diff --git a/Active Directory/Reset-KrbTgt/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 b/Active Directory/Reset-KrbTgt/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 new file mode 100644 index 0000000..d3b68d7 --- /dev/null +++ b/Active Directory/Reset-KrbTgt/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 @@ -0,0 +1,8325 @@ +### +# Parameters Used By Script +### +Param ( + [switch]$noInfo, + [ValidateSet("infoMode", "simulModeCanaryObject", "simulModeKrbTgtTestAccountsWhatIf", "resetModeKrbTgtTestAccountsResetOnce", "simulModeKrbTgtProdAccountsWhatIf", "resetModeKrbTgtProdAccountsResetOnce")] + [string]$modeOfOperation, + [string]$targetedADforestFQDN, + [string]$targetedADdomainFQDN, + [ValidateSet("allRWDCs", "allRODCs", "specificRODCs")] + [string]$targetKrbTgtAccountScope, + [string[]]$targetRODCFQDNList, + [switch]$continueOps, + [switch]$sendMailWithLogFile +) + +### +# Version Of Script +### +$version = "v3.4, 2023-03-04" + +<# + AUTHOR + Written By....................: Jorge de Almeida Pinto [MVP Enterprise Mobility And Security, EMS / Lead Identity/Security Architect] + Re-Written By.................: N.A. + Company.......................: IAMTEC >> Identity | Security | Recovery [https://www.iamtec.eu/] + Blog..........................: Jorge's Quest For Knowledge [http://jorgequestforknowledge.wordpress.com/] + For Feedback/Questions........: scripts.gallery@iamtec.eu + --> Please Describe Your Scenario As Best As Possible With As Much Detail As Possible. + --> If Applicable Describe What Does and/Or Does Not Work. + --> If Applicable Describe What Should Be/Work Different And Explain Why/How. + --> Please Add Screendumps. + + ORIGINAL SOURCES + - https://github.com/zjorz/Public-AD-Scripts/blob/master/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 + - https://jorgequestforknowledge.wordpress.com/category/active-directory-domain-services-adds/krbtgt-account/ + + DISCLAIMER + - The script is FREEWARE, you are free to distribute/update it, but always refer to the original source(s) as the location where you got it + - This script is furnished "AS IS". NO warranty is expressed or implied! + - I HAVE NOT tested it in every scenario or environment + - ALWAYS TEST FIRST in lab environment to see if it meets your needs! + - Use this script at YOUR OWN RISK! YOU ARE RESPONSIBLE FOR ANY OUTCOME/RESULT BY USING THIS SCRIPT! + - I DO NOT warrant this script to be fit for any purpose, use or environment! + - I have tried to check everything that needed to be checked, but I DO NOT guarantee the script does not have bugs! + - I DO NOT guarantee the script will not damage or destroy your system(s), environment or anything else due to improper use or bugs! + - I DO NOT accept liability in any way when making mistakes, use the script wrong or in any other way where damage is caused to your environment/systems! + - If you do not accept these terms DO NOT use the script in any way and delete it immediately! + + TODO + - N.A. + + KNOWN ISSUES/BUGS + - When targeting a remote AD forest for which no trust exist with the AD forest the running account belongs to, the public profile of WinRM may be + used. In that case the PSSession for 'Get-GPOReport' may fail due to the default firewall exception only allowing access from remote computers + on the same local subnet. In that case the default 'MaxTicketAge' (default 10 hours) and 'MaxClockSkew' (default 5 minutes) is used instead. + You may see the following error: + [] Connecting to remote server failed with the following error message : WinRM cannot complete the operation. + Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM + service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote + computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic. + + CategoryInfo : OpenError: (:String) [], PSRemotingTransportException + + FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken + - Although this script can be used in an environment with Windows Server 2000/2003 RWDCs, it is NOT supported to do this. Windows Server + 2000/2003 RWDCs cannot do KDC PAC validation using the previous (N-1) krbtgt password. Those RWDCs only attempt that with the current + (N) password. That means that in the subset of KRB AP exchanges where KDC PAC validation is performed, authentication issues could be + experienced because the target server gets a PAC validation error when asking the KDC (domain controller) to validate the KDC signature + of the PAC that is inside the service ticket that was presented by the client to the server. This problem would potentially persist + for the lifetime of the service ticket(s). It is also highly recommended NOT to use products that have reached their end support. + Please upgrade as soon as possible. + - This is not related to this script. When increasing the DFL from Windows Server 2003 to any higher level, the password of the KrbTgt + Account will be reset automatically due to the introduction of AES encryption for Kerberos and the requirement to regenerate new keys + for DES, RC4, AES128, AES256! + + RELEASE NOTES + v3.4, 2023-03-04, Jorge de Almeida Pinto [MVP-EMS]: + - Bug Fix: The PowerShell CMDlets from the ActiveDirectory module DO recognize the 2016 FFL and DFL. The script DOES NOT use those anymore, but instead uses S.DS.P.. The issue appears to be that MSFT did update the + ActiveDirectory module to recognize the 2016 FFL/DFl, but they apparently did not update the S.DS.P. DLLs to do the same. The script itself now detects this and reports the correct FFL/DFL when it is 2016 + + v3.3, 2022-12-20, Jorge de Almeida Pinto [MVP-EMS]: + - Bug Fix: updated the attribute type when specifying the number of the AD domain instead of the actual FQDN of the AD domain + + v3.2, 2022-11-05, Jorge de Almeida Pinto [MVP-EMS]: + - New Feature: Adding support for scheduled/automated password reset of KrbTgt account password for either all RWDCs, all individual RODCs or specific RODCs + - New Feature: Added mail function and parameter to mail the log file for review after execution with results + - New Feature: Adding support for signed mail + - New Feature: Adding support for encrypted mail + - Bug Fix: Minor textual fixes + - Bug Fix: fix an issue where one confirmation of continueOrStop would be inherited by the next + - Bug Fix: fix an issue where the forest root domain would always be chosen as the source for replication and GPOs instead of the chosen AD domain when using custom credentials. + This caused replicate single object to fail and for the determination of the Kerberos settings in the resultant GPO + - Code Improvement: Added function getServerNames to retrieve server related names/FQDNs + - Code Improvement: Added support for disjoint namespace, e.g. AD domain FQDN = ADDOMAIN.COM and DCs FQDN for that AD domain = .SOMEDNSDOMAIN.COM + - Code Improvement: Removed ALL dependencies for the ActiveDirectory PoSH module and replaced those with alternatives + - Code Improvement: Redefinition of tables holding data for processing + - Code Improvement: Upgraded to S.DS.P PowerShell Module v2.1.5 (2022-09-20) + - Improved User Experience: Added the NetBIOS name of the AD domain to the list of AD domains in an AD forest + - Improved User Experience: Added the option to the function to install required PoSH modules when not available + - Improved User Experience: Added support to specify the number of an AD domain in the list instead of its FQDN + + v3.1, 2022-06-06, Jorge de Almeida Pinto [MVP-EMS]: + - Improved User Experience: The S.DS.P PowerShell Module v2.1.4 has been included into this script (with permission and under GPL license) to remove the dependency of the AD PowerShell Module when querying objects in AD. The + ActiveDirectory PowerShell module is still used to get forest, domain, and domaincontroller information. + - Improved User Experience: Removed dependency for port 135 (RPC Endpoint Mapper) and 9389 (AD Web Service) + - Bug Fix: Getting the description of the Test KrbTgt accounts in remote AD forest with explicit credentials to compare and fix later + - Code Improvement: In addition to check for the correct description, also check if the test KrbTgt accounts are member of the correct groups + - Code Improvement: Updated function createTestKrbTgtADAccount + - Bug Fix: Minor textual fixes + + v3.0, 2022-05-27, Jorge de Almeida Pinto [MVP-EMS]: + - Bug Fix: Changed variable from $pwd to $passwd + - Bug Fix: Variable used in single-quoted string. Wrapped in double-quote to fix + - Bug Fix: Fix missing conditions and eventually credentials when connecting to a remote untrusted AD forest + - Code Improvement: Minor improvements through scripts + - Code Improvement: Changed variable from $passwordNrChars to $passwdNrChars + - Code Improvement: Updated function confirmPasswordIsComplex + - Code Improvement: Instead of assuming the "Max Tgt Lifetime In Hours" And the "Max Clock Skew In Minutes" is configured in the Default Domain GPO policy (the default) + It now performs an RSoP to determine which GPO provides the authoritative values, and then uses the values from that GPO + - Code Improvement: Added check for required PowerShell module on remote RWDC when running Invoke-Command CMDlet + - Code Improvement: Added function 'requestForAdminCreds' to request for admin credentials + - Improved User Experience: Specifically mentioned the requirement for the ADDS PoSH CMDlets and the GP PoSH CMDlets + - Improved User Experience: Checking AD forest existence through RootDse connection in addition to DNS resolution + - Code Improvement: Added a variable for connectionTimeout and changed the default of 500ms to 2000ms + + v2.9, 2021-05-04, Jorge de Almeida Pinto [MVP-EMS]: + - Improved User Experience: Added additional info and recommendations + - New Feature: Added function to check UAC elevation status, and if not elevated to start the script automatically using an elevated PowerShell Command Prompt + + v2.8, 2020-04-02, Jorge de Almeida Pinto [MVP-EMS]: + - Bug fix: Fixed an issue when the RODC itself is not reachable/available, whereas in that case, the source should be the RWDC with the PDC FSMO + - Improved User Experience: Checks to make sure both the RWDC with the PDC FSMO role and the nearest RWDC are available. If either one is not available, the script will abort + + v2.7, 2020-04-02, Jorge de Almeida Pinto [MVP-EMS]: + - Code Improvement: Added DNS name resolution check to the portConnectionCheck function + - Code Improvement: Removed usage of $remoteADforest variable and only use the $localADforest variable + - Code Improvement: Removed usage of $remoteCredsUsed variable and only use the $adminCrds variable (Was $adminCreds) + - Code Improvement: Sections with '#XXX' have been removed + - Code Improvement: Calls using the CMDlet 'Get-ADReplicationAttributeMetadata' (W2K12 and higher) have been replaced with .NET calls to support older OS'es such as W2K8 and W2K8R2. A function has been created to retrieve metadata + - Code Improvement: Some parts were rewritten/optimized + - Improved User Experience: To test membership of the administrators group in a remote AD forest the "title" attribute is now used instead of the "displayName" attribute to try to write to it + - Improved User Experience: Added a warning if the special purpose krbtgt account 'Krbtgt_AzureAD' is discovered in the AD domain + - Improved User Experience: If the number of RODCs in the AD domain is 0, then it will not present the options for RODCs + - Improved User Experience: If the number of RODCs in the AD domain is 1 of more, and you chose to manually specify the FQDN of RODCs to process, it will present a list of RODCs to choose from + - Improved User Experience: Operational modes have been changed (WARNING: pay attention to what you choose!). The following modes are the new modes + - 1 - Informational Mode (No Changes At All) + - 2 - Simulation Mode | Temporary Canary Object Created To Test Replication Convergence! + - 3 - Simulation Mode | Use KrbTgt TEST/BOGUS Accounts - No Password Reset/WhatIf Mode! + - 4 - Real Reset Mode | Use KrbTgt TEST/BOGUS Accounts - Password Will Be Reset Once! + - 5 - Simulation Mode | Use KrbTgt PROD/REAL Accounts - No Password Reset/WhatIf Mode! + - 6 - Real Reset Mode | Use KrbTgt PROD/REAL Accounts - Password Will Be Reset Once! + - Improved User Experience: When choosing RODC Krb Tgt Account scope the following will now occur: + - If the RODC is not reachable, the real source RWDC of the RODC cannot be determined. In that case, the RWDC with the PDC FSMO role is used as the source for the change and replication + - If the RODC is reachable, but the real source RWDC of the RODC is not reachable it cannot be used as the source for the change and replication. In that case, the RWDC with the PDC FSMO role is used as the source for the change and replication + + v2.6, 2020-02-25, Jorge de Almeida Pinto [MVP-EMS]: + - Code Improvement: Removed code that was commented out + - Code Improvement: In addition to the port 135 (RPC Endpoint Mapper) and 389 (LDAP), the script will also check for port 9389 (AD Web Service) which is used by the ADDS PoSH CMDlets + - Code Improvement: Updated script to included more 'try/catch' and more (error) logging, incl. line where it fails, when things go wrong to make troubleshooting easier + - Improved User Experience: Logging where the script is being executed from + - Improved User Experience: Updated the function 'createTestKrbTgtADAccount' to also include the FQDN of the RODC for which the Test KrbTgt account is created for better recognition + + v2.5, 2020-02-17, Jorge de Almeida Pinto [MVP-EMS]: + - Code Improvement: To improve performance, for some actions the nearest RWDC is discovered instead of using the RWDC with the PDC FSMO Role + + v2.4, 2020-02-10, Jorge de Almeida Pinto [MVP-EMS]: + - Bug Fix: Fixed language specific issue with the groups 'Allowed RODC Password Replication Group' and 'Denied RODC Password Replication Group' + - Code Improvement: Checked script with Visual Studio Code and fixed all "problems" identified by Visual Studio Code + - Variable "$remoteCredsUsed" is ignored by me, as the problem is due to the part 'Creds' in the variable name + - Variable "$adminCreds" is ignored by me, as the problem is due to the part 'Creds' in the variable name + - New Feature: Added support to execute this script against a remote AD forest, either with or without a trust + + v2.3, 2019-02-25, Jorge de Almeida Pinto [MVP-EMS]: + - Code Improvement: Removed the language specific error checking. Has been replaced with another check. This solution also resolved another + issue when checking if a (RW/RO)DC was available or not + + v2.2, 2019-02-12, Jorge de Almeida Pinto [MVP-EMS]: + - Code Improvement: Instead of searching for "Domain Admins" or "Enterprise Admins" membership, it resolves the default RIDs of those + groups, combined with the corresponding domain SID, to the actual name of those domain groups. This helps in supporting non-english + names of those domain groups + + v2.1, 2019-02-11, Jorge de Almeida Pinto [MVP-EMS]: + - Code Improvement: Added a try catch when enumerating details about a specific AD domain that appears not to be available + - New Feature: Read and display metadata of the KrbTgt accounts before and after to assure it was only updated once! + + v2.0, 2018-12-30, Jorge de Almeida Pinto [MVP-EMS]: + - Code Improvement: Full rewrite and major release + - New Feature: Added possibility to also reset KrbTgt account in use by RODCs + - New Feature: Added possibility to try this procedure using a temp canary object (contact object) + - New Feature: Added possibility to try this procedure using a TEST krbtgt accounts and perform password reset on those TEST krbtgt accounts + - New Feature: Added possibility to create TEST krbtgt accounts if required + - New Feature: Added possibility to delete TEST krbtgt accounts if required + - New Feature: Check if an RODC account is indeed in use by a Windows RODC and not something simulating an RODC (e.g. Riverbed) + - New Feature: Removed dependency for REPADMIN.EXE + - New Feature: Removed dependency for RPCPING.EXE + - New Feature: Extensive logging to both screen and file + - New Feature: Added more checks, such as permissions check, etc. + - Script Improvement: Renamed script to Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 + + v1.7, Jared Poeppelman, Microsoft + - Code Improvement: Modified rpcping.exe call to use "-u 9 -a connect" parameters to accomodate tighter RPC security settings as specified in + DISA STIG ID: 5.124 Rule ID: SV-32395r1_rule , Vuln ID: V-14254 (thanks Adam Haynes) + + v1.6, Jared Poeppelman, Microsoft + - Code Improvement: Removed 'finally' block of Get-GPOReport error handling (not a bug, just not needed) + + v1.5, Jared Poeppelman, Microsoft + - Bug Fix: Fixed bug of attempting PDC to PDC replication + - Code Improvement: Added logic for GroupPolicy Powershell module dependency + - Code Improvement: Replaced function for password generation + - Code Improvement: Renamed functions to use appropriate Powershell verbs + - Code Improvement: Added error handling around Get-GpoReport for looking up MaxTicketAge and MaxClockSkew + - Script Improvement: Renamed script to New-CtmADKrbtgtKeys.ps1 + + v1.4, Jared Poeppelman, Microsoft + - First version published on TechNet Script Gallery +#> + +<# +.SYNOPSIS + This PoSH Script Resets The KrbTgt Password For RWDCs And RODCs In A Controlled Manner + +.DESCRIPTION + This PoSH script provides the following functions: + - Single Password Reset for the KrbTgt account in use by RWDCs in a specific AD domain, using either TEST or PROD KrbTgt accounts + - Single Password Reset for the KrbTgt account in use by an individual RODC in a specific AD domain, using either TEST or PROD KrbTgt accounts + * A single RODC in a specific AD domain + * A specific list of RODCs in a specific AD domain + * All RODCs in a specific AD domain + - Resetting the password/keys of the KrbTgt Account can be done for multiple reasons such as for example: + * From a security perspective as mentioned in https://cloudblogs.microsoft.com/microsoftsecure/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/ + * From an AD recovery perspective as mentioned in https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password + - For all scenarios, an informational mode, which is mode 1 with no changes + - For all scenarios, a simulation mode, which is mode 2 where replication is tested through the replication of a temporary canary + object that is created and deleted afterwards. No Password Resets involved here as the temporary canary object is a contact object + - For all scenarios, a simulation mode, which is mode 3 where NO password reset of the chosen TEST KrbTgt account occurs. Basically this + just checks the status of the objects on scoped DCs. NOTHING is changed. Can be scoped for RWDCs and RODCs (single, multiple, all) + - For all scenarios, a real reset mode, which is mode 4 where the password reset of the chosen TEST KrbTgt account is actually executed + and replication of it is monitored through the environment for its duration. Can be scoped for RWDCs and RODCs (single, multiple, all) + - For all scenarios, a simulation mode, which is mode 5 where NO password reset of the chosen PROD KrbTgt account occurs. Basically this + just checks the status of the objects on scoped DCs. NOTHING is changed. Can be scoped for RWDCs and RODCs (single, multiple, all) + - For all scenarios, a real reset mode, which is mode 6 where the password reset of the chosen PROD KrbTgt account is actually executed + and replication of it is monitored through the environment for its duration + - The creation of Test KrbTgt Accounts, which is mode 8 + - The deletion of Test KrbTgt Accounts, which is mode 9 + - It is possible to run the script in a scheduled and automated manner by specifying the correct parameters and the correct information + - When running in a scheduled and automated manner, it is possible to have the log file mailed to some defined mailbox + - When mailing it is possible to sign and/or encrypt the mail message, provided the correct certificates are available for signing and/or + encryption + - Certificates can either be in the User Store or in a PFX file with the password available (Signing and Encryption) or in a CER file + (Encryption Only) + - When mailing of the log file is needed in ANY way, a configuration XML file "Reset-KrbTgt-Password-For-RWDCs-And-RODCs.xml" is needed + with settings to control mailing behavior. The configuration XML file is expected to be in the same folder as the script itself. + See below in the NOTES for the structure + + Behavior: + - In this script a DC is reachable/available, if its name is resolvable and connectivity is possible for all of the following ports: + TCP:389 (LDAP) + - In mode 1 you will always get a list of all RWDCs, and alls RODCs if applicable, in the targeted AD domain that are available/reachable + or not + - In mode 2 it will create the temporary canary object and, depending on the scope, it will check if it exists in the AD database of the + remote DC(s) (RWDC/RODC) + - In mode 3, depending on the scope, it uses TEST/BOGUS krbtgt account(s). It just checks and compares the state of the pwdLastSet attribute + on the source RWDC with other scoped DCs. Nothing is changed/updated! + * For RWDCs it uses the TEST/BOGUS krbtgt account "krbtgt_TEST" (All RWDCs) (= Created when running mode 8) + * For RODCs it uses the TEST/BOGUS krbtgt account "krbtgt__TEST" (RODC Specific) (= Created when running mode 8) + - In mode 4, depending on the scope, it uses TEST/BOGUS krbtgt account(s) to reset the password on an originating RWDC. After that it + checks if pwdLastSet attribute value of the targeted TEST/BOGUS krbtgt account(s) on the remote DC(s) (RWDC/RODC) matches the + pwdLastSet attribute value of the same TEST/BOGUS krbtgt account on the originating RWDC + * For RWDCs it uses the TEST/BOGUS krbtgt account "krbtgt_TEST" (All RWDCs) (= Created when running mode 8) + * For RODCs it uses the TEST/BOGUS krbtgt account "krbtgt__TEST" (RODC Specific) (= Created when running mode 8) + - In mode 5, depending on the scope, it uses PROD/REAL krbtgt account(s). It just checks and compares the state of the pwdLastSet attribute + on the source RWDC with other scoped DCs. Nothing is changed/updated! + - In mode 6, depending on the scope, it uses PROD/REAL krbtgt account(s) to reset the password on an originating RWDC. After that it + checks if pwdLastSet attribute value of the targeted PROD/REAL krbtgt account(s) on the remote DC(s) (RWDC/RODC) matches the pwdLastSet + attribute value of the same PROD/REAL krbtgt account on the originating RWDC + * For RWDCs it uses the PROD/REAL krbtgt account "krbtgt" (All RWDCs) + * For RODCs it uses the PROD/REAL krbtgt account "krbtgt_" (RODC Specific) + - In mode 8, for RWDCs it creates (in disabled state!) the TEST/BOGUS krbtgt account "krbtgt_TEST" and adds it to the AD group + "Denied RODC Password Replication Group". If any RODC exists in the targeted AD domain, it reads the attribute "msDS-KrbTgtLink" of + each RODC computer account to determine the RODC specific krbtgt account and creates (in disabled state!) the TEST/BOGUS krbtgt + account "krbtgt__TEST" and adds it to the AD group "Allowed RODC Password Replication Group" + - In mode 9, for RWDCs it deletes the TEST/BOGUS krbtgt account "krbtgt_TEST" if it exists. If any RODC exists in the targeted AD domain, + it reads the attribute "msDS-KrbTgtLink" of each RODC computer account to determine the RODC specific krbtgt account and deletes the + TEST/BOGUS krbtgt account "krbtgt__TEST" if it exists. + - In mode 2, 3, 4, 5 or 6, if a remote DC (RWDC/RODC) is not available or cannot be reached, there will not be a check against its AD database + to determine if the change made reached it or not. + - In mode 2 when performing the "replicate single object" operation, it will always be for the full object, no matter if the remote DC + is an RWDC or an RODC + - In mode 3, 4, 5 or 6 when performing the "replicate single object" operation, it will always be for the full object, if the remote DC is an + RWDC. If the remote DC is an RODC it will always be for the partial object and more specifically "secrets only" + - When targeting the krbtgt account (TEST/BOGUS or PROD/REAL) in use by all the RWDCs, the originating RWDC is the RWDC with the PDC FSMO + and all other available/reachable RWDCs will be checked against to see if the change has reached them. No RODCs are involved as those + do not use the krbtg account in use by the RWDCs and also do not store/cache its password. + - When targeting the krbtgt account (TEST/BOGUS or PROD/REAL) in use by an RODC, the originating RWDC is the direct replication RWDC if + available/reachable and when not available the RWDC with the PDC FSMO is used as the originating RWDC. Only the RODC that uses the + specific krbtgt account is checked against to see if the change has reached them, but only if the RODCs is available/reachable. If the + RODC itself is not available, then the RWDC with the PDC FSMO is used as the originating RWDC and the change will eventually replicate + to the RODC + - If the operating system attribute of an RODC computer account does not have a value, it is determined to be unknown (not a real RODC), + and therefore something else. It could for example be a Riverbed appliance in "RODC mode". + - The only DC that knows what the real replication partner is of an RODC, is the RODC itself. Only the RODC manages a connection object + that only exists in the AD database of the RODC and does not replicate out to other DCs as RODCs do not support outbound replication. + Therefore, assuming the RODC is available, the CO is looked up in the RODC AD database and from that CO, the "source" server is + determined. In case the RODC is not available or its "source" server is not available, the RWDC with the PDC FSMO is used to reset + the password of the krbtgt account in use by that RODC. If the RODC is available a check will be done against its database, and if + not available the check is skipped + +.PARAMETER noInfo + With this parameter it is possible to skip the information at the beginning of the script when running the script in an automated manner such + as in a Scheduled Task + +.PARAMETER modeOfOperation + With this parameter it is possible to specify the mode of operation for the script. This should only be used in an automated manner such as in + a Scheduled Task, BUT ONLY after testing an getting confidence of what will happen! + Accepted values are: "infoMode", "simulModeCanaryObject", "simulModeKrbTgtTestAccountsWhatIf", "resetModeKrbTgtTestAccountsResetOnce", + "simulModeKrbTgtProdAccountsWhatIf", "resetModeKrbTgtProdAccountsResetOnce" + +.PARAMETER targetedADforestFQDN + With this parameter it is possible to specify the FQDN of an AD forest that will be targeted. This should only be used in an automated manner + such as in a Scheduled Task, BUT ONLY after testing an getting confidence of what will happen! + +.PARAMETER targetedADdomainFQDN + With this parameter it is possible to specify the FQDN of an AD domain that will be targeted within the specified AD forest. This should only + be used in an automated manner such as in a Scheduled Task, BUT ONLY after testing an getting confidence of what will happen! + +.PARAMETER targetKrbTgtAccountScope + With this parameter it is possible to specify the scope of the targeted KrbTgt account. This should only be used in an automated manner such + as in a Scheduled Task, BUT ONLY after testing an getting confidence of what will happen! + Accepted values are: "allRWDCs", "allRODCs", "specificRODCs" + +.PARAMETER targetRODCFQDNList + With this parameter it is possible to specify one or more RODCs through a comma-separated list. This parameter is ONLY needed when the + targetKrbTgtAccountScope is set to specificRODCs. This should only be used in an automated manner such as in a Scheduled Task, BUT ONLY after + testing an getting confidence of what will happen! + +.PARAMETER continueOps + With this parameter it is possible to specify the script should continue where it is needed to confirm the operation depending of whether there + is impact or not. If the script determines there is impact, the script will abort to prevent impact. Only when running ON-DEMAND without any + parameters will it be possible to continue and still have domain wide impact, in other words ignore there is impact. This should only be used + in an automated manner such as in a Scheduled Task, BUT ONLY after testing an getting confidence of what will happen! + +.PARAMETER sendMailWithLogFile + With this parameter it is possible to specify the script should mail the LOG file at any moment when the script stops running, whether it + finished succesfully or due to encountered issue(s). This should only be used in an automated manner such as in a Scheduled Task, BUT ONLY + after testing an getting confidence of what will happen! + +.EXAMPLE + Execute The Script - On-Demand + + .