Exporting password properties from Active Directory to file with PowerShell

This command exports password information for users from Active Directory and writes it to a CSV file:

Get-ADUser -Filter * -Properties SamAccountName, PasswordLastSet, PasswordNeverExpires | Select SamAccountName, PasswordLastSet, PasswordNeverExpires | Sort SamAccountName | Export-CSV -Path ("{0}\Desktop\AD.User.Password.csv" -f $env:USERPROFILE) -NoClobber -Encoding UTF8 -NoTypeInformation -Force

 

Get Exchange mailboxes of disabled Active Directory accounts with PowerShell

Today a one liner:

I needed a list of Exchange mailboxes with disabled Active Directory accounts. Here is the command to display them in the PowerShell window:

Get-Mailbox | where {$_.ExchangeUserAccountControl -Match "AccountDisabled"} | fl DisplayName, Database, ExchangeUserAccountControl

If you want to create a CSV file that lists all OWA-enabled users but excludes all disabled accounts, use the following command line (using Get-CASMailbox together with Get-Mailbox):

Get-Mailbox | where {$_.ExchangeUserAccountControl -notmatch "AccountDisabled"} | Get-CASMailbox | where {$_.OwaEnabled -eq $true} | Select DisplayName, OwaEnabled | Export-Csv -Path ("{0}\Desktop\OWA.Users.csv" -f $env:USERPROFILE) -NoClobber -Encoding UTF8 -NoTypeInformation

This will create the list and save it as ‘OWA.Users.csv’ on the desktop of the executing account.

Change the Windows updates install time on Hyper-V Server

I needed to change the install time of Windows updates on a Hyper-V Server 2016 from the default of 03:00 to 01:00. There is an option in sconfig (the blue menu box) to change the Windows update install behavior from manual to automatic, but there is no option to change the time when the updates are installed, so it defaults to 3:00 AM. It is also not possible to install the Windows update cmdlets that would allow us to change the configuration of Windows updates, because that feature does not exist in Hyper-V Server.

So the solution is to edit the registry of the server directly. Open regedit and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Add a DWORD (32-bit) value with the following name:

ScheduledInstallTime

Set the entry to the full hour of the day at which you want the system to install updates. For example, if you want the system to install the updates at 01:00, set the value to ‘1’. If you want the system to install updates at 23:00, set the value to 23. Don’t forget to change the base in the Regedit dialog to ‘Decimal’ if you want to set a value greater than 9.

It is only possible to set the time to the full hour.

After the change, restart the Windows Update service with the following commands:

net stop wuauserv
net start wuauserv

You can find a full list with registry options for Windows updates on the following website:

https://technet.microsoft.com/en-us/library/cc708449(v=ws.10)

Another Kerberos error in Cache.log on Squid server

During my configuration of a Squid proxy server on Ubuntu in conjunction with Kerberos and Active Directory, I encountered another error in the cache.log of the Squid server:

ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error; }}

The reason for this error was the loopback address (127.0.0.1) for the current host in the hosts file in /etc/hosts. The entry in the hosts file was like this:

127.0.0.1 squid.contoso.com

I changed the entry to the real IP address of the Ubuntu Server:

192.168.1.250 squid.contoso.com

After the change I restarted the server and the error was gone.

Kerberos authentication error in cache.log on Squid server

I configured Kerberos authentication for a Squid proxy server on Ubuntu in an Active Directory domain. During my tests I got the following error in the cache.log:

ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. No key table entry found matching HTTP/squid@; }}

The reason for this error was a wrong entry in the hosts (/etc/hosts) file on the Ubuntu server. The entry for the server was missing the domain part. So the file contained

192.168.1.40 squid

instead of

192.168.1.250 squid.contoso.com

I added the domain part to the entry and restarted the server. After the reboot the error disappeared in the cache.log.
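A read-only check for both /etc/hosts mistakes, the FQDN on a loopback address from the post above and the entry without the domain part from this one, as an added example that is not part of the original posts. The function name check_kerberos_hosts and the finding labels are made up for this illustration, and the sample entries are constructed from the values shown in the two posts.

```shell
#!/bin/sh
# Added example (not from the original posts). check_kerberos_hosts is a
# hypothetical helper; it only reads the hosts file it is given.
# Prints one finding per line and returns 1 if any finding was printed.
check_kerberos_hosts() {
    awk -v fqdn="$2" '
        BEGIN {
            fqdn = tolower(fqdn)
            short = fqdn; sub(/\..*/, "", short)   # "squid" from "squid.contoso.com"
            good = 0; bad = 0
        }
        { sub(/#.*/, "") }                         # strip comments
        NF < 2 { next }                            # skip blank or address-only lines
        {
            has_fqdn = 0; has_short = 0
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == fqdn) has_fqdn = 1
                else if (name == short) has_short = 1
            }
            loopback = ($1 ~ /^127\./ || $1 == "::1")
            if (has_fqdn && loopback)   { print "LOOPBACK " $1 " " fqdn; bad = 1 }
            if (has_fqdn && !loopback)  { good = 1 }
            if (has_short && !has_fqdn) { print "SHORTNAME_ONLY " $1 " " short; bad = 1 }
        }
        END {
            # Without a non-loopback line carrying the FQDN, the host cannot
            # resolve its own name to its real address.
            if (!good) { print "NO_ROUTABLE_FQDN " fqdn; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample combining the two broken entries from the posts.
sample=$(mktemp)
printf '%s\n' '127.0.0.1 localhost' \
              '127.0.0.1 squid.contoso.com' \
              '192.168.1.40 squid   # domain part missing' > "$sample"
check_kerberos_hosts "$sample" squid.contoso.com || echo "hosts file needs fixing"
rm -f "$sample"
```

On the Squid server, run it as check_kerberos_hosts /etc/hosts squid.contoso.com, using the same FQDN as in the HTTP/ SPN.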

Kinit error on Ubuntu server

I configured Squid proxy in conjunction with Kerberos authentication in an Active Directory domain. During my tests I used kinit to check my Kerberos ticket on the Ubuntu server and got the following error message:

kinit: Client not found in Kerberos database while getting initial credentials

The reason was two identical SPNs (Service Principal Names) in the Active Directory. To find them I checked the Active Directory for double SPNs with the setspn command and the -x parameter:

setspn -x

This command checks the Active Directory for identical SPNs and lists them.

The command showed me two entries for my Squid proxy account svcSquid. I deleted both of them with the setspn command and the -D parameter:

setspn -D HTTP/squid.contoso.com contoso\svcSquid

Then I recreated the SPN with setspn and the -A parameter:

setspn -A HTTP/squid.contoso.com contoso\svcSquid

I checked the SPNs once again with setspn and the -x parameter, and it showed no results, meaning there are no identical SPNs. After this modification I was able to use the kinit command to receive a ticket on the Ubuntu server.

NTLM authentication error in Squid cache.log

Recently I configured Squid as a proxy server with NTLM authentication in an Active Directory domain. When I started to use the proxy server with my browser, an authentication pop-up appeared all the time and I was not able to access the Internet. I checked the cache.log of the Squid server and found the following error message:

GENSEC login failed: NT_STATUS_UNSUCCESSFUL
 ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}

The cause of this problem was a bug in the Samba version, described in this bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754339

The pipe of the winbind daemon was created in the wrong directory, so the permissions were wrong. The solution was to fix the permissions on the pipe with the following command:

chown root:winbindd_priv /var/lib/samba/winbindd_privileged/