Get an AD Object without RSAT and fast

In this article we’ll see the function I’ve built to get an AD Object without RSAT and fast. I’ve been thinking for a while to write a new function, mainly because I wanted to pass multiple SamAccountNames without having to write a filter. However I recently had to go through a ton of users and fast, this is when I though that I could finally write my custom function, which leverages System.DirectoryServices.DirectorySearcher, so it doesn’t even require RSAT.

There are a lot of guides are out there how to use it, this article is meant to share with you the function I built around that.

The things I like the most about this:

  • It’s fast. The more objects you’re querying, the faster it’ll be compared to Get-ADObject/Get-ADUsers/Get-ADGroup.
  • You can use it to query any kind of Object.
  • You can pass multiple SamAccountNames (Sam1, Sam2, SamN), SIDs or DistinguishedNames.
    • You can also choose to pass a partial parameter with a wildcard, for example: MyUserSam*
  • You can also choose to write a plain LDAP Query instead of the SAM/SID/DN.
  • Filter down for an account status with -AccountStatus. By default you’ll get both Enabled and Disabled.

(more…)

Read More

Server has lost contact with failover partner server

If you see multiple events with ID 20255 “Server has lost contact with failover partner server“, this article may be able to help you.
I’ll concentrate on the actual network settings, specificially MTU settings.

Usually, when you see multiple events per minute stating that the Server has lost contact with failover partner server, followed by Server has established contact with failover partner server, the culprit is the MTU setting.

First of all, on both DHCP servers, make sure the network card’s MTU is set to 1500. You can do that by running the following command:

As you can see, the interface’s MTU in the screenshot is already set to 1500. In case yours isn’t, you can adjust it by running the following (where 12 is the Idx of your network card which you retrived earlier with netsh interface ipv4 show interfaces):

If the DHCP servers are virtualized, then make sure the virtual Switch’s MTU is also set to 1500. Here’s how it looks in the vSphere (HTML5)’s interface.

What if the DHCP servers are running on two separated hypervisors (as they should be..) and you’re still facing the same issue? It most likely is an issue related to the underlying network, so you may want your Network admin to check that, however you can still run a couple of tests.
First of all, try running a ping with 1500 bytes, in Windows you can do this with the option -l:

Try to ping from dhcp01 to dhcp02 and vice versa. Once I noticed that was that I was able to ping the DHCP servers with >1500bytes from a different network, but not within the same network and the DHCP servers weren’t able to ping each other with more than 1450ish bytes.

You can also test directly at the ESXi level with:

The other thing you can try, if these are virtualized servers, is to migrate them under the same hypervisor just to check it out and exclude an issue with the virtual network configuration.

Read More

Enable Multi-Factor Authentication on RDP with DUO for free

This article will show you how to Enable Multi-Factor Authentication on RDP with DUO, for free. This doesn’t apply only to RDP, in fact you can secure many other applications with DUO.
Based on DUO’s current pricing (20190523), this is free for the first 10 users. Here, you can have a look at the pricing section.

  • First of all, register for free on https://duo.com. The registration will also let you download and setup the DUO Mobile application on your mobile which will be used for accessing the DUO Admin panel. The same app/setup can be used to setup the first user of the application you want to protect.
  • In order to protect RDP with MFA, DUO has a pretty good and simple documentation which can be found here, you can also keep reading this post as I’ll go through the steps.

(more…)

Read More

Change a folder icon with Powershell

In this post we’ll see how to change a folder icon with Powershell, this method will work on shared folders too, as long as the filesystem of the shared network folder allows it.

The script is very simple, but first I want to go through it with an example, you can scroll down to the end of this article to checkout the script.

Let’s have a look at the difference between a local folder’s properties and a shared network folder’s properties.

A trick to allow us to change icon on a shared network folder, would be to move it on the desktop, change the icon and move it back. Totally ugly and useless if you have a large folder or multiple folders to customize.

If you change the icon of a local folder, you’ll notice that a Desktop.ini hidden file is created. When you copy that file to another folder though, nothing happens. The reason is because the folder attributes must be changed as well in order for Windows to read the Desktop.ini file.

Let’s work with an example and go through it. Say we have Folder1 and Folder2 in our local environment.

  • We change the icon for Folder1 manually.
  • This is how Folder1 and Folder2 will look like now.
  • Under \Folder1, there’ll be a desktop.ini file as well. Remember that it’s hidden. Let’s check its content out:
  • Let’s change the icon for Folder2, using the same desktop.ini file. You can just copy it from Folder1 and paste it in Folder2. Once done you’ll see that nothing happens as already explained above.
  • Let’s compare the attributes of both Folder1 and Folder2 and see what’s the difference.
    • (Get-Item “C:\Users\itdroplets\Desktop\tmp\Folder1“).attributes
    • (Get-Item “C:\Users\itdroplets\Desktop\tmp\Folder2“).attributes

By going through the above, we’ve identified the reason why the folder, even with a Desktop.ini file, isn’t changing its icon. We need to set its attributes to ReadOnly, Directory.

Right after running the above command, you’ll see Folder2 changing icon almost instantly.

The Script

I don’t like having files laying around in my script directories, unless I really have to. So, the script below is a quick way to get the icon changed, without needing to copy any Desktop.ini file. Instead, we’ll just create it based on a static content ($DesktopIni).

 

Read More

simpleSAMLphp on IIS from scratch (with AD FS)

With this article, I want to go through each step of the configuration to install simpleSAMLphp on IIS from scratch (with AD FS): this will work for multiple SPs!

This will allow you to set up single sign on on all your web applications, directing the users to login with your identity provider (AD FS for this guide).

The steps will be showing you how to deploy simpleSAMLphp in IIS and also how to link it to an existing AD FS environment, which will be used as the IdP.

Also, with this guide, you’ll be able to deploy multiple web applications on the same web server that will be able to leverage a single simpleSAMLphp installation.

(more…)

Read More