public-ad-scripts's People

Contributors

zjorz
public-ad-scripts's Issues

Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1: Script errors displayed

After upgrading to v3.4 I experienced some script errors just before listing the found DCs for the domain.
I wasn't sure if significant or not, so I had to figure out what caused it.

It turned out the problem started in line 6933:
$listOfRODCsInADDomain = $dcsInADDomain | Where-Object{$_."msDS-isRODC" -eq $true -Or $_.primaryGroupID -eq "521"} | ForEach-Object{$_.dnsHostName}

Besides some regular RODCs, it returned CN=AzureADKerberos,OU=Domain Controllers,... as a member of the Read-only Domain Controllers group. However, it does not have a DNS name, and that causes some problems in the following loop.

The temporary fix I made was just to change -or to -and.
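The selection from the issue, reproduced against constructed DC objects, next to a variant that also requires a dnsHostName. This is an added example and not code from the public-ad-scripts repository; the object shape, the function names and the sample values are this example's own.

```powershell
# Constructed sample of what Get-ADComputer might return for a domain's DCs: one
# RWDC, one real RODC, and an AzureADKerberos-style member of the Read-only
# Domain Controllers group (primaryGroupID 521) that carries no dnsHostName.
$dcsInADDomain = @(
    [pscustomobject]@{ name = 'RWDC01';          'msDS-isRODC' = $false; primaryGroupID = 516; dnsHostName = 'rwdc01.corp.example' }
    [pscustomobject]@{ name = 'RODC01';          'msDS-isRODC' = $true;  primaryGroupID = 521; dnsHostName = 'rodc01.corp.example' }
    [pscustomobject]@{ name = 'AzureADKerberos'; 'msDS-isRODC' = $null;  primaryGroupID = 521; dnsHostName = $null }
)

function Get-RodcHostNamesOriginal {
    # The filter as quoted in the issue: either attribute qualifies an object as an RODC,
    # and the dnsHostName is emitted without checking that it exists.
    param([object[]]$Dcs)
    $Dcs | Where-Object { $_.'msDS-isRODC' -eq $true -or $_.primaryGroupID -eq 521 } |
        ForEach-Object { $_.dnsHostName }
}

function Get-RodcHostNamesHardened {
    # Same RODC criteria, but an object without a dnsHostName can never be contacted
    # for the per-RODC checks, so it is reported and skipped instead of being returned.
    param([object[]]$Dcs)
    $candidates = $Dcs | Where-Object { $_.'msDS-isRODC' -eq $true -or $_.primaryGroupID -eq 521 }
    foreach ($dc in $candidates) {
        if ([string]::IsNullOrWhiteSpace($dc.dnsHostName)) {
            Write-Warning ("Skipping '{0}': member of the RODC group without a dnsHostName" -f $dc.name)
            continue
        }
        $dc.dnsHostName
    }
}

'Original filter (note the empty entry):'
Get-RodcHostNamesOriginal -Dcs $dcsInADDomain
'Hardened filter:'
Get-RodcHostNamesHardened -Dcs $dcsInADDomain
```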

Timeout period expired error, but password still reset

I'm running v2.8 of the Kerberos password reset script. I run this for a handful of clients and haven't found a pattern to this error, though I believe it always errors on the same customer environments. It can be a 2008R2 (I know) domain, all the way up through a 2016 domain, and can have one or multiple DCs in the domain.

The exact error is below, and I am happy to provide additional output if helpful. I've looked through the script, but have no ideas. The password shows as having been successfully updated despite this error. It just takes a good two minutes to time out.

[2022-04-25 15:41:26] :   --> RWDC To Reset Password On.............: 'DC002.domain.local'
[2022-04-25 15:41:26] :   --> sAMAccountName Of KrbTgt Account......: 'krbtgt'
[2022-04-25 15:41:26] :   --> Distinguished Name Of KrbTgt Account..: 'CN=krbtgt,CN=Users,DC=domain,DC=local'
[2022-04-25 15:41:26] :   --> Number Of Chars For Pwd Generation....: '64'
[2022-04-25 15:43:25] :
[2022-04-25 15:43:25] :   --> Setting the new password for [CN=krbtgt,CN=Users,DC=domain,DC=local] FAILED on RWDC [DC002.domain.local]!...
[2022-04-25 15:43:25] :
[2022-04-25 15:43:25] : Exception Type......: Microsoft.ActiveDirectory.Management.ADException
[2022-04-25 15:43:25] :
[2022-04-25 15:43:25] : Exception Message...: This operation returned because the timeout period expired
[2022-04-25 15:43:25] :
[2022-04-25 15:43:25] : Error On Script Line: 626
[2022-04-25 15:43:25] :
[2022-04-25 15:43:25] :
[2022-04-25 15:43:25] :   --> Previous Password Set Date/Time.......: '2021-12-15 08:43:27'
[2022-04-25 15:43:25] :   --> New Password Set Date/Time............: '2022-04-25 15:41:26'

Some minor issues with Reset KrbTgt Password script

In the process of auditing this script for use in our environment I found a couple of issues that I've submitted fixes for in #3.
One is just using the automatic variable $PWD during password generation, which could lead to some rather bizarre results.
The other is just a typo in using a variable in a single-quoted string instead of a double-quoted string.

Error while Triggering Replicate Single Object on ....

Hello,
During our preparation for the krbtgt password change, we ran the tests using the script Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 V2.8.
Test#2 (Simulation) on Scope #1 (all RWDC) ran without issues over our 5 RWDCs.

But Test#2 on Scope #3 fails on about 27 of 32 RODCs with the message

[2022-03-15 17:32:49] : Exception Type......: System.Management.Automation.MethodInvocationException
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] : Exception Message...: Exception calling "SetInfo" with "0" argument(s): "An operations error occurred.
"
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] : Error On Script Line: 797
[2022-03-15 17:32:49] : 

Logfile Excerpt:


[2022-03-15 17:32:48] :   --> Chosen: continue
[2022-03-15 17:32:48] : 
[2022-03-15 17:32:48] : +++++
[2022-03-15 17:32:48] : +++ Processing KrbTgt Account....: 'krbtgt_12345' | 'CN=krbtgt_12345,CN=Users,DC=ourdomain,DC=net' +++
[2022-03-15 17:32:48] : +++ Used By RODC.................: 'ABC-DC.ourdomain.net' (Site: Branch) +++
[2022-03-15 17:32:48] : +++++
[2022-03-15 17:32:48] : 
[2022-03-15 17:32:48] :   --> RWDC To Create Object On..............: 'our-pdc.ourdomain.net'
[2022-03-15 17:32:48] :   --> Full Name Temp Canary Object..........: '_adReplTempObject_krbtgt_12345_20220315173132'
[2022-03-15 17:32:48] :   --> Description...........................: '...!!!.TEMP OBJECT TO CHECK AD REPLICATION IMPACT.!!!...'
[2022-03-15 17:32:48] :   --> Container For Temp Canary Object......: 'CN=Users,DC=ourdomain,DC=net'
[2022-03-15 17:32:48] : 
[2022-03-15 17:32:48] :   --> Temp Canary Object [CN=_adReplTempObject_krbtgt_12345_20220315173132,CN=Users,DC=ourdomain,DC=net] CREATED on RWDC [our-pdc.ourdomain.net]!...
[2022-03-15 17:32:48] : 
[2022-03-15 17:32:48] : 
[2022-03-15 17:32:48] :   =================================================================== CHECK 1 ===================================================================
[2022-03-15 17:32:48] : 
[2022-03-15 17:32:48] :   - Contacting DC in AD domain ...[our-pdc.ourdomain.NET]...(SOURCE RWDC)
[2022-03-15 17:32:48] :      * DC is Reachable...
[2022-03-15 17:32:48] :      * Object [CN=_adReplTempObject_krbtgt_12345_20220315173132,CN=Users,DC=ourdomain,DC=net] exists in the AD database
[2022-03-15 17:32:48] : 
[2022-03-15 17:32:48] :   - Contacting DC in AD domain ...[ABC-DC.ourdomain.NET]...
[2022-03-15 17:32:48] :      * DC is Reachable...
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] : Triggering Replicate Single Object On 'ABC-DC.ourdomain.net' From 'CN=NTDS Settings,CN=Backup-DC,CN=Servers,CN=Headquarter,CN=Sites,CN=Configuration,DC=ourdomain,DC=net' Failed For Object 'CN=_adReplTempObject_krbtgt_12345_20220315173132,CN=Users,DC=ourdomain,DC=net' Using The 'Full' Scope...
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] : Exception Type......: System.Management.Automation.MethodInvocationException
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] : Exception Message...: Exception calling "SetInfo" with "0" argument(s): "An operations error occurred.
"
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] : Error On Script Line: 797
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] :      * Object [CN=_adReplTempObject_krbtgt_12345_20220315173132,CN=Users,DC=ourdomain,DC=net] now does exist in the AD database
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] :   --> Start Time......: 2022-03-15 17:32:48
[2022-03-15 17:32:49] :   --> End Time........: 2022-03-15 17:32:49
[2022-03-15 17:32:49] :   --> Duration........: 0,47 Seconds
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] :   --> Temp Canary Object [CN=_adReplTempObject_krbtgt_12345_20220315173132,CN=Users,DC=ourdomain,DC=net] DELETED on RWDC [our-pdc.ourdomain.net]!...
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] : List Of DCs In AD Domain 'ourdomain.net' And Their Timing...
[2022-03-15 17:32:49] : 
[2022-03-15 17:32:49] : 
Host Name               PDC  Site Name    DS Type    IP Address    Reachable Source RWDC FQDN   Time
---------               ---  ---------    -------    ----------    --------- ----------------   ----
our-pdc.ourdomain.net  True  Headquarter  Read/Write 10.10.1.14       True N.A.                  0
ABC-DC.ourdomain.net   False Branch       Read-Only  10.10.13.20      True our-pdc.ourdomain.net 0,45

This happens to about 27 of 32 RODCs and, interestingly, after repeating Test#2 scoped on a random "good" RODC again, the formerly "good" RODC failed again (we tested multiple times), also using the master Domain Administrator.

Any ideas on this?
Thanks in advance, T

Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 does not send email

I could not get the krbtgt password reset script to send e-mail. I don't use SSL or S/MIME signature and encryption. They also seemed to be optional when I looked at the XML file. When I looked at the sendMailMessage function, as I understood it, it only sends e-mail if <mailsign> or <mailencrypt> are ON or if <sslType> is defined as IMPLICIT or EXPLICIT. If the S/MIME options are off and sslType is defined, then it does not honor the <useSSLForSMTP> option, which is set to FALSE, and tries to send e-mail with SSL. If <sslType> is not defined, then it does not send e-mail at all. If this is intentional, then the documentation should be updated to say that you can send e-mail only with SSL or with the S/MIME options.

After some testing, the script sent e-mail when useSSLForSMTP was FALSE, sslType was EXPLICIT and smtpCredsUserName and smtpCredsPassword had the value LEAVE_EMPTY_OR_LEAVE_AS_IS_OR_SPECIFY. If they were empty, then the script sent the e-mail but an error message was displayed:

ConvertTo-SecureString : Cannot bind argument to parameter 'String' because it is an empty string.
At C:\apps\scripts\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1:4994 char:110
+ ... mtpCredsUserName, $(ConvertTo-SecureString $smtpCredsPassword -AsPlai ...
+                                                ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [ConvertTo-SecureString], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

After looking at it a little more, the last problem is that if the smtpCreds... sections are empty, then the variable is not $null but an empty string. If I added an empty string check to the if clause ("" -ne $smtpCreds... -And ...), then the error message went away.
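The empty-string versus $null distinction from the issue, handled in one place before ConvertTo-SecureString is ever called. This is an added example, not the repository's sendMailMessage code; Get-SmtpCredentialFromConfig, its parameters and the sample inputs are this example's own, while the placeholder text is the one quoted above.

```powershell
# The template value the issue reports as being left in the XML config.
$smtpCredsPlaceholder = 'LEAVE_EMPTY_OR_LEAVE_AS_IS_OR_SPECIFY'

function Get-SmtpCredentialFromConfig {
    # Returns $null when no credentials are configured, a PSCredential when both
    # values are real, and throws when only one of the two is set.
    param(
        [AllowNull()][AllowEmptyString()][string]$UserName,
        [AllowNull()][AllowEmptyString()][string]$Password
    )
    # $null, '' (empty XML element) and the placeholder all mean "not configured".
    # A plain "-ne $null" test lets '' through and ConvertTo-SecureString then fails.
    $userEmpty = [string]::IsNullOrWhiteSpace($UserName) -or $UserName -eq $smtpCredsPlaceholder
    $passEmpty = [string]::IsNullOrWhiteSpace($Password) -or $Password -eq $smtpCredsPlaceholder
    if ($userEmpty -and $passEmpty) {
        return $null    # anonymous or integrated SMTP: no credential object at all
    }
    if ($userEmpty -or $passEmpty) {
        # Half-configured credentials are a configuration error, not something to guess around.
        throw 'SMTP user name and password must both be set, or both be left empty/as-is.'
    }
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# Constructed inputs mirroring the situations described in the issue.
$cases = @(
    @{ UserName = $null;                 Password = $null }                  # element missing from the XML
    @{ UserName = '';                    Password = '' }                     # element present but empty
    @{ UserName = $smtpCredsPlaceholder; Password = $smtpCredsPlaceholder }  # template left as-is
    @{ UserName = 'relay-user';          Password = 'constructed-secret' }   # real credentials
)
foreach ($case in $cases) {
    $cred = Get-SmtpCredentialFromConfig @case
    if ($null -eq $cred) { "User '$($case.UserName)': sending without credentials" }
    else                 { "User '$($case.UserName)': using PSCredential for '$($cred.UserName)'" }
}
```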

AD-Exp-Notify Not working

I am trying to set up the AD-Exp-Notify.ps1 script but it looks like I am unable to. I have attached the errors that I am getting from PowerShell and the config XML file. The domain name has been replaced with domain.com or domain.root.

OS is Windows Server 2019, I am running the script on a Domain Controller with an Administrator PowerShell.

What exactly am I doing wrong here?

AD-Exp-Notify.txt
error.txt

"The operation was aborted because the client side timeout limit was exceeded. " Error on Script Line 3513

Running version 3.4 of the Reset-KrbTgt script. No longer getting the 2 minutes timeout issue as noted in issue #8. But now getting the following -

[2023-04-14 17:15:04] :   --> Setting the new password for [CN=krbtgt,CN=Users,DC=domain,DC=local] FAILED on RWDC [DC101.domain.local]!...
[2023-04-14 17:15:04] : 
[2023-04-14 17:15:04] : Exception Type......: System.Management.Automation.MethodInvocationException
[2023-04-14 17:15:04] : 
[2023-04-14 17:15:04] : Exception Message...: Exception calling "SendRequest" with "1" argument(s): "The operation was aborted because the client side timeout limit was exceeded. "
[2023-04-14 17:15:04] : 
[2023-04-14 17:15:04] : Error On Script Line: 3513

Still seems to be changing the password though. Getting this on every box we run the new script against.

Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 RSoP Fails intermittently

I ran into the problem that RSoP creation failed intermittently.

This has to do with the way the account SID is selected from the user profiles.
If the selected SID belongs to a deleted account or an account that does not have interactive logon privileges, RSoP cannot be created.

In your code you choose to use the running user as a last resort in the else statement; why not use the running user by default?
Worst case scenario, the running user does not have a profile (and RSoP logging data) on the DC.

$sidOfProfilesOnDC = (Get-WmiObject Win32_UserProfile -ComputerName $targetedADdomainNearestRWDCFQDN).SID | Where-Object{$_ -match $targetedADdomainDomainSID}
If ($($sidOfProfilesOnDC | Measure-Object).Count -eq 1) {
	$sidToChoose = $sidOfProfilesOnDC
} ElseIf ($($sidOfProfilesOnDC | Measure-Object).Count -gt 1) {
	$sidToChoose = $sidOfProfilesOnDC[0]
} Else {
	$sidToChoose = [Security.Principal.WindowsIdentity]::GetCurrent().User
}
$accountToChoose = $(New-Object System.Security.Principal.SecurityIdentifier($sidToChoose)).Translate([System.Security.Principal.NTAccount]).Value

I have replaced the above code with:

if ($sidOfProfilesOnDC -contains ([Security.Principal.WindowsIdentity]::GetCurrent()).User) {
	$sidToChoose = ([Security.Principal.WindowsIdentity]::GetCurrent()).User
} else {
	$sidToChoose = $sidOfProfilesOnDC | Get-Random
}
$accountToChoose = $(New-Object System.Security.Principal.SecurityIdentifier($sidToChoose)).Translate([System.Security.Principal.NTAccount]).Value

The Get-Random approach still holds the risk of selecting an account that cannot create an RSoP though....

And I have added a line to the logging to clarify which account was used for the RSoP:

...
Logging "DSA RWDC With PDC FSMO................: '$targetedADdomainRWDCFQDNWithPDCFSMONTDSSettingsObjectDN'"
Logging "Account used for RSoP.................: '$accountToChoose'"
Logging "Max TGT Lifetime (Hours)..............: '$targetedADdomainMaxTgtLifetimeHrs'"
....
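A selection routine that keeps the proposal's preference for the running user but replaces Get-Random with a check that the SID still maps to an account, which covers the deleted-account case the poster points out. This is an added example, not the repository's code; Select-RsopAccount, its parameters and the sample SIDs are this example's own.

```powershell
function Select-RsopAccount {
    # Picks the profile whose RSoP data should be read on the DC: the running user
    # when it has a profile there, otherwise the first profile SID that still
    # resolves to an existing account. Throws when nothing usable is left.
    param(
        [Parameter(Mandatory)][string[]]$ProfileSids,   # SIDs of the profiles found on the DC
        [string]$PreferredSid = ([Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
    )
    # Candidate order: running user first, then the remaining profiles as found.
    $ordered = @()
    if ($ProfileSids -contains $PreferredSid) { $ordered += $PreferredSid }
    $ordered += @($ProfileSids | Where-Object { $_ -ne $PreferredSid })

    foreach ($sid in $ordered) {
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
            return [pscustomobject]@{ Sid = $sid; Account = $account }
        } catch {
            # Translate() fails for a profile left behind by a deleted account
            # (IdentityNotMappedException): that profile cannot be used for RSoP.
            Write-Warning "Profile SID '$sid' no longer maps to an account; skipping"
        }
    }
    throw "None of the $($ProfileSids.Count) profile SIDs on the DC resolve to an existing account."
}

# Constructed input: an orphaned profile SID (made-up domain and RID) followed by
# two well-known SIDs that always resolve. On a real DC the list would come from
# (Get-WmiObject Win32_UserProfile -ComputerName $dc).SID filtered to the domain SID.
$sampleSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-9999',   # deleted account, profile left behind
    'S-1-5-18',                                          # NT AUTHORITY\SYSTEM
    'S-1-5-19'                                           # NT AUTHORITY\LOCAL SERVICE
)
$chosen = Select-RsopAccount -ProfileSids $sampleSids
"Account used for RSoP.................: '$($chosen.Account)' (SID $($chosen.Sid))"
```

The WindowsIdentity default and the SID translation need Windows; on a DC with only orphaned profiles the function throws instead of picking one at random.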

Multiple languages in one OU - modify search base

We ran into a problem: the language is selected statically per search base (a particular OU).

Our Active Directory organization infrastructure is multilingual, so in one OU there are people with different languages mixed up.

Is there a way to modify the script - search base - to filter the output group of users based on Language/Country?

I was tinkering with something like extending the search base with " -and Co -eq "Germany"", but nothing worked.

Thank you

Get-GpoReport issue

Found an issue where, in a trusted domain, Get-GpoReport gets the Max TGT Lifetime and Max Clock Skew as empty/null, which causes the second iteration of the script to reset the krbtgt password, as the check on the difference between the last password set time and the current time succeeds and no warning is presented with "MAJOR Impact".

[2021-05-26 17:51:04] : Max TGT Lifetime (Hours)..............: ''
[2021-05-26 17:51:04] : Max Clock Skew (Minutes)..............: ''
[2021-05-26 17:51:04] : TGT Lifetime/Clock Skew Sourced From..: 'Default Domain GPO'

I was able to add an additional check to make sure the Max TGT Lifetime is not null, to ensure that is not missed and the second iteration just succeeds.

If ($targetedADdomainMaxTgtLifetimeHrs -eq $null) {
	Logging "  --> Max TGT Lifetime (Hours)..............: 'This was determined to be null. Ensure to run the script from a computer joined to appropriate forest'" "WARNING"
	Logging "  --> EXITING SCRIPT  "
	Start-Sleep -Seconds 20
	Exit
}

...................

Interestingly, in later debugging I was also able to see this peculiar behaviour with Get-GpoReport, which seems to behave in a bad fashion.

The fix was to use

[xml]$gpoObjXML = Get-GPOReport -Domain $targetedADdomainFQDN -Guid '{31B2F340-016D-11D2-945F-00C04FB984F9}' -ReportType Xml -Server $targetedADdomainFQDN

If I use a domain controller FQDN for $targetedADdomainFQDN, it seems to come up empty for the Max TGT Lifetime and other values.

I also examined the XML and saw that it was coming back as "BLOCKED", which was weird. Just wanted to apprise you of this happening; I was able to add an additional roadblock if it reported as NULL.

Also, Joe says hi; I work with him and I also follow your blogs :)
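A fail-closed version of the "is it safe to reset again" decision this issue is about, driven by the same values the script logs (pwdLastSet of the KrbTgt account, Max TGT Lifetime in hours, Max Clock Skew in minutes). This is an added example, not the repository's code; Test-KrbTgtResetWindow and its parameters are this example's own, and the assumption is that an empty policy value must abort the decision rather than shrink the window.

```powershell
function Test-KrbTgtResetWindow {
    # Returns the elapsed time since the last reset, the window a second reset must
    # wait for (TGT lifetime plus clock skew), and whether the reset is safe now.
    # Missing or non-numeric policy values throw instead of producing a window of 0.
    param(
        [Parameter(Mandatory)][datetime]$PwdLastSet,
        [AllowNull()][AllowEmptyString()]$MaxTgtLifetimeHrs,
        [AllowNull()][AllowEmptyString()]$MaxClockSkewMins,
        [datetime]$Now = (Get-Date)
    )
    $lifetime = 0; $skew = 0
    # [string]$null is '' and TryParse rejects it, so $null, '' and junk all fail closed.
    if (-not [int]::TryParse([string]$MaxTgtLifetimeHrs, [ref]$lifetime) -or $lifetime -le 0) {
        throw "Max TGT Lifetime is '$MaxTgtLifetimeHrs' (expected a positive number of hours). Refusing to decide; run the script from a computer joined to the targeted forest and re-check the GPO report."
    }
    if (-not [int]::TryParse([string]$MaxClockSkewMins, [ref]$skew) -or $skew -lt 0) {
        throw "Max Clock Skew is '$MaxClockSkewMins' (expected a number of minutes). Refusing to decide."
    }
    $windowMinutes  = $lifetime * 60 + $skew
    $elapsedMinutes = [int][math]::Floor(($Now - $PwdLastSet).TotalMinutes)
    $safe = $elapsedMinutes -ge $windowMinutes
    [pscustomobject]@{
        ElapsedMinutes = $elapsedMinutes
        WindowMinutes  = $windowMinutes
        SafeToReset    = $safe
        Impact         = $(if ($safe) { 'Expected' } else { 'MAJOR' })
    }
}

# Constructed sample: previous reset 30 minutes ago, policy 10 h lifetime / 5 min skew.
$lastSet = (Get-Date).AddMinutes(-30)
Test-KrbTgtResetWindow -PwdLastSet $lastSet -MaxTgtLifetimeHrs 10 -MaxClockSkewMins 5

# The situation from the issue: Get-GPOReport returned '' for both values.
try {
    Test-KrbTgtResetWindow -PwdLastSet $lastSet -MaxTgtLifetimeHrs '' -MaxClockSkewMins ''
} catch {
    Write-Warning $_.Exception.Message
}
```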

Issues when resetting the password.

I have tried this version and the password reset fails with Exception Message...: The password does not meet the length, complexity, or history requirement of the domain. It uses 64 characters for the new password. I can do all the other functions of resetting the password on the bogus krbtgt account. I can manually change it via ASAP, or I use an older script https://gist.github.com/mubix/fd0c89ec021f70023695

KrbTgt reset continues when ADCs are unreachable

The script recognizes DCs being unreachable in the same domain.
The script continues to reset the ticket for reachable DCs instead of stopping. Is there an option for stopping yet?
! offline DC is not RODC!

Please understand that due to privacy reasons domain names were replaced with "xxx".
The functionality of the output should still be clear.

Current input:
.\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 -noInfo -modeOfOperation "resetModeKrbTgtProdAccountsResetOnce" -targetedADforestFQDN "xxx" -targetedADDomainFQDN "xxx" -targetKrbTgtAccountScope "allRWDCs" -continueOps

Current output:
[2024-03-11 11:30:10] : Local Computer Name...................: xxx
[2024-03-11 11:30:10] : FQDN AD Domain Of Computer............: xxx
[2024-03-11 11:30:10] : FQDN Computer In AD Domain............: xxx
[2024-03-11 11:30:10] : FQDN Computer In DNS..................: xxx
[2024-03-11 11:30:10] : FQDN DNS Domain Of Computer...........: xxx
[2024-03-11 11:30:10] : Execution Mode........................: AUTOMATED
[2024-03-11 11:30:10] :
[2024-03-11 11:30:10] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2024-03-11 11:30:10] : CHECKING ELEVATION STATUS OF CURRENT PROCESS...
[2024-03-11 11:30:10] :
[2024-03-11 11:30:10] : Current Elevation Status...: ELEVATED
[2024-03-11 11:30:10] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2024-03-11 11:30:10] : INFORMATION REGARDING KRBTGT ACCOUNTS AND PASSWORD RESETS...
[2024-03-11 11:30:10] :
[2024-03-11 11:30:10] : Do you want to read information about the script, its functions, its behavior and the impact? [YES | NO]: NO
[2024-03-11 11:30:10] :
[2024-03-11 11:30:10] : --> Chosen: NO
[2024-03-11 11:30:10] :
[2024-03-11 11:30:10] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2024-03-11 11:30:10] : LOADING REQUIRED POWERSHELL MODULES...
[2024-03-11 11:30:10] :
[2024-03-11 11:30:28] : PoSH Module 'GroupPolicy' Has Been Loaded...
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2024-03-11 11:30:28] : SELECT THE MODE OF OPERATION...
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : Which mode of operation do you want to execute?
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : - 1 - Informational Mode (No Changes At All)
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : - 2 - Simulation Mode | Temporary Canary Object Created To Test Replication Convergence!
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : - 3 - Simulation Mode | Use KrbTgt TEST/BOGUS Accounts - No Password Reset/WhatIf Mode!
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : - 4 - Real Reset Mode | Use KrbTgt TEST/BOGUS Accounts - Password Will Be Reset Once!
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : - 5 - Simulation Mode | Use KrbTgt PROD/REAL Accounts - No Password Reset/WhatIf Mode!
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : - 6 - Real Reset Mode | Use KrbTgt PROD/REAL Accounts - Password Will Be Reset Once!
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : - 8 - Create TEST KrbTgt Accounts
[2024-03-11 11:30:28] : - 9 - Cleanup TEST KrbTgt Accounts
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : - 0 - Exit Script
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : Please specify the mode of operation: 6
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : --> Chosen Mode: Mode 6 - Real Reset Mode | Use KrbTgt PROD/REAL Accounts - Password Will Be Reset Once!...
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2024-03-11 11:30:28] : SPECIFY THE TARGET AD FOREST...
[2024-03-11 11:30:28] :
[2024-03-11 11:30:28] : For the AD forest to be targeted, please provide the FQDN or press [ENTER] for the current AD forest: EriksUndDanielsSchnuckeligeDomain.de
[2024-03-11 11:30:29] :
[2024-03-11 11:30:29] : --> Selected AD Forest: 'xxx'...
[2024-03-11 11:30:29] :
[2024-03-11 11:30:29] : Checking Resolvability of the specified Local AD forest 'xxx' through DNS...
[2024-03-11 11:30:29] :
[2024-03-11 11:30:29] : The specified Local AD forest 'xxx' is either resolvable through DNS or reachable through RootDse!
[2024-03-11 11:30:29] :
[2024-03-11 11:30:29] : Continuing Script...
[2024-03-11 11:30:29] :
[2024-03-11 11:30:29] :
[2024-03-11 11:30:29] : Checking Accessibility of the specified AD forest 'xxx' By Trying To Retrieve AD Forest Data...
[2024-03-11 11:30:29] :
[2024-03-11 11:30:29] : The specified AD forest 'xxx' is accessible!
[2024-03-11 11:30:29] :
[2024-03-11 11:30:29] : Continuing Script...
[2024-03-11 11:30:29] :
[2024-03-11 11:30:29] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2024-03-11 11:30:29] : SELECT THE TARGET AD DOMAIN...
[2024-03-11 11:30:29] :
[2024-03-11 11:30:31] : Forest Mode/Level...: Windows2016Forest
[2024-03-11 11:30:31] :
[2024-03-11 11:30:31] : List Of AD Domains In AD Forest 'xxx'...
[2024-03-11 11:30:31] :
[2024-03-11 11:30:31] :
ListNr  Name  NetBIOS  DomainSID  IsRootDomain  DomainMode         IsCurrentDomain
------  ----  -------  ---------  ------------  ----------         ---------------
 1      xxx   xxx      xxx        True          Windows2016Domain  True

[2024-03-11 11:30:31] : --> Found [1] AD Domain(s) in the AD forest 'xxx'...
[2024-03-11 11:30:31] :
[2024-03-11 11:30:31] : For the AD domain to be targeted, please provide the list nr or the FQDN or press [ENTER] for the current AD domain: xxx
[2024-03-11 11:30:31] :
[2024-03-11 11:30:31] : --> Selected AD Domain: 'xxx'...
[2024-03-11 11:30:31] :
[2024-03-11 11:30:31] : Checking existence of the specified AD domain 'xxx' in the AD forest 'xxx'...
[2024-03-11 11:30:31] :
[2024-03-11 11:30:31] : The specified AD domain 'xxx' exists in the AD forest 'xxx'!
[2024-03-11 11:30:31] :
[2024-03-11 11:30:31] : Continuing Script...
[2024-03-11 11:30:31] :
[2024-03-11 11:30:31] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2024-03-11 11:30:31] : TESTING IF REQUIRED PERMISSIONS ARE AVAILABLE (DOMAIN/ENTERPRISE ADMINS OR ADMINISTRATORS CREDENTIALS)...
[2024-03-11 11:30:31] :
[2024-03-11 11:30:31] : The user account 'xxx' is running with Domain Administrator equivalent permissions in the AD Domain 'xxx'!...
[2024-03-11 11:30:31] : The user account 'x\Admin' is a member of 'x\Domain Admins'!...
[2024-03-11 11:30:31] :
[2024-03-11 11:30:31] : Continuing Script...
[2024-03-11 11:30:31] :
[2024-03-11 11:30:31] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2024-03-11 11:30:31] : GATHERING TARGETED AD DOMAIN INFORMATION...
[2024-03-11 11:30:31] :
[2024-03-11 11:30:41] :
[2024-03-11 11:30:41] : Domain FQDN...........................: 'xxx'
[2024-03-11 11:30:41] : Domain Functional Mode................: 'Windows2016Domain'
[2024-03-11 11:30:41] : Domain Functional Mode Level..........: '7'
[2024-03-11 11:30:41] : FQDN RWDC With PDC FSMO...............: 'xxx'
[2024-03-11 11:30:41] : DSA RWDC With PDC FSMO................: 'CN=NTDS Settings,CN=x,CN=Servers,CN=First-Site,CN=Sites,CN=Configuration,DC=xxx,DC=x'
[2024-03-11 11:30:41] : Max TGT Lifetime (Hours)..............: '10'
[2024-03-11 11:30:41] : Max TGT Lifetime Sourced From.........: 'Default Domain Policy'
[2024-03-11 11:30:41] : Max Clock Skew (Minutes)..............: '5'
[2024-03-11 11:30:41] : Max Clock Skew Sourced From...........: 'Default Domain Policy'
[2024-03-11 11:30:41] :
[2024-03-11 11:30:41] : Checking Domain Functional Mode of targeted AD domain 'xxx' is high enough...
[2024-03-11 11:30:41] :
[2024-03-11 11:30:41] : The specified AD domain 'xxx' has a Domain Functional Mode of 'Windows2008Domain (3)' or higher!...
[2024-03-11 11:30:41] :
[2024-03-11 11:30:41] : Continuing Script...
[2024-03-11 11:30:41] :
[2024-03-11 11:30:41] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2024-03-11 11:30:41] : GATHERING DOMAIN CONTROLLER INFORMATION AND TESTING CONNECTIVITY...
[2024-03-11 11:30:41] :
[2024-03-11 11:30:44] :
[2024-03-11 11:30:44] : List Of Domain Controllers In AD Domain 'EriksUndDanielsSchnuckeligeDomain.de'...
[2024-03-11 11:30:44] :
[2024-03-11 11:30:44] :
Host Name  PDC    Site Name   DS Type     Krb Tgt  Pwd Last Set         Org RWDC  Org Time
---------  ---    ---------   -------     -------  ------------         --------  --------
xxx        True   First-Site  Read/Write  krbtgt   2024-03-05 13:56:05  xxx       20
xxx        False  First-Site  Read/Write  krbtgt   2024-03-05 13:56:05  xxx       20

[2024-03-11 11:30:44] :
[2024-03-11 11:30:44] : REMARKS:
[2024-03-11 11:30:44] : - 'N.A.' in the columns 'Source RWDC FQDN' and 'Source RWDC DSA' means the RWDC is considered as the master for this script.
[2024-03-11 11:30:44] : - 'RODC Unreachable' in the columns 'Source RWDC FQDN' and 'Source RWDC DSA' means the RODC cannot be reached to determine its replicating source
[2024-03-11 11:30:44] : RWDC/DSA. The unavailability can be due to firewalls/networking or the RODC actually being down.
[2024-03-11 11:30:44] : - 'Unknown' in various columns means that an RODC was found that may not be a true Windows Server RODC. It may be an appliance acting as an RODC.
[2024-03-11 11:30:44] : - 'RWDC Demoted' in the column 'Org RWDC' means the RWDC existed once, but it does not exist anymore as it has been decommissioned in the past.
[2024-03-11 11:30:44] : This is normal.
[2024-03-11 11:30:44] : - 'No Such Object' in the columns 'Pwd Last Set', 'Org RWDC', 'Org Time' or 'Ver' means the targeted object was not found in the AD domain.
[2024-03-11 11:30:44] : Although this is possible for any targeted object, this is most likely the case when targeting the KrbTgt TEST/BOGUS accounts and if those
[2024-03-11 11:30:44] : do not exist yet. This may also occur for an appliance acting as an RODC as in that case no KrbTgt TEST/BOGUS account is created.
[2024-03-11 11:30:44] :
[2024-03-11 11:30:44] :
[2024-03-11 11:30:44] :
[2024-03-11 11:30:44] : --> Found [2] Real DC(s) In AD Domain...
[2024-03-11 11:30:44] :
[2024-03-11 11:30:44] : --> Found [2] RWDC(s) In AD Domain...
[2024-03-11 11:30:44] : --> Found [1] Reachable RWDC(s) In AD Domain...
[2024-03-11 11:30:45] : --> Found [1] UnReachable RWDC(s) In AD Domain...
[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] : --> Found [0] RODC(s) In AD Domain...
[2024-03-11 11:30:45] : --> Found [0] Reachable RODC(s) In AD Domain...
[2024-03-11 11:30:45] : --> Found [0] UnReachable RODC(s) In AD Domain...
[2024-03-11 11:30:45] : --> Found [0] Undetermined RODC(s) In AD Domain...

[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2024-03-11 11:30:45] : SELECT THE SCOPE OF THE KRBTGT ACCOUNT(S) TO TARGET...
[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] : Which KrbTgt account do you want to target?
[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] : - 1 - Scope of KrbTgt in use by all RWDCs in the AD Domain
[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] : - 0 - Exit Script
[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] : Please specify the scope of KrbTgt Account to target: 1
[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] : --> Chosen Scope KrbTgt Account Target: 1 - Scope of KrbTgt in use by all RWDCs in the AD Domain...
[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2024-03-11 11:30:45] : REAL RESET MODE (MODE 6) - RESETTING PASSWORD OF SCOPED PROD/REAL KRBTGT ACCOUNT(S)
[2024-03-11 11:30:45] : SCOPE: 1 - Scope of KrbTgt in use by all RWDCs in the AD Domain...
[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] : Do you really want to continue and execute 'Mode 6'? [CONTINUE | STOP]: CONTINUE
[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] : --> Chosen: CONTINUE
[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] : +++++
[2024-03-11 11:30:45] : +++ Processing KrbTgt Account....: 'krbtgt' | 'CN=krbtgt,CN=Users,DC=xxx,DC=x' +++
[2024-03-11 11:30:45] : +++ Used By RWDC.................: 'All RWDCs' +++
[2024-03-11 11:30:45] : +++++
[2024-03-11 11:30:45] :
[2024-03-11 11:30:45] : --> RWDC To Reset Password On.............: 'xxx'
[2024-03-11 11:30:45] : --> sAMAccountName Of KrbTgt Account......: 'krbtgt'
[2024-03-11 11:30:45] : --> Distinguished Name Of KrbTgt Account..: 'CN=krbtgt,CN=Users,DC=xxx,DC=x'
[2024-03-11 11:30:45] : --> Number Of Chars For Pwd Generation....: '64'
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] : --> Previous Password Set Date/Time.......: '2024-03-05 13:56:05'
[2024-03-11 11:30:46] : --> New Password Set Date/Time............: '2024-03-11 11:30:46'
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] : --> Previous Originating RWDC.............: 'xxx'
[2024-03-11 11:30:46] : --> New Originating RWDC..................: 'xxx'
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] : --> Previous Originating Time.............: '2024-03-05 13:56:05'
[2024-03-11 11:30:46] : --> New Originating Time..................: '2024-03-11 11:30:46'
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] : --> Previous Version Of Attribute Value...: '4'
[2024-03-11 11:30:46] : --> New Version Of Attribute Value........: '5'
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] : --> The new password for [CN=krbtgt,CN=Users,DC=xxx,DC=x] HAS BEEN SET on RWDC [xxx]!...
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] : =================================================================== CHECK 1 ===================================================================
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] : - Contacting DC in AD domain ...[xxx]...(SOURCE RWDC)
[2024-03-11 11:30:46] : * DC is Reachable...
[2024-03-11 11:30:46] : * The (new) password for Object [CN=krbtgt,CN=Users,DC=xxx,DC=x] exists in the AD database
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] : - Contacting DC in AD domain ...[xxx]...
[2024-03-11 11:30:46] : * DC is NOT reachable...
[2024-03-11 11:30:46] : * Unable to connect to DC and check for Object [CN=krbtgt,CN=Users,DC=xxx,DC=x]...
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] : --> Start Time......: 2024-03-11 11:30:46
[2024-03-11 11:30:46] : --> End Time........: 2024-03-11 11:30:46
[2024-03-11 11:30:46] : --> Duration........: 0.47 Seconds
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] : List Of DCs In AD Domain 'EriksUndDanielsSchnuckeligeDomain.de' And Their Timing...
[2024-03-11 11:30:46] :
[2024-03-11 11:30:46] :
Host Name  PDC    Site Name   DS Type     IP Address  Reachable  Source RWDC FQDN  Time
---------  ---    ---------   -------     ----------  ---------  ----------------  ----
xxx        False  First-Site  Read/Write  x           False      xxx
xxx        True   First-Site  Read/Write  x           True       N.A.              0

Not all DCs found?

I'm running this against our domain, which has a PDC and 10 other GC DCs. Single forest. Only the PDC is detected, so no real replication checks are done when running option 2 to test replication. I've also noticed that it lists our PDC as RWDC Demoted? Just wanted to find out if this is all normal behaviour; I would have assumed that it would list and test replication to all DCs after creating the canary account.

Proposal for different mail subjects

The script sends e-mail for all activities with the same subject, and it is not configurable. Even the built-in differentiation would be OK. That means in the block

	Switch ($targetKrbTgtAccountScope) {
		"allRWDCs" {$targetKrbTgtAccountNr = 1}
		"specificRODCs"	{ $targetKrbTgtAccountNr = 2}
		"allRODCs" {$targetKrbTgtAccountNr = 3}
		Default {$targetKrbTgtAccountNr = $null}
	}

it would be for example

	Switch ($targetKrbTgtAccountScope) {
		"allRWDCs" {$targetKrbTgtAccountNr = 1 ; $mailSubject = $mailSubject + " allRWDCs"}
