Monday, May 30, 2016

Use Splatting, Proxy, and Metadata in PowerShell

  • Splatting is the ability to use a dictionary or a list to supply parameters to a command.

    Example:
    $MailMessage = @{
        To = "me@mycompany.com"
        From = "me@mycompany.com"
        Subject = "Hi"
        Body = "Hello"
        Smtpserver = "smtphost"
        ErrorAction = "SilentlyContinue"
    }
    Send-MailMessage @MailMessage
  • Proxy commands are wrappers of existing commands in Windows PowerShell, and to make this possible, a number of different things had to be enabled in the language that can have interesting other uses.
  • Metadata provides information about the command and parameters of different commands, and provides a structure that you can use to “write” a command without typing out the whole script.

https://blogs.technet.microsoft.com/heyscriptingguy/2010/10/18/use-splatting-to-simplify-your-powershell-scripts/

Tuesday, April 19, 2016

Running Windows Explorer with different "RUNAS" credentials



As part of securing access to Active Directory, and following the Least Privileges Principle, it has been a goal of mine to be able to run all Administrative Tasks on a Management workstation while only logging in to the workstation using a generic, minimum Privileges user account.


While most management consoles can be launched in a "RUNAS" mode, the Achilles heel has been the long-held belief that you could not run Windows Explorer in a RUNAS. This prevents you from doing File System Permission management.


Well, my genius friend (who is an absolute wizard at Google Searches) has found an answer.


Follow the steps below to do it.
  1. Start the Registry Editor as an Administrative User.
  2. Navigate to, take ownership of, and grant yourself Full Control permission to the key HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}
    (This is "Elevated-Unelevated Explorer Factory")
  3. Rename the value RunAs to _RunAs.
  4. Close Regedit.
  5. runas /user:domain\username "c:\windows\explorer.exe /separate"
     
OR another description:

  1. Start -> Run -> regedit
  2. Navigate to the registry key: HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}
  3. Right click on the registry key and click Permissions…
  4. Give Full Control permissions to the user logged in.
  5. Start -> Run -> dcomcnfg.exe -> Expand DCOM Config
  6. Right click and select properties of “Elevated-Unelevated Explorer Factory”, click the Identity tab and select “The launching user”

Friday, April 15, 2016

Active Directory Last Logon. Lots of confusion

I am sure that everyone who administrates AD runs into this problem at some point.

Here is an article that thoroughly lays it all out.

http://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

The summary of this article is that if you want to find out the TRUE last logon activity for a user, it is best to use the command

Search-ADAccount -AccountInactive -DateTime ((get-date).adddays(-90)) -UsersOnly

If you are ONLY interested in dates that are more than 14 days ago, then you can safely use the "LASTLOGONDATE" attribute.  

For anything less than 14 days old, you cannot trust this attribute. You must get fancy and query all of the DCs individually.
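
The per-DC query mentioned above, as an added example (not from the original post or the linked article). It assumes the ActiveDirectory RSAT module is installed; the function names and the sample DC names and values are hypothetical.

```powershell
# Added example: find a user's most recent logon by asking every DC.
# lastLogon is not replicated, so each DC only knows the logons it handled.
function Resolve-LatestLogon {
    # Merge step: take one record per DC and return the newest logon.
    param([Parameter(Mandatory)][object[]]$Record)
    $Record |
        Where-Object { $_.LastLogon -gt 0 } |   # 0 = no logon seen by that DC
        Sort-Object LastLogon -Descending |
        Select-Object -First 1 |
        ForEach-Object {
            [pscustomobject]@{
                DomainController = $_.DomainController
                LastLogon        = [DateTime]::FromFileTimeUtc($_.LastLogon)
            }
        }
}

function Get-TrueLastLogon {
    # Query step: needs the ActiveDirectory module and a reachable domain.
    param([Parameter(Mandatory)][string]$Identity)
    Import-Module ActiveDirectory -ErrorAction Stop
    $records = foreach ($dc in Get-ADDomainController -Filter *) {
        $query = @{                      # splatted parameters for Get-ADUser
            Identity    = $Identity
            Server      = $dc.HostName
            Properties  = 'lastLogon'
            ErrorAction = 'Stop'
        }
        try {
            $user = Get-ADUser @query
            [pscustomobject]@{ DomainController = $dc.HostName; LastLogon = [long]$user.lastLogon }
        } catch {
            # An unreachable DC means the result is only a lower bound.
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }
    if ($records) { Resolve-LatestLogon -Record $records }
}

# Constructed sample (hypothetical DC names and FILETIME values) to run the merge offline.
$sample = @(
    [pscustomobject]@{ DomainController = 'dc01.example.test'; LastLogon = 131000000000000000 }
    [pscustomobject]@{ DomainController = 'dc02.example.test'; LastLogon = 131050000000000000 }
    [pscustomobject]@{ DomainController = 'dc03.example.test'; LastLogon = 0 }
)
Resolve-LatestLogon -Record $sample
```

If any DC produces a warning, treat the returned date as the earliest the last logon could be, not as proof of inactivity, before disabling an account.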

Sunday, February 21, 2016

6 Tips for troubleshooting Active Directory (Link)

I found this article quite helpful.  It contains some excellent detailed information.

https://redmondmag.com/articles/2009/07/01/6-tips-for-troubleshooting-active-directory.aspx

Especially detailed are the AD Diagnostics Registry settings: