Wednesday, 13 July 2016

whenCreated vs createTimeStamp

Both are Active Directory schema attributes that hold the date and time at which an AD object was created. Both return the same value, but the value is stored only in the whenCreated attribute: createTimeStamp is a constructed attribute that reads its data from whenCreated.

The whenCreated attribute was implemented first; createTimeStamp was added later as a constructed attribute to be compliant with the LDAP standard, so the data is stored only once in the Active Directory database.

Both attributes are replicated to all DCs. createTimeStamp should not be replicated to the Global Catalog server, since the isMemberOfPartialAttributeSet property of that attribute is not TRUE. However, you can also get a value from the GC.
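Added example (not from the original post) that checks the two claims above against the schema partition: whether each attribute is constructed (systemFlags bit 0x4, FLAG_ATTR_IS_CONSTRUCTED) and whether it is a member of the partial attribute set, then compares both values on one object. It assumes the ActiveDirectory module and a domain-joined session.

```powershell
# Added example, not from the original post; needs the ActiveDirectory module
# and a domain-joined session. FLAG_ATTR_IS_CONSTRUCTED (0x4) is the
# systemFlags bit that marks a schema attribute as constructed.
Import-Module ActiveDirectory
$FLAG_ATTR_IS_CONSTRUCTED = 0x4
$schemaNC = (Get-ADRootDSE).schemaNamingContext

foreach ($name in 'whenCreated', 'createTimeStamp') {
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" `
        -Properties systemFlags, isMemberOfPartialAttributeSet
    [pscustomobject]@{
        Attribute       = $name
        Constructed     = [bool]($attr.systemFlags -band $FLAG_ATTR_IS_CONSTRUCTED)
        # $null (attribute not set) converts to False here.
        InGlobalCatalog = [bool]$attr.isMemberOfPartialAttributeSet
    }
}

# Constructed attributes are not returned by default; ask for both explicitly
# and confirm they carry the same timestamp for one object (here: the caller).
$u = Get-ADUser -Identity $env:USERNAME -Properties whenCreated, createTimeStamp
[pscustomobject]@{
    whenCreated     = $u.whenCreated
    createTimeStamp = $u.createTimeStamp
    SameValue       = ($u.whenCreated -eq $u.createTimeStamp)
}
```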

Sources:

whenCreated vs createTimeStamp
Active directory attributes - createTimeStamp & whenCreated

Tuesday, 12 July 2016

UserAccountControl Attribute Flag Values - Active Directory

The UserAccountControl attribute is a bitwise attribute that controls the behaviour of AD user and computer accounts.

The attribute value can be zero or a combination (bitwise OR) of one or more of the following values.

Property flag                    Value in hexadecimal   Value in decimal
SCRIPT                           0x0001                 1
ACCOUNTDISABLE                   0x0002                 2
HOMEDIR_REQUIRED                 0x0008                 8
LOCKOUT                          0x0010                 16
PASSWD_NOTREQD                   0x0020                 32
PASSWD_CANT_CHANGE               0x0040                 64
ENCRYPTED_TEXT_PWD_ALLOWED       0x0080                 128
TEMP_DUPLICATE_ACCOUNT           0x0100                 256
NORMAL_ACCOUNT                   0x0200                 512
INTERDOMAIN_TRUST_ACCOUNT        0x0800                 2048
WORKSTATION_TRUST_ACCOUNT        0x1000                 4096
SERVER_TRUST_ACCOUNT             0x2000                 8192
DONT_EXPIRE_PASSWORD             0x10000                65536
MNS_LOGON_ACCOUNT                0x20000                131072
SMARTCARD_REQUIRED               0x40000                262144
TRUSTED_FOR_DELEGATION           0x80000                524288
NOT_DELEGATED                    0x100000               1048576
USE_DES_KEY_ONLY                 0x200000               2097152
DONT_REQ_PREAUTH                 0x400000               4194304
PASSWORD_EXPIRED                 0x800000               8388608
TRUSTED_TO_AUTH_FOR_DELEGATION   0x1000000              16777216
PARTIAL_SECRETS_ACCOUNT          0x04000000             67108864

Note: You cannot assign PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "UserAccountControl flag descriptions" section below.

Note: In a Windows Server 2003-based domain, LOCKOUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information, check this article: https://msdn.microsoft.com/en-us/library/ms677840.aspx.

All of this information is available in the Microsoft KB article: https://support.microsoft.com/en-in/kb/305144

UserAccountControl flag descriptions:

  • SCRIPT - The logon script will be run.
  • ACCOUNTDISABLE - The user account is disabled.
  • HOMEDIR_REQUIRED - The home folder is required.
  • PASSWD_NOTREQD - No password is required.
  • PASSWD_CANT_CHANGE - The user cannot change the password. This is a permission on the user's object. For information about how to programmatically set this permission, visit the following Web site:
  • ENCRYPTED_TEXT_PASSWORD_ALLOWED - The user can send an encrypted password.
  • TEMP_DUPLICATE_ACCOUNT - This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
  • NORMAL_ACCOUNT - This is a default account type that represents a typical user.
  • INTERDOMAIN_TRUST_ACCOUNT - This is a permit to trust an account for a system domain that trusts other domains.
  • WORKSTATION_TRUST_ACCOUNT - This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
  • SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain.
  • DONT_EXPIRE_PASSWD - Represents the password, which should never expire on the account.
  • MNS_LOGON_ACCOUNT - This is an MNS logon account.
  • SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.
  • TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
  • NOT_DELEGATED - When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
  • USE_DES_KEY_ONLY - (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
  • DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
  • PASSWORD_EXPIRED - (Windows 2000/Windows Server 2003) The user's password has expired.
  • TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network. 
  • PARTIAL_SECRETS_ACCOUNT - (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server.
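Added example (not from the original post or the KB article): a decoder that turns a raw userAccountControl integer into the flag names from the table above, and additionally reports which of the flags the post marks as security-sensitive, or that weaken authentication, are set. The two sample values are constructed for the demo.

```powershell
# Added example, not from the original post. Flag names and values are the
# ones in the table above; the sample userAccountControl values are constructed.
[Flags()] enum UserAccountControl {
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000
}

# Flags the post marks as security-sensitive, plus the ones that weaken
# authentication; an audit should at least list the accounts carrying them.
$SensitiveFlags = [UserAccountControl]'PASSWD_NOTREQD, DONT_REQ_PREAUTH, USE_DES_KEY_ONLY, TRUSTED_FOR_DELEGATION, TRUSTED_TO_AUTH_FOR_DELEGATION'

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $flags     = [UserAccountControl]$Value
    $sensitive = [UserAccountControl]([int]$flags -band [int]$SensitiveFlags)   # mask with -band
    [pscustomobject]@{
        Value     = $Value
        Flags     = $flags.ToString()
        Disabled  = $flags.HasFlag([UserAccountControl]::ACCOUNTDISABLE)
        Sensitive = $(if ([int]$sensitive -eq 0) { 'none' } else { $sensitive.ToString() })
    }
}

# Constructed samples: 66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD,
# 4260352 = the same plus DONT_REQ_PREAUTH.
66048, 4260352 | ForEach-Object { ConvertFrom-UserAccountControl $_ } | Format-List
```

Against a real domain, pipe the attribute in: `Get-ADUser -Filter * -Properties userAccountControl | ForEach-Object { ConvertFrom-UserAccountControl $_.userAccountControl }`.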

Tuesday, 5 July 2016

How to call a function in a ps1 file from powershell

In the PowerShell world, a user-defined function is one of the easiest ways to reuse a set of PowerShell commands. Sometimes such a function is too big to keep inline, so keeping functions in a separate .ps1 file and loading them by importing that file is a good choice. In this post I explain how to import a PowerShell function from a .ps1 file.

Load Powershell function from ps1 file:

Imagine a file MyScript.ps1 with the following content:
Write-Host "Loading functions"
function MyFunc
{
    Write-Host "MyFunc is running!"
}
Write-Host "Done"
To register the function MyFunc, run the .ps1 file with the dot (.) operator as prefix:
. C:\Scripts\MyScript.ps1
The dot operator is used to include (dot-source) the script in the current session:
PS C:>  . C:\Scripts\MyScript.ps1
Loading functions
Done

PS C:\> MyFunc
MyFunc is running!

Import Powershell function from psm1 file:

We can also import a function from a .psm1 file by using the Import-Module command. The major advantage of Import-Module is that you can unload the module from the shell if you need to, and it keeps the variables in the script from creeping into the shell. First, save MyScript.ps1 as MyScript.psm1 and load it using the command below.
Import-Module C:\Scripts\MyScript.psm1
PS C:\> Import-Module C:\Scripts\MyScript.psm1
Loading functions
Done
PS C:\> MyFunc
MyFunc is running!
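Added example (not from the original post) that makes the scoping difference described above visible: the same file body is loaded once by dot-sourcing and once with Import-Module, and the script-level variable is checked in the caller's scope after each. The files are written under a constructed temp directory and removed at the end.

```powershell
# Added example, not from the original post. File names under $env:TEMP are
# constructed for this demo; the function body mirrors the post's MyScript.ps1.
$dir = Join-Path $env:TEMP 'ps-import-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$body = @'
$Secret = 'only meant for the script'
function MyFunc { "MyFunc is running! Secret=$Secret" }
'@
Set-Content -Path (Join-Path $dir 'MyScript.ps1')  -Value $body
Set-Content -Path (Join-Path $dir 'MyScript.psm1') -Value $body

# 1) Dot-sourcing runs the file in the caller's scope: the function AND the
#    script's variables land in the current session.
. (Join-Path $dir 'MyScript.ps1')
MyFunc
"After dot-sourcing, `$Secret in the caller's scope = '$Secret'"
Remove-Item Function:\MyFunc
Remove-Variable Secret

# 2) Import-Module runs the file in its own module scope: MyFunc is exported,
#    but $Secret stays inside the module (MyFunc still sees it).
Import-Module (Join-Path $dir 'MyScript.psm1')
MyFunc
"After Import-Module, `$Secret in the caller's scope = '$Secret'"   # empty
Get-Command MyFunc | Select-Object Name, Source                      # Source = MyScript

# 3) A module can be unloaded again; a dot-sourced function cannot.
Remove-Module MyScript
Get-Command MyFunc -ErrorAction SilentlyContinue                     # no output

Remove-Item $dir -Recurse -Force
```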