Category: Tips and Trix


Get users based on LastLogonTimeStamp, x number of days


# ==============================================================================================
# NAME: Get active users that have not signed in for x amount of days
#
# AUTHOR: Vincent Christiansen, vincent@sameie.com
# DATE  : 16/12/2019
#
# COMMENT: This script will prompt you for the OU you want the members listed from (the OU's distinguishedName),
#          how many days back you want to look and what to call the file, then export the result to a txt file.
#          If you change the MD directory (below), don't forget to change $location too. Good luck
#
#          LastLogonDate is the converted lastLogonTimestamp attribute. That attribute is only replicated when
#          it is more than 9-14 days out of date, so the value can lag the real last logon by up to 14 days.
#          Enabled users that have never logged on (empty LastLogonDate) are deliberately left out of the list.
# ==============================================================================================

Import-Module ActiveDirectory

MD C:\tmp\Scripts -ErrorAction SilentlyContinue

Write-Host
Write-Host "From what OU (distinguishedName) do you want to list the users? :" -ForegroundColor Yellow -NoNewline
$OU = Read-Host

Write-Host "What do you want to call the file? :" -ForegroundColor Yellow -NoNewline
$File = Read-Host

Write-Host "How many days? :" -ForegroundColor Yellow -NoNewline
[int]$Days = Read-Host

$location = "C:\tmp\Scripts"
$output   = Join-Path $location "$File.txt"
$cutoff   = (Get-Date).AddDays(-$Days)

Get-ADUser -Filter { Enabled -eq $true } -SearchBase $OU -Properties Name, SamAccountName, LastLogonDate |
    Where-Object { $_.LastLogonDate -ne $null -and $_.LastLogonDate -lt $cutoff } |
    Sort-Object LastLogonDate |
    Select-Object Name, SamAccountName, LastLogonDate |
    Out-File $output
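The script above trusts the replicated lastLogonTimestamp, which is good enough for a rough stale-account list but can be up to 14 days behind and silently drops accounts that never logged on at all. The following is an added example (not the author's script) that asks every domain controller for the non-replicated lastLogon attribute, takes the newest value, and can include never-used enabled accounts, which is what you want before disabling or deleting anything. It assumes the ActiveDirectory RSAT module, LDAP access to all DCs, and a hypothetical OU name.

```powershell
# Added example: stale-account report that does not rely on the replicated lastLogonTimestamp alone.
# Assumptions (not from the original post): the ActiveDirectory RSAT module is installed, the caller can
# query every domain controller over LDAP, and $SearchBase / $Days are supplied by the operator.
Import-Module ActiveDirectory

function Get-StaleAdUser {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # OU distinguishedName, e.g. "OU=Users,DC=example,DC=com" (hypothetical)
        [int]$Days = 90,
        [switch]$IncludeNeverLoggedOn                # also report enabled accounts with no logon on any DC
    )

    $cutoff = (Get-Date).AddDays(-$Days)
    # lastLogon is written only on the DC that authenticated the user and is NOT replicated, so every DC must be asked.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    $users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
                        -Properties SamAccountName, LastLogonDate, WhenCreated

    foreach ($u in $users) {
        $newest = $null
        foreach ($dc in $dcs) {
            try {
                $raw = (Get-ADUser -Identity $u.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
            } catch {
                Write-Warning "Could not query $dc for $($u.SamAccountName): $_"
                continue
            }
            if ($raw -and $raw -gt 0) {
                $t = [DateTime]::FromFileTime($raw)      # lastLogon is a FILETIME (100 ns ticks since 1601)
                if (-not $newest -or $t -gt $newest) { $newest = $t }
            }
        }
        # Fall back to the replicated value in case a DC was unreachable and held the newest logon.
        if ($u.LastLogonDate -and (-not $newest -or $u.LastLogonDate -gt $newest)) { $newest = $u.LastLogonDate }

        $never = -not $newest
        # Never-logged-on accounts are only "stale" once they have existed longer than the window.
        if (($never -and $IncludeNeverLoggedOn -and $u.WhenCreated -lt $cutoff) -or
            (-not $never -and $newest -lt $cutoff)) {
            $lastLogonDisplay = if ($never) { 'never' } else { $newest }
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Name           = $u.Name
                LastLogon      = $lastLogonDisplay
                Created        = $u.WhenCreated
            }
        }
    }
}

# Usage (hypothetical OU); one LDAP query per user per DC, so run it against an OU, not the whole domain:
# Get-StaleAdUser -SearchBase 'OU=Users,DC=example,DC=com' -Days 90 -IncludeNeverLoggedOn |
#     Sort-Object LastLogon | Export-Csv C:\tmp\Scripts\stale-users.csv -NoTypeInformation
```

Review the output before acting on it: service accounts that authenticate with certificates or only via some protocols may not update lastLogon the way interactive users do.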

Add Azure CentOS server to domain


Joining a Linux machine to a Windows domain is not straightforward.

You will need to connect to the server via an SSH client (e.g. PuTTY).

  1. Sign in with the admin user name and password you created when deploying the server.
  2. Some of the commands need root, and you don't know the root password, so switch to root with: sudo -i
     and enter the password of the admin account you created.
  3. Install realmd (it provides the realm command): yum install realmd -y
  4. Join the domain: realm join yourdomain.com --user youradmin@yourdomain.com
     If you get the error "realm: Couldn't join realm: Necessary packages are not installed: oddjob, oddjob-mkhomedir, sssd, samba-common-tools", install the missing packages first, e.g.: yum install oddjob oddjob-mkhomedir sssd samba-common-tools -y
     and run the join again.

And now the machine is in the domain. Check it with realm list, and look at the permitted logins it reports: tighten who may log in with realm deny --all followed by realm permit for the accounts or groups that actually need shell access to this server.

How can I see what OS version my Azure VM is running?


I wanted to check what OS version I had deployed on a server in Azure, but I couldn't remember if it was 2012 R2 or 2016.

I checked the VM object in the Azure portal first, but that didn't really answer my question: the VM Overview does not tell you the Windows version (yes, I could connect via RDP, but sometimes you can't).

There are several scripts you can run to get this information, but they need a connection to the machine, permission to run scripts and so on. Not everyone has that access, so there should be a way to see it without scripts.

So I decided to check the disk attached to the server, and that gave me a better answer 🙂

The disk's Overview shows the source image it was created from, and from that I could see it was a 2012 R2 DC image, version 4.127…

So in the Resource group (or on the VM) find the OS disk for the server, and you will see the image information in the disk's Overview.

Enjoy
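The same answer is available without the portal, from the image reference recorded on the OS disk. The following is an added example (not from the original post) that reads both the image the VM was deployed from and the exact image version recorded on the OS disk, and parses the disk's image resource ID into publisher, offer, SKU and version. It assumes the Az PowerShell module with an active Connect-AzAccount session; the resource group, VM name and the sample ID are placeholders.

```powershell
# Added example (not from the original post): read the OS version of an Azure VM without RDP, from the
# source image recorded on the OS disk, the same information the portal shows in the disk's Overview.
# Assumptions: the Az PowerShell module is installed and Connect-AzAccount has been run; the resource
# group and VM names are placeholders.

function ConvertFrom-AzImageReferenceId {
    # Parse a platform-image resource ID such as
    # /Subscriptions/.../Providers/Microsoft.Compute/Locations/westeurope/Publishers/MicrosoftWindowsServer/
    #   ArtifactTypes/VMImage/Offers/WindowsServer/Skus/2012-R2-Datacenter/Versions/4.127.20180613
    param([Parameter(Mandatory)][string]$ImageId)

    $pattern = '/Publishers/(?<publisher>[^/]+)/ArtifactTypes/VMImage/Offers/(?<offer>[^/]+)/Skus/(?<sku>[^/]+)/Versions/(?<version>[^/]+)$'
    if ($ImageId -notmatch $pattern) {
        # Custom or shared-gallery images have a different ID shape; report that instead of guessing.
        return [pscustomobject]@{ Publisher = $null; Offer = $null; Sku = $null; Version = $null; Raw = $ImageId }
    }
    [pscustomobject]@{
        Publisher = $Matches.publisher
        Offer     = $Matches.offer
        Sku       = $Matches.sku        # e.g. 2012-R2-Datacenter, 2016-Datacenter
        Version   = $Matches.version    # the exact image build the disk was created from
        Raw       = $ImageId
    }
}

function Get-AzVmOsImage {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $Name

    # 1) What the VM model says it was deployed from (Version is often just "latest").
    $ref    = $vm.StorageProfile.ImageReference
    $osDisk = $vm.StorageProfile.OsDisk

    # 2) What the managed OS disk records as its source (the field visible in the disk Overview blade).
    $fromDisk = $null
    if ($osDisk.ManagedDisk) {
        $disk = Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $osDisk.Name
        if ($disk.CreationData.ImageReference) {
            $fromDisk = ConvertFrom-AzImageReferenceId -ImageId $disk.CreationData.ImageReference.Id
        }
        # else: disk created from a custom VHD or snapshot, no platform image to report
    }

    [pscustomobject]@{
        VM               = $vm.Name
        OsType           = $osDisk.OsType
        VmImageSku       = $ref.Sku
        VmImageVersion   = $ref.Version
        DiskImageSku     = $fromDisk.Sku
        DiskImageVersion = $fromDisk.Version
    }
}

# Offline check of the parser on a constructed ID (placeholder subscription and location):
ConvertFrom-AzImageReferenceId -ImageId '/Subscriptions/00000000-0000-0000-0000-000000000000/Providers/Microsoft.Compute/Locations/westeurope/Publishers/MicrosoftWindowsServer/ArtifactTypes/VMImage/Offers/WindowsServer/Skus/2012-R2-Datacenter/Versions/4.127.20180613'

# Live usage (placeholder names):
# Get-AzVmOsImage -ResourceGroupName 'rg-prod' -Name 'srv01'
```

Reading the VM and disk objects only needs Reader on the resource group, which is exactly the situation described above where you cannot run anything on the machine itself. Note that the image version is the build the disk was created from; it says nothing about patches installed since.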

Get system uptime


We all have our own ways of finding a server's or computer's uptime.
But I thought I'd share my favorite way:

function Get-SrvUptime
{
    # Returns the last boot time; (Get-Date) - (Get-SrvUptime) gives the uptime as a TimeSpan.
    # Get-CimInstance works in both Windows PowerShell and PowerShell 7 (Get-WmiObject does not exist in 7)
    # and already returns LastBootUpTime as a DateTime, so no ManagementDateTimeConverter is needed.
    $operatingSystem = Get-CimInstance Win32_OperatingSystem
    $operatingSystem.LastBootUpTime
}
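The reason uptime matters for security is usually the question "has this box actually rebooted since the patches went on?". The following is an added example (not the author's function) that collects the boot time from several servers over CIM, reports unreachable hosts instead of dropping them, and flags any host whose last boot is older than a reference date. It assumes WinRM is enabled on the targets and that the caller is an administrator there; host names and the 30-day default are placeholders.

```powershell
# Added example (not the author's function): uptime for several servers over CIM, flagging any host that
# has not rebooted since a given date, e.g. the day security updates were installed. Assumptions: WinRM is
# enabled on the targets and the caller has admin rights there; host names and the default window are placeholders.

function Get-ServerUptimeReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [datetime]$MustHaveRebootedSince = (Get-Date).AddDays(-30)   # assumption: 30-day reboot policy
    )
    foreach ($c in $ComputerName) {
        try {
            $os   = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
            $boot = $os.LastBootUpTime                                 # already a DateTime over CIM
            [pscustomobject]@{
                ComputerName  = $c
                LastBoot      = $boot
                Uptime        = (Get-Date) - $boot
                RebootOverdue = $boot -lt $MustHaveRebootedSince        # patched but not yet effective?
                Error         = $null
            }
        } catch {
            # Unreachable hosts are reported, not silently dropped, so the list stays complete.
            [pscustomobject]@{
                ComputerName  = $c
                LastBoot      = $null
                Uptime        = $null
                RebootOverdue = $null
                Error         = $_.Exception.Message
            }
        }
    }
}

# Usage (placeholder names): everything with RebootOverdue = True still runs the pre-patch kernel/binaries.
# Get-ServerUptimeReport -ComputerName 'srv01','srv02' -MustHaveRebootedSince '2019-12-10' |
#     Sort-Object LastBoot | Format-Table -AutoSize
```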


Restarting a service with Task Scheduler


Sometimes you need to schedule a restart of a service on servers or computers. I used to do this via a batch job that I called from Task Scheduler, but I found a much easier way: just create a new task and add two Actions as below.

Program: NET
Arguments, first action: STOP "SERVICENAME"
Arguments, second action: START "SERVICENAME"

Actions run in the order they are listed, so the stop has finished before the start begins. Use the service name (not the display name) as shown by Get-Service, and run the task under an account that is allowed to control that service.

And voila, there it is 🙂
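The same two-action task can be created from PowerShell, which is handy when it has to exist on many servers. The following is an added example (not from the original post) using the ScheduledTasks module; it validates the service name first, passes /y to net stop so a "stop dependent services too?" prompt cannot hang the non-interactive task, and runs as SYSTEM so no password is stored. It assumes an elevated session on the target machine; the service name "Spooler" and the 03:00 schedule are placeholders.

```powershell
# Added example (not from the original post): the same two-action task created with the ScheduledTasks
# module instead of clicking through the GUI. Assumptions: run elevated on the target machine; the service
# name "Spooler" and the 03:00 schedule are placeholders.

function Register-ServiceRestartTask {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [string]$TaskName = "Restart $ServiceName",
        [string]$At = '03:00'
    )
    # Fail early on a typo rather than registering a task that stops nothing.
    $null = Get-Service -Name $ServiceName -ErrorAction Stop

    # Actions run sequentially in the order listed. /y answers the "stop dependent services?" prompt,
    # which would otherwise wait forever because a scheduled task has no console to answer it.
    $actions = @(
        New-ScheduledTaskAction -Execute 'net.exe' -Argument "stop `"$ServiceName`" /y"
        New-ScheduledTaskAction -Execute 'net.exe' -Argument "start `"$ServiceName`""
    )
    $trigger   = New-ScheduledTaskTrigger -Daily -At $At
    # SYSTEM needs no stored password. Least privilege would be a dedicated account granted only the
    # right to control this one service (sc sdset), at the cost of managing that account's password.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10) -StartWhenAvailable

    Register-ScheduledTask -TaskName $TaskName -Action $actions -Trigger $trigger `
                           -Principal $principal -Settings $settings -Force
}

# Usage (placeholder service):
# Register-ServiceRestartTask -ServiceName 'Spooler' -At '03:00'
# Start-ScheduledTask -TaskName 'Restart Spooler'    # run it once now and check Get-Service afterwards
```

One caveat that applies to the GUI version too: services that depend on the one you stop are stopped along with it (that is what /y confirms) but net start does not bring them back, so list them with Get-Service -DependentServices and add start actions for them if they matter.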


HTTP 400 IIS Token Bloat


An old "friend" keeps showing up in different environments. Since my old blog is gone, I will add this again, but this time I'll just copy the info from Microsoft's website.

Thank you Microsoft: https://support.microsoft.com/en-us/help/2020943/-http-400—bad-request-request-header-too-long-error-in-internet-info


"HTTP 400 – Bad Request (Request Header too long)" error in Internet Information Services (IIS)

Symptoms

A domain user attempts to browse to a website hosted on Internet Information Services (IIS) 6.0 or higher by using Internet Explorer 6.0 or later.  The website is configured to use Kerberos authentication.  Instead of receiving the expected web page, the user is presented with an error message similar to the following:

HTTP 400 – Bad Request (Request header too long)


Cause

This issue may occur when the user is a member of many Active Directory user groups. When a user is a member of a large number of active directory groups the Kerberos authentication token for the user increases in size. The HTTP request that the user sends to the IIS server contains the Kerberos token in the WWW-Authenticate header, and the header size increases as the number of groups goes up.  If the HTTP header or packet size increases past the limits configured in IIS, IIS may reject the request and send this error as the response.


Resolution

To work around this problem, choose one of the following options:

A) Decrease the number of Active Directory groups that the user is a member of.

OR

B) Modify the MaxFieldLength and the MaxRequestBytes registry settings on the IIS server so the user’s request headers are not considered too long.  To determine the appropriate settings for the MaxFieldLength and the MaxRequestBytes registry entries, use the following calculations:

    1. Calculate the size of the user's Kerberos token using the formula described in the following article:

      New resolution for problems with Kerberos authentication when users belong to many groups
      http://support.microsoft.com/kb/327825

    2. Configure the MaxFieldLength and the MaxRequestBytes registry keys on the IIS server with a value of 4/3 * T, where T is the user's token size, in bytes.  HTTP encodes the Kerberos token using base64 encoding and therefore replaces every 3 bytes in the token with 4 base64 encoded bytes.  Changes that are made to the registry will not take effect until you restart the HTTP service. Additionally, you may have to restart any related IIS services.


NOTE: Depending on your application environment, you could also consider configuring the web site to use NTLM instead of Kerberos to work around this problem.  Some application environments require Kerberos to be used for delegation purposes, and Kerberos is more secure than NTLM, so it is recommended that you do not disable Kerberos before considering the security and delegation ramifications of doing so.


More Information

By default, the MaxFieldLength registry entry is not present. This registry entry specifies the maximum size limit of each HTTP request header. The MaxRequestBytes registry entry specifies the upper limit for the total size of the Request line and the headers. Typically, this registry entry is configured together with the MaxRequestBytes registry entry. If the MaxRequestBytes value is lower than the MaxFieldLength value, the MaxFieldLength value is adjusted.  In large Active Directory environments, users may experience logon failures if the values for both these entries are not set to a sufficiently high value.

For Internet Information Services (IIS) 6.0 and later, the MaxFieldLength and MaxRequestBytes registry keys are located at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.  Configure them as shown in the following table:

 

Name             Value Type   Value Data
MaxFieldLength   DWORD        (4/3 * T bytes) + 200
MaxRequestBytes  DWORD        (4/3 * T bytes) + 200

 

Alternatively you may set the registry keys to their maximum values shown below. The Administrator should consider all potential security ramifications if he makes any changes to the registry settings:

Name             Value Type   Value Data
MaxFieldLength   DWORD        65534
MaxRequestBytes  DWORD        16777216


IMPORTANT: Changing these registry keys can be considered extremely dangerous. These keys allow larger HTTP packets to be sent to IIS, which in turn may cause Http.sys to use more memory and may increase vulnerability to malicious attacks.


NOTE: If MaxFieldLength is configured to its maximum value of 64KB, then the MaxTokenSize registry value should be set to 3/4 * 64 = 48KB.  For more information on the MaxTokenSize setting, please see the Microsoft knowledge base article KB327825 listed below.
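Putting the KB's numbers together in code makes it clear that the right-sized value is usually far below the 64 KB maximum the warning above is about. The following is an added example (not part of the Microsoft text) that estimates a user's token size with the KB327825 formula (TokenSize = 1200 + 40d + 8s), derives MaxFieldLength/MaxRequestBytes as 4/3 * T + 200 capped at the documented maxima, counts the user's real token groups from Active Directory, and applies the values to HTTP.sys. It assumes the ActiveDirectory module for the estimate and an elevated session on the IIS server to apply; treating every universal group as in-domain is a single-domain simplification, and the user name is a placeholder.

```powershell
# Added example (not from the KB text above): estimate a user's Kerberos token size with the KB327825
# formula, derive MaxFieldLength/MaxRequestBytes from it as the KB describes, and apply them to HTTP.sys.
# Assumptions: ActiveDirectory module available for the estimate; run elevated on the IIS server to apply;
# counting all universal groups as in-domain is a single-domain approximation.

function Get-KerberosTokenSizeEstimate {
    # KB327825: TokenSize = 1200 + 40d + 8s
    #   d = domain local groups + universal groups outside the account domain + SID-history entries
    #   s = global groups + universal groups in the account domain
    param([int]$DomainLocalGroups, [int]$GlobalGroups, [int]$UniversalGroups, [int]$SidHistoryEntries = 0)
    1200 + 40 * ($DomainLocalGroups + $SidHistoryEntries) + 8 * ($GlobalGroups + $UniversalGroups)
}

function Get-HttpSysHeaderLimits {
    # 4/3 * T + 200 for both values, capped at the maxima from the KB (65534 and 16777216).
    param([Parameter(Mandatory)][int]$TokenSize)
    $needed = [int]([math]::Ceiling($TokenSize * 4 / 3) + 200)
    [pscustomobject]@{
        TokenSize       = $TokenSize
        MaxFieldLength  = [math]::Min($needed, 65534)
        MaxRequestBytes = [math]::Min($needed, 16777216)
        ExceedsMaxField = $needed -gt 65534    # too big even for the maximum: reduce group membership instead
    }
}

function Get-AdUserTokenEstimate {
    # tokenGroups is the transitive list of group SIDs that actually ends up in the token (nested groups included).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
    $scopes = foreach ($sid in $u.tokenGroups) {
        try { (Get-ADGroup -Identity $sid.Value).GroupScope } catch { 'Unknown' }   # e.g. built-in/well-known SIDs
    }
    $counts = @{}
    foreach ($g in ($scopes | Group-Object)) { $counts[$g.Name] = $g.Count }
    Get-KerberosTokenSizeEstimate -DomainLocalGroups ([int]$counts['DomainLocal']) -GlobalGroups ([int]$counts['Global']) `
        -UniversalGroups ([int]$counts['Universal']) -SidHistoryEntries ([int]$u.sIDHistory.Count)
}

function Set-HttpSysHeaderLimits {
    param([Parameter(Mandatory)][int]$MaxFieldLength, [Parameter(Mandatory)][int]$MaxRequestBytes)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    # Refuse values above the documented maxima: larger headers mean more HTTP.sys memory per request.
    if ($MaxFieldLength -gt 65534 -or $MaxRequestBytes -gt 16777216) { throw 'Value above the documented maximum' }
    Set-ItemProperty -Path $key -Name MaxFieldLength  -Value $MaxFieldLength  -Type DWord
    Set-ItemProperty -Path $key -Name MaxRequestBytes -Value $MaxRequestBytes -Type DWord
    Restart-Service -Name HTTP -Force   # takes IIS (W3SVC) and other HTTP.sys users down with it; maintenance window
}

# Worked numbers: a user in 300 domain local and 200 global groups.
$t = Get-KerberosTokenSizeEstimate -DomainLocalGroups 300 -GlobalGroups 200 -UniversalGroups 0   # 14800 bytes
Get-HttpSysHeaderLimits -TokenSize $t    # MaxFieldLength = MaxRequestBytes = 19934, far below the 65534 cap

# Live usage (placeholder user; Set-* must run on the IIS server):
# $lim = Get-HttpSysHeaderLimits -TokenSize (Get-AdUserTokenEstimate -SamAccountName 'jdoe')
# Set-HttpSysHeaderLimits -MaxFieldLength $lim.MaxFieldLength -MaxRequestBytes $lim.MaxRequestBytes
```

Size the limits for the largest token among the site's users, not the one who happened to complain, and re-check when group structures change; if ExceedsMaxField comes back true, option A above (fewer groups) is the only real fix.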


Remove – AzureRmApplicationGateway


If you want to remove Azure Application Gateway Backend HTTP Settings, Probe configs, Backend Address Pools, HTTP Listeners or something else from an Azure Application Gateway, you might end up at the same Microsoft Docs page as me.

https://docs.microsoft.com/en-us/powershell/module/azurerm.network/remove-azurermapplicationgatewaybackendhttpsettings?view=azurermps-4.4.1

As you see from the page, it tells you what to do, but when you check the config in the Portal, it is not gone.

What the page leaves out is that the Remove-* cmdlet only edits the gateway object you fetched with Get-AzureRmApplicationGateway; nothing is sent to Azure until you write that object back. The missing ingredient is:

Set-AzureRmApplicationGateway -ApplicationGateway $AppGw

So: GET the current config into $AppGw, REMOVE the item from that local object, then SET the modified object back to Azure.

And now it is correct in the GUI too 🙂
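The Get / Remove / Set sequence in full, as an added example (not from the original post) with the check the Remove-* cmdlets do not do for you: a backend HTTP setting that is still referenced by a request routing rule makes the Set step fail with a reference error after several minutes, so the example looks for such rules locally before anything is sent. It assumes the AzureRm.Network module is loaded and Login-AzureRmAccount has been run; resource names are placeholders.

```powershell
# Added example (not from the original post): the Get / Remove / Set sequence, with a reference check
# before the long-running Set. Assumptions: AzureRm.Network is loaded and Login-AzureRmAccount has been
# run; resource names are placeholders.

function Remove-AppGwBackendHttpSetting {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$GatewayName,
        [Parameter(Mandatory)][string]$SettingName
    )
    # 1) GET: pull the current configuration into a local object.
    $appGw = Get-AzureRmApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName

    $setting = $appGw.BackendHttpSettingsCollection | Where-Object Name -eq $SettingName
    if (-not $setting) { throw "No backend HTTP setting named '$SettingName' on $GatewayName" }

    # A setting still referenced by a routing rule makes the Set step fail, so detect that locally first.
    $stillUsed = $appGw.RequestRoutingRules | Where-Object { $_.BackendHttpSettings.Id -eq $setting.Id }
    if ($stillUsed) {
        throw "Setting '$SettingName' is referenced by rule(s): $($stillUsed.Name -join ', '). Repoint or remove them first."
    }

    # 2) REMOVE: edits the local object only; nothing has changed in Azure yet.
    $appGw = Remove-AzureRmApplicationGatewayBackendHttpSettings -ApplicationGateway $appGw -Name $SettingName

    # 3) SET: push the edited object back. This is the step the docs page leaves out, and it runs for minutes.
    Set-AzureRmApplicationGateway -ApplicationGateway $appGw
}

# Usage (placeholder names):
# Remove-AppGwBackendHttpSetting -ResourceGroupName 'rg-web' -GatewayName 'appgw-prod' -SettingName 'old-http-setting'
```

The same three steps apply to probes, pools and listeners; only the Remove-* cmdlet and the collection you check for references change (a probe is referenced from backend HTTP settings, a listener from routing rules).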


Change the name of your new Azure subscription


This is not a straightforward thing, even though you would think so.

1. Open a browser and go to: https://account.windowsazure.com/Subscriptions

  1. Sign in with your Azure Subscription Owner ID
  2. Press the subscription you want to rename
  3. On the right hand side, press "Edit subscription details"
  4. Enter the new name below "SUBSCRIPTION NAME"

The name is now changed, but you still need to give access to the subscription so that you can use it in your environment.

2. Still in the account.windowsazure.com/subscriptions view:

  1. Press the Portal icon in the upper right
  2. Find the Subscriptions icon in the left side menu
  3. Press the subscription you want to give access to
  4. Press the MSN icon so you can choose Users
  5. Press Add
  6. Choose the access level you want to delegate, and find the user. Grant the lowest role that does the job; Owner also lets that user change everyone else's access.

Now you can use the new subscription in your Azure portal.

Azure Admin Pages / URLs


There are so many different locations for Azure subscription management, and it is hard to keep track of what you can do where, so I have made this list for my own sake.

EA Management Portal

  • View billing
  • Add and view subscriptions

Manage Windows Azure

  • Add and view subscriptions
  • Delegate the use of a subscription (so it shows up in the Azure Portal for the administrators who are to use it)
  • Manage most Azure resources

Portal Azure

  • View and use subscriptions

Account Windows Azure

  • Rename, add and view subscriptions

It is a pain in the ass to remember the different locations, but here it is (for now).

Create an encrypted password file for PowerShell use


If you want to automate some PowerShell scripts to do a job for you, and you don't want to (and you never should) put the password in the script, then this is a great thing.

The script below prompts for a user ID and password and writes the password (password only) to a txt file protected with ConvertFrom-SecureString. Without a -Key that cmdlet uses the Windows Data Protection API (DPAPI) with the current user's key, so the file is encrypted, not hashed: the password can be recovered from it, but only by the same Windows user on the same machine. That is why the file must be created in the location the consuming script reads it from, by the account that script runs as; copying it to another machine or user does not work. Anything that runs as that user can read the password back, so keep the file's ACL tight and treat the account as sensitive.
So now you can use the password file with the scripts you have created.
#==============================================================================================
# NAME: Encrypt Password for use in PowerShell
# AUTHOR: Vincent Christiansen, vincent@sameie.com
# DATE  : 21/01/2016
# COMMENT: Prompts for username and password and writes the password (only) to a txt file as a
#          DPAPI-encrypted standard string (encrypted, not hashed: the same Windows user on the same
#          machine can decrypt it). Write the file to the location the other script will read it from.
# ==============================================================================================
$credential = Get-Credential
$credential.Password | ConvertFrom-SecureString | Set-Content D:\Scripts\Azure_Encrypted_Password.txt
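The other half of the technique is reading the file back. The following is an added example (not the author's script) that turns the stored blob into a PSCredential, explains the failure you get when the file was moved or is opened by another account, and tightens the file's ACL so that only the owning account and SYSTEM can read it. The path, account name and roles are illustrative; it assumes the file was written with ConvertFrom-SecureString by the same Windows user on the same machine.

```powershell
# Added example (not the author's script): consume the DPAPI-protected password file as a PSCredential and
# lock down the file. Assumptions: path and account are placeholders; the file was created with
# ConvertFrom-SecureString (no -Key) by the same Windows user on the same machine that runs this code.

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Path
    )
    # ConvertFrom-SecureString without -Key uses DPAPI with the current user's master key: the blob is
    # opaque to other users and other machines. That is the protection, and also why the file is not portable.
    try {
        $secure = Get-Content -Path $Path | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        throw "Cannot decrypt $Path as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME ($($_.Exception.Message)). The file must be created by the same user on the same machine."
    }
    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

function Protect-PasswordFile {
    # DPAPI already ties the blob to the user, but any process running as that user can decrypt it, so at
    # least stop other local accounts from copying the blob at all: owner and SYSTEM read-only, no inheritance.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)    # stop inheriting and drop the inherited rules
    foreach ($id in @("$env:USERDOMAIN\$env:USERNAME", 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Usage: create the file while logged on as the account the scheduled script will run under, then:
# Protect-PasswordFile -Path 'D:\Scripts\Azure_Encrypted_Password.txt'
# $cred = Get-StoredCredential -UserName 'svc-azure@example.com' -Path 'D:\Scripts\Azure_Encrypted_Password.txt'
# Connect-AzAccount -Credential $cred    # or any other cmdlet that accepts -Credential
```

If the file has to work on several machines, ConvertFrom-SecureString/ConvertTo-SecureString accept a -Key (AES); that makes the file portable but turns the key into the secret you now have to protect, so it is only a gain when the key lives somewhere better than the script does.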