, and instead of falling back to NTLM you end up in the prompt/401 loop. The usual reason for the Kerberos failure is the HTTP/<server FQDN> SPN being registered to a different account than the one the CertSrv application pool runs as (or registered twice), or browsing to the server by IP address or an alias that has no SPN. Check with setspn -Q HTTP/<server FQDN> before applying the workaround below.

Solution

The steps below force NTLM for the CertSrv application. This works around the Kerberos problem rather than fixing it (you lose Kerberos, and with it constrained delegation, for that application), which is acceptable for certsrv; fixing the SPN is the proper cure.

  1. Logon to the server hosting the Active Directory Certificate Services
  2. Launch Internet Information Services (IIS) Manager
  3. Drill down and click on the CertSrv application
    (Usually Server –> Sites –> Default Web Site –> CertSrv)
  4. Click and open the Authentication icon in the home view
  5. Click once on Windows Authentication to highlight the entry
  6. Select Providers from the Actions pane (located at the right of the IIS Manager)
  7. Move the NTLM provider to the top of the list. It *must* be the first enabled provider
  8. Restart IIS using IISRESET at the command prompt

 


Best Practices for AD DS Backup and Recovery


AD DS domain/forest recovery is a complex procedure that requires regular hands-on practice and a properly isolated recovery environment (Hyper-V or VMware on an isolated LAN).

AD DS forest recovery guidelines and procedures:

http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery%28WS.10%29.aspx

Some best practices for backing up and recovering AD DS:

  • Backup DNS integrated zone data (dnscmd /ZoneExport writes the file under %SystemRoot%\System32\dns and refuses to overwrite an existing file):
    • dnscmd /enumzones > C:\Script\AllZones.txt
      for /f %%a in (C:\Script\AllZones.txt) do dnscmd /ZoneExport %%a Export\%%a.dns
      (%%a is the batch-file form; type %a when running the line interactively. The enumzones output also contains header lines and the cache zone, which ZoneExport simply rejects.)
  • Backup all Group Policies and links (Backup-GPO -All for the GPOs, Get-GPOReport for the links)
  • Backup the distinguished names of all objects in the domain, with their last modification time, so that after an incident you can tell what was deleted or changed:
    • dsquery * domainroot -scope subtree -attr modifytimestamp distinguishedname -limit 0 > DNlist.txt
  • Store operating system files, the Active Directory database (Ntds.dit), and SYSVOL on separate volumes that do not contain other user, operating system, or application data.
  • For domain controllers, perform regular backups of system state data by using the wbadmin start systemstatebackup command, or prefer a BMR (bare metal recovery) backup using wbadmin (http://blogs.technet.com/b/askcore/archive/2011/05/12/bare-metal-restore.aspx). For more information, see Wbadmin start systemstatebackup (http://go.microsoft.com/fwlink/?LinkId=111741).
  • For domain controllers, you can also use the wbadmin start backup variant to include other drives or folders. For more information, see Wbadmin start backup (http://go.microsoft.com/fwlink/?LinkId=111741).
  • Create a backup volume on a dedicated internal or external hard drive. On Windows Vista / Server 2008 you cannot use a network shared folder as the target for a system state backup: back up to a local volume and copy the result to the share afterwards. Since Windows Server 2008 R2 a network share is accepted directly (the parameter is -backupTarget; note that a share target keeps only the latest backup, each run overwrites the previous one, so keep dated copies elsewhere if you need history):

example (AD DS 2008 R2): wbadmin start systemstatebackup -backupTarget:\\fileserver\adbackup -quiet

example (AD DS 2008 R2): wbadmin start backup -backupTarget:\\fileserver\adbackups -include:d: -systemState -vssFull -quiet

  • Microsoft disabled the ability to save system state backups to a critical volume (one holding the system or boot files). KB944530 (http://support.microsoft.com/kb/944530) describes the registry override: create the key HKLM\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup and in it the DWORD value AllowSSBToAnyVolume = 1. Keep in mind that a backup stored on the volume it protects disappears together with that volume.
  • To avoid having to use the operating system media during recovery, use the Windows Automated Installation Kit to install Windows RE on a separate partition. Use that partition to access Windows Recovery options. For more information about the Windows Automated Installation Kit, see Windows Automated Installation Kit (Windows AIK) (http://go.microsoft.com/fwlink/?LinkId=90643).
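The checklist above is several separate commands; as a scheduled task you want them in one script that keeps dated copies of the parts wbadmin overwrites. The following is an added example (not from the original post) that does the GPO, GPO-report, DNS zone, DN-list and system state steps in that order, with a simple retention for the dated folders. The share name, retention and the assumption that it runs on a DC with the GroupPolicy and ActiveDirectory modules and the Windows Server Backup feature installed are mine; the task account needs rights to back up the DC and write to the share.

```powershell
# Added example, not from the original post: daily AD DS "everything that is hard to rebuild" backup.
Import-Module GroupPolicy, ActiveDirectory

$Root   = '\\AdminServer\AD-Backups'               # assumed target share (the post uses \\AdminServer\GPO-Backups)
$Keep   = 30                                        # days of dated folders to keep
$Dest   = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd')
$DnsDir = Join-Path $env:SystemRoot 'System32\dns'  # dnscmd /ZoneExport always writes here
$null   = New-Item -ItemType Directory -Path $Dest -Force

# 1. GPOs, plus an XML report per GPO because Backup-GPO does not record where a GPO is linked
$null = Backup-GPO -All -Path $Dest
Get-GPO -All | ForEach-Object {
    Get-GPOReport -Guid $_.Id -ReportType Xml -Path (Join-Path $Dest "gpo-$($_.Id).xml")
}

# 2. DNS: export every primary zone. ZoneExport refuses to overwrite, so clear the old file first.
$zones = dnscmd /EnumZones | Select-String '^\s*(\S+)\s+Primary\s' |
         ForEach-Object { $_.Matches[0].Groups[1].Value }
foreach ($zone in $zones) {
    $file = "$zone.dns"
    Remove-Item -Path (Join-Path $DnsDir $file) -ErrorAction SilentlyContinue
    $null = dnscmd /ZoneExport $zone $file
    if ($LASTEXITCODE -eq 0) { Copy-Item -Path (Join-Path $DnsDir $file) -Destination $Dest -Force }
    else { Write-Warning "ZoneExport failed for $zone" }
}

# 3. DN and last-change time of every object (the PowerShell form of the dsquery line above)
Get-ADObject -Filter * -SearchScope Subtree -Properties modifyTimeStamp |
    Select-Object DistinguishedName, modifyTimeStamp |
    Export-Csv -NoTypeInformation -Path (Join-Path $Dest 'DNlist.csv')

# 4. System state. A share target keeps only the newest copy, which is why the dated
#    folders above are what gives you history for the GPO, DNS and DN data.
wbadmin start systemstatebackup "-backupTarget:$Root" -quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "wbadmin exited with code $LASTEXITCODE" }

# 5. Retention for the dated folders
Get-ChildItem -Path $Root -Directory |
    Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}$' -and $_.CreationTime -lt (Get-Date).AddDays(-$Keep) } |
    Remove-Item -Recurse -Force
```

Restrict the share so that the DC's backup account can write but ordinary users cannot read it: the system state contains Ntds.dit, and Ntds.dit contains every password hash in the domain.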

Windows Server 2012 IPAM


IP Address Management (IPAM) in Windows Server 2012 is a framework for discovering, monitoring, managing and auditing IP address space on a corporate network. IPAM provides the following features:

  • Automatic IP address infrastructure discovery
  • Highly customizable IP address space display, reporting, and management
  • Configuration change auditing for DHCP and IPAM services
  • Monitoring and management of DHCP and DNS services
  • IP address lease tracking

Web resources:

http://technet.microsoft.com/en-us/library/jj878339.aspx

http://blogs.technet.com/b/canitpro/archive/2013/08/15/step-by-step-setup-windows-server-2012-ipam-in-your-environment.aspx

 

 


Active Directory ldap conformance and ldap filters


AD object permissions, how to hide AD data, impact on ldap search and browsing


AD object permissions:

http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm

http://technet.microsoft.com/en-us/library/cc740104(v=ws.10).aspx

 

How to hide AD data:

part 1: http://windowsitpro.com/active-directory/hiding-data-active-directory

part 2: http://windowsitpro.com/active-directory/hiding-active-directory-objects-and-attributes

part 3: http://windowsitpro.com/active-directory/hiding-data-active-directory-part-3-enabling-list-object-mode-forest

part 4: http://windowsitpro.com/active-directory/using-confidentiality-bit-hide-data-active-directory

 

 

 

AD permissions – How Rights are Evaluated ?
Two types of rights exist: permissions (authorization to do something, such as read or reset a password, on a specific object) and privileges or user rights (authorization to do something, like log on or add users, that affects an entire computer rather than a specific object). As with file system access control, the right to access or use AD objects is determined by the security context of the process that attempts the access. When a user authenticates, the authorization information (the user's SID, the SIDs of the groups the user belongs to, and the user's privileges) is collected and used to build an access token. That token is presented whenever the user attempts to access an object. Programmatically, an access token can also be created from the security context of some other security principal (for example the operating system) and used during the application's processing instead.

When the application needs a file system, operating system or AD object, the SIDs in its access token are compared with the ACEs in the object's security descriptor. ACEs are evaluated in canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow, and evaluation stops as soon as the request is settled. So an explicit Deny on the object wins over any Allow, but an explicit Allow wins over an inherited Deny, and if no ACE grants the requested access it is denied.

Right: Description
DELETE: Delete the object.
READ_CONTROL: Read security descriptor information (does not include the right to read the SACL).
WRITE_DAC: Modify the DACL in the object's security descriptor.
WRITE_OWNER: Assume ownership of the object.
SYNCHRONIZE: Use the object for synchronization; a thread (the small executable portion of a process) can wait until the object is in the signaled state.
ACCESS_SYSTEM_SECURITY: Get or set the SACL.
GENERIC_READ: Read the security descriptor, examine the object and its children and read all properties.
GENERIC_WRITE: Write properties and write the DACL. Add and remove the object from the directory.
GENERIC_EXECUTE: List the children of the object.
GENERIC_ALL: Create or delete children, delete subtree, read and write properties, examine children and object, add and remove the object from the directory, read or write with extended rights.
DS_CREATE_CHILD: Create children (the ACE can specify the child object type that can be created; if it does not, this right allows creation of all child object types).
DS_DELETE_CHILD: Delete children (the ACE can specify the child object type that can be deleted; if it does not, this right allows deletion of all child object types).
DS_ACTRL_DS_LIST: List the children of the object.
DS_SELF: Perform a validated write, for example adding or removing oneself as a member of a group object.
DS_READ_PROP: Read properties of the object (the ACE can specify the property that can be read; if it does not, this right allows reading of all properties).
DS_WRITE_PROP: Write properties (the ACE can specify the property that can be written; if it does not, this right allows writing of all properties).
DS_DELETE_TREE: Delete all children of the object, regardless of the permissions on those children.
DS_LIST_OBJECT: List a particular object (if not granted to a user, the object is hidden from that user; only enforced when List Object mode is enabled in the forest, see the hiding-data links above).
DS_CONTROL_ACCESS: Perform an operation covered by an extended access right, either a specific extended right or, by omission, all extended rights.
Additional standard access rights are not available on all objects. The list and descriptions come from the Platform SDK documentation.

 

 

NTFS inheritance choice               AD comparable setting                  AD difference
This folder only                      This object only                       (effective ACL)
This folder, subfolders and files     This object and all child objects
This folder and subfolders            Each object class is specified
This folder and files                 Each object class is specified
Subfolders and files only             Child objects only                     (inherited ACLs)
Subfolders only                       Each object class is specified
Files only                            Each object class is specified
A comparison of NTFS and AD inheritance choices
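The rights table is most useful when you turn it around and ask who, apart from the principals you expect, holds the rights that amount to full control of an object: GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty on all properties, and the extended rights (all of them, or the specific ones such as User-Force-Change-Password and the DS-Replication-Get-Changes pair that let a principal reset passwords or pull password hashes). The following is an added example (not from the original post) that reads an object's ACL through the AD: drive of the ActiveDirectory module and reports such ACEs; the list of expected principals is an assumption to adjust for your forest.

```powershell
# Added example, not from the original post: find ACEs that grant control over an AD object.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs that matter even when granted individually
$ExtendedRightNames = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-RiskyAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # Principals expected to hold full control; assumed defaults, adjust to your forest
        [string[]]$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF',
                                "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Expected -contains $ace.IdentityReference.Value) { continue }
        # ActiveDirectoryRights is a flags enum; its string form is "CreateChild, WriteDacl, ..."
        $rights = [string]$ace.ActiveDirectoryRights -split ',\s*'
        $hits = @()
        foreach ($r in $rights) {
            switch ($r) {
                'GenericAll'    { $hits += $r }
                'GenericWrite'  { $hits += $r }
                'WriteDacl'     { $hits += $r }
                'WriteOwner'    { $hits += $r }
                # ObjectType = empty GUID means "all properties" / "all extended rights"
                'WriteProperty' { if ($ace.ObjectType -eq [guid]::Empty) { $hits += 'WriteProperty(all)' } }
                'ExtendedRight' {
                    if ($ace.ObjectType -eq [guid]::Empty) { $hits += 'ExtendedRight(all)' }
                    elseif ($ExtendedRightNames.ContainsKey([string]$ace.ObjectType)) { $hits += $ExtendedRightNames[[string]$ace.ObjectType] }
                }
            }
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = ($hits -join ', ')
                Inherited = $ace.IsInherited
                AppliesTo = $ace.InheritanceType
            }
        }
    }
}

# Usage: the domain head (replication rights live here) and AdminSDHolder (the ACL every
# protected account inherits from) are the two objects to check first.
$domainDn = (Get-ADDomain).DistinguishedName
Get-RiskyAce -DistinguishedName $domainDn | Format-Table -AutoSize
Get-RiskyAce -DistinguishedName "CN=AdminSDHolder,CN=System,$domainDn" | Format-Table -AutoSize
```

Because the canonical order described above lets an explicit Allow override an inherited Deny, an unexpected Allow found here cannot be neutralised by a Deny higher up the tree; it has to be removed on the object itself.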

 

 


How to use fiddler to analyse a SAML request from ADFS

How to move a Secondary ADFS to Primary?


When you deploy AD FS 2.x out of the box with the default setup, it uses the Windows Internal Database (WID).

In a WID farm the primary AD FS server holds the read/write copy of the configuration database and the secondary server(s) hold a read-only copy that is synchronised from the primary (a WID farm is limited to 5 AD FS servers).

If you need to move the primary role to another server, for whatever reason, you can do it with a single PowerShell command.

Run this PowerShell command on the secondary AD FS server that you want to make the primary AD FS server:

Set-AdfsSyncProperties -Role PrimaryComputer

The server where the command ran is now the primary. Every other member of the farm, including the old primary, must now be told where the new primary is; otherwise the old primary still believes it holds the role and the other secondaries keep polling it.

Run this PowerShell command on the old primary and on every other secondary AD FS server so that they sync from the new primary:

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN_ADFS_Primary>

Check the result on each server with Get-AdfsSyncProperties (Role, PrimaryComputerName, LastSyncStatus). On AD FS 2.0/2.1 load the snap-in first with Add-PSSnapin Microsoft.Adfs.PowerShell; on Windows Server 2012 R2 the ADFS module loads automatically.
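The two commands above become one script when the farm has several members. The following is an added example (not from the original post) that takes the primary role on the server it runs on, re-points every other member including the old primary over PowerShell remoting, and then verifies that exactly one server reports the PrimaryComputer role and that all the others name it. Server names are assumptions; it needs local administrator rights on all farm members and remoting enabled on them.

```powershell
# Added example, not from the original post: move the AD FS WID primary role and verify the farm.
$NewPrimary   = 'adfs02.corp.example'                          # assumed: the server this script runs on
$OtherMembers = 'adfs01.corp.example', 'adfs03.corp.example'   # assumed: old primary and remaining secondaries

# On AD FS 2.0/2.1 the cmdlets come from a snap-in; on 2012 R2 the ADFS module autoloads.
$loadAdfs = {
    if (-not (Get-Command Set-AdfsSyncProperties -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell
    }
}

# 1. take the primary role here
& $loadAdfs
Set-AdfsSyncProperties -Role PrimaryComputer

# 2. point every other member (including the old primary) at the new primary
foreach ($server in $OtherMembers) {
    Invoke-Command -ComputerName $server -ArgumentList $NewPrimary -ScriptBlock {
        param($primary)
        if (-not (Get-Command Set-AdfsSyncProperties -ErrorAction SilentlyContinue)) { Add-PSSnapin Microsoft.Adfs.PowerShell }
        Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $primary
    }
}

# 3. verify: exactly one PrimaryComputer, every secondary pointing at it
$state = foreach ($server in (@($NewPrimary) + $OtherMembers)) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        if (-not (Get-Command Get-AdfsSyncProperties -ErrorAction SilentlyContinue)) { Add-PSSnapin Microsoft.Adfs.PowerShell }
        $p = Get-AdfsSyncProperties
        [pscustomobject]@{
            Server   = $env:COMPUTERNAME
            Role     = $p.Role
            Primary  = $p.PrimaryComputerName
            LastSync = $p.LastSyncStatus
        }
    }
}
$state | Format-Table Server, Role, Primary, LastSync -AutoSize

$primaries   = @($state | Where-Object Role -eq 'PrimaryComputer')
$misdirected = @($state | Where-Object { $_.Role -eq 'SecondaryComputer' -and $_.Primary -ne $NewPrimary })
if ($primaries.Count -ne 1)  { Write-Warning "Expected exactly one primary, found $($primaries.Count)" }
if ($misdirected.Count -gt 0) { Write-Warning "Secondaries not pointing at ${NewPrimary}: $($misdirected.Server -join ', ')" }
```

LastSyncStatus on the secondaries only changes after their next poll (PollDuration in the same output), so re-run step 3 a few minutes later before declaring the move done.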


How to check expired certificates on multiple computers or user AD attribute?


How to check expiring certificates on multiple computers?

Use Invoke-Command to run a directory listing of the machine certificate store on each host; PowerShell remoting must have been enabled on the target servers with Enable-PSRemoting. Invoke-Command adds PSComputerName to each returned object, which tells you which server the certificate lives on:

$threshold = 60   # number of days to look ahead for expiring certificates
$deadline  = (Get-Date).AddDays($threshold)   # anything with NotAfter before this is reported
Invoke-Command -ComputerName Server1,Server2,Server3 -ScriptBlock { Get-ChildItem Cert:\LocalMachine\My } |
    Where-Object { $_.NotAfter -le $deadline } |
    Select-Object PSComputerName, Issuer, Subject, NotAfter,
        @{ Label = "Expires In (Days)"; Expression = { ($_.NotAfter - (Get-Date)).Days } }

A negative "Expires In (Days)" value means the certificate has already expired.

How to check expired user certificates on AD?

If your company uses certificates for user authentication or encryption (S/MIME certificates, for instance), these expire every now and then. Your Enterprise CA appends each new certificate to the user's userCertificate attribute while leaving the expired ones in place. Over time this clutters your AD, makes administration more difficult and adds to replication traffic. With the Quest cmdlets the clean-up is:

 Get-QADUser username | Remove-QADCertificate -Valid:$false

To clean-up the entire domain, just do: Get-QADUser | Remove-QADCertificate -Valid:$false
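If the Quest cmdlets are not available, the same clean-up can be done with the ActiveDirectory module. The following is an added example (not from the original post): it decodes every blob in userCertificate as an X.509 certificate, keeps the ones whose NotAfter is in the past, and removes exactly those values with Set-ADUser -Remove. Blobs that do not parse as certificates are left alone, and the removal supports -WhatIf so you can see what would go before it goes. The domain-wide loop at the end selects users by an LDAP presence filter on userCertificate; account names in the usage line are assumptions.

```powershell
# Added example, not from the original post: remove expired certificates from userCertificate.
Import-Module ActiveDirectory

function Get-ExpiredUserCertificate {
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties userCertificate
    foreach ($raw in $user.userCertificate) {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        } catch {
            continue   # not a parseable certificate; leave the value untouched
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            [pscustomobject]@{
                User       = $user.SamAccountName
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                Raw        = $raw          # the exact byte[] stored in AD, needed for the removal
            }
        }
    }
}

function Remove-ExpiredUserCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)
    $expired = @(Get-ExpiredUserCertificate -Identity $Identity)
    if ($expired.Count -eq 0) { return }
    # Collect the byte arrays in an ArrayList so the pipeline does not unroll them into single bytes
    $blobs = New-Object System.Collections.ArrayList
    foreach ($c in $expired) { [void]$blobs.Add($c.Raw) }
    if ($PSCmdlet.ShouldProcess($Identity, "remove $($expired.Count) expired certificate(s)")) {
        Set-ADUser -Identity $Identity -Remove @{ userCertificate = $blobs.ToArray() }
    }
    $expired | Select-Object User, Subject, NotAfter, Thumbprint
}

# One user, dry run first, then for real
Remove-ExpiredUserCertificate -Identity jdoe -WhatIf
Remove-ExpiredUserCertificate -Identity jdoe

# Whole domain: only users that have the attribute populated
Get-ADUser -LDAPFilter '(userCertificate=*)' |
    ForEach-Object { Remove-ExpiredUserCertificate -Identity $_.SamAccountName -WhatIf }
```

Run the domain-wide loop with -WhatIf first and compare the count against what the CA has issued; a certificate that is expired but still referenced by an encrypted mailbox or EFS file is one you may want to keep in the user's own store even if it leaves the directory.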


AD CS (PKI): how to renew root and issuing CA certificates?
