Richard Siddaway's Blog

Removing smart card restrictions

richardsiddaway — Wed, 22 Feb 2012 19:27:39 +0000

If you have users who drop out of the group that need to use smart cards then you will need to remove the setting. This is the opposite to setting

$ou = "OU=England,DC=Manticore,DC=org"            

"`nMicrosoft"
$name = "UserA"
Get-ADUser -Identity $name |
Set-ADUser -SmartcardLogonRequired:$false            

"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
$flag = (Get-ItemProperty -Path AD:\$dn  -Name useraccountcontrol).useraccountcontrol -bxor 262144
Set-ItemProperty -Path AD:\$dn  -Name useraccountcontrol -Value "$flag" -Confirm:$false            

"`nQuest"
$name = "UserC"
$user = Get-QADUser -Identity $name -IncludeAllProperties            

$flag = $user.userAccountControl -bxor 262144
$user.userAccountControl = $flag
Set-QADUser -Identity $name -ObjectAttributes @{userAccountControl = $flag}            

"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"            

$flag = $user.userAccountControl.value -bxor 262144
$user.userAccountControl = $flag            

$user.SetInfo()

Microsoft supply a cmdlet – all other options are required to toggle the 262144 bit

Finding users who have to use smart cards

richardsiddaway — Wed, 22 Feb 2012 19:24:33 +0000

If you have users who have to use smart cards or if you think someone has had this set inadvertently you need to be able to find them

$ou = "OU=England,DC=Manticore,DC=org"            

"`nMicrosoft"
Get-ADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=262144))" |
Format-Table Name, DistinguishedName            

"`nAD provider"
Get-ChildItem -Filter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=262144))" `
 -Path Ad:\"DC=Manticore,DC=org" -Recurse |
Format-Table Name, DistinguishedName            

"`nQuest"
Get-QADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=262144))" |
Format-Table Name, DN            

"`nScript"
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=262144))"
$search.SizeLimit = 3000
$results = $search.FindAll()            

foreach ($result in $results){
    $result.Properties |
    select @{N="Name"; E={$_.name}}, @{N="DistinguishedName"; E={$_.distinguishedname}}
}

In all cases we use an LDAP filter that us searching for users with the 262144 bit set – (useraccountcontrol:1.2.840.113556.1.4.803:=262144)

Forcing users to use smart card for logon

richardsiddaway — Wed, 22 Feb 2012 19:19:44 +0000

In some organisations some or all of the users are required to use a smart card for logon. We need to tell AD this is so. In the GUI we select the “Smart card is required for interactive logon” but when scripting we set the useraccountcontrol attribute

$ou = "OU=England,DC=Manticore,DC=org"            

"`nMicrosoft"
$name = "UserA"
Get-ADUser -Identity $name |
Set-ADUser -SmartcardLogonRequired:$true            

"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
$flag = (Get-ItemProperty -Path AD:\$dn  -Name useraccountcontrol).useraccountcontrol -bxor 262144
Set-ItemProperty -Path AD:\$dn  -Name useraccountcontrol -Value "$flag" -Confirm:$false            

"`nQuest"
$name = "UserC"
$user = Get-QADUser -Identity $name -IncludeAllProperties            

$flag = $user.userAccountControl -bxor 262144
$user.userAccountControl = $flag
Set-QADUser -Identity $name -ObjectAttributes @{userAccountControl = $flag}            

"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"            

$flag = $user.userAccountControl.value -bxor 262144
$user.userAccountControl = $flag            

$user.SetInfo()

As with previous tasks involving the useraccount control attribute the Microsoft cmdlets have a cmdlet & parameter while everthing else has to work through toggling the 262144 bit

object vs value

richardsiddaway — Wed, 22 Feb 2012 19:13:18 +0000

An interesting question came up recently. A Powershell user was trying to access an AD attribute so they did something like this

$x = Get-ADUser -Identity usera -Properties * | select useraccountcontrol

When they tried to use $x it didn’t correctly in the rest of the script.

