Certificate Authority: Certification issuing in the Enterprise

A quick memory refresh regarding certificate template best practice:

  • Do not change any of the default certificate templates; create copies with a company prefix instead. These are easy to find in the corporate repository.
  • Only issue the certificates you need.
  • Control access to requests (I like to use security groups to control which servers/users can request certs).

I’m starting this from the point where an administrator requests a certificate and sends you the request.

When you receive a certificate request, first check the template requested. This can be done with the following command:

There will be a page or two of output, and somewhere in it there should be a line identifying the template that was requested.

We need to ensure this matches the template names that the CA issues. If it is the standard WebServer template, either they haven’t requested the right cert, or the CA is issuing the standard template.

Next we submit the request to the Certificate Authority. We need to add the CertificateTemplate to the request we are making. This is done by adding an attribute as below and then submitting the file name:

Here you must note the RequestID: it is used to complete the certificate request once you have approved the request in the Certificate Authority console.
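The same sequence (inspect the request, submit it against a named template, approve, retrieve) as an added PowerShell example that wraps certutil and certreq; it is not code from the original post. The CA config string "CA01.corp.example\Corp-Issuing-CA", the template name "Corp-WebServer" and the file name web01.req are placeholders, and the caller is assumed to hold Certificate Manager rights on that CA. Approval is done with certutil -resubmit, the command-line equivalent of clicking Issue in the CA console.

```powershell
# Added example, not from the original post. Placeholders: CA config string,
# template name, request file name. Requires certutil/certreq and CA Manager rights.

function Get-RequestedTemplate {
    param([Parameter(Mandatory)][string]$RequestFile)
    # certutil -dump decodes the PKCS#10 request. A request made for a specific template
    # shows it as a "Certificate Template Name" value (v1 templates) or inside the
    # "Certificate Template Information" extension (v2+). No "Template" line at all means
    # the requester did not ask for any template.
    certutil -dump $RequestFile 2>&1 |
        Select-String -Pattern 'Template' |
        ForEach-Object { $_.Line.Trim() }
}

function Submit-CertificateRequest {
    param(
        [Parameter(Mandatory)][string]$RequestFile,
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string]$CAConfig,
        [string]$CertOut = ($RequestFile -replace '\.req$', '.cer')
    )
    # Look at what the requester asked for before overriding it; a mismatch is the
    # "they haven't requested the right cert" case and deserves a question, not an issue.
    $requested = Get-RequestedTemplate -RequestFile $RequestFile
    if ($requested -and -not ($requested -match [regex]::Escape($Template))) {
        Write-Warning "Request mentions: $($requested -join '; ') but will be submitted as $Template"
    }

    # The CertificateTemplate attribute tells the CA which template to issue against.
    $out = certreq -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $RequestFile $CertOut 2>&1
    # A template that needs CA manager approval leaves the request pending; certreq then
    # prints "RequestId: <n>", and that number is what gets approved later.
    $idLine = $out | Select-String -Pattern 'RequestId:\s*(\d+)' | Select-Object -First 1
    if (-not $idLine) { throw "No RequestId in certreq output:`n$($out -join "`n")" }
    [int]$idLine.Matches[0].Groups[1].Value
}

function Approve-CertificateRequest {
    param(
        [Parameter(Mandatory)][int]$RequestId,
        [Parameter(Mandatory)][string]$CAConfig,
        [Parameter(Mandatory)][string]$CertOut
    )
    # Command-line equivalent of "Issue" on the pending request in the CA console.
    certutil -config $CAConfig -resubmit $RequestId | Out-Null
    # Retrieve the issued certificate by its RequestId.
    certreq -retrieve -config $CAConfig $RequestId $CertOut | Out-Null
    Get-Item -Path $CertOut
}

# Usage with placeholder values:
$ca = 'CA01.corp.example\Corp-Issuing-CA'
$id = Submit-CertificateRequest -RequestFile .\web01.req -Template 'Corp-WebServer' -CAConfig $ca
Approve-CertificateRequest -RequestId $id -CAConfig $ca -CertOut .\web01.cer
```

The template name passed in -attrib must be the template's common name (or OID), not its display name, so the warning in Submit-CertificateRequest is a prompt to look, not a hard stop.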

 

Kerberos tickets of the system account for Computer Group membership

When changing the group membership of a computer account, the group will not be applied to the computer until the computer account re-authenticates. Just as when you add a new permission to a user object, the person needs to log out and back in to get the new permissions.

The easiest way to accomplish this is to reboot the server. However, we all know that is not always possible. A handy little tool to get the computer to renew its tickets is klist. With

klist -li 0x3e7

you get a list of the system account’s tickets, and with

klist -li 0x3e7 purge

you delete all of its tickets and force the system to get new ones with updated group membership information, without rebooting at all.
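An added example (not from the original post) that wraps the two klist commands above in a function, triggers a fresh authentication to a domain controller after the purge, and prints the group list the computer is now carrying so the change can be verified. It assumes an elevated session, and that gpresult's "security groups" section reflects the token from the latest computer policy refresh, which is why gpupdate is run after the purge.

```powershell
# Added example, not from the original post. 0x3e7 is the logon session (LUID) of the
# local SYSTEM account. Run from an elevated PowerShell session.
function Update-ComputerGroupMembership {
    Write-Host '--- SYSTEM tickets before purge ---'
    klist -li 0x3e7

    # Delete every ticket in the SYSTEM session. The old TGT's PAC still lists the old
    # groups, so nothing changes until it is gone.
    klist -li 0x3e7 purge

    # Any authentication by the computer account now requests a new TGT; a computer
    # policy refresh is a convenient, harmless trigger for that.
    gpupdate /target:computer /force | Out-Null

    Write-Host '--- SYSTEM tickets after refresh ---'
    klist -li 0x3e7

    # Assumption: gpresult reports the groups from the token used for the refresh above,
    # so the newly added group should appear in this list without a reboot.
    Write-Host '--- groups the computer account now carries ---'
    gpresult /r /scope computer |
        Select-String -Pattern 'security groups' -Context 0, 25
}

Update-ComputerGroupMembership
```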

 


The other day I came across a curious problem. I had a requirement in a script to send an email. When I wrote the script and tested it, everything was working fine. However, when I ran the script from the Task Scheduler, the script executed fine but no email was sent!

After a few hours of searching the system and the Exchange host... hold the phone! Under my account it worked perfectly, but under the service account running the Task Scheduler it failed.

After a few failed attempts I noticed that if I mistyped the username and password while passing the credentials using the -Credential $Creds argument, it actually worked... WTF?

So I quickly worked out that if I passed “dummy” credentials, the script worked.

To create a dummy credential I first had to create a secure string. Then I could pass this secure string into a new credential object, as so:

I just included this at the top of the script when declaring variables.

WORKS!
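The dummy credential as an added example, not the author's script: it builds the PSCredential from a secure string the way the post describes and uses it with Send-MailMessage, with logging so a scheduled task that stops sending mail is noticed rather than failing silently. The relay name "smtp.corp.example", the addresses and the log path are placeholders. One assumption worth confirming on your own relay before relying on this: the dummy credential is not being accepted as valid; the relay presumably allows unauthenticated submission from this host, and the explicit credential only stops the SMTP client from trying to authenticate as the Task Scheduler service account.

```powershell
# Added example, not the author's script. Placeholders: relay host, addresses, log path.

# Declared with the other variables at the top of the script, as the post describes.
$dummyPassword = ConvertTo-SecureString -String 'dummy' -AsPlainText -Force
$Creds = New-Object System.Management.Automation.PSCredential ('dummy', $dummyPassword)

$SmtpServer = 'smtp.corp.example'             # placeholder relay
$LogFile    = 'C:\Scripts\Logs\notify.log'    # placeholder log path
New-Item -ItemType Directory -Force -Path (Split-Path -Path $LogFile) | Out-Null

function Send-ScriptNotification {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$Body
    )
    # -ErrorAction Stop turns a silent failure into an exception that lands in the log,
    # which is the part that was missing when the scheduled task "ran fine" without mail.
    try {
        Send-MailMessage -SmtpServer $SmtpServer -From 'scripts@corp.example' -To 'admins@corp.example' `
            -Subject $Subject -Body $Body -Credential $Creds -ErrorAction Stop
        Add-Content -Path $LogFile -Value "$(Get-Date -Format s) sent: $Subject"
        return $true
    } catch {
        Add-Content -Path $LogFile -Value "$(Get-Date -Format s) FAILED: $Subject - $($_.Exception.Message)"
        return $false
    }
}

Send-ScriptNotification -Subject 'Nightly job finished' -Body 'All steps completed.'
```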

 

Powershell Query Services on Remote Computer

Get the services on a remote computer and save them to a file.

Load a list of computers and look at who is in the admin group.

* get-localGroupMembers is a function found here:

/gallery.technet.microsoft.com/scriptcenter/List-local-group-members-c25dbcc4
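Both tasks above (services to a file, and who is in the local admin group across a list of computers) as one added example. It is not the TechNet get-localGroupMembers function the post links to; it uses CIM/WMI instead and adds two review aids: services running under a named account and admin members not on an allow-list. It assumes .\computers.txt holds one host name per line, that the caller is an administrator with WMI access on each host, and that the allow-list and output paths are placeholders.

```powershell
# Added example, not from the original post and not the linked TechNet function.
# Placeholders: computers.txt, the expected-admins list, the CSV output paths.

$computers = Get-Content -Path .\computers.txt | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$ExpectedAdmins = @('CORP\Domain Admins', 'CORP\Server-Admins')   # placeholder allow-list

function Get-RemoteServices {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            Get-CimInstance -ClassName Win32_Service -ComputerName $c -ErrorAction Stop |
                Select-Object @{n = 'Computer'; e = { $c }}, Name, DisplayName, State, StartMode, StartName, PathName
        } catch {
            Write-Warning "$c (services): $($_.Exception.Message)"
        }
    }
}

function Get-LocalAdministrators {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            # Win32_Group.Domain for a local group is the machine's NetBIOS name, which may
            # differ from the name in computers.txt, so ask the host for it first.
            $netbios = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $c -ErrorAction Stop).Name
            # ASSOCIATORS OF returns the member accounts (users and groups) of that one group,
            # without enumerating every group on the host.
            $query = "ASSOCIATORS OF {Win32_Group.Domain='$netbios',Name='Administrators'} WHERE AssocClass=Win32_GroupUser"
            Get-CimInstance -ComputerName $c -Query $query -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer = $c
                        Member   = '{0}\{1}' -f $_.Domain, $_.Name
                        Type     = $_.CimClass.CimClassName   # Win32_UserAccount or Win32_Group
                    }
                }
        } catch {
            Write-Warning "$c (admins): $($_.Exception.Message)"
        }
    }
}

$services = Get-RemoteServices -ComputerName $computers
$admins   = Get-LocalAdministrators -ComputerName $computers
$services | Export-Csv -Path .\services.csv -NoTypeInformation
$admins   | Export-Csv -Path .\local-admins.csv -NoTypeInformation

# Review aids: services running as a named (non built-in) account, and admin members
# that are not on the allow-list. Both deserve a second look.
$builtin = '^(LocalSystem|NT AUTHORITY\\.*|NT SERVICE\\.*)$'
$services | Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
    Format-Table Computer, Name, StartName -AutoSize
$admins | Where-Object { $ExpectedAdmins -notcontains $_.Member } |
    Format-Table Computer, Member, Type -AutoSize
```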

 

Event Log Filtering

Sometimes the standard event log filtering just isn’t enough and you need more refined search criteria.

I find the best way to do this is to select the event log you wish to search, then choose Filter Current Log.

This adds all the search and selection criteria that you need. You can then edit the query on the XML tab. You will see something such as the following:

In that XML you will see a Select element; between its opening and closing tags there is an *. This is where you enter your select query.

Individual conditions are written in square brackets. Below you will see some examples:

The above example gives a list of events where a group membership change has been made to Domain Admins.

* If you wish to target specific data, viewing an event in the event log and checking its XML data will give you the field names you need.
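An added example, not the XML from the original post, of the query the post describes: Security events 4728 and 4729 (member added to / removed from a global security group) where the target group is Domain Admins, run through Get-WinEvent with -FilterXml so it can be scheduled instead of clicked. The field names in the EventData predicate (TargetUserName, MemberName, SubjectUserName) are the ones shown on the XML tab of those events. The domain controller name "DC01" is a placeholder, and the "Audit Security Group Management" subcategory must be enabled on the DC for these events to exist.

```powershell
# Added example, not from the original post. Placeholder: domain controller name.
$DomainAdminChangeQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4728 or EventID=4729)]]
      and
      *[EventData[Data[@Name='TargetUserName']='Domain Admins']]
    </Select>
  </Query>
</QueryList>
'@

function Get-DomainAdminMembershipChanges {
    param(
        [string]$ComputerName = 'DC01',   # placeholder
        [int]$MaxEvents = 50
    )
    # -FilterXml takes the same XML the Event Viewer shows on its XML tab.
    Get-WinEvent -ComputerName $ComputerName -FilterXml ([xml]$DomainAdminChangeQuery) `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML rather than relying on
            # property positions, which differ between event IDs.
            $fields = @{}
            foreach ($data in ([xml]$_.ToXml()).Event.EventData.Data) {
                $fields[$data.Name] = $data.'#text'
            }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = if ($_.Id -eq 4728) { 'Added' } else { 'Removed' }
                Member = $fields['MemberName']
                Group  = $fields['TargetUserName']
                Actor  = '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']
            }
        }
}

Get-DomainAdminMembershipChanges | Format-Table -AutoSize
```

Domain Admins is a global group, hence 4728/4729; for a universal group the same filter would use 4756/4757, and for a domain-local group 4732/4733.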

AD Dir Sync

All credit for this article goes HERE. Thanks to Stephanie Kahlam.

Hey DirSync, where is my DirSyncConfigShell.psc1?

In previous versions of DirSync (latest version 1.0.6862.0000) there was a nifty little shell that could be found in

I liked to create a shortcut on my desktop, along with the ever so ambiguously named DirSync GUI, miisclient.exe. When I logged into my server I had quick access to launch the DirSync GUI and quick access to force a synchronization if required.


Today DirSyncConfigShell.psc1 is no more. To start a quick synchronization you now need to open a PowerShell window in admin mode, enter “Import-Module DirSync”, then run “Start-OnlineCoexistenceSync”.


What DirSync Version am I Running?

If you need to check what version of DirSync you currently have installed, simply run the following PowerShell cmdlet:

(GP "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Online Directory Sync").DisplayVersion

How to Change DirSync “synchronization interval”

By default DirSync (Windows Azure Active Directory Sync) will synchronize every 3 hours. This interval can be changed by editing the Microsoft.Online.DirSync.Scheduler.exe config file found in C:\Program Files\Windows Azure Active Directory Sync

  • Open the Microsoft.Online.DirSync.Scheduler.exe config file with Notepad.
  • Look for the entry <add key="SyncTimeInterval" value="3:0:0" />, which specifies hours:minutes:seconds. Change the value to the interval you desire, e.g. "0:10:0" for ten minutes, and save the file.
  • Open Start –> Run –> services.msc and restart the Windows Azure Active Directory Sync Service.


This window shows a sync interval of 5 mins after the config file has been edited
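The version check and the interval change above as one added PowerShell example, not from the original article: it reads DisplayVersion from the uninstall key the article gives, rewrites the SyncTimeInterval value in the scheduler's config file after taking a backup, and restarts the service by its display name. It assumes the config file is named Microsoft.Online.DirSync.Scheduler.exe.config (the usual .NET naming for an exe's config) in the install folder the article names, and that the value is an <add key="SyncTimeInterval"> element somewhere in that file.

```powershell
# Added example, not from the original article. Assumption: the config file name follows
# the standard <exe>.config convention; the folder and service display name are the
# article's own. Run elevated on the DirSync server.

function Get-DirSyncVersion {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Online Directory Sync'
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisplayVersion
}

function Set-DirSyncInterval {
    param(
        # hours:minutes:seconds, as in the article ("0:10:0" for ten minutes)
        [Parameter(Mandatory)][ValidatePattern('^\d{1,2}:\d{1,2}:\d{1,2}$')][string]$Interval,
        [string]$ConfigPath = 'C:\Program Files\Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.config'
    )
    # Keep a timestamped copy before touching the file so the change can be backed out.
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

    $xml  = [xml](Get-Content -Path $ConfigPath -Raw)
    $node = $xml.SelectSingleNode("//add[@key='SyncTimeInterval']")
    if (-not $node) { throw "SyncTimeInterval not found in $ConfigPath" }

    $old = $node.GetAttribute('value')
    $node.SetAttribute('value', $Interval)
    $xml.Save($ConfigPath)

    # The scheduler only reads the file at start-up, hence the restart.
    Restart-Service -DisplayName 'Windows Azure Active Directory Sync Service'
    "SyncTimeInterval changed from $old to $Interval"
}

"DirSync version: $(Get-DirSyncVersion)"
Set-DirSyncInterval -Interval '0:10:0'
```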

DirSync Set Up Credentials

During setup of the Windows Azure Active Directory Sync tool Configuration Wizard you will be asked for two sets of credentials: an Azure/Office 365 company administrator and an on-premises AD domain administrator.

The account specified for Windows Azure is not required to be licensed in Office 365.

This account should, however, be configured with a non-expiring password, as DirSync will cease to run if the password changes in Office 365. The password can be changed in the DirSync GUI should this occur, but it is probably easier to set it to non-expiring and avoid disruption to your synchronization process.

To set a user’s password to non-expiring, run the following PowerShell command:

Set-MsolUser -UserPrincipalName <userID> -PasswordNeverExpires $true

If you need to change the password in the DirSync GUI, perform the following:

Open miisclient.exe


Click on Management Agents


Right-click Windows Azure Active Directory Connector and choose Properties


Click on Connectivity, then update the password
