Wednesday, November 4, 2015

LDAP Queries for Users, Computers, Groups and Service Connection Points v2



Find attached a lot of ldap queries. An example how to use this queries using ADUC, see this post.

Computer accounts


Computer accounts starting with WS
(objectcategory=computer)(samaccountname=WS*)

Computer accounts with "COP" in the attribute "description"
(&(objectCategory=computer)(description=*COP*))
or
(&(objectCategory=computer)(description=*COP)) -->for only COP in the description

Computer accounts with MS-SQL installed
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*))

Computer accounts with a Server OS
(&(objectCategory=computer)(operatingsystem=*server*))

Find all Computers that do not have a Description
(objectCategory=computer)(!description=*)

Find all computer accounts for whom a manager is specified
(&(&(objectCategory=computer)(objectClass=computer))
(managedBy=*))
Find All Workstations
(sAMAccountType=805306369)
or
(&(objectCategory=computer)(objectClass=computer))

Find all 2003 Servers Non-DCs
(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2003*)))

Find all 2003 Servers – DCs
(&(&(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))))

Find all Server 2008
(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2008*))))

Find all 2008 Servers – DCs
(&(&(&(&(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server* 2008*)))))

Disabled Computer Acounts
(&(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2)))

Enabled Computer Acounts
(&(&(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))))

SQL Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server*))

Exchange Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*))

Find all Windows XP SP3 computers
(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))))))))

Find all Windows Vista SP1 computers
(&(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))

Find all Windows Server 2008 Enterprise computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008 Enterprise)(operatingSystemServicePack=Service Pack 1))

Find all Windows Server 2008 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008*))

Find all Windows 8.0 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 8*)(operatingSystemVersion=6.2 (9200))) 

Find all Windows 8.1 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 8.1*))

Find all Windows Server 2012 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*))

Find all Windows Server 2012 no R2 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*)
(operatingSystemVersion=6.2 (9200))) 

 Find all Windows Server 2012 R2 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012 R2*)) 

Find all Windows 10 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 10*))

User accounts


Find all user accounts
(&(objectCategory=person)(objectClass=user))

Find all user accounts for whom a password is not required
(&(&(objectCategory=person)(objectClass=user))
(UserAccountControl:1.2.840.113556.1.4.803:=32))

Find all user accounts that do not require a SmartCard for logon
(&(&(objectCategory=person)(objectClass=user))
(!(UserAccountControl:1.2.840.113556.1.4.803:=262144)))

Find users that have non-expiring passwords
(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)

To find all user accounts that have the name “Mueller” in them
(objectcategory=person)(samaccountname=*Mueller*)

Locked out user accounts
(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))

Useraccounts starting with "A" in the Attribute "Common Name"
(&(objectCategory=user)(cn=A*))

Diabled user accounts
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Useraccounts without an value in Attribute "Mail"
(&(objectCategory=person)(objectClass=user)(!mail=*))

Useraccounts with Mail Enabled
(objectClass=user)(mail=*)

Useraccounts that have never logged on
(&(objectCategory=person)(objectClass=user))(|(lastLogon=0)(!(lastLogon=*)))

Users that have been given dial-in permissions
(objectCategory=user)(msNPAllowDialin=TRUE)
Users find who have admin in description field
(objectcategory=person)(description=*admin*)

Find user accounts with no log on script
(objectcategory=person)(!scriptPath=*)

Find user accounts with no profile path
(objectcategory=person)(!profilepath=*)

Find non disabled accounts that must change their password at next logon
(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

Find all Users that need to change password on next login
(&(objectCategory=user)(pwdLastSet=0))

Finds all locked out accounts
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16)

Finds all Users with Email Address set
(objectcategory=person)(mail=*)

Finds all Users with no Email Address
(objectcategory=person)(!mail=*)

Find all Users with Dial-In permissions
(objectCategory=user)(msNPAllowDialin=TRUE)

Finds all disabled accounts in active directory
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)

Find all Users that are almost Locked-Out
Notice the “>=” that means “Greater than or equal to”.
(objectCategory=user)(badPwdCount>=2)

Find all mail-enabled groups hidden from the Global Address list (GAL)
(&(&(objectCategory=group)(objectClass=group))
(&(mailnickname=*)(msExchHideFromAddressLists=TRUE)))