Select-object is used to filter down the attributes that are left on the object as it passes on the pipeline

PS> Get-ADUser -Identity usera -Properties * | select useraccountcontrol

useraccountcontrol
——————
512

If you just want the value rather than an object (I know that its still an object but in reality we work directly with the value) then use –expandproperty. On a property with a single value it returns that value

PS> Get-ADUser -Identity usera -Properties * | select -expandproperty useraccountcontrol
512

System Center engineering blogs

richardsiddaway — Tue, 21 Feb 2012 22:17:37 +0000

The System Center family of products is getting a big make over in the 2012 release. The team blogs have just been rebranded to reflect this

System Center: Service Manager

System Center: Operations Manager

System Center: Virtual Machine Manager

System Center: Orchestrator

System Center: Data Protection Manager

Removing AES key length setting

richardsiddaway — Tue, 21 Feb 2012 19:03:34 +0000

It may become necessary to remove these settings

$ou = "OU=England,DC=Manticore,DC=org"            

"`nMicrosoft"
$name = "UserA"
Get-ADUser -Identity $name |
Set-ADUser -Replace @{"msDS-SupportedEncryptionTypes" = 0}            

"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
Set-ItemProperty -Path AD:\$dn  -Name "msDS-SupportedEncryptionTypes" -Value "0" -Confirm:$false            

"`nQuest"
$name = "UserC"
Get-QADUser -Identity $name -IncludeAllProperties |
Set-QADUser -ObjectAttributes @{"msDS-SupportedEncryptionTypes" = 0}            

"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"            

$user."msDS-SupportedEncryptionTypes" = 0
$user.SetInfo()

Set the msDS-SupportedEncryptionTypes attribute to 0

Get AES key length

richardsiddaway — Tue, 21 Feb 2012 19:00:48 +0000

Finding out users that have an AES key length set is fun

function resolve-AESKey {
 param (
  [int]$key
 )
  if ($key -eq 8){$length = "128 bits"}
  else {$length = "256 bits"}
  $length
}            

$ou = "OU=England,DC=Manticore,DC=org"            

"`nMicrosoft"
Get-ADUser -Properties * -LdapFilter "(&(objectclass=user)(objectcategory=user)(msDS-SupportedEncryptionTypes=*)(!msDS-SupportedEncryptionTypes=0))" |
Format-Table Name, DistinguishedName,
@{N="AESKey"; E={resolve-AESKey $($_."msDS-SupportedEncryptionTypes")}} -AutoSize            

"`nAD provider"
Get-ChildItem -Filter "(&(objectclass=user)(objectcategory=user)(msDS-SupportedEncryptionTypes=*)(!msDS-SupportedEncryptionTypes=0))" `
 -Path Ad:\"DC=Manticore,DC=org" -Recurse | foreach {
$set = Get-ItemProperty -Path ad:\"$($_.DistinguishedName)" -name msDS-SupportedEncryptionTypes |
 select -ExpandProperty msDS-SupportedEncryptionTypes
 New-Object -TypeName PSObject -Property @{
   Name = $($_.Name)
   DistinguishedName = $($_.DistinguishedName)
   AESKey = resolve-AESKey $set
 }
 } | Format-Table Name, DistinguishedName, AESKey -AutoSize            

"`nQuest"
Get-QADUser -IncludeAllProperties -LdapFilter "(&(objectclass=user)(objectcategory=user)(msDS-SupportedEncryptionTypes=*)(!msDS-SupportedEncryptionTypes=0))" |
Format-Table Name, DN,
@{N="AESKey"; E={resolve-AESKey $($_."msDS-SupportedEncryptionTypes")}} -AutoSize            