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 + +.EXAMPLE + Execute The Script - Automated Without Sending The Log File Through Mail - Mode 2 With All RWDCs As Scope + + .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 -noInfo -modeOfOperation simulModeCanaryObject -targetedADforestFQDN DOMAIN.COM -targetedADdomainFQDN CHILD.DOMAIN.COM -targetKrbTgtAccountScope allRWDCs -continueOps + +.EXAMPLE + Execute The Script - Automated And Sending The Log File Through Mail - Mode 2 With All RWDCs As Scope + + .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 -noInfo -modeOfOperation simulModeCanaryObject -targetedADforestFQDN DOMAIN.COM -targetedADdomainFQDN CHILD.DOMAIN.COM -targetKrbTgtAccountScope allRWDCs -continueOps -sendMailWithLogFile + +.EXAMPLE + Execute The Script - Automated And Sending The Log File Through Mail - Mode 3 With All RWDCs As Scope + + .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 -noInfo -modeOfOperation simulModeKrbTgtTestAccountsWhatIf -targetedADforestFQDN DOMAIN.COM -targetedADdomainFQDN CHILD.DOMAIN.COM -targetKrbTgtAccountScope allRWDCs -continueOps -sendMailWithLogFile + +.EXAMPLE + Execute The Script - Automated And Sending The Log File Through Mail - Mode 4 With All RWDCs As Scope + + .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 -noInfo -modeOfOperation resetModeKrbTgtTestAccountsResetOnce -targetedADforestFQDN DOMAIN.COM -targetedADdomainFQDN CHILD.DOMAIN.COM -targetKrbTgtAccountScope allRWDCs -continueOps -sendMailWithLogFile + +.EXAMPLE + Execute The Script - Automated And Sending The Log File Through Mail - Mode 5 With All RWDCs As Scope + + .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 -noInfo -modeOfOperation simulModeKrbTgtProdAccountsWhatIf -targetedADforestFQDN DOMAIN.COM -targetedADdomainFQDN CHILD.DOMAIN.COM -targetKrbTgtAccountScope allRWDCs -continueOps -sendMailWithLogFile + +.EXAMPLE + Execute The Script - Automated And Sending The Log File Through Mail - Mode 6 With All RWDCs As Scope + + .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 -noInfo -modeOfOperation resetModeKrbTgtProdAccountsResetOnce -targetedADforestFQDN DOMAIN.COM -targetedADdomainFQDN CHILD.DOMAIN.COM -targetKrbTgtAccountScope allRWDCs -continueOps -sendMailWithLogFile + +.EXAMPLE + Execute The Script - Automated And Sending The Log File Through Mail - Mode 3 With All RODCs As Scope + + .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 -noInfo -modeOfOperation simulModeKrbTgtTestAccountsWhatIf -targetedADforestFQDN DOMAIN.COM -targetedADdomainFQDN CHILD.DOMAIN.COM -targetKrbTgtAccountScope allRODCs -continueOps -sendMailWithLogFile + +.EXAMPLE + Execute The Script - Automated And Sending The Log File Through Mail - Mode 4 With All RODCs As Scope + + .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 -noInfo -modeOfOperation resetModeKrbTgtTestAccountsResetOnce -targetedADforestFQDN DOMAIN.COM -targetedADdomainFQDN CHILD.DOMAIN.COM -targetKrbTgtAccountScope allRODCs -continueOps -sendMailWithLogFile + +.EXAMPLE + Execute The Script - Automated And Sending The Log File Through Mail - Mode 5 With All RODCs As Scope + + .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 -noInfo -modeOfOperation simulModeKrbTgtProdAccountsWhatIf -targetedADforestFQDN DOMAIN.COM -targetedADdomainFQDN CHILD.DOMAIN.COM -targetKrbTgtAccountScope allRODCs -continueOps -sendMailWithLogFile + +.EXAMPLE + Execute The Script - Automated And Sending The Log File Through Mail - Mode 6 With All RODCs As Scope + + .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 -noInfo -modeOfOperation resetModeKrbTgtProdAccountsResetOnce -targetedADforestFQDN DOMAIN.COM -targetedADdomainFQDN CHILD.DOMAIN.COM -targetKrbTgtAccountScope allRODCs -continueOps -sendMailWithLogFile + +.EXAMPLE + Execute The Script - Automated And Sending The Log File Through Mail - Mode 6 With Specific RODCs (But Not All) As Scope + + .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 -noInfo -modeOfOperation resetModeKrbTgtProdAccountsResetOnce -targetedADforestFQDN DOMAIN.COM -targetedADdomainFQDN CHILD.DOMAIN.COM -targetKrbTgtAccountScope specificRODCs -targetRODCFQDNList "RODC1.DOMAIN.COM","RODC2.DOMAIN.COM","RODC3.DOMAIN.COM" -continueOps -sendMailWithLogFile + +.NOTES + - Required PoSH CMDlets: GPMC PoSH CMDlets on all targeted RWDCs!!! (and the S.DS.P Posh CMDlets are INCLUDED in this script!) + - To execute this script, the account running the script MUST be a member of the "Domain Admins" or Administrators group in the + targeted AD domain. + - If the account used is from another AD domain in the same AD forest, then the account running the script MUST be a member of the + "Enterprise Admins" group in the AD forest or Administrators group in the targeted AD domain. For all AD domains in the same + AD forest, membership of the "Enterprise Admins" group is easier as by default it is a member of the Administrators group in + every AD domain in the AD forest + - If the account used is from another AD domain in another AD forest, then the account running the script MUST be a member of the + "Administrators" group in the targeted AD domain. This also applies to any other target AD domain in that same AD forest + - This is due to the reset of the password for the targeted KrbTgt account(s) and forcing (single object) replication between DCs + - Testing "Domain Admins" membership is done through "IsInRole" method as the group is domain specific + - Testing "Enterprise Admins" membership is done through "IsInRole" method as the group is forest specific + - Testing "Administrators" membership cannot be done through "IsInRole" method as the group exist in every AD domain with the same + SID. To still test for required permissions in that case, the value of the Description attribute of the KRBTGT account is copied + into the Title attribute and cleared afterwards. If both those actions succeed it is proven the required permissions are + in place! + - If User Account Control (UAC) is in effect (i.e. enabled) the script MUST be executed in an elevated Powershell Command Prompt Window! + - When running the script on-demand with an account that does have the correct permissions, the script will ask for credentials with the + correct permissions + - When running the script automated with an account that does have the correct permissions, the script will NOT ask for credentials with the + correct permissions. It will just stop. Therefore in an automated manner, the running account MUST have the correct permissions! + - When mailing of the log file is needed and the mail message must be signed and/or encrypted, then an external DLL is needed to + provide such functionality. The source code can be download from https://www.codeproject.com/Articles/41727/An-S-MIME-Library-for-Sending-Signed-and-Encrypted + and you must compile it yourself! I have NOT reviewed that source code in any way. You MUST review that source code yourself and + determine if you use it or not!. The path of the DLL must be specified in the configuration XML file so that the script can find + it and load it + - When there is a need to SIGN the mail message, then a certificate with a private key (PFX file or in the User Store) is needed for + the sender + - When there is a need to ENCRYPT the mail message, then a certificate (CER file or in the User Store) is needed for EVERY recipient! + In turn, every recipient must have the corresponding certificate with a private key (in the User Store) to be able to decrypt the mail + - When there is a need to SIGN and ENCRYPT the mail message, both of the previous requirements must be met + - To SIGN and/or ENCRYPT the mail message, the correct certificate must be issued and used, such as one with EKU "Secure Email (1.3.6.1.5.5.7.3.4)" + - Configuration XML file "Reset-KrbTgt-Password-For-RWDCs-And-RODCs.xml" structure +============ Configuration XML file ============ + + + + REPLACE_WITH_MAIL_SERVER_FQDN + + + REPLACE_WITH_MAIL_SERVER_SMTP_PORT_NUMERIC_VALUE + + + TRUE_OR_FALSE + + + LEAVE_EMPTY_OR_LEAVE_AS_IS_OR_REPLACE_WITH_USERNAME_IF_USED + LEAVE_EMPTY_OR_LEAVE_AS_IS_OR_REPLACE_WITH_PASSWORD_IF_USED + + + KrbTgt Password Reset Result + + + High + + + +<!DOCTYPE html> +<html> +<head> +<title>KrbTgt_Password_Reset</title> +<style type="text/css"> +</style> +</head> +<body> +<B><P align="center" style="font-size: 24pt; font-family: Arial Narrow, sans-serif; color: red">!!! ATTENTION | FYI - ACTION REQUIRED !!!</P></B> +<hr size=2 width="95%" align=center> +<BR> +<P style="font-size: 12pt; font-family: Arial Narrow, sans-serif;">Hello,</P> +<BR> +<P style="font-size: 12pt; font-family: Arial Narrow, sans-serif;">Please review the attached log file.</P> +<BR> +<P style="font-size: 12pt; font-family: Arial Narrow, sans-serif;">Best regards</P> +</body> +</html> + + + sender_Mail_Address@company.com + + + recipient_To_MailAddress@company.com + + + + + recipient_Cc_MailAddress_1@company.com + recipient_Cc_MailAddress_2@company.com + + + + OFF + OFF + + + + REPLACE_WITH_FULL_FOLDER_PATH_TO_COMPILED_DLL_FILE\Cpi.Net.SecureMail.dll + + + STORE_OR_PFX + STORE_OR_CER + + + LEAVE_EMPTY_OR_LEAVE_AS_IS_OR_REPLACE_WITH_THUMBPRINT_IF_USED + LEAVE_EMPTY_OR_LEAVE_AS_IS_OR_REPLACE_WITH_THUMBPRINT_IF_USED + + + REPLACE_WITH_FULL_FOLDER_PATH_TO_PFX_FILE\cert.pfx + REPLACE_WITH_FULL_FOLDER_PATH_TO_CER_FILE\cert.cer + + + LEAVE_EMPTY_OR_LEAVE_AS_IS_OR_REPLACE_WITH_PFX_PASSWORD_IF_USED + +============ Configuration XML file ============ +#> + +### +# External S.DS.P. PowerShell Module INCLUDED In This Script +### +######################### S.DS.P PowerShell Module v2.1.5 (2022-09-20): https://github.com/jformacek/S.DS.P ######################### +# vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv +# Github Repo: https://github.com/jformacek/S.DS.P +# Applicable License: https://github.com/jformacek/S.DS.P/blob/master/LICENSE.TXT +# Owner: Jiri Formacek +Function Find-LdapObject { + <# +.SYNOPSIS + Searches LDAP server in given search root and using given search filter + +.DESCRIPTION + Searches LDAP server identified by LDAP connection passed as parameter. + Attributes of returned objects are retrieved via ranged attribute retrieval by default. This allows to retrieve all attributes, including computed ones, but has impact on performace as each attribute generated own LDAP server query. Tu turn ranged attribute retrieval off, set parameter RangeSize to zero. + Optionally, attribute values can be transformed to complex types using transform registered for an attribute with 'Load' action. + +.OUTPUTS + Search results as PSCustomObjects with requested properties as strings, byte streams or complex types produced by transforms + +.EXAMPLE +Find-LdapObject -LdapConnection [string]::Empty -SearchFilter:"(&(sn=smith)(objectClass=user)(objectCategory=organizationalPerson))" -SearchBase:"cn=Users,dc=myDomain,dc=com" + +Description +----------- +This command connects to domain controller of caller's domain on port 389 and performs the search + +.EXAMPLE +$Ldap = Get-LdapConnection +Find-LdapObject -LdapConnection $Ldap -SearchFilter:'(&(cn=jsmith)(objectClass=user)(objectCategory=organizationalPerson))' -SearchBase:'ou=Users,dc=myDomain,dc=com' -PropertiesToLoad:@('sAMAccountName','objectSid') -BinaryProps:@('objectSid') + +Description +----------- +This command connects to to domain controller of caller's domain and performs the search, returning value of objectSid attribute as byte stream + +.EXAMPLE +$Ldap = Get-LdapConnection -LdapServer:mydc.mydomain.com -EncryptionType:SSL +Find-LdapObject -LdapConnection $Ldap -SearchFilter:"(&(sn=smith)(objectClass=user)(objectCategory=organizationalPerson))" -SearchBase:"ou=Users,dc=myDomain,dc=com" + +Description +----------- +This command connects to given LDAP server and performs the search via SSL + +.EXAMPLE +$Ldap = Get-LdapConnection -LdapServer "mydc.mydomain.com" + +Find-LdapObject -LdapConnection:$Ldap -SearchFilter:"(&(sn=smith)(objectClass=user)(objectCategory=organizationalPerson))" -SearchBase:"cn=Users,dc=myDomain,dc=com" + +Find-LdapObject -LdapConnection:$Ldap -SearchFilter:"(&(cn=myComputer)(objectClass=computer)(objectCategory=organizationalPerson))" -SearchBase:"ou=Computers,dc=myDomain,dc=com" -PropertiesToLoad:@("cn","managedBy") + +Description +----------- +This command creates the LDAP connection object and passes it as parameter. Connection remains open and ready for reuse in subsequent searches + +.EXAMPLE +Get-LdapConnection -LdapServer "mydc.mydomain.com" | Out-Null + +$Dse = Get-RootDse + +Find-LdapObject -SearchFilter:"(&(sn=smith)(objectClass=user)(objectCategory=organizationalPerson))" -SearchBase:"cn=Users,dc=myDomain,dc=com" + +Find-LdapObject -SearchFilter:"(&(cn=myComputer)(objectClass=computer)(objectCategory=organizationalPerson))" -SearchBase:"ou=Computers,dc=myDomain,dc=com" -PropertiesToLoad:@("cn","managedBy") + +Description +----------- +This command creates the LDAP connection object and stores it in session variable. Following commands take the connection information from session variable, so the connection object does not need to be passed from command line. + +.EXAMPLE +$Ldap = Get-LdapConnection -LdapServer "mydc.mydomain.com" +Find-LdapObject -LdapConnection:$Ldap -SearchFilter:"(&(cn=SEC_*)(objectClass=group)(objectCategory=group))" -SearchBase:"cn=Groups,dc=myDomain,dc=com" | ` +Find-LdapObject -LdapConnection:$Ldap -ASQ:"member" -SearchScope:"Base" -SearchFilter:"(&(objectClass=user)(objectCategory=organizationalPerson))" -propertiesToLoad:@("sAMAccountName","givenName","sn") | ` +Select-Object * -Unique + +Description +----------- +This one-liner lists sAMAccountName, first and last name, and DN of all users who are members of at least one group whose name starts with "SEC_" string + +.EXAMPLE +$Ldap = Get-LdapConnection -Credential (Get-Credential) +Find-LdapObject -LdapConnection $Ldap -SearchFilter:"(&(cn=myComputer)(objectClass=computer)(objectCategory=organizationalPerson))" -SearchBase:"ou=Computers,dc=myDomain,dc=com" -PropertiesToLoad:@("cn","managedBy") -RangeSize 0 + +Description +----------- +This command creates explicit credential and uses it to authenticate LDAP query. +Then command retrieves data without ranged attribute value retrieval. + +.EXAMPLE +$Users = Find-LdapObject -LdapConnection (Get-LdapConnection) -SearchFilter:"(&(sn=smith)(objectClass=user)(objectCategory=organizationalPerson))" -SearchBase:"cn=Users,dc=myDomain,dc=com" -AdditionalProperties:@("Result") +foreach($user in $Users) +{ + try + { + #do some processing + $user.Result="OK" + } + catch + { + #report processing error + $user.Result=$_.Exception.Message + } +} +#report users with results of processing for each of them +$Users + +Description +----------- +This command connects to domain controller of caller's domain on port 389 and performs the search. +For each user found, it also defines 'Result' property on returned object. Property is later used to store result of processing on user account + +.EXAMPLE +$Ldap = Get-LdapConnection -LdapServer:ldap.mycorp.com -AuthType:Anonymous +Find-LdapObject -LdapConnection $ldap -SearchFilter:"(&(sn=smith)(objectClass=user)(objectCategory=organizationalPerson))" -SearchBase:"ou=People,ou=mycorp,o=world" + +Description +----------- +This command connects to given LDAP server and performs the search anonymously. + +.EXAMPLE +$Ldap = Get-LdapConnection -LdapServer:ldap.mycorp.com +$dse = Get-RootDSE -LdapConnection $conn +Find-LdapObject -LdapConnection $ldap -SearchFilter:"(&(objectClass=user)(objectCategory=organizationalPerson))" -SearchBase:"ou=People,ou=mycorp,o=world" -PropertiesToLoad * + +Description +----------- +This command connects to given LDAP server and performs the direct search, retrieving all properties with value from objects found by search + +.EXAMPLE +$Ldap = Get-LdapConnection -LdapServer:ldap.mycorp.com +$dse = Get-RootDSE -LdapConnection $conn +Find-LdapObject -LdapConnection $ldap -SearchFilter:"(&(objectClass=group)(objectCategory=group)(cn=MyVeryLargeGroup))" -SearchBase:"ou=People,ou=mycorp,o=world" -PropertiesToLoad member -RangeSize 1000 + +Description +----------- +This command connects to given LDAP server on default port with Negotiate authentication +Next commands use the connection to get Root DSE object and list of all members of a group, using ranged retrieval ("paging support on LDAP attributes") + +.EXAMPLE +$creds=Get-Credential -UserName 'CN=MyUser,CN=Users,DC=mydomain,DC=com' -Message 'Enter password to user with this DN' -Title 'Password needed' +Get-LdapConnection -LdapServer dc.mydomain.com -Port 636 -AuthType Basic -Credential $creds | Out-Null +$dse = Get-RootDSE + +Description +----------- +This command connects to given LDAP server with simple bind over TLS (TLS needed for basic authentication), storing the connection in session variable. +Next command uses connection from session variable to get Root DSE object. +Usage of Basic authentication is typically way to go on client platforms that do not support other authentication schemes, such as Negotiate + +.EXAMPLE +Get-LdapConnection -LdapServer dc.mydomain.com | Out-Null +$dse = Get-RootDSE +#obtain initial sync cookie valid from now on +Find-LdapObject -searchBase $dse.defaultNamingContext -searchFilter '(objectClass=domainDns)' -PropertiesToLoad 'name' -DirSync Standard | Out-Null +$show the cookie +Get-LdapDirSyncCookie + +Description +----------- +This command connects to given LDAP server and obtains initial cookie that represents current time - output does not contain full sync. + +.LINK +More about System.DirectoryServices.Protocols: http://msdn.microsoft.com/en-us/library/bb332056.aspx +#> + Param ( + [parameter()] + [System.DirectoryServices.Protocols.LdapConnection] + #existing LDAPConnection object retrieved with cmdlet Get-LdapConnection + #When we perform many searches, it is more effective to use the same conbnection rather than create new connection for each search request. + $LdapConnection = $script:LdapConnection, + + [parameter(Mandatory = $true)] + [String] + #Search filter in LDAP syntax + $searchFilter, + + [parameter(Mandatory = $false, ValueFromPipeline=$true)] + [Object] + #DN of container where to search + $searchBase, + + [parameter(Mandatory = $false)] + [System.DirectoryServices.Protocols.SearchScope] + #Search scope + #Ignored for DirSync searches + #Default: Subtree + $searchScope='Subtree', + + [parameter(Mandatory = $false)] + [String[]] + #List of properties we want to return for objects we find. + #Default: empty array, meaning no properties are returned + $PropertiesToLoad=@(), + + [parameter(Mandatory = $false)] + [String] + #Name of attribute for ASQ search. + #Ignored for DirSync searches + #Note: searchScope must be set to Base for this type of seach + #Default: empty string + $ASQ, + + [parameter(Mandatory = $false)] + [UInt32] + #Page size for paged search. Zero means that paging is disabled + #Ignored for DirSync searches + #Default: 500 + $PageSize=500, + + [parameter(Mandatory = $false)] + [Int32] + # Specification of attribute value retrieval mode + # Negative value means that attribute values are loaded directly with list of objects + # Zero means that ranged attribute value retrieval is disabled and attribute values are returned in single request. + # Positive value means that each attribute value is loaded in dedicated requests in batches of given size. Usable for loading of group members + # Ignored for DirSync searches + # Note: Default in query policy in AD is 1500; make sure that you do not use here higher value than allowed by LDAP server + # Default: -1 (means that ranged attribute retrieval is not used by default) + # IMPORTANT: default changed in v2.1.1 - previously it was 1000. Changed because it typically caused large perforrmance impact when using -PropsToLoad '*' + $RangeSize=-1, + + [parameter(Mandatory=$false)] + [Int32] + #Max number of results to return from the search + #Negative number means that all available results are returned + #Ignored for DirSync searches + $SizeLimit = -1, + [parameter(Mandatory = $false)] + [alias('BinaryProperties')] + [String[]] + #List of properties that we want to load as byte stream. + #Note: Those properties must also be present in PropertiesToLoad parameter. Properties not listed here are loaded as strings + #Note: When using transform for a property, then transform "knows" if it's binary or not, so no need to specify it in BinaryProps + #Default: empty list, which means that all properties are loaded as strings + $BinaryProps=@(), + + [parameter(Mandatory = $false)] + [String[]] + <# + List of properties that we want to be defined on output object, but we do not want to load them from AD. + Properties listed here must NOT occur in propertiesToLoad list + Command defines properties on output objects and sets the value to $null + Good for having output object with all props that we need for further processing, so we do not need to add them ourselves + Default: empty list, which means that we don't want any additional propertis defined on output object + #> + $AdditionalProperties=@(), + + [parameter(Mandatory = $false)] + [System.DirectoryServices.Protocols.DirectoryControl[]] + #additional controls that caller may need to add to request + $AdditionalControls=@(), + + [parameter(Mandatory = $false)] + [Timespan] + #Number of seconds before request times out. + #Default: [TimeSpan]::Zero, which means that no specific timeout provided + $Timeout = [TimeSpan]::Zero, + + [Parameter(Mandatory=$false)] + [ValidateSet('None','Standard','ObjectSecurity','StandardIncremental','ObjectSecurityIncremental')] + [string] + #whether to issue search with DirSync. Allowed options: + #None: Standard searxh without DirSync + #Standard: Dirsync search using standard permisions of caller. Requires Replicate Directory Changes permission + #ObjectSecurity: DirSync search using Replicate Direcory Changes permission that reveals object that caller normally does not have permission to see. Requires Requires Replicate Directory Changes All permission + #Note: When Standard or ObjectSecurity specified, searchBase must be set to root of directory partition + #For specs, see https://docs.microsoft.com/en-us/openspecs/windows_protocols/MS-ADTS/2213a7f2-0a36-483c-b2a4-8574d53aa1e3 + #Default: None, which means search without DirSync + $DirSync = 'None', + + [Switch] + #Whether to alphabetically sort attributes on returned objects + $SortAttributes + ) + + Begin + { + EnsureLdapConnection -LdapConnection $LdapConnection + Function PostProcess { + param + ( + [Parameter(ValueFromPipeline)] + [System.Collections.Hashtable]$data, + [bool]$Sort + ) + + process + { + #Flatten + $coll=@($data.Keys) + foreach($prop in $coll) { + $data[$prop] = [Flattener]::FlattenArray($data[$prop]) + <# + #support for DirSync struct for Add/Remove values of multival props + if($data[$prop] -is [System.Collections.Hashtable]) + { + $data[$prop] = [pscustomobject]$data[$prop] + } + #> + } + if($Sort) + { + #flatten and sort attributes + $coll=@($coll | Sort-Object) + $sortedData=[ordered]@{} + foreach($prop in $coll) {$sortedData[$prop] = $data[$prop]} + #return result to pipeline + [PSCustomObject]$sortedData + } + else { + [PSCustomObject]$data + } + } + } + + #remove unwanted props + $PropertiesToLoad=@($propertiesToLoad | where-object {$_ -notin @('distinguishedName','1.1')}) + #if asterisk in list of props to load, load all props available on object despite of required list + if($propertiesToLoad.Count -eq 0) {$NoAttributes=$true} else {$NoAttributes=$false} + if('*' -in $PropertiesToLoad) {$PropertiesToLoad=@()} + + #configure LDAP connection + #preserve original value of referral chasing + $referralChasing = $LdapConnection.SessionOptions.ReferralChasing + if($pageSize -gt 0) { + #paged search silently fails in AD when chasing referrals + $LdapConnection.SessionOptions.ReferralChasing="None" + } + } + + Process { + #build request + $rq=new-object System.DirectoryServices.Protocols.SearchRequest + + #search base + #we support passing $null as SearchBase - used for Global Catalog searches + if($null -ne $searchBase) + { + #we support pipelining of strings, or objects containing distinguishedName property + switch($searchBase.GetType().Name) { + "String" + { + $rq.DistinguishedName=$searchBase + } + default + { + if($null -ne $searchBase.distinguishedName) + { + $rq.DistinguishedName=$searchBase.distinguishedName + } + } + } + } + + #search filter in LDAP syntax + $rq.Filter=$searchFilter + + + if($DirSync -eq 'None') + { + #paged search control for paged search + #for DirSync searches, paging is not used + if($pageSize -gt 0) { + [System.DirectoryServices.Protocols.PageResultRequestControl]$pagedRqc = new-object System.DirectoryServices.Protocols.PageResultRequestControl($pageSize) + #asking server for best effort with paging + $pagedRqc.IsCritical=$false + $rq.Controls.Add($pagedRqc) | Out-Null + } + + #Attribute scoped query + #Not supported for DirSync + if(-not [String]::IsNullOrEmpty($asq)) { + [System.DirectoryServices.Protocols.AsqRequestControl]$asqRqc=new-object System.DirectoryServices.Protocols.AsqRequestControl($ASQ) + $rq.Controls.Add($asqRqc) | Out-Null + } + + #search scope + $rq.Scope=$searchScope + + #size limit + if($SizeLimit -gt 0) + { + $rq.SizeLimit = $SizeLimit + } + } + else { + #specifics for DirSync searches + + #only supported scope is subtree + $rq.Scope = 'Subtree' + + #Windows AD/LDS server always returns objectGuid for DirSync. + #We do not want to hide it, we just make sure it is returned in proper format + if('objectGuid' -notin $BinaryProps) + { + $BinaryProps+='objectGuid' + } + } + + #add additional controls that caller may have passed + foreach($ctrl in $AdditionalControls) {$rq.Controls.Add($ctrl) | Out-Null} + + if($Timeout -ne [timespan]::Zero) + { + #server side timeout + $rq.TimeLimit=$Timeout + } + + switch($DirSync) + { + 'None' { + #standard search + if($NoAttributes) + { + #just run as fast as possible when not loading any attribs + GetResultsDirectlyInternal -rq $rq -conn $LdapConnection -PropertiesToLoad $PropertiesToLoad -AdditionalProperties $AdditionalProperties -BinaryProperties $BinaryProps -Timeout $Timeout -NoAttributes | PostProcess + } + else { + #load attributes according to desired strategy + switch($RangeSize) + { + {$_ -lt 0} { + #directly via single ldap call + #some attribs may not be loaded (e.g. computed) + GetResultsDirectlyInternal -rq $rq -conn $LdapConnection -PropertiesToLoad $PropertiesToLoad -AdditionalProperties $AdditionalProperties -BinaryProperties $BinaryProps -Timeout $Timeout | PostProcess -Sort $SortAttributes + break + } + 0 { + #query attributes for each object returned using base search + #but not using ranged retrieval, so multivalued attributes with many values may not be returned completely + GetResultsIndirectlyInternal -rq $rq -conn $LdapConnection -PropertiesToLoad $PropertiesToLoad -AdditionalProperties $AdditionalProperties -AdditionalControls $AdditionalControls -BinaryProperties $BinaryProps -Timeout $Timeout | PostProcess -Sort $SortAttributes + break + } + {$_ -gt 0} { + #query attributes for each object returned using base search and each attribute value with ranged retrieval + #so even multivalued attributes with many values are returned completely + GetResultsIndirectlyRangedInternal -rq $rq -conn $LdapConnection -PropertiesToLoad $PropertiesToLoad -AdditionalProperties $AdditionalProperties -AdditionalControls $AdditionalControls -BinaryProperties $BinaryProps -Timeout $Timeout -RangeSize $RangeSize | PostProcess -Sort $SortAttributes + break + } + } + } + break; + } + 'Standard' { + GetResultsDirSyncInternal -rq $rq -conn $LdapConnection -PropertiesToLoad $PropertiesToLoad -AdditionalProperties $AdditionalProperties -BinaryProperties $BinaryProps -Timeout $Timeout | PostProcess -Sort $SortAttributes + break; + } + 'ObjectSecurity' { + GetResultsDirSyncInternal -rq $rq -conn $LdapConnection -PropertiesToLoad $PropertiesToLoad -AdditionalProperties $AdditionalProperties -BinaryProperties $BinaryProps -Timeout $Timeout -ObjectSecurity | PostProcess -Sort $SortAttributes + break; + } + 'StandardIncremental' { + GetResultsDirSyncInternal -rq $rq -conn $LdapConnection -PropertiesToLoad $PropertiesToLoad -AdditionalProperties $AdditionalProperties -BinaryProperties $BinaryProps -Timeout $Timeout -Incremental | PostProcess -Sort $SortAttributes + break; + } + 'ObjectSecurityIncremental' { + GetResultsDirSyncInternal -rq $rq -conn $LdapConnection -PropertiesToLoad $PropertiesToLoad -AdditionalProperties $AdditionalProperties -BinaryProperties $BinaryProps -Timeout $Timeout -ObjectSecurity -Incremental | PostProcess -Sort $SortAttributes + break; + } + } + } + + End + { + if(($pageSize -gt 0) -and ($null -ne $ReferralChasing)) { + #revert to original value of referral chasing on connection + $LdapConnection.SessionOptions.ReferralChasing=$ReferralChasing + } + } +} + +Function Get-RootDSE { +<# +.SYNOPSIS + Connects to LDAP server and retrieves metadata + +.DESCRIPTION + Retrieves LDAP server metadata from Root DSE object + Current implementation is specialized to metadata foung on Windows LDAP server, so on other platforms, some metadata may be empty. + Or other platforms may publish interesting metadata not available on Windwos LDAP - feel free to add here + +.OUTPUTS + Custom object containing information about LDAP server + +.EXAMPLE +Get-LdapConnection | Get-RootDSE + +Description +----------- +This command connects to closest domain controller of caller's domain on port 389 and returns metadata about the server + +.EXAMPLE +#connect to server and authenticate with client certificate +$thumb = '059d5318118e61fe54fd361ae07baf4644a67347' +cert = (dir Cert:\CurrentUser\my).Where{$_.Thumbprint -eq $Thumb}[0] +Get-LdapConnection -LdapServer "mydc.mydomain.com" ` + -Port 636 ` + -ClientCertificate $cert ` + -CertificateValidationFlags [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreRootRevocationUnknown + +Description +----------- +Gets Ldap connection authenticated by client certificate authentication and allowing server certificate from CA with unavailable CRL. + +.LINK +More about System.DirectoryServices.Protocols: http://msdn.microsoft.com/en-us/library/bb332056.aspx +#> + + Param ( + [parameter(ValueFromPipeline = $true)] + [System.DirectoryServices.Protocols.LdapConnection] + #existing LDAPConnection object retrieved via Get-LdapConnection + #When we perform many searches, it is more effective to use the same connection rather than create new connection for each search request. + $LdapConnection = $script:LdapConnection + ) + Begin + { + EnsureLdapConnection -LdapConnection $LdapConnection + + #initialize output objects via hashtable --> faster than add-member + #create default initializer beforehand + $propDef=[ordered]@{` + rootDomainNamingContext=$null; configurationNamingContext=$null; schemaNamingContext=$null; ` + 'defaultNamingContext'=$null; 'namingContexts'=$null; ` + 'dnsHostName'=$null; 'ldapServiceName'=$null; 'dsServiceName'=$null; 'serverName'=$null;` + 'supportedLdapPolicies'=$null; 'supportedSASLMechanisms'=$null; 'supportedControl'=$null; 'supportedConfigurableSettings'=$null; ` + 'currentTime'=$null; 'highestCommittedUSN' = $null; 'approximateHighestInternalObjectID'=$null; ` + 'dsSchemaAttrCount'=$null; 'dsSchemaClassCount'=$null; 'dsSchemaPrefixCount'=$null; ` + 'isGlobalCatalogReady'=$null; 'isSynchronized'=$null; 'pendingPropagations'=$null; ` + 'domainControllerFunctionality' = $null; 'domainFunctionality'=$null; 'forestFunctionality'=$null; ` + 'subSchemaSubEntry'=$null; ` + 'msDS-ReplAllInboundNeighbors'=$null; 'msDS-ReplConnectionFailures'=$null; 'msDS-ReplLinkFailures'=$null; 'msDS-ReplPendingOps'=$null; ` + 'dsaVersionString'=$null; 'serviceAccountInfo'=$null; 'LDAPPoliciesEffective'=$null ` + } + } + Process { + + #build request + $rq=new-object System.DirectoryServices.Protocols.SearchRequest + $rq.Scope = [System.DirectoryServices.Protocols.SearchScope]::Base + $rq.Attributes.AddRange($propDef.Keys) | Out-Null + + #try to get extra information with ExtendedDNControl + #RFC4511: Server MUST ignore unsupported controls marked as not critical + [System.DirectoryServices.Protocols.ExtendedDNControl]$exRqc = new-object System.DirectoryServices.Protocols.ExtendedDNControl('StandardString') + $exRqc.IsCritical=$false + $rq.Controls.Add($exRqc) | Out-Null + + try { + $rsp=$LdapConnection.SendRequest($rq) + } + catch { + throw $_.Exception + return + } + #if there was error, let the exception go to caller and do not continue + + #sometimes server does not return anything if we ask for property that is not supported by protocol + if($rsp.Entries.Count -eq 0) { + return; + } + + $data=[PSCustomObject]$propDef + + if ($rsp.Entries[0].Attributes['configurationNamingContext']) { + $data.configurationNamingContext = [NamingContext]::Parse($rsp.Entries[0].Attributes['configurationNamingContext'].GetValues([string])[0]) + } + if ($rsp.Entries[0].Attributes['schemaNamingContext']) { + $data.schemaNamingContext = [NamingContext]::Parse(($rsp.Entries[0].Attributes['schemaNamingContext'].GetValues([string]))[0]) + } + if ($rsp.Entries[0].Attributes['rootDomainNamingContext']) { + $data.rootDomainNamingContext = [NamingContext]::Parse($rsp.Entries[0].Attributes['rootDomainNamingContext'].GetValues([string])[0]) + } + if ($rsp.Entries[0].Attributes['defaultNamingContext']) { + $data.defaultNamingContext = [NamingContext]::Parse($rsp.Entries[0].Attributes['defaultNamingContext'].GetValues([string])[0]) + } + if($null -ne $rsp.Entries[0].Attributes['approximateHighestInternalObjectID']) { + try { + $data.approximateHighestInternalObjectID=[long]::Parse($rsp.Entries[0].Attributes['approximateHighestInternalObjectID'].GetValues([string])) + } + catch { + #it isn't a numeric, just return what's stored without parsing + $data.approximateHighestInternalObjectID=$rsp.Entries[0].Attributes['approximateHighestInternalObjectID'].GetValues([string]) + } + } + if($null -ne $rsp.Entries[0].Attributes['highestCommittedUSN']) { + try { + $data.highestCommittedUSN=[long]::Parse($rsp.Entries[0].Attributes['highestCommittedUSN'].GetValues([string])) + } + catch { + #it isn't a numeric, just return what's stored without parsing + $data.highestCommittedUSN=$rsp.Entries[0].Attributes['highestCommittedUSN'].GetValues([string]) + } + } + if($null -ne $rsp.Entries[0].Attributes['currentTime']) { + $val = ($rsp.Entries[0].Attributes['currentTime'].GetValues([string]))[0] + try { + $data.currentTime = [DateTime]::ParseExact($val,'yyyyMMddHHmmss.fZ',[CultureInfo]::InvariantCulture,[System.Globalization.DateTimeStyles]::None) + } + catch { + $data.currentTime=$val + } + } + if($null -ne $rsp.Entries[0].Attributes['dnsHostName']) { + $data.dnsHostName = ($rsp.Entries[0].Attributes['dnsHostName'].GetValues([string]))[0] + } + if($null -ne $rsp.Entries[0].Attributes['ldapServiceName']) { + $data.ldapServiceName = ($rsp.Entries[0].Attributes['ldapServiceName'].GetValues([string]))[0] + } + if($null -ne $rsp.Entries[0].Attributes['dsServiceName']) { + $val = ($rsp.Entries[0].Attributes['dsServiceName'].GetValues([string]))[0] + if($val.Contains(';')) + { + $data.dsServiceName = $val.Split(';') + } + else { + $data.dsServiceName=$val + } + } + if($null -ne $rsp.Entries[0].Attributes['serverName']) { + $val = ($rsp.Entries[0].Attributes['serverName'].GetValues([string]))[0] + if($val.Contains(';')) + { + $data.serverName = $val.Split(';') + } + else { + $data.serverName=$val + } + } + if($null -ne $rsp.Entries[0].Attributes['supportedControl']) { + $data.supportedControl = ( ($rsp.Entries[0].Attributes['supportedControl'].GetValues([string])) | Sort-Object ) + } + if($null -ne $rsp.Entries[0].Attributes['supportedLdapPolicies']) { + $data.supportedLdapPolicies = ( ($rsp.Entries[0].Attributes['supportedLdapPolicies'].GetValues([string])) | Sort-Object ) + } + if($null -ne $rsp.Entries[0].Attributes['supportedSASLMechanisms']) { + $data.supportedSASLMechanisms = ( ($rsp.Entries[0].Attributes['supportedSASLMechanisms'].GetValues([string])) | Sort-Object ) + } + if($null -ne $rsp.Entries[0].Attributes['supportedConfigurableSettings']) { + $data.supportedConfigurableSettings = ( ($rsp.Entries[0].Attributes['supportedConfigurableSettings'].GetValues([string])) | Sort-Object ) + } + if($null -ne $rsp.Entries[0].Attributes['namingContexts']) { + $data.namingContexts = @() + foreach($ctxDef in ($rsp.Entries[0].Attributes['namingContexts'].GetValues([string]))) { + $data.namingContexts+=[NamingContext]::Parse($ctxDef) + } + } + if($null -ne $rsp.Entries[0].Attributes['dsSchemaAttrCount']) { + [long]$outVal=-1 + [long]::TryParse($rsp.Entries[0].Attributes['dsSchemaAttrCount'].GetValues([string]),[ref]$outVal) | Out-Null + $data.dsSchemaAttrCount=$outVal + } + if($null -ne $rsp.Entries[0].Attributes['dsSchemaClassCount']) { + [long]$outVal=-1 + [long]::TryParse($rsp.Entries[0].Attributes['dsSchemaClassCount'].GetValues([string]),[ref]$outVal) | Out-Null + $data.dsSchemaClassCount=$outVal + } + if($null -ne $rsp.Entries[0].Attributes['dsSchemaPrefixCount']) { + [long]$outVal=-1 + [long]::TryParse($rsp.Entries[0].Attributes['dsSchemaPrefixCount'].GetValues([string]),[ref]$outVal) | Out-Null + $data.dsSchemaPrefixCount=$outVal + } + if($null -ne $rsp.Entries[0].Attributes['isGlobalCatalogReady']) { + $data.isGlobalCatalogReady=[bool]$rsp.Entries[0].Attributes['isGlobalCatalogReady'].GetValues([string]) + } + if($null -ne $rsp.Entries[0].Attributes['isSynchronized']) { + $data.isSynchronized=[bool]$rsp.Entries[0].Attributes['isSynchronized'].GetValues([string]) + } + if($null -ne $rsp.Entries[0].Attributes['pendingPropagations']) { + $data.pendingPropagations=$rsp.Entries[0].Attributes['pendingPropagations'].GetValues([string]) + } + if($null -ne $rsp.Entries[0].Attributes['subSchemaSubEntry']) { + $data.subSchemaSubEntry=$rsp.Entries[0].Attributes['subSchemaSubEntry'].GetValues([string])[0] + } + if($null -ne $rsp.Entries[0].Attributes['domainControllerFunctionality']) { + $data.domainControllerFunctionality=[int]$rsp.Entries[0].Attributes['domainControllerFunctionality'].GetValues([string])[0] + } + if($null -ne $rsp.Entries[0].Attributes['domainFunctionality']) { + $data.domainFunctionality=[int]$rsp.Entries[0].Attributes['domainFunctionality'].GetValues([string])[0] + } + if($null -ne $rsp.Entries[0].Attributes['forestFunctionality']) { + $data.forestFunctionality=[int]$rsp.Entries[0].Attributes['forestFunctionality'].GetValues([string])[0] + } + if($null -ne $rsp.Entries[0].Attributes['msDS-ReplAllInboundNeighbors']) { + $data.'msDS-ReplAllInboundNeighbors'=@() + foreach($val in $rsp.Entries[0].Attributes['msDS-ReplAllInboundNeighbors'].GetValues([string])) { + $data.'msDS-ReplAllInboundNeighbors'+=[xml]$Val.SubString(0,$Val.Length-2) + } + } + if($null -ne $rsp.Entries[0].Attributes['msDS-ReplConnectionFailures']) { + $data.'msDS-ReplConnectionFailures'=@() + foreach($val in $rsp.Entries[0].Attributes['msDS-ReplConnectionFailures'].GetValues([string])) { + $data.'msDS-ReplConnectionFailures'+=[xml]$Val.SubString(0,$Val.Length-2) + } + } + if($null -ne $rsp.Entries[0].Attributes['msDS-ReplLinkFailures']) { + $data.'msDS-ReplLinkFailures'=@() + foreach($val in $rsp.Entries[0].Attributes['msDS-ReplLinkFailures'].GetValues([string])) { + $data.'msDS-ReplLinkFailures'+=[xml]$Val.SubString(0,$Val.Length-2) + } + } + if($null -ne $rsp.Entries[0].Attributes['msDS-ReplPendingOps']) { + $data.'msDS-ReplPendingOps'=@() + foreach($val in $rsp.Entries[0].Attributes['msDS-ReplPendingOps'].GetValues([string])) { + $data.'msDS-ReplPendingOps'+=[xml]$Val.SubString(0,$Val.Length-2) + } + } + if($null -ne $rsp.Entries[0].Attributes['dsaVersionString']) { + $data.dsaVersionString=$rsp.Entries[0].Attributes['dsaVersionString'].GetValues([string])[0] + } + if($null -ne $rsp.Entries[0].Attributes['serviceAccountInfo']) { + $data.serviceAccountInfo=$rsp.Entries[0].Attributes['serviceAccountInfo'].GetValues([string]) + } + if($null -ne $rsp.Entries[0].Attributes['LDAPPoliciesEffective']) { + $data.LDAPPoliciesEffective=@{} + foreach($val in $rsp.Entries[0].Attributes['LDAPPoliciesEffective'].GetValues([string])) + { + $vals=$val.Split(':') + if($vals.Length -gt 1) { + $data.LDAPPoliciesEffective[$vals[0]]=$vals[1] + } + } + } + $data + } +} + +Function Get-LdapConnection +{ +<# +.SYNOPSIS + Connects to LDAP server and returns LdapConnection object + +.DESCRIPTION + Creates connection to LDAP server according to parameters passed. +.OUTPUTS + LdapConnection object + +.EXAMPLE +Get-LdapConnection -LdapServer "mydc.mydomain.com" -EncryptionType Kerberos + +Description +----------- +Returns LdapConnection for caller's domain controller, with active Kerberos Encryption for data transfer security + +.EXAMPLE +Get-LdapConnection -LdapServer "mydc.mydomain.com" -EncryptionType Kerberos -Credential (Get-AdmPwdCredential) + +Description +----------- +Returns LdapConnection for caller's domain controller, with active Kerberos Encryption for data transfer security, authenticated by automatically retrieved password from AdmPwd.E client + +.EXAMPLE +$thumb = '059d5318118e61fe54fd361ae07baf4644a67347' +$cert = (dir Cert:\CurrentUser\my).Where{$_.Thumbprint -eq $Thumb}[0] +Get-LdapConnection -LdapServer "mydc.mydomain.com" -Port 636 -CertificateValidationFlags ([System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority) -ClientCertificate $cert + +Description +----------- +Returns LdapConnection over SSL for given LDAP server, authenticated by a client certificate and allowing LDAP server to use self-signed certificate +.LINK +More about System.DirectoryServices.Protocols: http://msdn.microsoft.com/en-us/library/bb332056.aspx +#> + Param + ( + [parameter(Mandatory = $false)] + [String[]] + #LDAP server name + #Default: default server given by environment + $LdapServer=[String]::Empty, + + [parameter(Mandatory = $false)] + [Int32] + #LDAP server port + #Default: 389 + $Port=389, + + [parameter(Mandatory = $false)] + [PSCredential] + #Use different credentials when connecting + $Credential=$null, + + [parameter(Mandatory = $false)] + [ValidateSet('None','TLS','SSL','Kerberos')] + [string] + #Type of encryption to use. + $EncryptionType='None', + + [Switch] + #enable support for Fast Concurrent Bind + $FastConcurrentBind, + + [Switch] + #enable support for UDP transport + $ConnectionLess, + + [parameter(Mandatory = $false)] + [Timespan] + #Time before connection times out. + #Default: 120 seconds + $Timeout = [TimeSpan]::Zero, + + [Parameter(Mandatory = $false)] + [System.DirectoryServices.Protocols.AuthType] + #The type of authentication to use with the LdapConnection + $AuthType, + + [Parameter(Mandatory = $false)] + [int] + #Requested LDAP protocol version + $ProtocolVersion = 3, + + [Parameter(Mandatory = $false)] + [System.Security.Cryptography.X509Certificates.X509VerificationFlags] + #Requested LDAP protocol version + $CertificateValidationFlags = 'NoFlag', + + [Parameter(Mandatory = $false)] + [System.Security.Cryptography.X509Certificates.X509Certificate2] + #Client certificate used for authenticcation instead of credentials + #See https://docs.microsoft.com/en-us/windows/win32/api/winldap/nc-winldap-queryclientcert + $ClientCertificate + ) + + Begin + { + if($null -eq $script:ConnectionParams) + { + $script:ConnectionParams=@{} + } + } + Process + { + + $FullyQualifiedDomainName=$false; + [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]$di=new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapServer, $Port, $FullyQualifiedDomainName, $ConnectionLess) + + if($null -ne $Credential) + { + $LdapConnection=new-object System.DirectoryServices.Protocols.LdapConnection($di, $Credential.GetNetworkCredential()) + } + else + { + $LdapConnection=new-object System.DirectoryServices.Protocols.LdapConnection($di) + } + $LdapConnection.SessionOptions.ProtocolVersion=$ProtocolVersion + + + #store connection params for each server in global variable, so as it is reachable from callback scriptblocks + $connectionParams=@{} + foreach($server in $LdapServer) {$script:ConnectionParams[$server]=$connectionParams} + if($CertificateValidationFlags -ne 'NoFlag') + { + $connectionParams['ServerCertificateValidationFlags'] = $CertificateValidationFlags + #server certificate validation callback + $LdapConnection.SessionOptions.VerifyServerCertificate = { + param( + [Parameter(Mandatory)][DirectoryServices.Protocols.LdapConnection]$LdapConnection, + [Parameter(Mandatory)][Security.Cryptography.X509Certificates.X509Certificate2]$Certificate + ) + [System.Security.Cryptography.X509Certificates.X509Chain] $chain = new-object System.Security.Cryptography.X509Certificates.X509Chain + foreach($server in $LdapConnection.Directory.Servers) + { + if($server -in $script:ConnectionParams.Keys) + { + $connectionParam=$script:ConnectionParams[$server] + if($null -ne $connectionParam['ServerCertificateValidationFlags']) + { + $chain.ChainPolicy.VerificationFlags = $connectionParam['ServerCertificateValidationFlags'] + break; + } + } + } + $result = $chain.Build($Certificate) + return $result + } + } + + if($null -ne $ClientCertificate) + { + $connectionParams['ClientCertificate'] = $ClientCertificate + #client certificate retrieval callback + #we just support explicit certificate now + $LdapConnection.SessionOptions.QueryClientCertificate = { param( + [Parameter(Mandatory)][DirectoryServices.Protocols.LdapConnection]$LdapConnection, + [Parameter(Mandatory)][byte[][]]$TrustedCAs + ) + $clientCert = $null + foreach($server in $LdapConnection.Directory.Servers) + { + if($server -in $script:ConnectionParams.Keys) + { + $connectionParam=$script:ConnectionParams[$server] + if($null -ne $connectionParam['ClientCertificate']) + { + $clientCert = $connectionParam['ClientCertificate'] + break; + } + } + } + return $clientCert + } + } + + if ($null -ne $AuthType) { + $LdapConnection.AuthType = $AuthType + } + + + switch($EncryptionType) { + 'None' {break} + 'TLS' { + $LdapConnection.SessionOptions.StartTransportLayerSecurity($null) + break + } + 'Kerberos' { + $LdapConnection.SessionOptions.Sealing=$true + $LdapConnection.SessionOptions.Signing=$true + break + } + 'SSL' { + $LdapConnection.SessionOptions.SecureSocketLayer=$true + break + } + } + if($Timeout -ne [TimeSpan]::Zero) + { + $LdapConnection.Timeout = $Timeout + } + + if($FastConcurrentBind) { + $LdapConnection.SessionOptions.FastConcurrentBind() + } + $script:LdapConnection = $LdapConnection + $LdapConnection + } +} + + +Function Add-LdapObject +{ +<# +.SYNOPSIS + Creates a new object in LDAP server + +.DESCRIPTION + Creates a new object in LDAP server. + Optionally performs attribute transforms registered for Save action before saving changes + +.OUTPUTS + Nothing + +.EXAMPLE +$obj = [PSCustomObject]@{distinguishedName=$null; objectClass=$null; sAMAccountName=$null; unicodePwd=$null; userAccountControl=0} +$obj.DistinguishedName = "cn=user1,cn=users,dc=mydomain,dc=com" +$obj.sAMAccountName = "User1" +$obj.ObjectClass = "User" +$obj.unicodePwd = "P@ssw0rd" +$obj.userAccountControl = "512" + +$Ldap = Get-LdapConnection -LdapServer "mydc.mydomain.com" -EncryptionType Kerberos +Register-LdapAttributeTransform -name UnicodePwd -AttributeName unicodePwd +Add-LdapObject -LdapConnection $Ldap -Object $obj -BinaryProps unicodePwd + +Description +----------- +Creates new user account in domain. +Password is transformed to format expected by LDAP services by registered attribute transform + +.LINK +More about System.DirectoryServices.Protocols: http://msdn.microsoft.com/en-us/library/bb332056.aspx + +#> + Param ( + [parameter(Mandatory = $true, ValueFromPipeline=$true)] + [PSObject] + #Source object to copy properties from + $Object, + + [parameter()] + [String[]] + #Properties to ignore on source object + $IgnoredProps=@(), + + [parameter(Mandatory = $false)] + [String[]] + #List of properties that we want to handle as byte stream. + #Note: Properties not listed here are handled as strings + #Default: empty list, which means that all properties are handled as strings + $BinaryProps=@(), + + [parameter()] + [System.DirectoryServices.Protocols.LdapConnection] + #Existing LDAPConnection object. + $LdapConnection = $script:LdapConnection, + + [parameter(Mandatory = $false)] + [System.DirectoryServices.Protocols.DirectoryControl[]] + #Additional controls that caller may need to add to request + $AdditionalControls=@(), + + [parameter(Mandatory = $false)] + [Timespan] + #Time before connection times out. + #Default: [TimeSpan]::Zero, which means that no specific timeout provided + $Timeout = [TimeSpan]::Zero, + + [Switch] + #When turned on, command returns created object to pipeline + #This is useful when further processing needed on object + $Passthrough + ) + + begin + { + EnsureLdapConnection -LdapConnection $LdapConnection + } + + Process + { + if([string]::IsNullOrEmpty($Object.DistinguishedName)) { + throw (new-object System.ArgumentException("Input object missing DistinguishedName property")) + } + [System.DirectoryServices.Protocols.AddRequest]$rqAdd=new-object System.DirectoryServices.Protocols.AddRequest + $rqAdd.DistinguishedName=$Object.DistinguishedName + + #add additional controls that caller may have passed + foreach($ctrl in $AdditionalControls) {$rqAdd.Controls.Add($ctrl) | Out-Null} + + foreach($prop in (Get-Member -InputObject $Object -MemberType NoteProperty)) { + if($prop.Name -eq "distinguishedName") {continue} + if($IgnoredProps -contains $prop.Name) {continue} + [System.DirectoryServices.Protocols.DirectoryAttribute]$propAdd=new-object System.DirectoryServices.Protocols.DirectoryAttribute + $transform = $script:RegisteredTransforms[$prop.Name] + $binaryInput = ($null -ne $transform -and $transform.BinaryInput -eq $true) -or ($prop.Name -in $BinaryProps) + $propAdd.Name=$prop.Name + + if($null -ne $transform -and $null -ne $transform.OnSave) { + #transform defined -> transform to form accepted by directory + $attrVal = @(& $transform.OnSave -Values $Object.