Find all mail-enabled security groups
(&(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648))
(mailnickname=*))

Find all mailbox-enabled accounts
(&(&(objectCategory=person)(objectClass=user))
(&(mailnickname=*)(|(msExchhomeServerName=*)(homeMDB=*))))

Find all mailbox-enabled accounts with Outlook Web Access (OWA) disabled
(&(&(objectCategory=person)(objectClass=user))
(&(mailnickname=*)(|(msExchhomeServerName=*)(homeMDB=*))
(|(protocolSettings=*HTTP§0*)(protocolSettings=*OWA§0*))))

Find all users with Hidden Mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))

(&(&(objectCategory=person)(objectClass=user))(lastLogon>=129772445240000000))



Groups


To find all groups that have no members
(objectCategory=group)(!member=*)

Find Groups that contains the word admin
(objectcategory=group)(samaccountname=*admin*)

Find all Universal Groups
(groupType:1.2.840.113556.1.4.803:=8)

Find all global security groups
(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483650))

Finds Domain Local Groups
(groupType:1.2.840.113556.1.4.803:=4)

Find all distribution groups
(&(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))(objectCategory=ms-Exch-Dynamic-Distribution-List)(objectClass=msExchDynamicDistributionList)))

List all groups with sec- prefix convention
(&(objectCategory=group)(name=*sec-*))

Find all security groups with members
(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.804:=2147483648)(member=*))



Service connection Points


Find all service connection points
(objectCategory=serviceConnectionPoint)

Find all service connection points that do not have service bindings specified
(&(objectCategory=serviceConnectionPoint)(!(serviceBindingInformation=*)))

Find all service connection points that do not have a service DNS name specified
(&(objectCategory=serviceConnectionPoint)(!(serviceDNSName=*)))


Thursday, October 22, 2015

Replications problems between two DCs caused by faulty Schannel and wrong Kerberos ticket of the affected DCs Computer object

Problem:
•    Automatic and manual replication gives error:
Error Message "Target Principal Name is Incorrect"

•    AD Replication error 8452 remains:
"The naming context is in the process of being removed or is not replicated from the specified server."

•    KCC builds wrong NTDS partners

Directory Services Events:
•    EventID 36871  Schannel
A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

•    Event  ID 36886 Schannel
No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.




Solution:
•    Affected DC cannot communicate with the PDC
•    Renewal of the Schannel on the affected DC is required
•    New Kerberos ticket has to be requested from PDC
•    KCC has to be restarted to rebuild the replications partner(s)


Actions needed:
1.    Stop the KDC service:
C:\>net stop KDC
2.    Purge kerberos tickets using KLIST:
C:\>klist purge
3.    Find PDC Domain Controller in the domain of the affected DC
4.    Reset secure channel from Problem DC's to PDC:
C:\>netdom resetpwd /server:<PDC> /userd:<DOMAIN>\<Admin_account>
/passwordd:*
5. Access the PDC by FQDN to force the Problem DC's to request new kerberos
tickets:
C:\>net use \\<PDC FQDN>\IPC$
6. Force the DC to replicate from PDC: (from active directory sites and services)
7. Start the KDC service:
C:\>net start KDC

Delete existing NTDS connections and check replication topology.

Wednesday, March 25, 2015

Change AD Group membership for multiple Users using Powershell

You can download my script from technet.

- Requirements:
You have to create c:\ADUser.csv looking like this:


Also edit the marked groups in the script matching to your environment. You can extend this as needed.
# Add the specified users to the groups "Petun" and "Petun2" in AD
Add-ADGroupMember -Identity Petun -Member $User.username
Add-ADGroupMember -Identity Petun2 -Member $User.username

Windows Server 2012: The remote session was disconnected because there are no Terminal Server client access licenses available for this computer

If you try a RDP connection you get the following Error message.
 

It could be the case, that no license is available:
So you have to add the needed license to you RD Licensing Server!

If this server isn´t a terminal server you have to run the RDP console with the following parameter:
mstsc /admin

OR->

You can also disable "User Account Control: Run all administrators in Admin Approval Mode" by doing the following steps:

- Open "Search" and type in "secpol" and click on "Local Security Policy"
 

- In the "Local Security Policy" browse to "Local Policies/Security" options and set "User Account Control: Run all administrators in Admin Approval Mode" to "Disabled".



After this change restart the server.