"`nScript"
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=user)(objectcategory=user)(msDS-SupportedEncryptionTypes=*)(!msDS-SupportedEncryptionTypes=0))"
$search.SizeLimit = 3000
$search.PropertiesToLoad.Add("name") | Out-Null
$search.PropertiesToLoad.Add("distinguishedname") | Out-Null
$search.PropertiesToLoad.Add("msDS-SupportedEncryptionTypes") | Out-Null
$results = $search.FindAll()            

foreach ($result in $results){
    $result.Properties |
    select @{N="Name"; E={$_.name}}, @{N="DistinguishedName"; E={$_.distinguishedname}},
    @{N="AESKey"; E={resolve-AESKey $($_."msds-supportedencryptiontypes")}}
}

Normally this attribute wouldn’t be set so we search for users with it set and where its not equal to zero. The way to unset the attribute is to give it a value of zero

A function has been written – resolve-aeskey to return a descriptive string based on the key length. Again I have gone for 128 or 256 bit key

The provider wouldn’t normally include the msDS-SupportedEncryptionTypes attribute so we create an object and add that as a aanother property using Get-Itemproperty

The script is similar in that msDS-SupportedEncryptionTypes isn’t normally included in the results so I used the PropertiesToLoad.Add() method to explicitly set the attributes I wanted returned – saves another trip back to AD

Setting AES key length

richardsiddaway — Tue, 21 Feb 2012 18:52:42 +0000

Staying with the account tab we also get options to set the account to support AES encryption using 128 or 256 bit keys. I have chose to make this an either/or deal but you could use both. Either loop through setting both explicitly or add another option

$keyboth = 24

$key128 = 8
$key256 = 16            

$ou = "OU=England,DC=Manticore,DC=org"            

"`nMicrosoft"
$name = "UserA"
Get-ADUser -Identity $name |
Set-ADUser -Replace @{"msDS-SupportedEncryptionTypes" = $key128}            

"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
Set-ItemProperty -Path AD:\$dn  -Name "msDS-SupportedEncryptionTypes" -Value "$key256" -Confirm:$false            

"`nQuest"
$name = "UserC"
Get-QADUser -Identity $name -IncludeAllProperties |
Set-QADUser -ObjectAttributes @{"msDS-SupportedEncryptionTypes" = $key128}            

"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"            

$user."msDS-SupportedEncryptionTypes" = $key256
$user.SetInfo()

This time we get to play with that well known attribute msDS-SupportedEncryptionTypes.

We have to put the name in quotes because of the “-“ in the name – you may have noticed it in earlier scripts. This attribute is a bitmask but only two bits are used at present

8 = 128 bit key length

16 =256 bit key length

In all cases we set the attribute to the chosen value.

UG meeting reminder

richardsiddaway — Mon, 20 Feb 2012 22:35:07 +0000

First reminder for the UG meeting on 28February – PowerShell and SQL Server

details from

http://msmvps.com/blogs/richardsiddaway/archive/2012/02/09/february-powershell-group-meeting-sql-server-and-powershell.aspx

Remove DES keys setting

richardsiddaway — Mon, 20 Feb 2012 11:32:48 +0000

If you find any user accounts configured to use DES encryption you probably want to remove the setting

$ou = "OU=England,DC=Manticore,DC=org"            

"`nMicrosoft"
$name = "UserA"
Get-ADUser -Identity $name |
Set-ADAccountControl -UseDESKeyOnly:$false            

"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
$flag = (Get-ItemProperty -Path AD:\$dn  -Name useraccountcontrol).useraccountcontrol -bxor 2097152
Set-ItemProperty -Path AD:\$dn  -Name useraccountcontrol -Value "$flag" -Confirm:$false            

"`nQuest"
$name = "UserC"
$user = Get-QADUser -Identity $name -IncludeAllProperties            

$flag = $user.userAccountControl -bxor 2097152
$user.userAccountControl = $flag
Set-QADUser -Identity $name -ObjectAttributes @{userAccountControl = $flag}            

"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"            

$flag = $user.userAccountControl.value -bxor 2097152
$user.userAccountControl = $flag            

$user.SetInfo()

We get a cmdlet/parameter approach with the Microsoft cmdlets – the others toggle the 2097152 bit on the userAccountControl attribute