($prop.Name)) + } + else { + #no transform defined - take value as-is + $attrVal = $Object.($prop.Name) + } + + if($null -ne $attrVal) #ignore empty props + { + if($binaryInput) { + foreach($val in $attrVal) { + $propAdd.Add([byte[]]$val) | Out-Null + } + } else { + $propAdd.AddRange([string[]]($attrVal)) + } + + if($propAdd.Count -gt 0) { + $rqAdd.Attributes.Add($propAdd) | Out-Null + } + } + } + if($rqAdd.Attributes.Count -gt 0) { + if($Timeout -ne [TimeSpan]::Zero) + { + $LdapConnection.SendRequest($rqAdd, $Timeout) -as [System.DirectoryServices.Protocols.AddResponse] | Out-Null + } + else { + $LdapConnection.SendRequest($rqAdd) -as [System.DirectoryServices.Protocols.AddResponse] | Out-Null + } + } + if($Passthrough) + { + $Object + } + } +} + +Function Edit-LdapObject +{ +<# +.SYNOPSIS + Modifies existing object in LDAP server + +.DESCRIPTION + Modifies existing object in LDAP server. + Optionally performs attribute transforms registered for Save action before saving changes + +.OUTPUTS + Nothing + +.EXAMPLE +$obj = [PSCustomObject]@{distinguishedName=$null; employeeNumber=$null} +$obj.DistinguishedName = "cn=user1,cn=users,dc=mydomain,dc=com" +$obj.employeeNumber = "12345" + +$Ldap = Get-LdapConnection -LdapServer "mydc.mydomain.com" -EncryptionType Kerberos +Edit-LdapObject -LdapConnection $Ldap -Object $obj + +Description +----------- +Modifies existing user account in domain. + +.EXAMPLE +$conn = Get-LdapConnection -LdapServer "mydc.mydomain.com" -EncryptionType Kerberos +$dse = Get-RootDSE -LdapConnection $conn +$User = Find-LdapObject -LdapConnection $conn -searchFilter '(&(objectClass=user)(objectCategory=organizationalPerson)(sAMAccountName=myUser1))' -searchBase $dse.defaultNamingContext +$Group = Find-LdapObject -LdapConnection $conn -searchFilter '(&(objectClass=group)(objectCategory=group)(cn=myGroup1))' -searchBase $dse.defaultNamingContext -AdditionalProperties @('member') +$Group.member=@($User.distinguishedName) +Edit-LdapObject -LdapConnection $conn -Object $Group -Mode Add + +Description +----------- +Finds user account in LDAP server and adds it to group + +.EXAMPLE +#get connection and sotre in session variable +Get-LdapConnection -LdapServer "mydc.mydomain.com" +#get root DSE object +$dse = Get-RootDse +#do work +Find-LdapObject ` + -searchFilter '(&(objeectClass=user)(objectCategory=organizationalPerson)(l=Prague))' ` + -searchBase $dse.defaultNamingContext ` + -PropertiesToLoad 'adminDescription' ` +| foreach-object{$_.adminDescription = 'Praguer'; $_} ` +| Edit-LdapObject -IncludedProps 'adminDescription' -Passthrough ` +| Find-LdapObject -searchFilter '(objectClass=*)' -searchScope Base -PropertiesToLoad 'adminDescription' + +Description +----------- +This sample demontrates pipeline capabilities of various commands by updating an attribute value on many objects and reading updated objects from server + +.LINK +More about System.DirectoryServices.Protocols: http://msdn.microsoft.com/en-us/library/bb332056.aspx + +#> + Param ( + [parameter(Mandatory = $true, ValueFromPipeline=$true)] + [PSObject] + #Source object to copy properties from + $Object, + + [parameter()] + [String[]] + #Properties to ignore on source object. If not specified, no props are ignored + $IgnoredProps=@(), + + [parameter()] + [String[]] + #Properties to include on source object. If not specified, all props are included + $IncludedProps=@(), + + [parameter(Mandatory = $false)] + [String[]] + #List of properties that we want to handle as byte stream. + #Note: Those properties must also be present in IncludedProps parameter. Properties not listed here are handled as strings + #Default: empty list, which means that all properties are handled as strings + $BinaryProps=@(), + + [parameter()] + [System.DirectoryServices.Protocols.LdapConnection] + #Existing LDAPConnection object. + $LdapConnection = $script:LdapConnection, + + [parameter(Mandatory=$false)] + [System.DirectoryServices.Protocols.DirectoryAttributeOperation] + #Mode of operation + #Replace: Replaces attribute values on target + #Add: Adds attribute values to existing values on target + #Delete: Removes atribute values from existing values on target + $Mode=[System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace, + + [parameter(Mandatory = $false)] + [System.DirectoryServices.Protocols.DirectoryControl[]] + #Additional controls that caller may need to add to request + $AdditionalControls=@(), + + [parameter(Mandatory = $false)] + [timespan] + #Time before request times out. + #Default: [TimeSpan]::Zero, which means that no specific timeout provided + $Timeout = [TimeSpan]::Zero, + + [Switch] + #When turned on, command returns modified object to pipeline + #This is useful when different types of modifications need to be done on single object + $Passthrough + ) + + begin + { + EnsureLdapConnection -LdapConnection $LdapConnection + } + + Process + { + if([string]::IsNullOrEmpty($Object.DistinguishedName)) { + throw (new-object System.ArgumentException("Input object missing DistinguishedName property")) + } + + [System.DirectoryServices.Protocols.ModifyRequest]$rqMod=new-object System.DirectoryServices.Protocols.ModifyRequest + $rqMod.DistinguishedName=$Object.DistinguishedName + $permissiveModifyRqc = new-object System.DirectoryServices.Protocols.PermissiveModifyControl + $permissiveModifyRqc.IsCritical = $false + $rqMod.Controls.Add($permissiveModifyRqc) | Out-Null + + #add additional controls that caller may have passed + foreach($ctrl in $AdditionalControls) {$rqMod.Controls.Add($ctrl) | Out-Null} + + foreach($prop in (Get-Member -InputObject $Object -MemberType NoteProperty)) { + if($prop.Name -eq "distinguishedName") {continue} #Dn is always ignored + if($IgnoredProps -contains $prop.Name) {continue} + if(($IncludedProps.Count -gt 0) -and ($IncludedProps -notcontains $prop.Name)) {continue} + [System.DirectoryServices.Protocols.DirectoryAttribute]$propMod=new-object System.DirectoryServices.Protocols.DirectoryAttributeModification + $transform = $script:RegisteredTransforms[$prop.Name] + $binaryInput = ($null -ne $transform -and $transform.BinaryInput -eq $true) -or ($prop.Name -in $BinaryProps) + $propMod.Name=$prop.Name + + if($null -ne $transform -and $null -ne $transform.OnSave) { + #transform defined -> transform to form accepted by directory + $attrVal = @(& $transform.OnSave -Values $Object.($prop.Name)) + } + else { + #no transform defined - take value as-is + $attrVal = $Object.($prop.Name) + } + + if($null -ne $attrVal) { + #we're modifying property + if($attrVal.Count -gt 0) { + $propMod.Operation=$Mode + if($binaryInput) { + foreach($val in $attrVal) { + $propMod.Add([byte[]]$val) | Out-Null + } + } else { + $propMod.AddRange([string[]]($attrVal)) + } + $rqMod.Modifications.Add($propMod) | Out-Null + } + } else { + #source object has no value for property - we're removing value on target + $propMod.Operation=[System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete + $rqMod.Modifications.Add($propMod) | Out-Null + } + } + if($rqMod.Modifications.Count -gt 0) { + if($Timeout -ne [TimeSpan]::Zero) + { + $LdapConnection.SendRequest($rqMod, $Timeout) -as [System.DirectoryServices.Protocols.ModifyResponse] | Out-Null + } + else + { + $LdapConnection.SendRequest($rqMod) -as [System.DirectoryServices.Protocols.ModifyResponse] | Out-Null + } + } + #if requested, pass the objeect to pipeline for further processing + if($Passthrough) {$Object} + } +} + +Function Remove-LdapObject +{ +<# +.SYNOPSIS + Removes existing object from LDAP server + +.DESCRIPTION + Removes an object from LDAP server. + All proprties of object are ignored and no transforms are performed; only distinguishedName property is used to locate the object. + +.OUTPUTS + Nothing + +.EXAMPLE +$Ldap = Get-LdapConnection -LdapServer "mydc.mydomain.com" -EncryptionType Kerberos +Remove-LdapObject -LdapConnection $Ldap -Object "cn=User1,cn=Users,dc=mydomain,dc=com" + +Description +----------- +Removes existing user account. + +.EXAMPLE +$Ldap = Get-LdapConnection +Find-LdapObject -LdapConnection (Get-LdapConnection) -SearchFilter:"(&(objectClass=organitationalUnit)(adminDescription=ToDelete))" -SearchBase:"dc=myDomain,dc=com" | Remove-LdapObject -UseTreeDelete + +Description +----------- +Removes existing subtree using TreeDeleteControl + +.LINK +More about System.DirectoryServices.Protocols: http://msdn.microsoft.com/en-us/library/bb332056.aspx + +#> + Param ( + [parameter(Mandatory = $true, ValueFromPipeline=$true)] + [Object] + #Either string containing distinguishedName or object with DistinguishedName property + $Object, + [parameter()] + [System.DirectoryServices.Protocols.LdapConnection] + #Existing LDAPConnection object. + $LdapConnection = $script:LdapConnection, + + [parameter(Mandatory = $false)] + [System.DirectoryServices.Protocols.DirectoryControl[]] + #Additional controls that caller may need to add to request + $AdditionalControls=@(), + + [parameter(Mandatory = $false)] + [Switch] + #Whether or not to use TreeDeleteControl. + $UseTreeDelete + ) + + begin + { + EnsureLdapConnection -LdapConnection $LdapConnection + } + + Process + { + [System.DirectoryServices.Protocols.DeleteRequest]$rqDel=new-object System.DirectoryServices.Protocols.DeleteRequest + #add additional controls that caller may have passed + foreach($ctrl in $AdditionalControls) {$rqDel.Controls.Add($ctrl) | Out-Null} + + switch($Object.GetType().Name) + { + "String" + { + $rqDel.DistinguishedName=$Object + } + default + { + if($null -ne $Object.distinguishedName) + { + $rqDel.DistinguishedName=$Object.distinguishedName + } + else + { + throw (new-object System.ArgumentException("DistinguishedName must be passed")) + } + } + } + if($UseTreeDelete) { + $rqDel.Controls.Add((new-object System.DirectoryServices.Protocols.TreeDeleteControl)) | Out-Null + } + $LdapConnection.SendRequest($rqDel) -as [System.DirectoryServices.Protocols.DeleteResponse] | Out-Null + } +} + +Function Rename-LdapObject +{ +<# +.SYNOPSIS + Changes RDN of existing object or moves the object to a different subtree (or both at the same time) + +.DESCRIPTION + Performs only rename of object. + All properties of object are ignored and no transforms are performed. + Only distinguishedName property is used to locate the object. + +.OUTPUTS + Nothing + +.EXAMPLE +$Ldap = Get-LdapConnection -LdapServer "mydc.mydomain.com" -EncryptionType Kerberos +Rename-LdapObject -LdapConnection $Ldap -Object "cn=User1,cn=Users,dc=mydomain,dc=com" -NewName 'cn=User2' + +Decription +---------- +This command changes CN of User1 object to User2. Notice that 'cn=' is part of new name. This is required by protocol, when you do not provide it, you will receive NamingViolation error. + +.EXAMPLE +$Ldap = Get-LdapConnection +Rename-LdapObject -LdapConnection $Ldap -Object "cn=User1,cn=Users,dc=mydomain,dc=com" -NewName "cn=User1" -NewParent "ou=CompanyUsers,dc=mydomain,dc=com" + +Description +----------- +This command Moves the User1 object to different OU. Notice the newName parameter - it's the same as old name as we do not rename the object a new name is required parameter for protocol. + +.LINK +More about System.DirectoryServices.Protocols: http://msdn.microsoft.com/en-us/library/bb332056.aspx + +#> + + Param ( + [parameter(Mandatory = $true, ValueFromPipeline=$true)] + [Object] + #Either string containing distinguishedName + #Or object with DistinguishedName property + $Object, + + [parameter()] + [System.DirectoryServices.Protocols.LdapConnection] + #Existing LDAPConnection object. + $LdapConnection = $script:LdapConnection, + + [parameter(Mandatory = $true)] + #New name of object + [String] + $NewName, + + [parameter(Mandatory = $false)] + #DN of new parent + [String] + $NewParent, + + #whether to delete original RDN + [Switch] + $KeepOldRdn, + + [parameter(Mandatory = $false)] + [System.DirectoryServices.Protocols.DirectoryControl[]] + #Additional controls that caller may need to add to request + $AdditionalControls=@() + ) + + begin + { + EnsureLdapConnection -LdapConnection $LdapConnection + } + Process + { + [System.DirectoryServices.Protocols.ModifyDNRequest]$rqModDN=new-object System.DirectoryServices.Protocols.ModifyDNRequest + switch($Object.GetType().Name) + { + "String" + { + $rqModDN.DistinguishedName=$Object + } + default + { + if($Object.distinguishedName) + { + $rqModDN.DistinguishedName=$Object.distinguishedName + } + else + { + throw (new-object System.ArgumentException("DistinguishedName must be passed")) + } + } + } + $rqModDn.NewName = $NewName + if(-not [string]::IsNullOrEmpty($NewParent)) {$rqModDN.NewParentDistinguishedName = $NewParent} + $rqModDN.DeleteOldRdn = (-not $KeepOldRdn) + $LdapConnection.SendRequest($rqModDN) -as [System.DirectoryServices.Protocols.ModifyDNResponse] | Out-Null + } +} + +#Transform registration handling support + +# Internal holder of registered transforms +$script:RegisteredTransforms = @{} + +Function Register-LdapAttributeTransform +{ +<# +.SYNOPSIS + Registers attribute transform logic + +.DESCRIPTION + Registered attribute transforms are used by various cmdlets to convert value to/from format used by LDAP server to/from more convenient format + Sample transforms can be found in GitHub repository, including template for creation of new transforms + +.OUTPUTS + Nothing + +.EXAMPLE +$Ldap = Get-LdapConnection -LdapServer "mydc.mydomain.com" -EncryptionType Kerberos +#get list of available transforms +Get-LdapAttributeTransform -ListAvailable + +#register transform for specific attributes only +Register-LdapAttributeTransform -Name Guid -AttributeName objectGuid +Register-LdapAttributeTransform -Name SecurityDescriptor -AttributeName ntSecurityDescriptor + +#register for all supported attributes +Register-LdapAttributeTransform -Name Certificate + +#find objects, applying registered transforms as necessary +# Notice that for attributes processed by a transform, there is no need to specify them in -BinaryProps parameter: transform 'knows' if it's binary or not +Find-LdapObject -LdapConnection $Ldap -SearchBase "cn=User1,cn=Users,dc=mydomain,dc=com" -SearchScope Base -PropertiesToLoad 'cn','ntSecurityDescriptor','userCert,'userCertificate' + +Decription +---------- +This example registers transform that converts raw byte array in ntSecurityDescriptor property into instance of System.DirectoryServices.ActiveDirectorySecurity +After command completes, returned object(s) will have instance of System.DirectoryServices.ActiveDirectorySecurity in ntSecurityDescriptor property + +.EXAMPLE +$Ldap = Get-LdapConnection -LdapServer "mydc.mydomain.com" -EncryptionType Kerberos +#register all available transforms +Get-LdapAttributeTransform -ListAvailable | Register-LdapAttributeTransform +#find objects, applying registered transforms as necessary +# Notice that for attributes processed by a transform, there is no need to specify them in -BinaryProps parameter: transform 'knows' if it's binary or not +Find-LdapObject -LdapConnection $Ldap -SearchBase "cn=User1,cn=Users,dc=mydomain,dc=com" -SearchScope Base -PropertiesToLoad 'cn','ntSecurityDescriptor','userCert,'userCertificate' + +.LINK +More about System.DirectoryServices.Protocols: http://msdn.microsoft.com/en-us/library/bb332056.aspx +More about attribute transforms and how to create them: https://github.com/jformacek/S.DS.P/tree/master/Transforms +Template for creation of new transforms: https://github.com/jformacek/S.DS.P/blob/master/TransformTemplate/_Template.ps1 +#> + + [CmdletBinding()] + param ( + [Parameter(Mandatory,ParameterSetName='Name', Position=0)] + [string] + #Name of the transform + $Name, + [Parameter()] + [string] + #Name of the attribute that will be processed by transform + #If not specified, transform will be registered on all supported attributes + $AttributeName, + [Parameter(Mandatory,ValueFromPipeline,ParameterSetName='TransformObject', Position=0)] + [PSCustomObject] + #Transform object produced by Get-LdapAttributeTRansform + $Transform + ) + + Process + { + switch($PSCmdlet.ParameterSetName) + { + 'TransformObject' { + $Name = $transform.TransformName + break; + } + } + + if(-not (Test-Path -Path "$PSScriptRoot\Transforms\$Name.ps1") ) + { + throw new-object System.ArgumentException "Transform $Name not found" + } + + $SupportedAttributes = (& "$PSScriptRoot\Transforms\$Name.ps1").SupportedAttributes + switch($PSCmdlet.ParameterSetName) + { + 'Name' { + if([string]::IsNullOrEmpty($AttributeName)) + { + $attribs = $SupportedAttributes + } + else + { + if($supportedAttributes -contains $AttributeName) + { + $attribs = @($AttributeName) + } + else { + throw new-object System.ArgumentException "Transform $Name does not support attribute $AttributeName" + } + } + break; + } + 'TransformObject' { + $attribs = $SupportedAttributes + break; + } + } + foreach($attr in $attribs) + { + $t = (. "$PSScriptRoot\Transforms\$Name.ps1" -FullLoad) + $t = $t | Add-Member -MemberType NoteProperty -Name 'Name' -Value $Name -PassThru + $script:RegisteredTransforms[$attr]= $t + } + } +} + +Function Unregister-LdapAttributeTransform +{ +<# +.SYNOPSIS + + Unregisters previously registered attribute transform logic + +.DESCRIPTION + + Unregisters attribute transform. Attribute transforms transform attributes from simple types provided by LDAP server to more complex types. Transforms work on attribute level and do not have acces to values of other attributes. + Transforms must be constructed using specific logic, see existing transforms and template on GitHub + +.EXAMPLE + +$Ldap = Get-LdapConnection -LdapServer "mydc.mydomain.com" -EncryptionType Kerberos +#get list of available transforms +Get-LdapAttributeTransform -ListAvailable +#register necessary transforms +Register-LdapAttributeTransform -Name Guid -AttributeName objectGuid +#Now objectGuid property on returned object is Guid rather than raw byte array +Find-LdapObject -LdapConnection $Ldap -SearchBase "cn=User1,cn=Users,dc=mydomain,dc=com" -SearchScope Base -PropertiesToLoad 'cn',objectGuid + +#we no longer need the transform, let's unregister +Unregister-LdapAttributeTransform -AttributeName objectGuid +Find-LdapObject -LdapConnection $Ldap -SearchBase "cn=User1,cn=Users,dc=mydomain,dc=com" -SearchScope Base -PropertiesToLoad 'cn',objectGuid -BinaryProperties 'objectGuid' +#now objectGuid property of returned object contains raw byte array + +Description +---------- +This example registers transform that converts raw byte array in objectGuid property into instance of System.Guid +After command completes, returned object(s) will have instance of System.Guid in objectGuid property +Then the transform is unregistered, so subsequent calls do not use it + +.LINK + +More about System.DirectoryServices.Protocols: http://msdn.microsoft.com/en-us/library/bb332056.aspx +More about attribute transforms and how to create them: https://github.com/jformacek/S.DS.P/tree/master/Transforms + +#> + + [CmdletBinding()] + param ( + [Parameter(Mandatory, ValueFromPipelineByPropertyName, Position=0)] + [string] + #Name of the attribute to unregister transform from + $AttributeName + ) + + Process + { + if($script:RegisteredTransforms.Keys -contains $AttributeName) + { + $script:RegisteredTransforms.Remove($AttributeName) + } + } +} + +Function Get-LdapAttributeTransform +{ +<# +.SYNOPSIS + Lists registered attribute transform logic + +.OUTPUTS + List of registered transforms + +.LINK +More about System.DirectoryServices.Protocols: http://msdn.microsoft.com/en-us/library/bb332056.aspx +More about attribute transforms and how to create them: https://github.com/jformacek/S.DS.P + +#> + [CmdletBinding()] + param ( + [Parameter()] + [Switch] + #Lists all tranforms available + $ListAvailable + ) + if($ListAvailable) + { + $TransformList = Get-ChildItem -Path "$PSScriptRoot\Transforms\*.ps1" -ErrorAction SilentlyContinue + foreach($transformFile in $TransformList) + { + $transform = (& $transformFile.FullName) + $transform = $transform | Add-Member -MemberType NoteProperty -Name 'TransformName' -Value ([System.IO.Path]::GetFileNameWithoutExtension($transformFile.FullName)) -PassThru + $transform | Select-Object TransformName,SupportedAttributes + } + } + else { + foreach($attrName in ($script:RegisteredTransforms.Keys | Sort-object)) + { + [PSCustomObject]([Ordered]@{ + AttributeName = $attrName + TransformName = $script:RegisteredTransforms[$attrName].Name + }) + } + } +} + +function New-LdapAttributeTransformDefinition +{ +<# +.SYNOPSIS + Creates definition of transform. Used by transform implementations. + +.OUTPUTS + Transform definition + +.LINK +More about attribute transforms and how to create them: https://github.com/jformacek/S.DS.P + +#> + [CmdletBinding()] + param + ( + [Parameter(Mandatory, Position=0)] + [string[]]$SupportedAttributes, + [switch] + #Whether supported attributes need to be loaded from/saved to LDAP as binary stream + $BinaryInput + ) + + process + { + [PSCustomObject][Ordered]@{ + BinaryInput=$BinaryInput + SupportedAttributes=$SupportedAttributes + OnLoad = $null + OnSave = $null + } + } +} + +#region DirSync support +Function Get-LdapDirSyncCookie +{ +<# +.SYNOPSIS + Returns DirSync cookie serialized as Base64 string. + Caller is responsible to save and call Set-LdapDirSyncCookie when continuing data retrieval via directory synchronization + +.OUTPUTS + DirSync cookie as Base64 string + +.EXAMPLE +Get-LdapConnection -LdapServer "mydc.mydomain.com" + +$dse = Get-RootDse +$cookie = Get-Content .\storedCookieFromPreviousIteration.txt +$cookie | Set-LdapDirSyncCookie +$dirUpdates=Find-LdapObject -SearchBase $dse.defaultNamingContext -searchFilter '(objectClass=group)' -PropertiesToLoad 'member' -DirSync StandardIncremental +#process updates +foreach($record in $dirUpdates) +{ + #... +} + +$cookie = Get-LdapDirSyncCookie +$cookie | Set-Content .\storedCookieFromPreviousIteration.txt + +Description +---------- +This example loads dirsync cookie stored in file and performs dirsync search for updates that happened after cookie was generated +Then it stores updated cookie back to file for usage in next iteration + +.EXAMPLE +Get-LdapConnection -LdapServer dc.mydomain.com | Out-Null +$dse = Get-RootDSE +#obtain initial sync cookie valid from now on +Find-LdapObject -searchBase $dse.defaultNamingContext -searchFilter '(objectClass=domainDns)' -PropertiesToLoad 'name' -DirSync Standard | Out-Null +$show the cookie +Get-LdapDirSyncCookie + +Description +----------- +This example connects to given LDAP server and obtains initial cookie that represents current time - output does not contain full sync data. + + +.LINK +More about DirSync: https://docs.microsoft.com/en-us/openspecs/windows_protocols/MS-ADTS/2213a7f2-0a36-483c-b2a4-8574d53aa1e3 + +#> +param() + + process + { + if($null -ne $script:DirSyncCookie) + { + [Convert]::ToBase64String($script:DirSyncCookie) + } + } +} + +Function Set-LdapDirSyncCookie +{ +<# +.SYNOPSIS + Returns DirSync cookie serialized as Base64 string. + Caller is responsible to save and call Set-LdapDirSyncCookie when continuing data retrieval via directory synchronization + +.OUTPUTS + DirSync cookie as Base64 string + +.EXAMPLE +Get-LdapConnection -LdapServer "mydc.mydomain.com" + +$dse = Get-RootDse +$cookie = Get-Content .