MakeITEasy

Active Directory Accidental Deletion - Prevention & Cure

2013-01-14T19:05:00Z

Accidental deletions in active directory can cause havoc and unfortunately in the past I was in the middle of one such catastrophic event. It resulted in 4000 odd servers and client machines part of an OU to be deleted and the cause was found to be some housekeeping software. Such accidental deletions can be most destructive in critical industries like banking, financial and public sector organizations. This may have been avoided and secondly could have been fixed in less than 10 % of the actual time spent if the environment was using one of the latest features that we included in Windows 2008 R2 ( Active Directory Recycle Bin ). Most critical situations arise due to accidental human /tool interference or configuration and it is important to be able to come out of such situations within minimal down time, Accidental Deletion in Active Directory is one such situation. Below are preventions and recovery methods caused due to accidental deletions in Active Directory. Some of the preventive measures are listed below and also links to recovery from such catastrophe with minimal downtime.

Prevention

Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory

http://blogs.technet.com/b/abizerh/archive/2009/06/09/preventing-unwanted-accidental-deletions-and-restore-deleted-objects-in-active-directory.aspx

Windows Server 2008 Protection from Accidental Deletion

http://blogs.technet.com/b/industry_insiders/archive/2007/10/31/windows-server-2008-protection-from-accidental-deletion.aspx

Recovery with minimal downtime

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting

http://blogs.technet.com/b/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx

Windows Server 2008 R2 Quick Look - Active Directory Recycle Bin ~ video

http://technet.microsoft.com/en-us/windowsserver/ee895053

(Please visit the site to view this video)

AD Recycle Bin – Step By Step Guide

http://technet.microsoft.com/en-us/library/dd392261(v=ws.10)

This is definitely a feature that can save you from nightmares.

P.S: IT Environments who are already on Windows 2008 R2 Forest Functional Level require the most minimal configuration changes to enable AD Recycle Bin. Once done you can use the Active Directory recycle bin UI in windows 8 /2012 by installing the RSAT tools on a domain joined windows 8 or windows 2012 server.

Its about time you had this feature enabled !

KDC_ERR_PREAUTH_REQUIRED vs. KDC_ERR_PREAUTH_FAILED

2013-01-14T16:44:00Z

I often seen network admins look at a network trace and say we have a lot of authentication failures and point to the error – KDC_ERR_PREAUTH_REQUIRED. I have spent time educating on why this is not an authentication failure but instead the default behavior. The KDC (Key Distribution Center) requires all accounts to use pre-authentication. However, pre-authentication can be disabled for individual accounts when necessary for compatibility with other implementations of the protocol.

How to disable pre-authentication?

If the box “Do not require Kerberos pre-authentication” was checked on the user account properties then we would never see the error “KDC_ERR_PREAUTH_REQUIRED” message in a trace.

Let us look at the initial user authentication process using network traces.

FRAME 1:

The above Frame shows you an AS_Request being sent to the domain controller - 192.168.1.25 from Client machine 192.168.1.25. As you observe there is nothing sent along with PaData.

As a result the DC replies with the below error in the below frame – KDC_ERR_PREAUTH_REQUIRED.

FRAME 2:

So the client then sends the AS_REQUEST again with the pre-authentication data as show in the below frame. – KrbEncTimestamp: Encrypted Time Stamp Pre-Authentication.

FRAME 3:

FRAME 4:

As see above the KDC_ERR_PREAUTH_REQUIRED is not exactly an authentication failure. If the Kerberos authentication fails (for example bad password) then you would see “KDC_ERR_PREAUTH_FAILED” in the trace as shown below.

FRAME 5:

Below is the error you will see in a trace when Authentication fails for the user – Now it’s time you investigate. J

Enable Auditing, and Kerberos logging if required.

I hope its better understood now and there is enough clarity now when you look at network captures that shows KDC_ERR_PREAUTH_REQUIRED & KDC_ERR_PREAUTH_FAILED frames in network traces.

