Channel: Active Directory – Jacques Dalbera's IT world

Monitoring Event ID with Powershell or SCOM


Krbtgt account password reset scripts

Cryptography 101

Microsoft Ignite conference 2015 – AD-related sessions


Certificate request on Linux

Powershell certificate request and install


http://vipinvasudevan.blogspot.fr/2013/02/my-it-experience-1.html

http://blog.kloud.com.au/2013/07/30/ssl-san-certificate-request-and-import-from-powershell/

Here is the script developed for non-domain computers (tested: it works). Two points to keep in mind before reusing it: the service account password is embedded in clear text, so anyone who can read the script can enroll certificates from that template, and the first build called certreq through Invoke-Expression with the typed-in FQDN pasted into the command line, which is a command-injection hole. The version below calls certreq.exe directly, passes every argument as a separate token, checks the exit code after each step, and no longer crashes on an empty country code (substring(0,2) was evaluated before the empty-input check).

#
# Amadeus Request and Install Certificate for non-domain Windows computers
# Used for Cisco AnyConnect VPN
#
# Created    : 2015/04/21
# Updated    : 2015/04/27
#
# Authors    : jdalbera - system architecture
# Comments   : Amadeus Request and Install Computer Certificate on a non-domain
#              computer, using CEP/CES and a dedicated service account
# Certreq technet reference: https://technet.microsoft.com/library/cc725793.aspx
#
cls
Write-Host ""
Write-Host "---------------------------------------------------------"
Write-Host " Request and Install Computer Certificate by JD "
Write-Host "             Used for Cisco AnyConnect VPN                "
Write-Host "---------------------------------------------------------"
Write-Host ""

## VARIABLES
[string]$TemplateName = "VPNCertNonDomainWks"
[string]$CEPPolicyServer = "https://webca.mydomain.local/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
[string]$CESConfig = "https://webca.mydomain.local/AMACATECH2_CES_UsernamePassword/service.svc/CES"
[string]$DomUser = "mydomain\acctpkivpncert"
# certreq -p needs the password in clear text. Leaving it in the script turns every copy of the
# script into a credential: restrict the account to Enroll on this one template and nothing else,
# or prompt for it at run time instead:  $DomPass = Read-Host "Password for $DomUser"
[string]$DomPass = "xxxxxxxxxxxxxxxxxxxxxxxxx"
$CertReq = "$env:SystemRoot\System32\certreq.exe"

## FUNCTIONS
function Pause ($Message = "Press any key to exit...")
{
    Write-Host -NoNewLine $Message
    $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
    Write-Host ""
}

# Ask until a non-empty answer is given; answers are lower-cased as in the original script
function Read-Required ($Prompt, $Retry)
{
    do {
        [string]$value = (Read-Host $Prompt).Trim().ToLower()
        if (!$value) { Write-Host $Retry -BackgroundColor Red -ForegroundColor White }
    } until ($value.Length -gt 0)
    return $value
}

## INPUT
$Email = Read-Required "Please enter the requestor's email address (ie. jdalbera@mydomain.local)" "Please enter the requestor's email address again!"
Write-Host ""
Write-Host "Mandatory: answer the questions below to prepare the certificate request" -BackgroundColor Yellow -ForegroundColor Black

$UID   = Read-Required "Please enter the Computer FQDN (ie. mycomputer.otherdomain.local)" "Please enter the Computer FQDN again!"
$DEPT  = Read-Required "Please enter the department (ie: internal-IT)" "Please enter the department again!"
$ORG   = Read-Required "Please enter the company (ie. mycompany)" "Please enter the company again!"
$LOC   = Read-Required "Please enter the city (ie. Nice)" "Please enter the city again!"
$STATE = Read-Required "Please enter the state (ie. France)" "Please enter the state again!"

do {
    [string]$COUNTRY = (Read-Host "Please enter the country ISO code 2 digits (ie: FR, DE, ES)").Trim()
    if ($COUNTRY.Length -ne 2) { Write-Host "Please enter the country ISO code 2 digits!" -BackgroundColor Red -ForegroundColor White }
} until ($COUNTRY.Length -eq 2)
$COUNTRY = $COUNTRY.ToUpper()   # ISO 3166 codes are upper-case

## MAIN
Write-Host ""
Write-Host "------------------------------------------------------------------------------------------------"
Write-Host ""
$startscript = Get-Date

###################################
# Generate Request File
###################################
Write-Host ""
Write-Host "Preparing Request File..." -BackgroundColor Yellow -ForegroundColor Black
Write-Host "Removing existing files..."
Remove-Item .\cert.inf -ErrorAction SilentlyContinue
Remove-Item .\cert.req -ErrorAction SilentlyContinue
Write-Host "Preparing Template..."
Write-Host ""
$inf = @"
[NewRequest]
Subject = "CN=$UID,EMAIL=$Email,OU=$DEPT,O=$ORG,L=$LOC,S=$STATE,C=$COUNTRY"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0                ; Digital Signature + Key Encipherment
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2          ; Client Authentication
[RequestAttributes]
CertificateTemplate = "$TemplateName"
"@
Set-Content -Path .\cert.inf -Value $inf

if (-not (Test-Path .\cert.inf)) {
    Write-Host "No template file .\cert.inf found. End of the script..." -BackgroundColor Red -ForegroundColor White
    exit
}
Write-Host "Template file .\cert.inf found..." -BackgroundColor Green -ForegroundColor Black
Write-Host ""

Pause
###################################
# Create the Request
###################################
Write-Host "Generating Request File..." -BackgroundColor Yellow -ForegroundColor Black
& $CertReq -new .\cert.inf .\cert.req
Write-Host ""

if ($LASTEXITCODE -ne 0 -or -not (Test-Path .\cert.req)) {
    Write-Host "No request file .\cert.req found (certreq exit code $LASTEXITCODE). End of the script..." -BackgroundColor Red -ForegroundColor White
    exit
}
Write-Host "Request file .\cert.req found..." -BackgroundColor Green -ForegroundColor Black
Write-Host ""

###################################
# Send Request
###################################
Write-Host "Sending Certificate Request..." -BackgroundColor Yellow -ForegroundColor Black
# Domain-joined variant, no CEP/CES and no credentials needed:
#   & $CertReq -submit -config $CAName .\cert.req ".\$UID.cer"
& $CertReq -submit -Username $DomUser -p $DomPass -PolicyServer $CEPPolicyServer -config $CESConfig .\cert.req ".\$UID.cer"
Write-Host ""

if ($LASTEXITCODE -ne 0 -or -not (Test-Path ".\$UID.cer")) {
    Write-Host "No certificate file .\$UID.cer found (certreq exit code $LASTEXITCODE). End of the script..." -BackgroundColor Red -ForegroundColor White
    exit
}
Write-Host "Certificate file .\$UID.cer found..." -BackgroundColor Green -ForegroundColor Black
Write-Host ""

###################################
# Install Certificate
###################################
Write-Host "Installing Certificate..." -BackgroundColor Yellow -ForegroundColor Black
& $CertReq -accept ".\$UID.cer"
Write-Host ""
if ($LASTEXITCODE -ne 0) {
    Write-Host "certreq -accept failed (exit code $LASTEXITCODE). The certificate was issued but is not bound to the private key in the machine store." -BackgroundColor Red -ForegroundColor White
    exit
}

#Start-Sleep 5
Write-Host "-------------------"
Write-Host "-- End of Script --"
Write-Host "-------------------"
Write-Host ""
$stopscript = Get-Date
$elapsed = New-TimeSpan -Start $startscript -End $stopscript
Write-Host "Has started at" $startscript -BackgroundColor Gray -ForegroundColor Black
Write-Host "Had finished at" $stopscript -BackgroundColor Gray -ForegroundColor Black
Write-Host "TIME SPENT:" $elapsed.Hours "Hours" $elapsed.Minutes "Minutes" $elapsed.Seconds "Seconds" -BackgroundColor Green -ForegroundColor Black
Write-Host ""

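certreq -accept returning 0 only proves that a certificate was written to the store. Before handing the machine over, it is worth checking that the certificate is the one the VPN head-end will accept: CN equal to the FQDN that was typed in, a private key that is present and not exportable (the INF asked for Exportable = FALSE), the Client Authentication EKU, and a chain that builds against the machine's trust store. The function below is an added example and not part of the original script; it assumes the FQDN is still in $UID and that the key was generated by a CryptoAPI provider, as the script's INF requests.

```powershell
# Added check (not from the original script): confirm the enrolled computer certificate is usable.
function Test-VpnComputerCertificate {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [string]$Store = 'Cert:\LocalMachine\My'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'

    # Newest certificate whose subject starts with CN=<fqdn>
    $cert = Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -match "^CN=$([regex]::Escape($Fqdn))(,|$)" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$Fqdn in $Store" }

    $result = [ordered]@{
        Thumbprint    = $cert.Thumbprint
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
        Exportable    = $null      # stays $null when the key is not a CryptoAPI (CSP) key
        ChainValid    = $false
        ChainStatus   = @()
    }

    # CSP keys (Microsoft RSA SChannel Cryptographic Provider) expose exportability here
    if ($cert.HasPrivateKey -and $cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $result.Exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
    }

    # Build the chain the way a relying party would: online revocation check, Client Authentication policy
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $null = $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid($clientAuthOid)))
    $result.ChainValid  = $chain.Build($cert)
    $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $chain.Reset()

    [pscustomobject]$result
}

# Usage at the end of the enrollment script ($UID is the FQDN entered earlier):
$check = Test-VpnComputerCertificate -Fqdn $UID
$check | Format-List
if (-not ($check.HasPrivateKey -and $check.ClientAuthEku -and $check.ChainValid) -or $check.Exportable -eq $true) {
    Write-Host "Certificate is present but not usable for VPN authentication" -BackgroundColor Red -ForegroundColor White
}
```

A chain that fails with RevocationStatusUnknown on a workstation that is off the corporate network is expected when the CRL distribution point is internal only; that is a reason to publish the CRL on the same Internet-facing host as the CEP/CES endpoints, not a reason to skip the check.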
 


Understanding SAML protocol


If you’re doing research on protocols that enable single sign-on, a typical question is, “How does SAML work?” (credits: http://www.gluu.org/blog/how-does-saml-work-idps-sps/)

” SAML, or Security Assertion Markup Language, is the leading SSO protocol today and is a valuable standard to understand in order to fully comprehend how single sign-on works.

SAML boils down to attribute exchange through the creation of trust relationships between IdPs and SPs. A basic example is signing into your Active Directory to log on to your work computer in the morning, and automatically gaining access to your company Gmail or Salesforce.

The three main components of the SAML protocol:

  • Assertions – Most common are the following 2 SAML assertions:
    • Authentication assertions are used to make people prove their identities.
    • Attribute assertions are used to generate specific information about the person, for example their phone number or email address.
  • Protocol – This defines the way that SAML asks for and gets assertions, for example, using SOAP over HTTP.
  • Binding – This details exactly how SAML message exchanges are mapped into SOAP exchanges.

5 Benefits of using a SAML IdP:

There are many reasons to use a SAML IdP. Besides being the dominant single sign on protocol in use today, there are a host of reasons an organization should consider implementing a SAML IdP. Here are 5 reasons to use SAML for SSO:

1. User passwords never cross the firewall, since user authentication occurs inside of the firewall and multiple Web application passwords are no longer required.

2. Web applications with no passwords are virtually impossible to hack, as the user must authenticate against an enterprise-class IdM first, which can include strong authentication mechanisms.

3. “SP-initiated” SAML SSO provides access to Web apps for users outside of the firewall. If an outside user requests access to a Web application, the SP can automatically redirect the user to an authentication portal located at the Identity Provider. After authenticating, the user is granted access to the application, while their login and password remains locked safely inside the firewall.

4. Centralized federation provides a single point of Web application access, control and auditing, which has security, risk and compliance benefits.

5. A properly executed identity federation layer that satisfies all of the use cases described above and supports multiple protocols can provide an enterprise-wide, architecturally sound Internet SSO solution ”

For more on the SAML protocol and transaction steps, go to: http://en.wikipedia.org/wiki/SAML_2.0

SAML transaction steps (overview): Let's take a real-life example. Say someone logs in and uses a Web service, is authenticated and then wants to go to a partner site. With SAML, he can be authenticated at the second site without having to sign on again. The figure (not reproduced here) shows each step of the process:

In Step 1 the user has authenticated himself with Site 1 and wants to visit Site 2. He clicks on a link to go to Site 2.

In Step 2, instead of being sent straight to Site 2, he is sent to the SAML service for Site 1.

In Step 3 the SAML service appends a partner ID and a special handle (the SAML artifact) to Site 2's URL in the user's browser. For example, if the user wants to go to the site http://www.softprovider.com, after the SAML service appends the extra information, the URL might now be https://www.softprovider.com?SAMLart= followed by the artifact value. Note that the protocol has changed to the secure https instead of http. The user is redirected to Site 2's SAML service, which examines the URL with the appended information. The artifact is only a reference: based on it, Site 2's SAML service contacts Site 1's directly (an artifact resolution exchange over a back channel that does not pass through the browser), and Site 1 returns the assertion carrying the authenticated identity of the user, along with any attributes or rights the user has.

In Step 4 the user is sent to Site 2, fully authenticated. The user can now perform transactions on the site just as if he had logged directly into the site.

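Whatever the binding (artifact, as above, or the more common HTTP-POST), Site 2 must not trust the assertion just because it arrived: the SP has to check who issued it, that it was issued in reply to a request the SP actually sent, that it is meant for this SP and this endpoint, that it is inside its validity window, and that it is signed. The function below is an added example of those SP-side checks and is not part of the original post; the sample Response, the IdP issuer URL, the SP entityID and ACS URL, and the request ID are all constructed for the example. It deliberately stops short of verifying the XML signature, which needs the IdP's signing certificate and a SignedXml (or xmlsec) check, but it rejects an assertion that carries no signature at all.

```powershell
# Added example, not from the original post: SP-side validation of a SAML 2.0 Response.
$SamlNs = @{
    samlp = 'urn:oasis:names:tc:SAML:2.0:protocol'
    saml  = 'urn:oasis:names:tc:SAML:2.0:assertion'
    ds    = 'http://www.w3.org/2000/09/xmldsig#'
}

function Test-SamlResponse {
    param(
        [Parameter(Mandatory)][string]$ResponseXml,
        [Parameter(Mandatory)][string]$ExpectedIssuer,       # the IdP's entityID
        [Parameter(Mandatory)][string]$SpEntityId,           # our entityID, expected in <Audience>
        [Parameter(Mandatory)][string]$AcsUrl,               # our Assertion Consumer Service URL
        [Parameter(Mandatory)][string]$OutstandingRequestId, # ID of the AuthnRequest we sent and have not consumed yet
        [datetime]$Now = (Get-Date).ToUniversalTime(),
        [int]$ClockSkewSeconds = 120
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true           # never reformat signed XML
    $doc.LoadXml($ResponseXml)
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    foreach ($p in $SamlNs.Keys) { $nsm.AddNamespace($p, $SamlNs[$p]) }
    $errors = New-Object System.Collections.Generic.List[string]

    $resp = $doc.SelectSingleNode('/samlp:Response', $nsm)
    if (-not $resp) { throw 'Not a SAML 2.0 Response' }
    $status = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode/@Value', $nsm).Value
    if ($status -ne 'urn:oasis:names:tc:SAML:2.0:status:Success') { $errors.Add("IdP status: $status") }
    # Unsolicited or replayed responses do not name a request we are waiting for
    if ($resp.GetAttribute('InResponseTo') -ne $OutstandingRequestId) { $errors.Add('InResponseTo does not match an outstanding AuthnRequest') }

    $assertions = $doc.SelectNodes('/samlp:Response/saml:Assertion', $nsm)
    if ($assertions.Count -ne 1) { throw "Expected exactly one Assertion, found $($assertions.Count)" }
    $a = $assertions[0]
    # Signature verification against the IdP certificate is a separate step; an unsigned assertion is rejected outright
    if (-not $a.SelectSingleNode('ds:Signature', $nsm)) { $errors.Add('Assertion is not signed') }
    $issuer = $a.SelectSingleNode('saml:Issuer', $nsm).InnerText
    if ($issuer -ne $ExpectedIssuer) { $errors.Add("Unexpected Issuer: $issuer") }

    $cond = $a.SelectSingleNode('saml:Conditions', $nsm)
    $skew = [timespan]::FromSeconds($ClockSkewSeconds)
    $utc  = [System.Xml.XmlDateTimeSerializationMode]::Utc
    $notBefore    = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotBefore'), $utc)
    $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotOnOrAfter'), $utc)
    if ($Now + $skew -lt $notBefore)    { $errors.Add("Assertion not yet valid (NotBefore $notBefore)") }
    if ($Now - $skew -ge $notOnOrAfter) { $errors.Add("Assertion expired (NotOnOrAfter $notOnOrAfter)") }
    $audiences = @($cond.SelectNodes('saml:AudienceRestriction/saml:Audience', $nsm) | ForEach-Object { $_.InnerText })
    if ($audiences -notcontains $SpEntityId) { $errors.Add('Audience does not include this SP') }

    $scd = $a.SelectSingleNode('saml:Subject/saml:SubjectConfirmation[@Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"]/saml:SubjectConfirmationData', $nsm)
    if (-not $scd) { $errors.Add('No bearer SubjectConfirmation') }
    elseif ($scd.GetAttribute('Recipient') -ne $AcsUrl) { $errors.Add("Recipient is not our ACS URL: $($scd.GetAttribute('Recipient'))") }

    $attrs = @{}
    foreach ($attr in $a.SelectNodes('saml:AttributeStatement/saml:Attribute', $nsm)) {
        $attrs[$attr.GetAttribute('Name')] = @($attr.SelectNodes('saml:AttributeValue', $nsm) | ForEach-Object { $_.InnerText })
    }
    [pscustomobject]@{
        Valid      = ($errors.Count -eq 0)
        Errors     = $errors.ToArray()
        NameID     = $a.SelectSingleNode('saml:Subject/saml:NameID', $nsm).InnerText
        Attributes = $attrs
    }
}

# Constructed sample Response (issuer, SP and request ID are assumptions; the ds:Signature is a placeholder)
$sampleResponse = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" InResponseTo="_req42" Version="2.0" IssueInstant="2015-05-04T10:00:05Z" Destination="https://sp.mycompany.example/saml/acs">
  <saml:Issuer>https://idp.mydomain.local/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-05-04T10:00:05Z">
    <saml:Issuer>https://idp.mydomain.local/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdalbera@mydomain.local</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.mycompany.example/saml/acs" NotOnOrAfter="2015-05-04T10:05:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-05-04T09:59:05Z" NotOnOrAfter="2015-05-04T10:05:05Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.mycompany.example</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdalbera@mydomain.local</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"@

$common = @{ ResponseXml = $sampleResponse; ExpectedIssuer = 'https://idp.mydomain.local/adfs/services/trust'
             AcsUrl = 'https://sp.mycompany.example/saml/acs'; OutstandingRequestId = '_req42'
             Now = [datetime]::Parse('2015-05-04T10:00:10Z').ToUniversalTime() }
Test-SamlResponse @common -SpEntityId 'https://sp.mycompany.example' | Format-List      # Valid = True
Test-SamlResponse @common -SpEntityId 'https://other-sp.example'     | Format-List      # rejected: Audience mismatch
```

The Audience and InResponseTo checks are the ones most often left out by home-grown SPs, and leaving them out is what allows an assertion issued for one application to be replayed against another.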

Converting .cer to .pem etc…


Azure and Office 365 – guidelines to choose a Tenant!


If you plan to use your trial tenant for production, be sure to choose a name for the tenant that is different from your planned production tenant name. It’s a common mistake to use a company name for the trial. The name of the tenant appears in Lync invites and SharePoint Online, but Microsoft does not currently have tools to rename a tenant or migrate data from one tenant to another. If you change your mind later, you have to create a new tenant and manually move your data and settings.

For example, you may want to name your tenant differently when setting up a trial account as opposed to a production account.

Please refer to : Get help with Office 365 domains

Please refer to this article in order to plan Network and Naming Services for Office 365



Azure and Office 365 – Delegations and Roles


Assigning admin roles:
https://support.office.com/en-us/article/Assigning-admin-roles-eac4d046-1afd-4f1a-85fc-8219c79e1504?ui=en-US&rs=en-US&ad=US

There are different ways to achieve business unit (BU) delegation:
o   Split into multiple tenants (with other impacts)
o   Use a packaged third-party offer (for example http://delegate365.com/)
It should also be possible to use the group management provided by Azure AD (Azure AD Premium subscription required), but that needs to be confirmed in terms of feasibility and supportability:
Azure AD Delegated Group Management: Feature walk through
http://blogs.technet.com/b/ad/archive/2014/04/07/azure-ad-delegated-group-management-feature-walk-through.aspx


Please note that Azure AD Premium currently offers (in Preview) a solution for delegation:

https://msdn.microsoft.com/en-us/library/azure/dn832057.aspx


Obtaining a ClientId and Client Secret for a Azure AD

Using Azure AD for Linux logins

How to create a simple ADFS web application?

How to determine if an account is disabled by examining useraccountcontrol?


Reference: https://knowledge.zomers.eu/PowerShell/Pages/How-to-control-UserAccountControl-Active-Directory-flags-with-PowerShell.aspx

For example, to check whether a user account is disabled (the ACCOUNTDISABLE bit, decimal value 2, must be set):

($user.UserAccountControl[0] -band 2) -ne 0

Here $user is an ADSI object, whose properties are collections (hence the [0]); with the ActiveDirectory module, userAccountControl comes back as a plain integer and the -band is applied to it directly.

User account control values:

Possible values

An overview of the possible flags and their numeric values:

Property flag                    Hex          Decimal
SCRIPT                           0x0001       1
ACCOUNTDISABLE                   0x0002       2
HOMEDIR_REQUIRED                 0x0008       8
LOCKOUT                          0x0010       16
PASSWD_NOTREQD                   0x0020       32
PASSWD_CANT_CHANGE (*)           0x0040       64
ENCRYPTED_TEXT_PWD_ALLOWED       0x0080       128
TEMP_DUPLICATE_ACCOUNT           0x0100       256
NORMAL_ACCOUNT                   0x0200       512
INTERDOMAIN_TRUST_ACCOUNT        0x0800       2048
WORKSTATION_TRUST_ACCOUNT        0x1000       4096
SERVER_TRUST_ACCOUNT             0x2000       8192
DONT_EXPIRE_PASSWORD             0x10000      65536
MNS_LOGON_ACCOUNT                0x20000      131072
SMARTCARD_REQUIRED               0x40000      262144
TRUSTED_FOR_DELEGATION           0x80000      524288
NOT_DELEGATED                    0x100000     1048576
USE_DES_KEY_ONLY                 0x200000     2097152
DONT_REQ_PREAUTH                 0x400000     4194304
PASSWORD_EXPIRED                 0x800000     8388608
TRUSTED_TO_AUTH_FOR_DELEGATION   0x1000000    16777216
PARTIAL_SECRETS_ACCOUNT          0x4000000    67108864

(*) PASSWD_CANT_CHANGE cannot be assigned by directly modifying the UserAccountControl attribute; the flag reflects a permission set on the user object. For information about how to set the permission programmatically, see the "Property flag descriptions" section of the referenced article.

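Testing one bit at a time, as above, is fine for a single account. For an audit you want the value decoded into flag names and, more importantly, the flags that weaken authentication surfaced across the whole domain: DONT_REQ_PREAUTH (the account can be AS-REP roasted), PASSWD_NOTREQD, USE_DES_KEY_ONLY, ENCRYPTED_TEXT_PWD_ALLOWED and TRUSTED_FOR_DELEGATION (unconstrained delegation). The code below is an added example and not from the referenced article; the decoder is offline and the domain query uses the ActiveDirectory module with an LDAP bitwise filter so the domain controller does the -band instead of the client. The sample value is constructed.

```powershell
# Added example (not from the referenced article): decode userAccountControl and audit risky flags.
$UacFlags = [ordered]@{
    SCRIPT = 0x0001; ACCOUNTDISABLE = 0x0002; HOMEDIR_REQUIRED = 0x0008; LOCKOUT = 0x0010
    PASSWD_NOTREQD = 0x0020; PASSWD_CANT_CHANGE = 0x0040; ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
    TEMP_DUPLICATE_ACCOUNT = 0x0100; NORMAL_ACCOUNT = 0x0200; INTERDOMAIN_TRUST_ACCOUNT = 0x0800
    WORKSTATION_TRUST_ACCOUNT = 0x1000; SERVER_TRUST_ACCOUNT = 0x2000; DONT_EXPIRE_PASSWORD = 0x10000
    MNS_LOGON_ACCOUNT = 0x20000; SMARTCARD_REQUIRED = 0x40000; TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000; USE_DES_KEY_ONLY = 0x200000; DONT_REQ_PREAUTH = 0x400000
    PASSWORD_EXPIRED = 0x800000; TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000; PARTIAL_SECRETS_ACCOUNT = 0x4000000
}

# Flags that weaken authentication for the account, and what an attacker gets from each
$RiskyFlags = @{
    DONT_REQ_PREAUTH           = 'Kerberos pre-authentication disabled: AS-REP roasting'
    PASSWD_NOTREQD             = 'empty password permitted'
    USE_DES_KEY_ONLY           = 'DES-only Kerberos keys'
    ENCRYPTED_TEXT_PWD_ALLOWED = 'password stored with reversible encryption'
    TRUSTED_FOR_DELEGATION     = 'unconstrained delegation: impersonates any connecting user'
    DONT_EXPIRE_PASSWORD       = 'password never expires'
}

function ConvertFrom-UserAccountControl {
    # Returns the names of every bit set in $Value, e.g. the page's disabled check becomes
    # (ConvertFrom-UserAccountControl $uac) -contains 'ACCOUNTDISABLE'
    param([Parameter(Mandatory)][int]$Value)
    @($UacFlags.Keys | Where-Object { ($Value -band $UacFlags[$_]) -ne 0 })
}

function Find-RiskyUacAccounts {
    # Enabled users with at least one risky bit. 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND,
    # so each clause is evaluated on the DC; the (!...=2) clause drops disabled accounts.
    param([string]$SearchBase)
    $clauses = $RiskyFlags.Keys | ForEach-Object { "(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$_]))" }
    $filter  = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|$($clauses -join '')))"
    $params  = @{ LDAPFilter = $filter; Properties = 'userAccountControl' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params | ForEach-Object {
        $set = ConvertFrom-UserAccountControl $_.userAccountControl
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            UAC            = ('0x{0:X}' -f $_.userAccountControl)
            RiskyFlags     = (($set | Where-Object { $RiskyFlags.ContainsKey($_) }) -join ', ')
            Why            = (($set | Where-Object { $RiskyFlags.ContainsKey($_) } | ForEach-Object { $RiskyFlags[$_] }) -join '; ')
        }
    }
}

# Offline check on a constructed value: NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + DONT_REQ_PREAUTH
ConvertFrom-UserAccountControl 0x410200

# Domain-wide audit (requires the ActiveDirectory module and read access to the users):
# Find-RiskyUacAccounts | Format-Table -AutoSize
# Find-RiskyUacAccounts -SearchBase 'OU=Service Accounts,DC=mydomain,DC=local'
```

Note that LOCKOUT and PASSWORD_EXPIRED are computed by the DC rather than stored, so they are reliable in the returned attribute but cannot be set by writing it, in the same way as PASSWD_CANT_CHANGE.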


Be protected against "Pass the Hash" attacks


Delegation right to authorize a new DHCP server?


To delegate the right to authorize a new DHCP server in AD:

Modify the permissions on the DHCP server container objects in Active Directory:

Type adsiedit.msc from Start > Run...
Expand:
Configuration Container [your DC FQDN]
CN=Configuration,DC=<your_domain>,DC=com
CN=Services
CN=NetServices

Under NetServices, there should be one object named CN=DhcpRoot.

The rights have to be assigned on the last two objects, CN=DhcpRoot and its parent CN=NetServices:

1. Right-click CN=DhcpRoot and choose Properties.
2. Choose the Security tab.
3. Add the user (preferably a group) you want to allow to authorize a DHCP server.
4. Grant the Allow Full Control right.

5. Right-click the CN=NetServices node in the left pane.
6. Repeat steps 2-4 for this node.

Full Control on these two objects also allows the holder to unauthorize servers that are already authorized, so grant it to a dedicated group rather than to an individual and review the ACL periodically.

NOTE: You may also need to grant this user the "Allow log on locally" right on that machine and put him into the Server Operators group to be able to open the DHCP MMC on that machine locally, or domain-wide if the DHCP server is on the DC.

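The same delegation done with the ActiveDirectory module instead of ADSI Edit, so it can be reviewed, repeated and reversed. This is an added example and not part of the original post: 'mydomain\dhcpadmins' is an assumed group name, the DN paths are the ones walked through above, and the ACE is written without inheritance so nothing below the two containers is affected. Changes to the Configuration partition are forest-wide, so run it as an Enterprise Admin.

```powershell
# Added example, not from the original post: grant/review the DHCP authorization delegation.
Import-Module ActiveDirectory

function Get-DhcpDelegationTargets {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    @("CN=DhcpRoot,CN=NetServices,CN=Services,$configNC",
      "CN=NetServices,CN=Services,$configNC")
}

function Grant-DhcpAuthorizeRight {
    param(
        [Parameter(Mandatory)][string]$Principal,   # 'domain\group' (assumed: 'mydomain\dhcpadmins')
        [switch]$WhatIf
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate([System.Security.Principal.SecurityIdentifier])
    foreach ($dn in Get-DhcpDelegationTargets) {
        $path = "AD:\$dn"
        $acl  = Get-Acl -Path $path
        # GenericAll is what the ADSI Edit dialog calls "Full Control"; InheritanceType None keeps it on this object only
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($rule)
        if ($WhatIf) { Write-Host "Would grant Full Control on $dn to $Principal" }
        else         { Set-Acl -Path $path -AclObject $acl }
    }
}

function Get-DhcpAuthorizeRight {
    # Explicit (non-inherited) ACEs on the two objects: everyone listed here can authorize
    # and unauthorize DHCP servers for the whole forest, so this list should be short.
    foreach ($dn in Get-DhcpDelegationTargets) {
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { -not $_.IsInherited } |
            Select-Object @{n='Object';e={$dn}}, IdentityReference, ActiveDirectoryRights, AccessControlType
    }
}

# Usage:
# Grant-DhcpAuthorizeRight -Principal 'mydomain\dhcpadmins' -WhatIf
# Grant-DhcpAuthorizeRight -Principal 'mydomain\dhcpadmins'
# Get-DhcpAuthorizeRight | Format-Table -AutoSize
```

Get-DhcpAuthorizeRight is also the check to run before the change: by default only Enterprise Admins hold these rights, and any other entry that shows up there is a delegation someone made earlier and possibly forgot.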

Integrating Mac OS X Yosemite in AD world

How to access the disks mapped through RDP?


Windows XP / Server 2003 and later support mapping the client workstation's drives back into a Terminal Services (Remote Desktop) session. This means you can copy files from the server to the client and vice versa.

Each volume (removable, fixed or network) available on the client workstation is mapped (A for drive A:, C for drive C:, X for drive X: etc.) and the remote session accesses them with the client user's permissions, not the session user's. So if you are logged on to the workstation as user A and you log in to the Terminal Services server as user B, the session will have access to the drives according to A's permissions. The flip side is that everything A can read on the workstation becomes readable from the server: a compromised or untrusted RDP host can pull files from every redirected drive, so only redirect drives to servers you trust, and disable drive redirection by policy ("Do not allow drive redirection") on servers that do not need it.

Drives can also be mapped like a network drive. The client drives are accessible as \\TSCLIENT\C. Note that the client workstation's machine name is not used; it is always referenced with the generic name TSCLIENT.

So you can map a drive as follows:

NET USE Y: \\TSCLIENT\D

or simply use the Universal Naming Convention (UNC) syntax:

COPY \\TSCLIENT\C\MYDIR\*.XLS

example: ROBOCOPY \\PC\Share \\TSCLIENT\C *.* /S /Z /NP

To view the shared folders you can access on the client computer (the one running the Remote Desktop Client), type NET VIEW \\TSCLIENT at the command prompt.

Note: If you receive an "Attempt to access invalid address" error when using the UNC path \\tsclient\c, then the problem is on the client side.

Likely, the Windows firewall is turned on and blocking file shares, "File and Printer Sharing for Microsoft Networks" is turned off in the NIC properties, the Server service is disabled, or simple file sharing is enabled on the client.

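On the server side, the quickest way to know whether client drives can reach a host at all is to read the two registry values behind the "Do not allow drive redirection" policy, and, from inside a session, to see which client volumes are actually exposed. The function below is an added example and not from the original post; fDisableCdm is the real value name used by the policy and by the RDP-Tcp listener configuration, and the drive enumeration simply probes \\tsclient\<letter> the way the NET VIEW command above does.

```powershell
# Added example, not from the original post: audit RDP drive redirection on this host.
function Get-RdpDriveRedirectionState {
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'          # GPO "Do not allow drive redirection"
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' # per-listener setting
    $policy   = Get-ItemProperty -Path $policyKey   -Name fDisableCdm -ErrorAction SilentlyContinue
    $listener = Get-ItemProperty -Path $listenerKey -Name fDisableCdm -ErrorAction SilentlyContinue
    $disabledByPolicy   = ($policy.fDisableCdm -eq 1)
    $disabledOnListener = ($listener.fDisableCdm -eq 1)

    # SESSIONNAME is RDP-Tcp#<n> inside a Remote Desktop session, Console otherwise
    $inRdpSession = ($env:SESSIONNAME -like 'RDP-*')
    $visible = @()
    if ($inRdpSession -and -not ($disabledByPolicy -or $disabledOnListener)) {
        # Each redirected client volume appears as \\tsclient\<drive letter>
        $visible = @(65..90 | ForEach-Object { [char]$_ } |
                     Where-Object { Test-Path "\\tsclient\$_" } |
                     ForEach-Object { "\\tsclient\$_" })
    }
    [pscustomobject]@{
        DriveRedirectionDisabledByPolicy   = $disabledByPolicy
        DriveRedirectionDisabledOnListener = $disabledOnListener
        InRdpSession                       = $inRdpSession
        ClientDrivesVisible                = $visible
    }
}

Get-RdpDriveRedirectionState | Format-List
```

Run it from an RDP session on a jump host or on a server that handles sensitive data: if ClientDrivesVisible is not empty there, every administrator who connects is also exposing their workstation's disks to that server.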

How to display changes (change history) on Quest ARS in Powershell?


The help file for the ActiveRoles Management Shell is in the product installation folder:

Quest Software\ActiveRoles Server\v6.9\Solutions\Free Tools\Management Shell for Active Directory\

Copy ArPowershell.chm to your desktop and open it.

Get-QARSLastOperation cmdlet:

Get-QARSLastOperation [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-Proxy] [-Service <string>] [-UseGlobalCatalog] [<CommonParameters>]
Example:
C:\PS>Connect-QADService -Proxy
C:\PS>New-QADUser -ParentContainer 'labdomain.local/Users' -Name 'dummy'
C:\PS>Get-QARSLastOperation

Get-QARSOperation cmdlet:

Get-QARSOperation [-TargetObject <IdentityParameter[]>] [-AttributesChanges <hashtable>] [-ChangedAttributes <string[]>] [-CompletedAfter <DateTimeParameter>] [-CompletedBefore <DateTimeParameter>] [-CompletedOn <DayParameter>] [-CompletedRecently <RelativeDateTimeParameter>] [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-InitiatedAfter <DateTimeParameter>] [-InitiatedBefore <DateTimeParameter>] [-InitiatedBy <IdentityParameter[]>] [-InitiatedByMe] [-InitiatedOn <DayParameter>] [-InitiatedRecently <RelativeDateTimeParameter>] [-OperationID <string[]>] [-OperationStatus <OperationStatus[]>] [-OperationType <OperationType[]>] [-ParentContainer <IdentityParameter[]>] [-Proxy] [-Service <string>] [-SizeLimit <int>] [-TargetObjectType <string[]>] [-UseGlobalCatalog] [<CommonParameters>]

Examples

Example 1

C:\PS>Get-QARSOperation -CompletedOn 'Today' -ParentContainer 'test.domain.com/container' -TargetObjectType 'user' -OperationType 'Modify' | %{$_.TargetObjectInfo.DN} | Group-Object | %{$_.Name}

List the user accounts from a particular container that were changed on the current date.

Example 2

C:\PS>Get-QARSOperation -CompletedOn (get-date -year 2008 -month 9 -day 1) -ParentContainer 'test.domain.com/container' -TargetObjectType 'Group' -OperationType 'Create' | %{$_.TargetObjectInfo.DN} | Group-Object | %{$_.Name}

List the groups that were created in a particular container on September 1, 2008.

Example 3

C:\PS>Get-QARSOperation -CompletedRecently ([TimeSpan]::FromDays(30)) -TargetObject 'domainName\groupName' -OperationType 'GroupMembershipChange' | %{$_.InitiatorInfo.NTAccountName} | Group-Object | %{$_.Name}

List the names of the security principals that added or removed members of a particular group during the last 30 days.

Example 4

C:\PS>Get-QARSOperation -TargetObject 'domain\user' -OperationType 'Modify' -ChangedAttributes 'edsaPassword' | %{$_.InitiatorInfo.NTAccountName} | Group-Object | select Name

List the names of the security principals that changed or reset the password of a particular user account.

Example 5

C:\PS>Get-QARSOperation -CompletedRecently ([TimeSpan]::FromDays(7)) -TargetObjectType user -ParentContainer 'test.domain.com/container' -InitiatedBy 'MyDomain\JSmith' | %{$_.TargetObjectInfo.DN}

List all user accounts from a particular container that were changed by the user 'MyDomain\JSmith' during the last 7 days.

Example 6

C:\PS>Get-QARSOperation -TargetObject 'domain\user' -ChangedAttributes l,streetAddress -CompletedOn ((get-date).AddDays(-1)) | %{$_.InitiatorInfo.NTAccountName} | Group-Object | select Name

List the names of the security principals that changed the City (l) or Street Address (streetAddress) attribute of a particular user account yesterday.

Example 7

C:\PS>Get-QARSOperation -ParentContainer test.domain.com/container -TargetObjectType group -OperationType 'GroupMembershipChange' -CompletedAfter (get-date -year 2008 -month 9 -day 15 -hour 0 -minute 0 -second 0) -CompletedBefore (get-date -year 2008 -month 9 -day 30 -hour 23 -minute 59 -second 59) | %{$_.TargetObjectInfo.DN} | Group-Object | %{$_.Name}

List the groups from a particular container whose membership list (member attribute) changed during the period from September 15, 2008 to September 30, 2008.


Hacking Active Directory for dummies!