\storedCookieFromPreviousIteration.txt +$cookie | Set-LdapDirSyncCookie +$dirUpdates=Find-LdapObject -SearchBase $dse.defaultNamingContext -searchFilter '(objectClass=group)' -PropertiesToLoad 'member' -DirSync Standard +#process updates +foreach($record in $dirUpdates) +{ + #... +} + +$cookie = Get-LdapDirSyncCookie +$cookie | Set-Content .\storedCookieFromPreviousIteration.txt + +Description +---------- +This example loads dirsync cookie stored in file and performs dirsync search for updates that happened after cookie was generated +Then it stores updated cookie back to file for usage in next iteration + +.LINK +More about DirSync: https://docs.microsoft.com/en-us/openspecs/windows_protocols/MS-ADTS/2213a7f2-0a36-483c-b2a4-8574d53aa1e3 + +#> + [CmdletBinding()] + param + ( + [Parameter(Mandatory,ValueFromPipeline)] + [string]$Cookie + ) + + process + { + [byte[]]$script:DirSyncCookie = [System.Convert]::FromBase64String($Cookie) + } +} +#endregion + +#region Helpers +Add-Type @' +public static class Flattener +{ + public static System.Object FlattenArray(System.Object[] arr) + { + if(arr==null) return null; + switch(arr.Length) + { + case 0: + return null; + case 1: + return arr[0]; + default: + return arr; + } + } +} +'@ + +$referencedAssemblies=@() +if($PSVersionTable.PSEdition -eq 'Core') {$referencedAssemblies+='System.Security.Principal.Windows'} +Add-Type @' +public class NamingContext +{ + public System.Security.Principal.SecurityIdentifier SID {get; set;} + public System.Guid GUID {get; set;} + public string distinguishedName {get; set;} + public override string ToString() {return distinguishedName;} + public static NamingContext Parse(string ctxDef) + { + NamingContext retVal = new NamingContext(); + var parts = ctxDef.Split(';'); + if(parts.Length == 1) + { + retVal.distinguishedName = parts[0]; + } + else + { + foreach(string part in parts) + { + if(part.StartsWith(" +Function InitializeItemTemplateInternal +{ + param + ( + [string[]]$props, + [string[]]$additionalProps + ) + + process + { + $template=@{} + foreach($prop in $additionalProps) {$template[$prop]= $null} + foreach($prop in $props) {$template[$prop]=$null} + $template + } +} + +<# + Process ragnged retrieval hints +#> +function GetTargetAttr +{ + param + ( + [Parameter(Mandatory)] + [string]$attr + ) + + process + { + $targetAttr = $attr + $m = [System.Text.RegularExpressions.Regex]::Match($attr,';range=.+'); #this is to skip range hints provided by DC + if($m.Success) + { + $targetAttr = $($attr.Substring(0,$m.Index)) + } + $targetAttr + } +} + +<# + Retrieves search results as single search request + Total # of search requests produced is 1 +#> +function GetResultsDirectlyInternal +{ + param + ( + [Parameter(Mandatory)] + [System.DirectoryServices.Protocols.SearchRequest] + $rq, + [parameter(Mandatory)] + [System.DirectoryServices.Protocols.LdapConnection] + $conn, + [parameter()] + [String[]] + $PropertiesToLoad=@(), + [parameter()] + [String[]] + $AdditionalProperties=@(), + [parameter()] + [String[]] + $BinaryProperties=@(), + [parameter()] + [Timespan] + $Timeout, + [switch]$NoAttributes + ) + begin + { + $template=InitializeItemTemplateInternal -props $PropertiesToLoad -additionalProps $AdditionalProperties + } + process + { + $pagedRqc=$rq.Controls | Where-Object{$_ -is [System.DirectoryServices.Protocols.PageResultRequestControl]} + if($NoAttributes) { + $rq.Attributes.Add('1.1') | Out-Null + } else { + $rq.Attributes.AddRange($propertiesToLoad) | Out-Null + } + while($true) + { + try + { + if($Timeout -ne [timespan]::Zero) + { + $rsp = $conn.SendRequest($rq, $Timeout) -as [System.DirectoryServices.Protocols.SearchResponse] + } + else + { + $rsp = $conn.SendRequest($rq) -as [System.DirectoryServices.Protocols.SearchResponse] + } + } + catch [System.DirectoryServices.Protocols.DirectoryOperationException] + { + if($null -ne $_.Exception.Response -and $_.Exception.Response.ResultCode -eq 'SizeLimitExceeded') + { + #size limit exceeded + $rsp = $_.Exception.Response + } + else + { + throw $_.Exception + } + } + + foreach ($sr in $rsp.Entries) + { + $data=$template.Clone() + + foreach($attrName in $sr.Attributes.AttributeNames) { + $targetAttrName = GetTargetAttr -attr $attrName + if($targetAttrName -ne $attrName) + { + Write-Warning "Value of attribute $targetAttrName not completely retrieved as it exceeds query policy. Use ranged retrieval. Range hint: $attrName" + } + else + { + if($data[$attrName].Count -gt 0) + { + #we may have already loaded partial results from ranged hint + continue + } + } + + $transform = $script:RegisteredTransforms[$targetAttrName] + $BinaryInput = ($null -ne $transform -and $transform.BinaryInput -eq $true) -or ($targetAttrName -in $BinaryProperties) + if($null -ne $transform -and $null -ne $transform.OnLoad) + { + if($BinaryInput -eq $true) { + $data[$targetAttrName] = (& $transform.OnLoad -Values ($sr.Attributes[$attrName].GetValues([byte[]]))) + } else { + $data[$targetAttrName] = (& $transform.OnLoad -Values ($sr.Attributes[$attrName].GetValues([string]))) + } + } else { + if($BinaryInput -eq $true) { + $data[$targetAttrName] = $sr.Attributes[$attrName].GetValues([byte[]]) + } else { + $data[$targetAttrName] = $sr.Attributes[$attrName].GetValues([string]) + } + } + } + + if($data['distinguishedName'].Count -eq 0) { + #dn has to be present on all objects + #having DN processed at the end gives chance to possible transforms on this attribute + $data['distinguishedName']=$sr.DistinguishedName + } + $data + } + #the response may contain paged search response. If so, we will need a cookie from it + [System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$rsp.Controls | Where-Object{$_ -is [System.DirectoryServices.Protocols.PageResultResponseControl]} + if($null -ne $prrc -and $prrc.Cookie.Length -ne 0 -and $null -ne $pagedRqc) { + #pass the search cookie back to server in next paged request + $pagedRqc.Cookie = $prrc.Cookie; + } else { + #either non paged search or we've processed last page + break; + } + } + } +} + +<# + Retrieves search results as dirsync request +#> +function GetResultsDirSyncInternal +{ + param + ( + [Parameter(Mandatory)] + [System.DirectoryServices.Protocols.SearchRequest] + $rq, + [parameter(Mandatory)] + [System.DirectoryServices.Protocols.LdapConnection] + $conn, + [parameter()] + [String[]] + $PropertiesToLoad=@(), + [parameter()] + [String[]] + $AdditionalProperties=@(), + [parameter()] + [String[]] + $BinaryProperties=@(), + [parameter()] + [Timespan] + $Timeout, + [Switch]$ObjectSecurity, + [switch]$Incremental + ) + begin + { + $template=InitializeItemTemplateInternal -props $PropertiesToLoad -additionalProps $AdditionalProperties + } + process + { + $DirSyncRqc= new-object System.DirectoryServices.Protocols.DirSyncRequestControl(,$script:DirSyncCookie) + $DirSyncRqc.Option = [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::ParentsFirst + if($ObjectSecurity) + { + $DirSyncRqc.Option = $DirSyncRqc.Option -bor [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::ObjectSecurity + } + if($Incremental) + { + $DirSyncRqc.Option = $DirSyncRqc.Option -bor [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::IncrementalValues + } + $rq.Controls.Add($DirSyncRqc) | Out-Null + $rq.Attributes.AddRange($propertiesToLoad) | Out-Null + + while($true) + { + try + { + if($Timeout -ne [timespan]::Zero) + { + $rsp = $conn.SendRequest($rq, $Timeout) -as [System.DirectoryServices.Protocols.SearchResponse] + } + else + { + $rsp = $conn.SendRequest($rq) -as [System.DirectoryServices.Protocols.SearchResponse] + } + } + catch [System.DirectoryServices.Protocols.DirectoryOperationException] + { + #just throw as we do not have need case for special handling now + throw $_.Exception + } + + foreach ($sr in $rsp.Entries) + { + $data=$template.Clone() + + foreach($attrName in $sr.Attributes.AttributeNames) { + $targetAttrName = GetTargetAttr -attr $attrName + if($attrName -ne $targetAttrName) + { + if($null -eq $data[$targetAttrName]) + { + $data[$targetAttrName] = [PSCustomObject]@{ + Add=@() + Remove=@() + } + } + #we have multival prop chnage --> need special handling + #Windows AD/LDS server returns attribute name as ';range=1-1' for added values and ';range=0-0' for removed values on forward-linked attributes + if($attrName -like '*;range=1-1') + { + $attributeContainer = {param($val) $data[$targetAttrName].Add=$val} + } + else { + $attributeContainer = {param($val) $data[$targetAttrName].Remove=$val} + } + } + else + { + $attributeContainer = {param($val) $data[$targetAttrName]=$val} + } + + $transform = $script:RegisteredTransforms[$targetAttrName] + $BinaryInput = ($null -ne $transform -and $transform.BinaryInput -eq $true) -or ($targetAttrName -in $BinaryProperties) + if($null -ne $transform -and $null -ne $transform.OnLoad) + { + if($BinaryInput -eq $true) { + &$attributeContainer (& $transform.OnLoad -Values ($sr.Attributes[$attrName].GetValues([byte[]]))) + } else { + &$attributeContainer (& $transform.OnLoad -Values ($sr.Attributes[$attrName].GetValues([string]))) + } + } else { + if($BinaryInput -eq $true) { + &$attributeContainer $sr.Attributes[$attrName].GetValues([byte[]]) + } else { + &$attributeContainer $sr.Attributes[$attrName].GetValues([string]) + } + } + } + + if($data['distinguishedName'].Count -eq 0) { + #dn has to be present on all objects + #having DN processed at the end gives chance to possible transforms on this attribute + $data['distinguishedName']=$sr.DistinguishedName + } + $data + } + #the response may contain dirsync response. If so, we will need a cookie from it + [System.DirectoryServices.Protocols.DirSyncResponseControl] $dsrc=$rsp.Controls | Where-Object{$_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl]} + if($null -ne $dsrc -and $dsrc.Cookie.Length -ne 0 -and $null -ne $DirSyncRqc) { + #pass the search cookie back to server in next paged request + $DirSyncRqc.Cookie = $dsrc.Cookie; + $script:DirSyncCookie = $dsrc.Cookie + if(-not $dsrc.MoreData) + { + break; + } + } else { + #either non paged search or we've processed last page + break; + } + } + } +} + +<# + Retrieves search results as series of requests: first request just returns list of returned objects, and then each object's props are loaded by separate request. + Total # of search requests produced is N+1, where N is # of objects found +#> + +function GetResultsIndirectlyInternal +{ + param + ( + [Parameter(Mandatory)] + [System.DirectoryServices.Protocols.SearchRequest] + $rq, + + [parameter(Mandatory)] + [System.DirectoryServices.Protocols.LdapConnection] + $conn, + + [parameter()] + [String[]] + $PropertiesToLoad=@(), + + [parameter()] + [String[]] + $AdditionalProperties=@(), + + [parameter(Mandatory = $false)] + [System.DirectoryServices.Protocols.DirectoryControl[]] + #additional controls that caller may need to add to request + $AdditionalControls=@(), + + [parameter()] + [String[]] + $BinaryProperties=@(), + + [parameter()] + [Timespan] + $Timeout + ) + begin + { + $template=InitializeItemTemplateInternal -props $PropertiesToLoad -additionalProps $AdditionalProperties + } + process + { + $pagedRqc=$rq.Controls | Where-Object{$_ -is [System.DirectoryServices.Protocols.PageResultRequestControl]} + $rq.Attributes.AddRange($propertiesToLoad) | Out-Null + #load only attribute names now and attribute values later + $rq.TypesOnly=$true + while ($true) + { + try + { + if($Timeout -ne [timespan]::Zero) + { + $rsp = $conn.SendRequest($rq, $Timeout) -as [System.DirectoryServices.Protocols.SearchResponse] + } + else + { + $rsp = $conn.SendRequest($rq) -as [System.DirectoryServices.Protocols.SearchResponse] + } + } + catch [System.DirectoryServices.Protocols.DirectoryOperationException] + { + if($null -ne $_.Exception.Response -and $_.Exception.Response.ResultCode -eq 'SizeLimitExceeded') + { + #size limit exceeded + $rsp = $_.Exception.Response + } + else + { + throw $_.Exception + } + } + + #now process the returned list of distinguishedNames and fetch required properties directly from returned objects + foreach ($sr in $rsp.Entries) + { + $data=$template.Clone() + + $rqAttr=new-object System.DirectoryServices.Protocols.SearchRequest + $rqAttr.DistinguishedName=$sr.DistinguishedName + $rqAttr.Scope="Base" + $rqAttr.Controls.AddRange($AdditionalControls) + + #loading just attributes indicated as present in first search + $rqAttr.Attributes.AddRange($sr.Attributes.AttributeNames) | Out-Null + $rspAttr = $LdapConnection.SendRequest($rqAttr) + foreach ($srAttr in $rspAttr.Entries) { + foreach($attrName in $srAttr.Attributes.AttributeNames) { + $targetAttrName = GetTargetAttr -attr $attrName + if($targetAttrName -ne $attrName) + { + Write-Warning "Value of attribute $targetAttrName not completely retrieved as it exceeds query policy. Use ranged retrieval. Range hint: $attrName" + } + else + { + if($data[$attrName].Count -gt 0) + { + #we may have already loaded partial results from ranged hint + continue + } + } + + $transform = $script:RegisteredTransforms[$targetAttrName] + $BinaryInput = ($null -ne $transform -and $transform.BinaryInput -eq $true) -or ($attrName -in $BinaryProperties) + #protecting against LDAP servers who don't understand '1.1' prop + if($null -ne $transform -and $null -ne $transform.OnLoad) + { + if($BinaryInput -eq $true) { + $data[$targetAttrName] = (& $transform.OnLoad -Values ($srAttr.Attributes[$attrName].GetValues([byte[]]))) + } else { + $data[$targetAttrName] = (& $transform.OnLoad -Values ($srAttr.Attributes[$attrName].GetValues([string]))) + } + } else { + if($BinaryInput -eq $true) { + $data[$targetAttrName] = $srAttr.Attributes[$attrName].GetValues([byte[]]) + } else { + $data[$targetAttrName] = $srAttr.Attributes[$attrName].GetValues([string]) + } + } + } + } + if($data['distinguishedName'].Count -eq 0) { + #dn has to be present on all objects + $data['distinguishedName']=$sr.DistinguishedName + } + $data + } + #the response may contain paged search response. If so, we will need a cookie from it + [System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$rsp.Controls | Where-Object{$_ -is [System.DirectoryServices.Protocols.PageResultResponseControl]} + if($null -ne $prrc -and $prrc.Cookie.Length -ne 0 -and $null -ne $pagedRqc) { + #pass the search cookie back to server in next paged request + $pagedRqc.Cookie = $prrc.Cookie; + } else { + #either non paged search or we've processed last page + break; + } + } + } +} + +<# + Retrieves search results as series of requests: first request just returns list of returned objects, and then each property of each object is loaded by separate request. + When there is a lot of values in multivalued property (such as 'member' attribute of group), property may be loaded by multiple requests + Total # of search requests produced is at least (N x P) + 1, where N is # of objects found and P is # of properties loaded for each object +#> +function GetResultsIndirectlyRangedInternal +{ + param + ( + [Parameter(Mandatory)] + [System.DirectoryServices.Protocols.SearchRequest] + $rq, + + [parameter(Mandatory)] + [System.DirectoryServices.Protocols.LdapConnection] + $conn, + + [parameter()] + [String[]] + $PropertiesToLoad, + + [parameter()] + [String[]] + $AdditionalProperties=@(), + + [parameter()] + [System.DirectoryServices.Protocols.DirectoryControl[]] + #additional controls that caller may need to add to request + $AdditionalControls=@(), + + [parameter()] + [String[]] + $BinaryProperties=@(), + + [parameter()] + [Timespan] + $Timeout, + + [parameter()] + [Int32] + $RangeSize + ) + begin + { + $template=InitializeItemTemplateInternal -props $PropertiesToLoad -additionalProps $AdditionalProperties + } + process + { + $pagedRqc=$rq.Controls | Where-Object{$_ -is [System.DirectoryServices.Protocols.PageResultRequestControl]} + $rq.Attributes.AddRange($PropertiesToLoad) + #load only attribute names now and attribute values later + $rq.TypesOnly=$true + while ($true) + { + try + { + if($Timeout -ne [timespan]::Zero) + { + $rsp = $conn.SendRequest($rq, $Timeout) -as [System.DirectoryServices.Protocols.SearchResponse] + } + else + { + $rsp = $conn.SendRequest($rq) -as [System.DirectoryServices.Protocols.SearchResponse] + } + } + catch [System.DirectoryServices.Protocols.DirectoryOperationException] + { + if($null -ne $_.Exception.Response -and $_.Exception.Response.ResultCode -eq 'SizeLimitExceeded') + { + #size limit exceeded + $rsp = $_.Exception.Response + } + else + { + throw $_.Exception + } + } + + #now process the returned list of distinguishedNames and fetch required properties directly from returned objects + foreach ($sr in $rsp.Entries) + { + $data=$template.Clone() + + $rqAttr=new-object System.DirectoryServices.Protocols.SearchRequest + $rqAttr.DistinguishedName=$sr.DistinguishedName + $rqAttr.Scope="Base" + $rqAttr.Controls.AddRange($AdditionalControls) + + #loading just attributes indicated as present in first search + foreach($attrName in $sr.Attributes.AttributeNames) { + $transform = $script:RegisteredTransforms[$attrName] + $BinaryInput = ($null -ne $transform -and $transform.BinaryInput -eq $true) -or ($attrName -in $BinaryProperties) + $start=-$rangeSize + $lastRange=$false + while ($lastRange -eq $false) { + $start += $rangeSize + $rng = "$($attrName.ToLower());range=$start`-$($start+$rangeSize-1)" + $rqAttr.Attributes.Clear() | Out-Null + $rqAttr.Attributes.Add($rng) | Out-Null + $rspAttr = $LdapConnection.SendRequest($rqAttr) + foreach ($srAttr in $rspAttr.Entries) { + #LDAP server changes upper bound to * on last chunk + $returnedAttrName=$($srAttr.Attributes.AttributeNames) + #load binary properties as byte stream, other properties as strings + if($BinaryInput) { + $data[$attrName]+=$srAttr.Attributes[$returnedAttrName].GetValues([byte[]]) + } else { + $data[$attrName] += $srAttr.Attributes[$returnedAttrName].GetValues([string]) + } + if($returnedAttrName.EndsWith("-*") -or $returnedAttrName -eq $attrName) { + #last chunk arrived + $lastRange = $true + } + } + } + + #perform transform if registered + if($null -ne $transform -and $null -ne $transform.OnLoad) + { + $data[$attrName] = (& $transform.OnLoad -Values $data[$attrName]) + } + } + if($data['distinguishedName'].Count -eq 0) { + #dn has to be present on all objects + $data['distinguishedName']=$sr.DistinguishedName + } + $data + } + #the response may contain paged search response. If so, we will need a cookie from it + [System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$rsp.Controls | Where-Object{$_ -is [System.DirectoryServices.Protocols.PageResultResponseControl]} + if($null -ne $prrc -and $prrc.Cookie.Length -ne 0 -and $null -ne $pagedRqc) { + #pass the search cookie back to server in next paged request + $pagedRqc.Cookie = $prrc.Cookie; + } else { + #either non paged search or we've processed last page + break; + } + } + } +} +#endregion +# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +######################### S.DS.P PowerShell Module v2.1.5 (2022-09-20): https://github.com/jformacek/S.DS.P ######################### + +################### S.DS.P PowerShell Module TRANSFORMS v2.1.5: https://github.com/jformacek/S.DS.P #################### +$script:RegisteredTransforms = @{} +# vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv +# unicodePwd.ps1 +$codeBlock = New-LdapAttributeTransformDefinition -SupportedAttributes @('unicodePwd') -BinaryInput +$codeBlock.OnSave = { + param( + [string[]]$Values + ) + + Process { + foreach ($Value in $Values) { + , ([System.Text.Encoding]::Unicode.GetBytes("`"$Value`"") -as [byte[]]) + } + } +} +$codeBlock.SupportedAttributes | ForEach-Object { + $attributeToProcess = $_ + $codeBlock = $codeBlock | Add-Member -MemberType NoteProperty -Name 'Name' -Value $attributeToProcess -PassThru + $script:RegisteredTransforms[$attributeToProcess] = $codeBlock +} +# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +################### S.DS.P PowerShell Module TRANSFORMS v2.1.4: https://github.com/jformacek/S.DS.P #################### + +### +# Functions Used In Script +### +### FUNCTION: Logging Data To The Log File +Function Logging($dataToLog, $lineType, $ignoreRemote) { + $datetimeLogLine = "[" + $(Get-Date -format "yyyy-MM-dd HH:mm:ss") + "] : " + If ($ignoreRemote -ne $true) { + Out-File -filepath "$logFilePath" -append -inputObject "$datetimeLogLine$dataToLog" + } + If ($null -eq $lineType) { + Write-Host "$datetimeLogLine$dataToLog" -ForeGroundColor Yellow + } + If ($lineType -eq "SUCCESS") { + Write-Host "$datetimeLogLine$dataToLog" -ForeGroundColor Green + } + If ($lineType -eq "ERROR") { + Write-Host "$datetimeLogLine$dataToLog" -ForeGroundColor Red + } + If ($lineType -eq "WARNING") { + Write-Host "$datetimeLogLine$dataToLog" -ForeGroundColor Red + } + If ($lineType -eq "MAINHEADER") { + Write-Host "$datetimeLogLine$dataToLog" -ForeGroundColor Magenta + } + If ($lineType -eq "HEADER") { + Write-Host "$datetimeLogLine$dataToLog" -ForeGroundColor DarkCyan + } + If ($lineType -eq "REMARK") { + Write-Host "$datetimeLogLine$dataToLog" -ForeGroundColor Cyan + } + If ($lineType -eq "REMARK-IMPORTANT") { + Write-Host "$datetimeLogLine$dataToLog" -ForeGroundColor Green + } + If ($lineType -eq "REMARK-MORE-IMPORTANT") { + Write-Host "$datetimeLogLine$dataToLog" -ForeGroundColor Yellow + } + If ($lineType -eq "REMARK-MOST-IMPORTANT") { + Write-Host "$datetimeLogLine$dataToLog" -ForeGroundColor Red + } + If ($lineType -eq "ACTION") { + Write-Host "$datetimeLogLine$dataToLog" -ForeGroundColor White + } + If ($lineType -eq "ACTION-NO-NEW-LINE") { + Write-Host "$datetimeLogLine$dataToLog" -NoNewline -ForeGroundColor White + } +} +$LoggingDef = "function Logging{${function:Logging}}" + +### FUNCTION: Test The Port Connection +Function portConnectionCheck($fqdnServer, $port, $timeOut) { + # Test To See If The HostName Is Resolvable At All + Try { + [System.Net.Dns]::GetHostEntry($fqdnServer) | Out-Null + } Catch { + Return "ERROR" + } + + $tcpPortSocket = $null + $portConnect = $null + $tcpPortWait = $null + $tcpPortSocket = New-Object System.Net.Sockets.TcpClient + $portConnect = $tcpPortSocket.BeginConnect($fqdnServer, $port, $null, $null) + $tcpPortWait = $portConnect.AsyncWaitHandle.WaitOne($timeOut, $false) + If (!$tcpPortWait) { + $tcpPortSocket.Close() + Return "ERROR" + } Else { + $ErrorActionPreference = "SilentlyContinue" + $tcpPortSocket.EndConnect($portConnect) | Out-Null + If (!