Auto-Mail Expiring Domain Accounts

2012-11-23T13:51:00Z

I was looking online for automating the task of domain account expiry notification for one my customers to provide as a reference and found a few which were using quest based PowerShell scripts. The customer required this due to a large number of outsourced business partners in their ecosystem. At the moment the domain accounts given to partner employees working at their different branch offices were valid only for 6 months after which it was to be renewed after approval from the business leads and HR. They wanted a process in which the end user ( partner employees ) were notified via an automated email mentioning the date when their account was to expire and a brief summary of the process to have it extended.

Here is when I thought I could use the power of PowerShell. Many online resources took me through using Quest based cmd-lets and then I used the same ideas but with built-in cmd-lets to do the same job.

There are 2 phases I planned to tackle this

1. Build a PowerShell script to find all domain accounts expiring within a specified time ( no. of days ).

2. Schedule a task to run the Power Shell script once every x no. of days based on the requirement.

Phase 1 : Power Shell script

######Script Begins Here

#####Author: Jithesh Raj

import-module Activedirectory

#If you are using Windows 8 or server 2012 you do not require to import-modules as PS 3.0 will do that for you automatically.

Search-ADAccount -AccountExpiring -TimeSpan 30.00:00:00 | Export-csv "C:\scripts\users.csv"

#Please change the no. of days in -TimeSpan switch to find all users whose account will expiry in that many days

import-csv "C:\Scripts\users.csv" | Get-ADUser -Identity {$_.Samaccountname} -Properties displayname,mail,samaccountname,userprincipalname,AccountExpirationDate | Select-Object Name,Samaccountname,Mail,displayname,AccountExpirationDate |ForEach-Object {

# Variables defined below must be changed in your environment accordingly.

$smtp= "mail.contoso.com" # Enter your smtp server

$from= "IThelpdesk@contoso.com" # Enter your from address

$subject= "Account Expiry Notification" # Enter your email subject

$email= $_.mail

$name= $_.displayname

$date= $_.AccountExpirationDate

Function GetMsgBody {

Write-Output @"

Dear $name,

Your windows account is going to expire on $date.

Kindly contact your business lead to request for extension.

Kind Regards,

IT Helpdesk

}

[string]$body= GetMsgBody

# Please change the body of the mail accordingly

#Execute PowerShell's Send-MailMessage Function

Send-MailMessage -BodyAsHtml:$true -Body $body -To $email -From $from -SmtpServer $smtp -Subject $subject

}

Send-MailMessage -To DomainsHelpdesk@contoso.com -From IThelpdesk@contoso.com -Smtpserver $smtp -attachment "C:\Scripts\users.csv" -subject $Subject

# Last line sends an additional email to the domains helpdesk team to track the accounts that are expiring for hosusekeeping purposes.

##################################Script Ends Here

The above lines of script starting can be copied to a notepad and saved as Email-Expiring-Accounts.ps1 to the machine from where the script is to be run.

Phase 2: Scheduling the script

How to Schedule the script to run using Task Scheduler

1.       Logon to machine to schedule the task from.

2.       Create a Folder by name C:\scripts since it is used in the script. If you chose to use an alternate location please change it in the script as well. The script obtained from above steps must be copied to this folder.

3.       Start Task Scheduler

4.       Right Click Task Scheduler Library and create a New Folder by Email-Expiring-Accounts.

5. You may also create an additional folder by name Active Directory to simply the script based on technology if you may have additional script in the future.

6. Right click to create a new task

7. The task will look as below. Additional details can be populated in the description field.

8. Click on the Triggers tab and configure accordingly. This task is configured to run every week on Sunday at 7 AM local time on the server.

9. The Action of the Scheduled Task is to run the following command:

Program/script:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Add arguments:

-command "& ' C:\Scripts\Email-Expiring-Accounts.ps1'"

Now the script is ready to run and will automatically send an email using the account specified in the script to individual users whose account is set to expire in the next 30 days. The schedule task can be run using a local administrator account on the machine it is being run from and does not need any domain wide elevated privileges.

Disclaimer The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.