$?) { + Return "ERROR" + } Else { + Return "SUCCESS" + } + $tcpPortSocket.Close() + $ErrorActionPreference = "Continue" + } +} + +### FUNCTION: Load Required PowerShell Modules +Function loadPoSHModules($poshModule, $ignoreRemote) { + $retValue = $null + If (@(Get-Module | Where-Object{$_.Name -eq $poshModule}).count -eq 0) { + If (@(Get-Module -ListAvailable | Where-Object{$_.Name -eq $poshModule}).count -ne 0) { + Import-Module $poshModule + Logging "PoSH Module '$poshModule' Has Been Loaded..." "SUCCESS" $ignoreRemote + $retValue = "HasBeenLoaded" + } Else { + Logging "PoSH Module '$poshModule' Is Not Available To Load..." "ERROR" $ignoreRemote + Logging "The PoSH Module '$poshModule' Is Required For This Script To Work..." "REMARK" $ignoreRemote + $confirmInstallPoshModuleYESNO = $null + $confirmInstallPoshModuleYESNO = Read-Host "Would You Like To Install The PoSH Module '$poshModule' NOW? [Yes|No]" + If ($confirmInstallPoshModuleYESNO.ToUpper() -eq "YES" -Or $confirmInstallPoshModuleYESNO.ToUpper() -eq "Y") { + If ($poshModule -eq "GroupPolicy") { + Logging "Installing The Windows Feature 'GPMC' For The PoSH Module '$poshModule'..." "REMARK" $ignoreRemote + Add-WindowsFeature -Name "GPMC" -IncludeAllSubFeature | Out-Null + } + If (@(Get-Module -ListAvailable | Where-Object{$_.Name -eq $poshModule}).count -ne 0) { + Import-Module $poshModule + Logging "PoSH Module '$poshModule' Has Been Loaded..." "SUCCESS" $ignoreRemote + $retValue = "HasBeenLoaded" + } Else { + Logging "Aborting Script..." "ERROR" $ignoreRemote + $retValue = "NotAvailable" + } + } Else { + Logging "Aborting Script..." "ERROR" $ignoreRemote + $retValue = "NotAvailable" + } + } + } Else { + Logging "PoSH Module '$poshModule' Already Loaded..." "SUCCESS" $ignoreRemote + $retValue = "AlreadyLoaded" + } + Return $retValue +} +$loadPoSHModulesDef = "function loadPoSHModules{${function:loadPoSHModules}}" + +### FUNCTION: Check To See If The Script Is Executed Through An Elevated PowerShell Command Prompt Or Not +Function checkLocalElevationStatus() { + # Determine Current User + $currentUser = [Security.Principal.WindowsIdentity]::GetCurrent() + + # Check The Process Owner SID And The User SID And Compare + $processOwnerSid = $currentUser.Owner.Value + $processUserSid = $currentUser.User.Value + + # When Equal, Not Elevated. When Different Elevated + If ($processOwnerSid -eq $processUserSid) { + Return "NOT-ELEVATED" + } Else { + Return "ELEVATED" + } +} + +### FUNCTION: Test Credentials For Specific Admin Role +Function testAdminRole($adminRole) { + # Determine Current User + $currentUser = [Security.Principal.WindowsIdentity]::GetCurrent() + + # Check The Current User Is In The Specified Admin Role + (New-Object Security.Principal.WindowsPrincipal $currentUser).IsInRole($adminRole) +} + +### FUNCTION: Request For Admin Credentials +Function requestForAdminCreds() { + # Ask For The Remote Credentials + $adminUserAccount = $null + Do { + Logging "Please provide an account (\) that is a member of the 'Administrators' group in every AD domain of the specified AD forest: " "ACTION-NO-NEW-LINE" + $adminUserAccount = Read-Host + } Until ($adminUserAccount -ne "" -And $null -ne $adminUserAccount) + + # Ask For The Corresponding Password + $adminUserPasswordString = $null + Do { + Logging "Please provide the corresponding password of that admin account: " "ACTION-NO-NEW-LINE" + [System.Security.SecureString]$adminUserPasswordSecureString = Read-Host -AsSecureString -ErrorAction SilentlyContinue + } Until ($adminUserPasswordSecureString.Length -gt 0) + [string]$adminUserPasswordString = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($adminUserPasswordSecureString)) + $secureAdminUserPassword = ConvertTo-SecureString $adminUserPasswordString -AsPlainText -Force + $adminCrds = $null + $adminCrds = New-Object System.Management.Automation.PSCredential $adminUserAccount, $secureAdminUserPassword + + Return $adminCrds +} + +### FUNCTION: Create Temporary Canary Object +Function createTempCanaryObject($targetedADdomainRWDCFQDN, $krbTgtSamAccountName, $execDateTimeCustom1, $localADforest, $adminCrds) { + # Determine The DN Of The Default NC Of The Targeted Domain + $targetedADdomainDefaultNC = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$targetedADdomainDefaultNC = (Get-ADRootDSE -Server $targetedADdomainRWDCFQDN).defaultNamingContext + $targetedADdomainDefaultNC = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + } Catch { + Logging "" "ERROR" + Logging "Error Connecting To '$targetedADdomainRWDCFQDN' For 'rootDSE'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$targetedADdomainDefaultNC = (Get-ADRootDSE -Server $targetedADdomainRWDCFQDN -Credential $adminCrds).defaultNamingContext + $targetedADdomainDefaultNC = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + } Catch { + Logging "" "ERROR" + Logging "Error Connecting To '$targetedADdomainRWDCFQDN' For 'rootDSE' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Determine The DN Of The Users Container Of The Targeted Domain + $containerForTempCanaryObject = $null + $containerForTempCanaryObject = "CN=Users," + $targetedADdomainDefaultNC + + # Generate The Name Of The Temporary Canary Object + $targetObjectToCheckName = $null + $targetObjectToCheckName = "_adReplTempObject_" + $krbTgtSamAccountName + "_" + $execDateTimeCustom1 + + # Specify The Description Of The Temporary Canary Object + $targetObjectToCheckDescription = "...!!!.TEMP OBJECT TO CHECK AD REPLICATION IMPACT.!!!..." + + # Generate The DN Of The Temporary Canary Object + $targetObjectToCheckDN = $null + $targetObjectToCheckDN = "CN=" + $targetObjectToCheckName + "," + $containerForTempCanaryObject + Logging " --> RWDC To Create Object On..............: '$targetedADdomainRWDCFQDN'" + Logging " --> Full Name Temp Canary Object..........: '$targetObjectToCheckName'" + Logging " --> Description...........................: '$targetObjectToCheckDescription'" + Logging " --> Container For Temp Canary Object......: '$containerForTempCanaryObject'" + Logging "" + + # Try To Create The Canary Object In The AD Domain And If Not Successfull Throw Error + Try { + $contactObject = [PSCustomObject]@{distinguishedName = $null; objectClass = $null; displayName = $null; description = $null} + $contactObject.DistinguishedName = "CN=$targetObjectToCheckName,$containerForTempCanaryObject" + $contactObject.objectClass = "contact" + $contactObject.displayName = $targetObjectToCheckName + $contactObject.description = $targetObjectToCheckDescription + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + #New-ADObject -Type contact -Name $targetObjectToCheckName -Path $containerForTempCanaryObject -DisplayName $targetObjectToCheckName -Description $targetObjectToCheckDescription -Server $targetedADdomainRWDCFQDN + Add-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -Object $contactObject + } + If ($localADforest -eq $false -And $adminCrds) { + #New-ADObject -Type contact -Name $targetObjectToCheckName -Path $containerForTempCanaryObject -DisplayName $targetObjectToCheckName -Description $targetObjectToCheckDescription -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + Add-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -Object $contactObject + } + } Catch { + Logging " --> Temp Canary Object [$targetObjectToCheckDN] FAILED TO BE CREATED on RWDC [$targetedADdomainRWDCFQDN]!..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + + # Check The Temporary Canary Object Exists And Was created In AD + $targetObjectToCheck = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$targetObjectToCheck = Get-ADObject -LDAPFilter "(&(objectClass=contact)(name=$targetObjectToCheckName))" -Server $targetedADdomainRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $targetObjectToCheck = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectClass=contact)(name=$targetObjectToCheckName))" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For Contact Object With 'name=$targetObjectToCheckName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$targetObjectToCheck = Get-ADObject -LDAPFilter "(&(objectClass=contact)(name=$targetObjectToCheckName))" -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $targetObjectToCheck = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectClass=contact)(name=$targetObjectToCheckName))" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For Contact Object With 'name=$targetObjectToCheckName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($targetObjectToCheck) { + $targetObjectToCheckDN = $null + $targetObjectToCheckDN = $targetObjectToCheck.DistinguishedName + Logging " --> Temp Canary Object [$targetObjectToCheckDN] CREATED on RWDC [$targetedADdomainRWDCFQDN]!..." "REMARK" + Logging "" "REMARK" + } + Return $targetObjectToCheckDN +} + +### FUNCTION: Confirm Generated Password Meets Complexity Requirements +# Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements +Function confirmPasswordIsComplex($passwd) { + Process { + $criteriaMet = 0 + + # Upper Case Characters (A through Z, with diacritic marks, Greek and Cyrillic characters) + If ($passwd -cmatch '[A-Z]') {$criteriaMet++} + + # Lower Case Characters (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters) + If ($passwd -cmatch '[a-z]') {$criteriaMet++} + + # Numeric Characters (0 through 9) + If ($passwd -match '\d') {$criteriaMet++} + + # Special Chracters (Non-alphanumeric characters, currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting) + If ($passwd -match '[\^~!@#$%^&*_+=`|\\(){}\[\]:;"''<>,.?/]') {$criteriaMet++} + + # Check If It Matches Default Windows Complexity Requirements + If ($criteriaMet -lt 3) { + Return $false + } ElseIf ($passwd.Length -lt 8) { + Return $false + } Else { + Return $true + } + } +} + +### FUNCTION: Generate New Complex Password +Function generateNewComplexPassword([int]$passwdNrChars) { + Process { + $iterations = 0 + Do { + If ($iterations -ge 20) { + Logging " --> Complex password generation failed after '$iterations' iterations..." "ERROR" + Logging "" "ERROR" + EXIT + } + $iterations++ + $passwdBytes = @() + $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider + Do { + [byte[]]$byte = [byte]1 + $rng.GetBytes($byte) + If ($byte[0] -lt 33 -or $byte[0] -gt 126) { + CONTINUE + } + $passwdBytes += $byte[0] + } + While ($passwdBytes.Count -lt $passwdNrChars) + $passwd = ([char[]]$passwdBytes) -join '' + } + Until (confirmPasswordIsComplex $passwd) + Return $passwd + } +} + +### FUNCTION: Retrieve The Metadata Of An Object +Function retrieveObjectMetadata($targetedADdomainRWDCFQDN, $ObjectDN, $localADforest, $adminCrds) { + # Get The Metadata Of The Object, And More Specific Of The pwdLastSet Attribute Of That Object BEFORE THE PASSWORD SET + $objectMetadata = $null + $targetedADdomainRWDCContext = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + $targetedADdomainRWDCContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer", $targetedADdomainRWDCFQDN) + } + If ($localADforest -eq $false -And $adminCrds) { + $targetedADdomainRWDCContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer", $targetedADdomainRWDCFQDN, $($adminCrds.UserName), $($adminCrds.GetNetworkCredential().Password)) + } + $targetedADdomainRWDCObject = $null + Try { + $targetedADdomainRWDCObject = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($targetedADdomainRWDCContext) + $objectMetadata = $targetedADdomainRWDCObject.GetReplicationMetadata($ObjectDN) + } Catch { + Logging "" "ERROR" + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Logging "Error Getting Metadata From '$targetedADdomainRWDCFQDN' For Object '$krbTgtObjectBeforeDN'..." "ERROR" + } + If ($localADforest -eq $false -And $adminCrds) { + Logging "Error Getting Metadata From '$targetedADdomainRWDCFQDN' For Object '$krbTgtObjectBeforeDN' Using '$($adminCrds.UserName)'..." "ERROR" + } + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + + If ($objectMetadata) { + Return $($objectMetadata.Values) + } +} + +### FUNCTION: Reset Password Of AD Account +Function setPasswordOfADAccount($targetedADdomainRWDCFQDN, $krbTgtSamAccountName, $localADforest, $adminCrds) { + # Retrieve The KrgTgt Object In The AD Domain BEFORE THE PASSWORD SET + $krbTgtObjectBefore = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$krbTgtObjectBefore = Get-ADUser -LDAPFilter "(sAMAccountName=$krbTgtSamAccountName)" -Properties * -Server $targetedADdomainRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $krbTgtObjectBefore = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$krbTgtSamAccountName))" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object With 'sAMAccountName=$krbTgtSamAccountName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$krbTgtObjectBefore = Get-ADUser -LDAPFilter "(sAMAccountName=$krbTgtSamAccountName)" -Properties * -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $krbTgtObjectBefore = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$krbTgtSamAccountName))" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For Contact Object With 'sAMAccountName=$krbTgtSamAccountName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Get The DN Of The KrgTgt Object In The AD Domain BEFORE THE PASSWORD SET + $krbTgtObjectBeforeDN = $null + $krbTgtObjectBeforeDN = $krbTgtObjectBefore.DistinguishedName + + # Get The Password Last Set Value From The KrgTgt Object In The AD Domain BEFORE THE PASSWORD SET + $krbTgtObjectBeforePwdLastSet = $null + $krbTgtObjectBeforePwdLastSet = Get-Date $([datetime]::fromfiletime($krbTgtObjectBefore.pwdLastSet)) -f "yyyy-MM-dd HH:mm:ss" + + # Get The Metadata Of The Object, And More Specific Of The pwdLastSet Attribute Of That Object BEFORE THE PASSWORD SET + $objectMetadataBefore = $null + $objectMetadataBefore = retrieveObjectMetadata $targetedADdomainRWDCFQDN $krbTgtObjectBeforeDN $localADforest $adminCrds + $objectMetadataBeforeAttribPwdLastSet = $null + $objectMetadataBeforeAttribPwdLastSet = $objectMetadataBefore | Where-Object{$_.Name -eq "pwdLastSet"} + $objectMetadataBeforeAttribPwdLastSetOrgRWDCFQDN = $null + $objectMetadataBeforeAttribPwdLastSetOrgRWDCFQDN = If ($objectMetadataBeforeAttribPwdLastSet.OriginatingServer) {$objectMetadataBeforeAttribPwdLastSet.OriginatingServer} Else {"RWDC Demoted"} + $objectMetadataBeforeAttribPwdLastSetOrgTime = $null + $objectMetadataBeforeAttribPwdLastSetOrgTime = Get-Date $($objectMetadataBeforeAttribPwdLastSet.LastOriginatingChangeTime) -f "yyyy-MM-dd HH:mm:ss" + $objectMetadataBeforeAttribPwdLastSetVersion = $null + $objectMetadataBeforeAttribPwdLastSetVersion = $objectMetadataBeforeAttribPwdLastSet.Version + + Logging " --> RWDC To Reset Password On.............: '$targetedADdomainRWDCFQDN'" + Logging " --> sAMAccountName Of KrbTgt Account......: '$krbTgtSamAccountName'" + Logging " --> Distinguished Name Of KrbTgt Account..: '$krbTgtObjectBeforeDN'" + + # Specify The Number Of Characters The Generate Password Should Contain + $passwdNrChars = 64 + Logging " --> Number Of Chars For Pwd Generation....: '$passwdNrChars'" + + # Generate A New Password With The Specified Length (Text) + $newKrbTgtPassword = $null + $newKrbTgtPassword = (generateNewComplexPassword $passwdNrChars).ToString() + + # Convert The Text Based Version Of The New Password To A Secure String + #$newKrbTgtPasswordSecure = $null + #$newKrbTgtPasswordSecure = ConvertTo-SecureString $newKrbTgtPassword -AsPlainText -Force + + # Try To Set The New Password On The Targeted KrbTgt Account And If Not Successfull Throw Error + Try { + $krbTgtObj = [PSCustomObject]@{distinguishedName = $null; unicodePwd = $null} + $krbTgtObj.distinguishedName = $krbTgtObjectBeforeDN + $krbTgtObj.unicodePwd = $newKrbTgtPassword + #Register-LdapAttributeTransform -name unicodePwd -AttributeName unicodePwd + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + #Set-ADAccountPassword -Identity $krbTgtObjectBeforeDN -Server $targetedADdomainRWDCFQDN -Reset -NewPassword $newKrbTgtPasswordSecure + Edit-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -Mode Replace -Object $krbTgtObj -BinaryProps unicodePwd + } + If ($localADforest -eq $false -And $adminCrds) { + #Set-ADAccountPassword -Identity $krbTgtObjectBeforeDN -Server $targetedADdomainRWDCFQDN -Reset -NewPassword $newKrbTgtPasswordSecure -Credential $adminCrds + Edit-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -Mode Replace -Object $krbTgtObj -BinaryProps unicodePwd + } + } Catch { + Logging "" + Logging " --> Setting the new password for [$krbTgtObjectBeforeDN] FAILED on RWDC [$targetedADdomainRWDCFQDN]!..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + + # Retrieve The KrgTgt Object In The AD Domain AFTER THE PASSWORD SET + $krbTgtObjectAfter = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$krbTgtObjectAfter = Get-ADUser -LDAPFilter "(sAMAccountName=$krbTgtSamAccountName)" -Properties * -Server $targetedADdomainRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $krbTgtObjectAfter = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$krbTgtSamAccountName))" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object With 'sAMAccountName=$krbTgtSamAccountName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$krbTgtObjectAfter = Get-ADUser -LDAPFilter "(sAMAccountName=$krbTgtSamAccountName)" -Properties * -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $krbTgtObjectAfter = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$krbTgtSamAccountName))" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object With 'sAMAccountName=$krbTgtSamAccountName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Get The DN Of The KrgTgt Object In The AD Domain AFTER THE PASSWORD SET + $krbTgtObjectAfterDN = $null + $krbTgtObjectAfterDN = $krbTgtObjectAfter.DistinguishedName + + # Get The Password Last Set Value From The KrgTgt Object In The AD Domain AFTER THE PASSWORD SET + $krbTgtObjectAfterPwdLastSet = $null + $krbTgtObjectAfterPwdLastSet = Get-Date $([datetime]::fromfiletime($krbTgtObjectAfter.pwdLastSet)) -f "yyyy-MM-dd HH:mm:ss" + + # Get The Metadata Of The Object, And More Specific Of The pwdLastSet Attribute Of That Object AFTER THE PASSWORD SET + $objectMetadataAfter = $null + $objectMetadataAfter = retrieveObjectMetadata $targetedADdomainRWDCFQDN $krbTgtObjectAfterDN $localADforest $adminCrds + $objectMetadataAfterAttribPwdLastSet = $null + $objectMetadataAfterAttribPwdLastSet = $objectMetadataAfter | Where-Object{$_.Name -eq "pwdLastSet"} + $objectMetadataAfterAttribPwdLastSetOrgRWDCFQDN = $null + $objectMetadataAfterAttribPwdLastSetOrgRWDCFQDN = If ($objectMetadataAfterAttribPwdLastSet.OriginatingServer) {$objectMetadataAfterAttribPwdLastSet.OriginatingServer} Else {"RWDC Demoted"} + $objectMetadataAfterAttribPwdLastSetOrgTime = $null + $objectMetadataAfterAttribPwdLastSetOrgTime = Get-Date $($objectMetadataAfterAttribPwdLastSet.LastOriginatingChangeTime) -f "yyyy-MM-dd HH:mm:ss" + $objectMetadataAfterAttribPwdLastSetVersion = $null + $objectMetadataAfterAttribPwdLastSetVersion = $objectMetadataAfterAttribPwdLastSet.Version + + Logging "" + Logging " --> Previous Password Set Date/Time.......: '$krbTgtObjectBeforePwdLastSet'" + If ($krbTgtObjectAfterPwdLastSet -ne $krbTgtObjectBeforePwdLastSet) { + Logging " --> New Password Set Date/Time............: '$krbTgtObjectAfterPwdLastSet'" + } + Logging "" + Logging " --> Previous Originating RWDC.............: '$objectMetadataBeforeAttribPwdLastSetOrgRWDCFQDN'" + If ($krbTgtObjectAfterPwdLastSet -ne $krbTgtObjectBeforePwdLastSet) { + Logging " --> New Originating RWDC..................: '$objectMetadataAfterAttribPwdLastSetOrgRWDCFQDN'" + } + Logging "" + Logging " --> Previous Originating Time.............: '$objectMetadataBeforeAttribPwdLastSetOrgTime'" + If ($krbTgtObjectAfterPwdLastSet -ne $krbTgtObjectBeforePwdLastSet) { + Logging " --> New Originating Time..................: '$objectMetadataAfterAttribPwdLastSetOrgTime'" + } + Logging "" + Logging " --> Previous Version Of Attribute Value...: '$objectMetadataBeforeAttribPwdLastSetVersion'" + If ($krbTgtObjectAfterPwdLastSet -ne $krbTgtObjectBeforePwdLastSet) { + Logging " --> New Version Of Attribute Value........: '$objectMetadataAfterAttribPwdLastSetVersion'" + } + + # Check And Confirm If The Password Value Has Been Updated By Comparing The Password Last Set Before And After The Reset + If ($krbTgtObjectAfterPwdLastSet -ne $krbTgtObjectBeforePwdLastSet) { + Logging "" + Logging " --> The new password for [$krbTgtObjectAfterDN] HAS BEEN SET on RWDC [$targetedADdomainRWDCFQDN]!..." "REMARK" + Logging "" "REMARK" + } +} + +### FUNCTION: Replicate Single AD Object +# INFO: https://msdn.microsoft.com/en-us/library/cc223306.aspx +Function replicateSingleADObject($sourceDCNTDSSettingsObjectDN, $targetDCFQDN, $objectDN, $contentScope, $localADforest, $adminCrds) { + # Define And Target The root DSE Context + $rootDSE = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + $rootDSE = [ADSI]"LDAP://$targetDCFQDN/rootDSE" + } Catch { + Logging "" "ERROR" + Logging "Error Connecting To '$targetDCFQDN' For 'rootDSE'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + $rootDSE = New-Object System.DirectoryServices.DirectoryEntry(("LDAP://$targetDCFQDN/rootDSE"), $($adminCrds.UserName), $($adminCrds.GetNetworkCredential().password)) + } Catch { + Logging "" "ERROR" + Logging "Error Connecting To '$targetDCFQDN' For 'rootDSE' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Perform A Replicate Single Object For The Complete Object + If ($contentScope -eq "Full") { + Try { + $rootDSE.Put("replicateSingleObject", $sourceDCNTDSSettingsObjectDN + ":" + $objectDN) + } Catch { + Logging "" "ERROR" + Logging "Replicate Single Object (Full) Failed From '$sourceDCNTDSSettingsObjectDN' To '$targetDCFQDN' For Object '$objectDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Perform A Replicate Single Object For Obnly The Secrets Of The Object + If ($contentScope -eq "Secrets") { + Try { + $rootDSE.Put("replicateSingleObject", $sourceDCNTDSSettingsObjectDN + ":" + $objectDN + ":SECRETS_ONLY") + } Catch { + Logging "" "ERROR" + Logging "Replicate Single Object (Secrets Only) Failed From '$sourceDCNTDSSettingsObjectDN' To '$targetDCFQDN' For Object '$objectDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Commit The Change To The Operational Attribute + Try { + $rootDSE.SetInfo() + } Catch { + Logging "" "ERROR" + Logging "Triggering Replicate Single Object On '$targetDCFQDN' From '$sourceDCNTDSSettingsObjectDN' Failed For Object '$objectDN' Using The '$contentScope' Scope..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } +} + +### FUNCTION: Delete/Cleanup Temporary Canary Object +Function deleteTempCanaryObject($targetedADdomainRWDCFQDN, $targetObjectToCheckDN, $localADforest, $adminCrds) { + # Try To Delete The Canary Object In The AD Domain And If Not Successfull Throw Error + Try { + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + #Remove-ADObject -Identity $targetObjectToCheckDN -Server $targetedADdomainRWDCFQDN -Confirm:$false + Remove-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -Object $targetObjectToCheckDN + } + If ($localADforest -eq $false -And $adminCrds) { + #Remove-ADObject -Identity $targetObjectToCheckDN -Server $targetedADdomainRWDCFQDN -Credential $adminCrds -Confirm:$false + Remove-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -Object $targetObjectToCheckDN + } + } Catch { + Logging " --> Temp Canary Object [$targetObjectToCheckDN] FAILED TO BE DELETED on RWDC [$targetedADdomainRWDCFQDN]!..." "ERROR" + Logging " --> Manually delete the Temp Canary Object [$targetObjectToCheckDN] on RWDC [$targetedADdomainRWDCFQDN]!..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + + # Retrieve The Temporary Canary Object From The AD Domain And If It Does Not Exist It Was Deleted Successfully + $targetObjectToCheck = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$targetObjectToCheck = Get-ADObject -LDAPFilter "(distinguishedName=$targetObjectToCheckDN)" -Server $targetedADdomainRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $targetObjectToCheck = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$targetObjectToCheckDN)" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object With 'distinguishedName=$targetObjectToCheckDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$targetObjectToCheck = Get-ADObject -LDAPFilter "(distinguishedName=$targetObjectToCheckDN)" -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $targetObjectToCheck = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$targetObjectToCheckDN)" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object With 'distinguishedName=$targetObjectToCheckDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If (!$targetObjectToCheck) { + Logging " --> Temp Canary Object [$targetObjectToCheckDN] DELETED on RWDC [$targetedADdomainRWDCFQDN]!..." "REMARK" + Logging "" "REMARK" + } +} + +### FUNCTION: Check AD Replication Convergence +Function checkADReplicationConvergence($targetedADdomainFQDN, $targetedADdomainSourceRWDCFQDN, $targetObjectToCheckDN, $listOfDCsToCheckObjectOnStart, $listOfDCsToCheckObjectOnEnd, $modeOfOperationNr, $localADforest, $adminCrds) { + # Determine The Starting Time + $startDateTime = Get-Date + + # Counter + $c = 0 + + # Boolean To Use In The While Condition + $continue = $true + + # The Delay In Seconds Before The Next Check Iteration + $delay = 0.1 + + While ($continue) { + $c++ + $oldpos = $host.UI.RawUI.CursorPosition + Logging "" + Logging " =================================================================== CHECK $c ===================================================================" + Logging "" + + # Wait For The Duration Of The Configured Delay Before Trying Again + Start-Sleep $delay + + # Variable Specifying The Object Is In Sync + $replicated = $true + + # For Each DC To Check On The Starting List With All DCs To Check Execute The Following... + ForEach ($dcToCheck in $listOfDCsToCheckObjectOnStart) { + # HostName Of The DC To Check + $dcToCheckHostName = $null + $dcToCheckHostName = $dcToCheck."Host Name" + + # Is The DC To Check Also The PDC? + $dcToCheckIsPDC = $null + $dcToCheckIsPDC = $dcToCheck.PDC + + # Type (RWDC Or RODC) Of The DC To Check + $dcToCheckDSType = $null + $dcToCheckDSType = $dcToCheck."DS Type" + + # SiteName Of The DC To Check + $dcToCheckSiteName = $null + $dcToCheckSiteName = $dcToCheck."Site Name" + + # IP Address Of The DC To Check + $dcToCheckIPAddress = $null + $dcToCheckIPAddress = $dcToCheck."IP Address" + + # Reachability Of The DC To Check + $dcToCheckReachability = $null + $dcToCheckReachability = $dcToCheck.Reachable + + # HostName Of The Source RWDC Of The DC To Check + #$dcToCheckSourceRWDCFQDN = $null + #$dcToCheckSourceRWDCFQDN = $dcToCheck."Source RWDC FQDN" + + # DSA DN Of The Source RWDC Of The DC To Check + $dcToCheckSourceRWDCNTDSSettingsObjectDN = $null + $dcToCheckSourceRWDCNTDSSettingsObjectDN = $dcToCheck."Source RWDC DSA" + + # If Mode 3, Simulate Password Reset Of KrbTgt TEST/BOGUS Accounts (No Password Reset/WhatIf Mode) + # If Mode 4, Do A Real Password Reset Of KrbTgt TEST/BOGUS Accounts (Password Reset!) + # If Mode 5, Simulate Password Reset Of KrbTgt PROD/REAL Accounts (No Password Reset/WhatIf Mode) + # If Mode 6, Do A Real Password Reset Of KrbTgt PROD/REAL Accounts (Password Reset!) + If ($modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 5 -Or $modeOfOperationNr -eq 6) { + # Retrieve The Object From The Source Originating RWDC + $objectOnSourceOrgRWDC = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$objectOnSourceOrgRWDC = Get-ADObject -Identity $targetObjectToCheckDN -Properties * -Server $targetedADdomainSourceRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $objectOnSourceOrgRWDC = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$targetObjectToCheckDN)" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainSourceRWDCFQDN' For Object '$targetObjectToCheckDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$objectOnSourceOrgRWDC = Get-ADObject -Identity $targetObjectToCheckDN -Properties * -Server $targetedADdomainSourceRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $objectOnSourceOrgRWDC = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$targetObjectToCheckDN)" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainSourceRWDCFQDN' For Object '$targetObjectToCheckDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Retrieve The Password Last Set Of The Object On The Source Originating RWDC + $objectOnSourceOrgRWDCPwdLastSet = $null + $objectOnSourceOrgRWDCPwdLastSet = Get-Date $([datetime]::fromfiletime($objectOnSourceOrgRWDC.pwdLastSet)) -f "yyyy-MM-dd HH:mm:ss" + } + + # When The DC To Check Is Also The Source (Originating) RWDC + If ($dcToCheckHostName -eq $targetedADdomainSourceRWDCFQDN) { + Logging " - Contacting DC in AD domain ...[$($dcToCheckHostName.ToUpper())]...(SOURCE RWDC)" + Logging " * DC is Reachable..." "SUCCESS" + + # For Mode 2 Only + If ($modeOfOperationNr -eq 2) { + Logging " * Object [$targetObjectToCheckDN] exists in the AD database" "SUCCESS" + } + + # For Mode 3 Or 4 Or 5 Or 6 Only + If ($modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 5 -Or $modeOfOperationNr -eq 6) { + Logging " * The (new) password for Object [$targetObjectToCheckDN] exists in the AD database" "SUCCESS" + } + Logging "" + CONTINUE + } + + Logging " - Contacting DC in AD domain ...[$($dcToCheckHostName.ToUpper())]..." + If ($dcToCheckReachability -eq $true) { + # When The DC To Check Is Reachable + Logging " * DC is Reachable..." "SUCCESS" + + # When The DC To Check Is Not The Source (Originating) RWDC + If ($dcToCheckHostName -ne $targetedADdomainSourceRWDCFQDN) { + # As The DSA DN Use The DSA DN Of The Source (Originating) RWDC Of The DC Being Checked + $sourceDCNTDSSettingsObjectDN = $dcToCheckSourceRWDCNTDSSettingsObjectDN + + # For Mode 2 Perform A Full Replicate Single Object + If ($modeOfOperationNr -eq 2) { + $contentScope = "Full" + } + + # For Mode 3 Or 4 Or 5 Or 6 Only + If ($modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 5 -Or $modeOfOperationNr -eq 6) { + # If The DC Being Checked Is An RWDC Perform A Full Replicate Single Object + If ($dcToCheckDSType -eq "Read/Write") { + $contentScope = "Full" + } + + # If The DC Being Checked Is An RODC Perform A Partial Replicate Single Object (Secrets Only) + If ($dcToCheckDSType -eq "Read-Only") { + $contentScope = "Secrets" + } + } + + # Execute The Replicate Single Object Function For The Targeted Object To Check + replicateSingleADObject $sourceDCNTDSSettingsObjectDN $dcToCheckHostName $targetObjectToCheckDN $contentScope $localADforest $adminCrds + } + + # For Mode 2 From The DC to Check Retrieve The AD Object Of The Temporary Canary Object That Was Created On The Source (Originating) RWDC + If ($modeOfOperationNr -eq 2) { + $targetObjectToCheck = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$targetObjectToCheck = Get-ADObject -LDAPFilter "(distinguishedName=$targetObjectToCheckDN)" -Server $dcToCheckHostName + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$dcToCheckHostName -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $targetObjectToCheck = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$dcToCheckHostName -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$targetObjectToCheckDN)" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$dcToCheckHostName' For Object With 'distinguishedName=$targetObjectToCheckDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$targetObjectToCheck = Get-ADObject -LDAPFilter "(distinguishedName=$targetObjectToCheckDN)" -Server $dcToCheckHostName -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$dcToCheckHostName -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $targetObjectToCheck = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$dcToCheckHostName -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$targetObjectToCheckDN)" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$dcToCheckHostName' For User Object With 'distinguishedName=$targetObjectToCheckDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + } + + # For Mode 3 Or 4 From The DC to Check Retrieve The AD Object Of The Targeted KrbTgt Account (And Its Password Last Set) That Had Its Password Reset On The Source (Originating) RWDC + If ($modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 5 -Or $modeOfOperationNr -eq 6) { + # Retrieve The Object From The Target DC + $objectOnTargetDC = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$objectOnTargetDC = Get-ADObject -Identity $targetObjectToCheckDN -Properties * -Server $dcToCheckHostName + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$dcToCheckHostName -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $objectOnTargetDC = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$dcToCheckHostName -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$targetObjectToCheckDN)" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$dcToCheckHostName' For Object '$targetObjectToCheckDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$objectOnTargetDC = Get-ADObject -Identity $targetObjectToCheckDN -Properties * -Server $dcToCheckHostName -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$dcToCheckHostName -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $objectOnTargetDC = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$dcToCheckHostName -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$targetObjectToCheckDN)" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$dcToCheckHostName' For Object '$targetObjectToCheckDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Retrieve The Password Last Set Of The Object On The Target DC + $objectOnTargetDCPwdLastSet = $null + $objectOnTargetDCPwdLastSet = Get-Date $([datetime]::fromfiletime($objectOnTargetDC.pwdLastSet)) -f "yyyy-MM-dd HH:mm:ss" + } + } Else { + # When The DC To Check Is Not Reachable + Logging " * DC is NOT reachable..." "ERROR" + } + + If ($dcToCheckReachability -eq $true) { + # When The DC To Check Is Reachable + + If ($targetObjectToCheck -Or $objectOnTargetDCPwdLastSet -eq $objectOnSourceOrgRWDCPwdLastSet) { + # If The Target Object To Check Does Exist Or Its Password Last Set Does Match With The Password Last Set Of The Object On The Source (Originating) RWDC + # For Mode 2 Only + If ($modeOfOperationNr -eq 2) { + Logging " * Object [$targetObjectToCheckDN] now does exist in the AD database" "SUCCESS" + } + + # For Mode 3 Or 4 Or 5 Or 6 Only + If ($modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 5 -Or $modeOfOperationNr -eq 6) { + Logging " * The (new) password for Object [$targetObjectToCheckDN] now does exist in the AD database" "SUCCESS" + } + Logging "" "SUCCESS" + + # If The DC To Check Does Not Yet Exist On The Ending List With All DCs That Were Checked, Then Add It To The Ending List + If (!($listOfDCsToCheckObjectOnEnd | Where-Object{$_."Host Name" -eq $dcToCheckHostName})) { + $listOfDCsToCheckObjectOnEndObj = New-Object -TypeName System.Object + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "Host Name" -Value $dcToCheckHostName + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "PDC" -Value $dcToCheckIsPDC + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "Site Name" -Value $dcToCheckSiteName + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "DS Type" -Value $dcToCheckDSType + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "IP Address" -Value $dcToCheckIPAddress + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "Reachable" -Value $dcToCheckReachability + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "Source RWDC FQDN" -Value $targetedADdomainSourceRWDCFQDN + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "Time" -Value $(("{0:n2}" -f ((Get-Date) - $startDateTime).TotalSeconds)) + $listOfDCsToCheckObjectOnEnd += $listOfDCsToCheckObjectOnEndObj + } + } Else { + # If The Target Object To Check Does Not Exist Or Its Password Last Set Does Not Match (Yet) With The Password Last Set Of The Object On The Source (Originating) RWDC + # For Mode 2 Only + If ($modeOfOperationNr -eq 2) { + Logging " * Object [$targetObjectToCheckDN] does NOT exist yet in the AD database" "WARNING" + } + + # For Mode 3 Or 4 Or 5 Or 6 Only + If ($modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 5 -Or $modeOfOperationNr -eq 6) { + Logging " * The (new) password for Object [$targetObjectToCheckDN] does NOT exist yet in the AD database" "WARNING" + } + Logging "" "WARNING" + + # Variable Specifying The Object Is Not In Sync + $replicated = $false + } + } Else { + # When The DC To Check Is Not Reachable + Logging " * Unable to connect to DC and check for Object [$targetObjectToCheckDN]..." "ERROR" + Logging "" "WARNING" + + # If The DC To Check Does Not Yet Exist On The Ending List With All DCs That Were Checked, Then Add It To The Ending List + If (!($listOfDCsToCheckObjectOnEnd | Where-Object{$_."Host Name" -eq $dcToCheckHostName})) { + $listOfDCsToCheckObjectOnEndObj = New-Object -TypeName System.Object + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "Host Name" -Value $dcToCheckHostName + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "PDC" -Value $dcToCheckIsPDC + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "Site Name" -Value $dcToCheckSiteName + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "DS Type" -Value $dcToCheckDSType + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "IP Address" -Value $dcToCheckIPAddress + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "Reachable" -Value $dcToCheckReachability + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "Source RWDC FQDN" -Value $targetedADdomainSourceRWDCFQDN + $listOfDCsToCheckObjectOnEndObj | Add-Member -MemberType NoteProperty -Name "Time" -Value "" + $listOfDCsToCheckObjectOnEnd += $listOfDCsToCheckObjectOnEndObj + } + } + } + + # If The Object Is In Sync + If ($replicated) { + # Do Not Continue For The DC That Is Being Checked + $continue = $false + } Else { + # Do Continue For The DC That Is Being Checked And Move The Cursor Back To The Initial Position + $host.UI.RawUI.CursorPosition = $oldpos + } + } + + # Determine The Ending Time + $endDateTime = Get-Date + + # Calculate The Duration + $duration = "{0:n2}" -f ($endDateTime.Subtract($startDateTime).TotalSeconds) + Logging "" + Logging " --> Start Time......: $(Get-Date $startDateTime -format 'yyyy-MM-dd HH:mm:ss')" + Logging " --> End Time........: $(Get-Date $endDateTime -format 'yyyy-MM-dd HH:mm:ss')" + Logging " --> Duration........: $duration Seconds" + Logging "" + + # If Mode 2 Was Being Executed, Then Delete The Temp Canary Object On The Source (Originating) RWDC + If ($modeOfOperationNr -eq 2) { + # Retrieve The Temp Canary Object From The Source (Originating) RWDC + $targetObjectToCheck = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$targetObjectToCheck = Get-ADObject -LDAPFilter "(distinguishedName=$targetObjectToCheckDN)" -Server $targetedADdomainSourceRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $targetObjectToCheck = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$targetObjectToCheckDN)" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainSourceRWDCFQDN' For Object '$targetObjectToCheckDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$targetObjectToCheck = Get-ADObject -LDAPFilter "(distinguishedName=$targetObjectToCheckDN)" -Server $targetedADdomainSourceRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $targetObjectToCheck = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$targetObjectToCheckDN)" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainSourceRWDCFQDN' For Object '$targetObjectToCheckDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # If The Temp Canary Object Exists On The Source (Originating) RWDC, Then Delete It + If ($targetObjectToCheck) { + # Execute The Deletion Of The Temp Canary Object On The Source (Originating) RWDC. There Is No Need To Force Deletion Of The Object On All The Other DCs As In Time It Will Be Deleted + deleteTempCanaryObject $targetedADdomainSourceRWDCFQDN $targetObjectToCheckDN $localADforest $adminCrds + } + } + + # Sort The Ending List With All DCs That Were Checked + $listOfDCsToCheckObjectOnEnd = $listOfDCsToCheckObjectOnEnd | Sort-Object -Property @{Expression = "Time"; Descending = $False} | Format-Table -Autosize + Logging "" + Logging "List Of DCs In AD Domain '$targetedADdomainFQDN' And Their Timing..." + Logging "" + Logging "$($listOfDCsToCheckObjectOnEnd | Out-String)" + Logging "" +} + +### FUNCTION: Create Test Krbtgt Accounts +Function createTestKrbTgtADAccount($targetedADdomainRWDCFQDN, $krbTgtInUseByDCFQDN, $krbTgtSamAccountName, $krbTgtUse, $targetedADdomainDomainSID, $localADforest, $adminCrds) { + # Determine The DN Of The Default NC Of The Targeted Domain + $targetedADdomainDefaultNC = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$targetedADdomainDefaultNC = (Get-ADRootDSE -Server $targetedADdomainRWDCFQDN).defaultNamingContext + $targetedADdomainDefaultNC = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + } Catch { + Logging "" "ERROR" + Logging "Error Connecting To '$targetedADdomainRWDCFQDN' For 'rootDSE'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$targetedADdomainDefaultNC = (Get-ADRootDSE -Server $targetedADdomainRWDCFQDN -Credential $adminCrds).defaultNamingContext + $targetedADdomainDefaultNC = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + } Catch { + Logging "" "ERROR" + Logging "Error Connecting To '$targetedADdomainRWDCFQDN' For 'rootDSE' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Determine The DN Of The Users Container Of The Targeted Domain + $containerForTestKrbTgtAccount = $null + $containerForTestKrbTgtAccount = "CN=Users," + $targetedADdomainDefaultNC + + # Set The SamAccountName For The Test/Bogus KrbTgt Account + $testKrbTgtObjectSamAccountName = $null + $testKrbTgtObjectSamAccountName = $krbTgtSamAccountName + + # Set The Name For The Test/Bogus KrbTgt Account + $testKrbTgtObjectName = $null + $testKrbTgtObjectName = $testKrbTgtObjectSamAccountName + + # Set The Description For The Test/Bogus KrbTgt Account + $testKrbTgtObjectDescription = $null + + # Set The Description For The Test/Bogus KrbTgt Account For RWDCs + If ($krbTgtUse -eq "RWDC") { + $testKrbTgtObjectDescription = "Test Copy Representing '$($krbTgtSamAccountName.SubString(0,$krbTgtSamAccountName.IndexOf('_TEST')))' - Key Distribution Center Service Account For RWDCs" + } + + # Set The Description For The Test/Bogus KrbTgt Account For RODCs + If ($krbTgtUse -eq "RODC") { + $testKrbTgtObjectDescription = "Test Copy Representing '$($krbTgtSamAccountName.SubString(0,$krbTgtSamAccountName.IndexOf('_TEST')))' - Key Distribution Center Service Account For RODC '$krbTgtInUseByDCFQDN'" + } + + # Generate The DN Of The Test KrbTgt Object + $testKrbTgtObjectDN = $null + $testKrbTgtObjectDN = "CN=" + $testKrbTgtObjectName + "," + $containerForTestKrbTgtAccount + + # Display Information About The Test KrbTgt To Be Created/Edited + Logging " --> RWDC To Create/Update Object On.......: '$targetedADdomainRWDCFQDN'" + Logging " --> Full Name Test KrbTgt Account.........: '$testKrbTgtObjectName'" + Logging " --> Description...........................: '$testKrbTgtObjectDescription'" + Logging " --> Container Test KrbTgt Account.........: '$containerForTestKrbTgtAccount'" + If ($krbTgtUse -eq "RWDC") { + Logging " --> To Be Used By DC(s)...................: 'All RWDCs'" + } + If ($krbTgtUse -eq "RODC") { + Logging " --> To Be Used By RODC....................: '$krbTgtInUseByDCFQDN'" + } + + # If The Test/Bogus KrbTgt Account Is Used By RWDCs + If ($krbTgtUse -eq "RWDC") { + $deniedRODCPwdReplGroupRID = "572" + $deniedRODCPwdReplGroupObjectSID = $targetedADdomainDomainSID + "-" + $deniedRODCPwdReplGroupRID + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$deniedRODCPwdReplGroupObjectName = (Get-ADGroup -Identity $deniedRODCPwdReplGroupObjectSID -Server $targetedADdomainRWDCFQDN).Name + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $deniedRODCPwdReplGroupObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(objectSID=$deniedRODCPwdReplGroupObjectSID)" -PropertiesToLoad @("name") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For Group Object With 'objectSID=$deniedRODCPwdReplGroupObjectSID'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$deniedRODCPwdReplGroupObjectName = (Get-ADGroup -Identity $deniedRODCPwdReplGroupObjectSID -Server $targetedADdomainRWDCFQDN -Credential $adminCrds).Name + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $deniedRODCPwdReplGroupObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(objectSID=$deniedRODCPwdReplGroupObjectSID)" -PropertiesToLoad @("name") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For Group Object With 'objectSID=$deniedRODCPwdReplGroupObjectSID' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + $deniedRODCPwdReplGroupObjectDN = $deniedRODCPwdReplGroupObject.distinguishedName + $deniedRODCPwdReplGroupObjectName = $deniedRODCPwdReplGroupObject.name + Logging " --> Membership Of RODC PRP Group..........: '$deniedRODCPwdReplGroupObjectName' ('$deniedRODCPwdReplGroupObjectDN')" + } + + # If The Test/Bogus KrbTgt Account Is Used By RODCs + If ($krbTgtUse -eq "RODC") { + $allowedRODCPwdReplGroupRID = "571" + $allowedRODCPwdReplGroupObjectSID = $targetedADdomainDomainSID + "-" + $allowedRODCPwdReplGroupRID + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$allowedRODCPwdReplGroupObjectName = (Get-ADGroup -Identity $allowedRODCPwdReplGroupObjectSID -Server $targetedADdomainRWDCFQDN).Name + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $allowedRODCPwdReplGroupObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(objectSID=$allowedRODCPwdReplGroupObjectSID)" -PropertiesToLoad @("name") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For Group Object With 'objectSID=$allowedRODCPwdReplGroupObjectSIDD'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$allowedRODCPwdReplGroupObjectName = (Get-ADGroup -Identity $allowedRODCPwdReplGroupObjectSID -Server $targetedADdomainRWDCFQDN -Credential $adminCrds).Name + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $allowedRODCPwdReplGroupObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(objectSID=$allowedRODCPwdReplGroupObjectSID)" -PropertiesToLoad @("name") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For Group Object With 'objectSID=$allowedRODCPwdReplGroupObjectSID' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + $allowedRODCPwdReplGroupObjectDN = $allowedRODCPwdReplGroupObject.distinguishedName + $allowedRODCPwdReplGroupObjectName = $allowedRODCPwdReplGroupObject.name + Logging " --> Membership Of RODC PRP Group..........: '$allowedRODCPwdReplGroupObjectName' ('$allowedRODCPwdReplGroupObjectDN')" + } + Logging "" + + # Check If The Test/Bogus KrbTgt Account Already Exists In AD + $testKrbTgtObject = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$testKrbTgtObject = Get-ADUser -LDAPFilter "(distinguishedName=$testKrbTgtObjectDN)" -Properties Description -Server $targetedADdomainRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $testKrbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$testKrbTgtObjectDN)" -PropertiesToLoad @("description") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object With 'distinguishedName=$testKrbTgtObjectDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$testKrbTgtObject = Get-ADUser -LDAPFilter "(distinguishedName=$testKrbTgtObjectDN)" -Properties Description -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $testKrbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$testKrbTgtObjectDN)" -PropertiesToLoad @("description") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object With 'distinguishedName=$testKrbTgtObjectDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($testKrbTgtObject) { + Logging " --> Test KrbTgt Account [$testKrbTgtObjectDN] ALREADY EXISTS on RWDC [$targetedADdomainRWDCFQDN]!..." "REMARK" + Logging "" + # Update The Description For The Test KrbTgt Account If There Is A Mismatch For Whatever Reason + If ($testKrbTgtObject.Description -ne $testKrbTgtObjectDescription) { + $testKrbTgtObj = [PSCustomObject]@{distinguishedName = $null; description = $null} + $testKrbTgtObj.distinguishedName = $testKrbTgtObjectDN + $testKrbTgtObj.description = $testKrbTgtObjectDescription + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #Set-ADUser -Identity $testKrbTgtObjectSamAccountName -description $testKrbTgtObjectDescription -Server $targetedADdomainRWDCFQDN + Edit-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -Mode Replace -Object $testKrbTgtObj + } Catch { + Logging "" "ERROR" + Logging "Error Updating User On '$targetedADdomainRWDCFQDN' For Object '$testKrbTgtObjectSamAccountName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #Set-ADUser -Identity $testKrbTgtObjectSamAccountName -description $testKrbTgtObjectDescription -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + Edit-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -Mode Replace -Object $testKrbTgtObj + } Catch { + Logging "" "ERROR" + Logging "Error Updating User On '$targetedADdomainRWDCFQDN' For Object '$testKrbTgtObjectSamAccountName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + Logging " --> Updated Description For Existing Test KrbTgt Account [$testKrbTgtObjectDN] on RWDC [$targetedADdomainRWDCFQDN] Due To Mismatch!..." "REMARK" + } + + # Check The Membership Of The Test KrbTgt Accounts And Update As Needed + $updateMembership = $false + If ($krbTgtUse -eq "RWDC") { + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + If (!(Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$testKrbTgtObjectSamAccountName)(memberOf:1.2.840.113556.1.4.1941:=$deniedRODCPwdReplGroupObjectDN))")) { + $updateMembership = $true + } + } Catch { + Logging "" "ERROR" + Logging "Error Checking Membership On '$targetedADdomainRWDCFQDN' Of Object '$testKrbTgtObjectSamAccountName' For Object '$deniedRODCPwdReplGroupObjectName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + If (!(Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$testKrbTgtObjectSamAccountName)(memberOf:1.2.840.113556.1.4.1941:=$deniedRODCPwdReplGroupObjectDN))")) { + $updateMembership = $true + } + } Catch { + Logging "" "ERROR" + Logging "Error Checking Membership On '$targetedADdomainRWDCFQDN' Of Object '$testKrbTgtObjectSamAccountName' For Object '$deniedRODCPwdReplGroupObjectName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + } + If ($krbTgtUse -eq "RODC") { + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + If (!(Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$testKrbTgtObjectSamAccountName)(memberOf:1.2.840.113556.1.4.1941:=$allowedRODCPwdReplGroupObjectDN))")) { + $updateMembership = $true + } + } Catch { + Logging "" "ERROR" + Logging "Error Checking Membership On '$targetedADdomainRWDCFQDN' Of Object '$testKrbTgtObjectSamAccountName' For Object '$allowedRODCPwdReplGroupObjectName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + If (!(Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$testKrbTgtObjectSamAccountName)(memberOf:1.2.840.113556.1.4.1941:=$allowedRODCPwdReplGroupObjectDN))")) { + $updateMembership = $true + } + } Catch { + Logging "" "ERROR" + Logging "Error Checking Membership On '$targetedADdomainRWDCFQDN' Of Object '$testKrbTgtObjectSamAccountName' For Object '$allowedRODCPwdReplGroupObjectName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + } + } Else { + # If The Test/Bogus KrbTgt Account Does Not Exist Yet In AD + # Specify The Number Of Characters The Generate Password Should Contain + $passwdNrChars = 64 + + # Generate A New Password With The Specified Length (Text) + $krbTgtPassword = $null + $krbTgtPassword = (generateNewComplexPassword $passwdNrChars).ToString() + + # Convert The Text Based Version Of The New Password To A Secure String + #$krbTgtPasswordSecure = $null + #$krbTgtPasswordSecure = ConvertTo-SecureString $krbTgtPassword -AsPlainText -Force + + # Try To Create The Test/Bogus KrbTgt Account In The AD Domain And If Not Successfull Throw Error + Try { + $testKrbTgtObj = [PSCustomObject]@{distinguishedName = $null; objectClass = $null; sAMAccountName = $null; displayName = $null; userAccountControl = 0; unicodePwd = $null; description = $null} + $testKrbTgtObj.distinguishedName = $testKrbTgtObjectDN + $testKrbTgtObj.objectClass = "user" + $testKrbTgtObj.sAMAccountName = $testKrbTgtObjectSamAccountName + $testKrbTgtObj.displayName = $testKrbTgtObjectName + $testKrbTgtObj.userAccountControl = 514 + $testKrbTgtObj.unicodePwd = $krbTgtPassword + $testKrbTgtObj.description = $testKrbTgtObjectDescription + #Register-LdapAttributeTransform -name unicodePwd -AttributeName unicodePwd + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #New-ADUser -SamAccountName $testKrbTgtObjectSamAccountName -Name $testKrbTgtObjectName -DisplayName $testKrbTgtObjectName -Path $containerForTestKrbTgtAccount -AccountPassword $krbTgtPasswordSecure -Enabled $False -description $testKrbTgtObjectDescription -Server $targetedADdomainRWDCFQDN + Add-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -Object $testKrbTgtObj -BinaryProps unicodePwd + } Catch { + Logging "" "ERROR" + Logging "Error Creating User On '$targetedADdomainRWDCFQDN' For Object '$testKrbTgtObjectSamAccountName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #New-ADUser -SamAccountName $testKrbTgtObjectSamAccountName -Name $testKrbTgtObjectName -DisplayName $testKrbTgtObjectName -Path $containerForTestKrbTgtAccount -AccountPassword $krbTgtPasswordSecure -Enabled $False -description $testKrbTgtObjectDescription -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + Add-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -Object $testKrbTgtObj -BinaryProps unicodePwd + } Catch { + Logging "" "ERROR" + Logging "Error Creating User On '$targetedADdomainRWDCFQDN' For Object '$testKrbTgtObjectSamAccountName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + } Catch { + #Logging "" "ERROR" + Logging " --> Test KrbTgt Account [$testKrbTgtObjectDN] FAILED TO BE CREATED on RWDC [$targetedADdomainRWDCFQDN]!..." "ERROR" + Logging "" "ERROR" + #Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + #Logging "" "ERROR" + #Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + #Logging "" "ERROR" + #Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + #Logging "" "ERROR" + } + + # Check The The Test/Bogus KrbTgt Account Exists And Was created In AD + $testKrbTgtObject = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$testKrbTgtObject = Get-ADObject -LDAPFilter "(&(objectClass=user)(name=$testKrbTgtObjectName))" -Server $targetedADdomainRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $testKrbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectClass=user)(name=$testKrbTgtObjectName))" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object With 'name=$testKrbTgtObjectName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$testKrbTgtObject = Get-ADObject -LDAPFilter "(&(objectClass=user)(name=$testKrbTgtObjectName))" -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $testKrbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectClass=user)(name=$testKrbTgtObjectName))" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object With 'name=$testKrbTgtObjectName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($testKrbTgtObject) { + $testKrbTgtObjectDN = $null + $testKrbTgtObjectDN = $testKrbTgtObject.DistinguishedName + Logging " --> New Test KrbTgt Account [$testKrbTgtObjectDN] CREATED on RWDC [$targetedADdomainRWDCFQDN]!..." "REMARK" + Logging "" "REMARK" + $updateMembership = $true + } Else { + $updateMembership = $false + } + } + + If ($testKrbTgtObject -And $updateMembership -eq $true) { + # If The Test/Bogus KrbTgt Account Already Exists In AD + # If The Test/Bogus KrbTgt Account Is Not Yet A Member Of The Specified AD Group, Then Add It As A Member + If ($krbTgtUse -eq "RWDC") { + # If The Test/Bogus KrbTgt Account Is Used By RWDCs + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #Add-ADGroupMember -Identity $deniedRODCPwdReplGroupObjectName -Members $testKrbTgtObjectDN -Server $targetedADdomainRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $deniedRODCPwdReplGroupObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectClass=group)(sAMAccountName=$deniedRODCPwdReplGroupObjectName))" -AdditionalProperties @('member') + $deniedRODCPwdReplGroupObject.member = $testKrbTgtObjectDN + Edit-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -Object $deniedRODCPwdReplGroupObject -Mode Add + } Catch { + Logging "" "ERROR" + Logging "Error Adding Members On '$targetedADdomainRWDCFQDN' For Group Object With 'name=$deniedRODCPwdReplGroupObjectName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #Add-ADGroupMember -Identity $deniedRODCPwdReplGroupObjectName -Members $testKrbTgtObjectDN -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $deniedRODCPwdReplGroupObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectClass=group)(sAMAccountName=$deniedRODCPwdReplGroupObjectName))" -AdditionalProperties @('member') + $deniedRODCPwdReplGroupObject.member = $testKrbTgtObjectDN + Edit-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -Object $deniedRODCPwdReplGroupObject -Mode Add + } Catch { + Logging "" "ERROR" + Logging "Error Retrieving Members On '$targetedADdomainRWDCFQDN' For Group Object With 'name=$deniedRODCPwdReplGroupObjectName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + Logging " --> Test KrbTgt Account [$testKrbTgtObjectDN] ADDED AS MEMBER OF [$deniedRODCPwdReplGroupObjectName]!..." "REMARK" + Logging "" "REMARK" + } + + If ($krbTgtUse -eq "RODC") { + # If The Test/Bogus KrbTgt Account Is Used By RODCs + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #Add-ADGroupMember -Identity $allowedRODCPwdReplGroupObjectName -Members $testKrbTgtObjectDN -Server $targetedADdomainRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $allowedRODCPwdReplGroupObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectClass=group)(sAMAccountName=$allowedRODCPwdReplGroupObjectName))" -AdditionalProperties @('member') + $allowedRODCPwdReplGroupObject.member = $testKrbTgtObjectDN + Edit-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -Object $allowedRODCPwdReplGroupObject -Mode Add + } Catch { + Logging "" "ERROR" + Logging "Error Adding Members On '$targetedADdomainRWDCFQDN' For Group Object With 'name=$allowedRODCPwdReplGroupObjectName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #Add-ADGroupMember -Identity $allowedRODCPwdReplGroupObjectName -Members $testKrbTgtObjectDN -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $allowedRODCPwdReplGroupObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectClass=group)(sAMAccountName=$allowedRODCPwdReplGroupObjectName))" -AdditionalProperties @('member') + $allowedRODCPwdReplGroupObject.member = $testKrbTgtObjectDN + Edit-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -Object $allowedRODCPwdReplGroupObject -Mode Add + } Catch { + Logging "" "ERROR" + Logging "Error Retrieving Members On '$targetedADdomainRWDCFQDN' For Group Object With 'name=$allowedRODCPwdReplGroupObjectName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + Logging " --> Test KrbTgt Account [$testKrbTgtObjectDN] ADDED AS MEMBER OF [$allowedRODCPwdReplGroupObjectName]!..." "REMARK" + Logging "" "REMARK" + } + } ElseIf ($testKrbTgtObject -And $updateMembership -eq $false) { + # If The Test/Bogus KrbTgt Account Is Already A Member Of The Specified AD Group + If ($krbTgtUse -eq "RWDC") { + Logging " --> Test KrbTgt Account [$testKrbTgtObjectDN] ALREADY MEMBER OF [$deniedRODCPwdReplGroupObjectName]!..." "REMARK" + } + If ($krbTgtUse -eq "RODC") { + Logging " --> Test KrbTgt Account [$testKrbTgtObjectDN] ALREADY MEMBER OF [$allowedRODCPwdReplGroupObjectName]!..." "REMARK" + } + Logging "" "REMARK" + } +} + +### FUNCTION: Delete Test Krbtgt Accounts +Function deleteTestKrbTgtADAccount($targetedADdomainRWDCFQDN, $krbTgtSamAccountName) { + # Check If The Test/Bogus KrbTgt Account Exists In AD + $testKrbTgtObject = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$testKrbTgtObject = Get-ADUser -LDAPFilter "(sAMAccountName=$krbTgtSamAccountName)" -Server $targetedADdomainRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $testKrbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$krbTgtSamAccountName))" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object With 'sAMAccountName=$krbTgtSamAccountName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$testKrbTgtObject = Get-ADUser -LDAPFilter "(sAMAccountName=$krbTgtSamAccountName)" -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $testKrbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$krbTgtSamAccountName))" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object 'sAMAccountName=$krbTgtSamAccountName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($testKrbTgtObject) { + # If It Does Exist In AD + $testKrbTgtObjectDN = $null + $testKrbTgtObjectDN = $testKrbTgtObject.DistinguishedName + Logging " --> RWDC To Delete Object On..............: '$targetedADdomainRWDCFQDN'" + Logging " --> Test KrbTgt Account DN................: '$testKrbTgtObjectDN'" + Logging "" + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #Remove-ADUser -Identity $testKrbTgtObjectDN -Server $targetedADdomainRWDCFQDN -Confirm:$false + Remove-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -Object $testKrbTgtObjectDN + } Catch { + Logging "" "ERROR" + Logging "Error Deleting User On '$targetedADdomainRWDCFQDN' For Object '$testKrbTgtObjectDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #Remove-ADUser -Identity $testKrbTgtObjectDN -Server $targetedADdomainRWDCFQDN -Credential $adminCrds -Confirm:$false + Remove-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -Object $testKrbTgtObjectDN + } Catch { + Logging "" "ERROR" + Logging "Error Deleting User On '$targetedADdomainRWDCFQDN' For Object '$testKrbTgtObjectDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + $testKrbTgtObject = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$testKrbTgtObject = Get-ADUser -LDAPFilter "(distinguishedName=$testKrbTgtObjectDN)" -Server $targetedADdomainRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $testKrbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$testKrbTgtObjectDN)" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object With 'distinguishedName=$testKrbTgtObjectDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$testKrbTgtObject = Get-ADUser -LDAPFilter "(distinguishedName=$testKrbTgtObjectDN)" -Server $targetedADdomainRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $testKrbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$testKrbTgtObjectDN)" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainRWDCFQDN' For User Object With 'distinguishedName=$testKrbTgtObjectDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If (!$testKrbTgtObject) { + Logging " --> Test KrbTgt Account [$testKrbTgtObjectDN] DELETED on RWDC [$targetedADdomainRWDCFQDN]!..." "REMARK" + Logging "" "REMARK" + } Else { + Logging " --> Test KrbTgt Account [$testKrbTgtObjectDN] FAILED TO BE DELETED on RWDC [$targetedADdomainRWDCFQDN]!..." "ERROR" + Logging " --> Manually delete the Test KrbTgt Account [$testKrbTgtObjectDN] on RWDC [$targetedADdomainRWDCFQDN]!..." "ERROR" + Logging "" "ERROR" + } + } Else { + # If It Does Not Exist In AD + Logging " --> Test KrbTgt Account [$testKrbTgtObjectDN] DOES NOT EXIST on RWDC [$targetedADdomainRWDCFQDN]!..." "WARNING" + Logging "" "WARNING" + } +} + +### FUNCTION: Send E-mail With Information +Function sendMailMessage($smtpServer, $smtpPort, $smtpCredsUserName, $smtpCredsPassword, $mailFromSender, $mailToRecipient, $mailCcRecipients, $mailPriority, $mailSubject, $mailBody, $mailAttachments, $mailSignAndEncryptDllFile, $mailSign, $mailSignAndEncryptCertLocation, $mailSignAndEncryptCertThumbprint, $mailSignAndEncryptCertPFXFile, $mailSignAndEncryptCertPFXPassword, $mailEncrypt, $mailEncryptCertLocation, $mailEncryptCertThumbprint, $mailEncryptCertCERFile) { + If ($mailSign.ToUpper() -eq "ON" -Or $mailEncrypt.ToUpper() -eq "ON") { + # Load Cpi.Net.SecureMail.dll + Add-Type -Path $mailSignAndEncryptDllFile + + # Create Cryptocertificate Object + If ($mailSign.ToUpper() -eq "ON" -Or $mailEncrypt.ToUpper() -eq "ON") { + If ($mailSignAndEncryptCertLocation.ToUpper() -eq "PFX") { + $mailSignAndEncryptCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($mailSignAndEncryptCertPFXFile, $mailSignAndEncryptCertPFXPassword) # Cert From The Sender If Applicable! + } + If ($mailSignAndEncryptCertLocation.ToUpper() -eq "STORE") { + $certStore = [System.Security.Cryptography.X509Certificates.X509Store]::new("My", "CurrentUser") + $certStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly) + $mailSignAndEncryptCert = $($certStore.Certificates.Find([System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $mailSignAndEncryptCertThumbprint, $true))[0] # Cert From The Sender If Applicable! + $certStore.Close() + } + } Else { + $mailSignCert = $null + } + If ($mailEncrypt.ToUpper() -eq "ON") { + If ($mailEncryptCertLocation.ToUpper() -eq "CER") { + $mailEncryptCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($mailEncryptCertCERFile) # Cert From The Recipient(s) If Applicable! + } + If ($mailEncryptCertLocation.ToUpper() -eq "STORE") { + $certStore = [System.Security.Cryptography.X509Certificates.X509Store]::new("My", "CurrentUser") + $certStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly) + $mailEncryptCert = $($certStore.Certificates.Find([System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $mailEncryptCertThumbprint, $true))[0] # Cert From The Recipient(s) If Applicable! + $certStore.Close() + } + } Else { + $mailEncryptCert = $null + } + + # Split Sender E-mail Adress To Get Sender Name + $mailFromSenderName = $mailFromSender -split '@' + + # Split Recipient E-mail Adress To Get Sender Name + $mailToRecipientName = $mailToRecipient -split '@' + + # Create Secure Mail Message Object + $mail = New-Object Cpi.Net.SecureMail.SecureMailMessage + $mail.From = New-Object Cpi.Net.SecureMail.SecureMailAddress($mailFromSender, $mailFromSenderName[0], $mailSignAndEncryptCert, $mailSignAndEncryptCert) + $mail.To.Add((New-Object Cpi.Net.SecureMail.SecureMailAddress($mailToRecipient, $mailToRecipientName[0], $mailEncryptCert))) + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + $mail.CC.Add((New-Object Cpi.Net.SecureMail.SecureMailAddress($_))) + } + } + $mail.Subject = $mailSubject + $mail.Priority = $mailPriority + $mail.Body = $mailBody + $mail.IsBodyHtml = $true + If ($mailAttachments.Length -gt 0) { + $mailAttachments | ForEach-Object { + $mail.Attachments.Add((New-Object Cpi.Net.SecureMail.SecureAttachment($_))) + } + } + # Set Mail Properties For Signing And Encryption + If ($mailSign.ToUpper() -eq "ON") { + $mail.IsSigned = $true + } Else { + $mail.IsSigned = $false + } + If ($mailEncrypt.ToUpper() -eq "ON") { + $mail.IsEncrypted = $true + } Else { + $mail.IsEncrypted = $false + } + + # Create SMTP-Client To Send Mail Message + $smtp = New-Object System.Net.Mail.SmtpClient($smtpServer, $smtpPort) + If ($useSSLForSMTP -eq "TRUE") { + $smtp.EnableSsl = $true + } Else { + $smtp.EnableSsl = $false + } + If ($null -ne $smtpCredsUserName -And $smtpCredsUserName -ne "LEAVE_EMPTY_OR_LEAVE_AS_IS_OR_SPECIFY" -And $null -ne $smtpCredsPassword -And $smtpCredsPassword -ne "LEAVE_EMPTY_OR_LEAVE_AS_IS_OR_SPECIFY") { + $smtp.Credentials = New-Object System.Net.NetworkCredential($smtpCredsUserName, $(ConvertTo-SecureString $smtpCredsPassword -AsPlainText -Force)) + } + + # Finally Send Mail + Try { + $smtp.Send($mail) + } Catch { + Write-Host "" + Write-Host "Error Sending Mail..." -ForeGroundColor Red + Write-Host "" + Write-Host "Exception Type......: $($_.Exception.GetType().FullName)" -ForeGroundColor Red + Write-Host "" + Write-Host "Exception Message...: $($_.Exception.Message)" -ForeGroundColor Red + Write-Host "" + Write-Host "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" -ForeGroundColor Red + Write-Host "" + } + } Else { + If ($sslType.ToUpper() -eq "IMPLICIT") { + # SOURCE: https://nicholasarmstrong.com/2009/12/sending-email-with-powershell-implicit-and-explicit-ssl/ + # Load System.Web assembly + [System.Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null + + # Create Mail Message Object + $mail = New-Object System.Web.Mail.MailMessage + $mail.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpserver", $smtpServer) + $mail.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpserverport", $smtpPort) + $mail.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpusessl", $true) + $mail.Fields.Add("http://schemas.microsoft.com/cdo/configuration/sendusername", $smtpCredsUserName) + $mail.Fields.Add("http://schemas.microsoft.com/cdo/configuration/sendpassword", $smtpCredsPassword) + #$mail.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout", 30000/1000) + # Use Network SMTP server... + $mail.Fields.Add("http://schemas.microsoft.com/cdo/configuration/sendusing", 2) + # ... and basic authentication + $mail.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate", 1) + $mail.From = $mailFromSender + $mail.To = $mailToRecipient + If ($mailCcRecipients.Length -gt 0) { + $mail.CC = $($mailCcRecipients -join ";") + } + $mail.Subject = $mailSubject + $mail.Priority = $mailPriority + $mail.Body = $mailBody + $mail.BodyFormat = "Html" + If ($mailAttachments.Length -gt 0) { + $mailAttachments | ForEach-Object { + $mail.Attachments.Add($(New-Object System.Web.Mail.MailAttachment $_)) + } + } + + # Finally Send Mail + Try { + [System.Web.Mail.SmtpMail]::Send($mail) + } Catch { + Write-Host "" + Write-Host "Error Sending Mail..." -ForeGroundColor Red + Write-Host "" + Write-Host "Exception Type......: $($_.Exception.GetType().FullName)" -ForeGroundColor Red + Write-Host "" + Write-Host "Exception Message...: $($_.Exception.Message)" -ForeGroundColor Red + Write-Host "" + Write-Host "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" -ForeGroundColor Red + Write-Host "" + } + } + If ($sslType.ToUpper() -eq "EXPLICIT") { + # Create Mail Message Object + $mail = New-Object System.Net.Mail.MailMessage + $mail.From = $mailFromSender + $mail.To.Add($mailToRecipient) + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + $mail.CC.Add($_) + } + } + $mail.Subject = $mailSubject + $mail.Priority = $mailPriority + $mail.Body = $mailBody + $mail.IsBodyHtml = $true + If ($mailAttachments.Length -gt 0) { + $mailAttachments | ForEach-Object { + $mail.Attachments.Add($_) + } + } + + # Create SMTP-Client To Send Mail Message + $smtp = New-Object System.Net.Mail.SmtpClient($smtpServer, $smtpPort) + If ($useSSLForSMTP -eq "TRUE") { + $smtp.EnableSsl = $true + } Else { + $smtp.EnableSsl = $false + } + If ($null -ne $smtpCredsUserName -And $smtpCredsUserName -ne "LEAVE_EMPTY_OR_LEAVE_AS_IS_OR_SPECIFY" -And $null -ne $smtpCredsPassword -And $smtpCredsPassword -ne "LEAVE_EMPTY_OR_LEAVE_AS_IS_OR_SPECIFY") { + $smtp.Credentials = New-Object System.Net.NetworkCredential($smtpCredsUserName, $(ConvertTo-SecureString $smtpCredsPassword -AsPlainText -Force)) + } + + # Finally Send Mail + Try { + $smtp.Send($mail) + } Catch { + Write-Host "" + Write-Host "Error Sending Mail..." -ForeGroundColor Red + Write-Host "" + Write-Host "Exception Type......: $($_.Exception.GetType().FullName)" -ForeGroundColor Red + Write-Host "" + Write-Host "Exception Message...: $($_.Exception.Message)" -ForeGroundColor Red + Write-Host "" + Write-Host "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" -ForeGroundColor Red + Write-Host "" + } + } + } +} + +### FUNCTION: Get Server Names +Function getServerNames { + $localComputerName = $(Get-WmiObject -Class Win32_ComputerSystem).Name # [0] NetBIOS Computer Name + $fqdnADDomainOfComputer = $(Get-WmiObject -Class Win32_ComputerSystem).Domain # [1] FQDN Of The AD Domain The Computer Is A Member Of + $fqdnComputerInADDomain = $localComputerName + "." + $fqdnADDomainOfComputer # [2] FQDN Of The Computer In The AD (!) Domain + $fqdnComputerInDNS = [System.Net.Dns]::GetHostByName($localComputerName).HostName # [3] FQDN Of The Computer In The DNS (!) Domain + $fqdnDnsDomainOfComputer = $fqdnComputerInDNS.SubString($fqdnComputerInDNS.IndexOf(".") + 1) # [4] FQDN Of The Dns Domain The Computer Is A Part Of + + Return $localComputerName, $fqdnADDomainOfComputer, $fqdnComputerInADDomain, $fqdnComputerInDNS, $fqdnDnsDomainOfComputer +} + +### +# Clear The Screen +### +Clear-Host + +### +# Configure The Appropriate Screen And Buffer Size To Make Sure Everything Fits Nicely +### +$uiConfig = (Get-Host).UI.RawUI +$uiConfig.WindowTitle = "+++ RESET KRBTGT ACCOUNT PASSWORD FOR RWDCs/RODCs +++" +$uiConfig.ForegroundColor = "Yellow" +$uiConfigBufferSize = $uiConfig.BufferSize +$uiConfigBufferSize.Width = 400 +$uiConfigBufferSize.Height = 9999 +$uiConfigScreenSizeMax = $uiConfig.MaxPhysicalWindowSize +$uiConfigScreenSizeMaxWidth = $uiConfigScreenSizeMax.Width +$uiConfigScreenSizeMaxHeight = $uiConfigScreenSizeMax.Height +$uiConfigScreenSize = $uiConfig.WindowSize +If ($uiConfigScreenSizeMaxWidth -lt 240) { + $uiConfigScreenSize.Width = $uiConfigScreenSizeMaxWidth +} Else { + $uiConfigScreenSize.Width = 240 +} +If ($uiConfigScreenSizeMaxHeight -lt 75) { + $uiConfigScreenSize.Height = $uiConfigScreenSizeMaxHeight - 5 +} Else { + $uiConfigScreenSize.Height = 75 +} +$uiConfig.BufferSize = $uiConfigBufferSize +$uiConfig.WindowSize = $uiConfigScreenSize + +### +# Definition Of Some Constants +### +$execDateTime = Get-Date +$execDateTimeYEAR = $execDateTime.Year +$execDateTimeMONTH = $execDateTime.Month +$execDateTimeDAY = $execDateTime.Day +$execDateTimeHOUR = $execDateTime.Hour +$execDateTimeMINUTE = $execDateTime.Minute +$execDateTimeSECOND = $execDateTime.Second +$execDateTimeCustom = [STRING]$execDateTimeYEAR + "-" + $("{0:D2}" -f $execDateTimeMONTH) + "-" + $("{0:D2}" -f $execDateTimeDAY) + "_" + $("{0:D2}" -f $execDateTimeHOUR) + "." + $("{0:D2}" -f $execDateTimeMINUTE) + "." + $("{0:D2}" -f $execDateTimeSECOND) +$execDateTimeCustom1 = [STRING]$execDateTimeYEAR + $("{0:D2}" -f $execDateTimeMONTH) + $("{0:D2}" -f $execDateTimeDAY) + $("{0:D2}" -f $execDateTimeHOUR) + $("{0:D2}" -f $execDateTimeMINUTE) + $("{0:D2}" -f $execDateTimeSECOND) +$adRunningUserAccount = $ENV:USERDOMAIN + "\" + $ENV:USERNAME +$scriptFullPath = $MyInvocation.MyCommand.Definition +$currentScriptCmdLineUsed = $MyInvocation.Line +$currentScriptFolderPath = Split-Path $scriptFullPath +$getServerNames = getServerNames +$localComputerName = $getServerNames[0] # [0] NetBIOS Computer Name +$fqdnADDomainOfComputer = $getServerNames[1] # [1] FQDN Of The AD Domain The Computer Is A Member Of +$fqdnComputerInADDomain = $getServerNames[2] # [2] FQDN Of The Computer In The AD (!) Domain +$fqdnComputerInDNS = $getServerNames[3] # [3] FQDN Of The Computer In The DNS (!) Domain +$fqdnDnsDomainOfComputer = $getServerNames[4] # [4] FQDN Of The Dns Domain The Computer Is A Part Of +$fqdnADDomainOfComputerContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $fqdnADDomainOfComputer) +$fqdnADForestOfComputer = ([System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($fqdnADDomainOfComputerContext)).Forest.Name +[string]$logFilePath = Join-Path $currentScriptFolderPath $($execDateTimeCustom + "_" + $localComputerName + "_Reset-KrbTgt-Password-For-RWDCs-And-RODCs.log") +$connectionTimeout = 2000 +$argsCount = $PSBoundParameters.Count +If ($argsCount -gt 0 -And $sendMailWithLogFile) { + [string]$scriptXMLConfigFilePath = Join-Path $currentScriptFolderPath "Reset-KrbTgt-Password-For-RWDCs-And-RODCs.xml" + + ### Read The XML Config File + If (!(Test-Path $scriptXMLConfigFilePath)) { + Write-Host "" + Write-Host "The XML Config File '$scriptXMLConfigFilePath' CANNOT Be Found!..." -ForeGroundColor Red + Write-Host "Aborting Script..." -ForeGroundColor Red + Write-Host "" + + BREAK + } Else { + [XML]$script:configResetKrbTgtPasswordNotify = Get-Content $scriptXMLConfigFilePath + + ### Read The Properties From The XML Config File + $script:smtpServer = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.smtpServer + $script:smtpPort = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.smtpPort + $script:useSSLForSMTP = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.useSSLForSMTP + $script:sslType = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.sslType + $script:smtpCredsUserName = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.smtpCredsUserName + $script:smtpCredsPassword = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.smtpCredsPassword + $script:mailSubject = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailSubject + $script:mailPriority = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailPriority + $script:mailBody = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailBody + $script:mailFromSender = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailFromSender + $script:mailToRecipient = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailToRecipient + $script:mailCcRecipients = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailCcRecipients.mailCcRecipient + $script:mailSign = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailSign + $script:mailEncrypt = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailEncrypt + $script:mailSignAndEncryptDllFile = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailSignAndEncryptDllFile + If ($mailSign.ToUpper() -eq "ON") { + $script:mailSignAndEncryptCertLocation = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailSignAndEncryptCertLocation + If ($mailSignAndEncryptCertLocation.ToUpper() -eq "PFX") { + $script:mailSignAndEncryptCertPFXFile = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailSignAndEncryptCertPFXFile + $script:mailSignAndEncryptCertPFXPassword = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailSignAndEncryptCertPFXPassword + } + If ($mailSignAndEncryptCertLocation.ToUpper() -eq "STORE") { + $script:mailSignAndEncryptCertThumbprint = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailSignAndEncryptCertThumbprint + } + } + If ($mailEncrypt.ToUpper() -eq "ON") { + $script:mailEncryptCertLocation = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailEncryptCertLocation + If ($mailEncryptCertLocation.ToUpper() -eq "CER") { + $script:mailEncryptCertCERFile = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailEncryptCertCERFile + } + If ($mailEncryptCertLocation.ToUpper() -eq "STORE") { + $script:mailEncryptCertThumbprint = $configResetKrbTgtPasswordNotify.resetKrbTgtPassword.mailEncryptCertThumbprint + } + } + } +} + +### +# Loading Any Applicable/Required Libraries +### +Add-Type -AssemblyName System.DirectoryServices.Protocols -ErrorAction Stop + +### +# Execute Any Additional Actions Required For The Script To Run Successfully +### +# N.A. + +### +# Start Of Script +### +### Presentation Of Script Header +Logging "" +Logging " **********************************************************" "MAINHEADER" +Logging " * *" "MAINHEADER" +Logging " * --> Reset KrbTgt Account Password For RWDCs/RODCs <-- *" "MAINHEADER" +Logging " * *" "MAINHEADER" +Logging " * Re-Written By: Jorge de Almeida Pinto [MVP-EMS] *" "MAINHEADER" +Logging " * *" "MAINHEADER" +Logging " * BLOG: Jorge's Quest For Knowledge *" "MAINHEADER" +Logging " * (URL: http://jorgequestforknowledge.wordpress.com/) *" "MAINHEADER" +Logging " * *" "MAINHEADER" +Logging " * $version *" "MAINHEADER" +Logging " * *" "MAINHEADER" +Logging " **********************************************************" "MAINHEADER" +Logging "" + +### +# Script Details +### +### Logging Where The Script Is Being Executed From +Logging "" +Logging "Local Computer Name...................: $localComputerName" +Logging "FQDN AD Domain Of Computer............: $fqdnADDomainOfComputer" +Logging "FQDN Computer In AD Domain............: $fqdnComputerInADDomain" +Logging "FQDN Computer In DNS..................: $fqdnComputerInDNS" +Logging "FQDN DNS Domain Of Computer...........: $fqdnDnsDomainOfComputer" +Logging "Execution Mode........................: $(If ($argsCount -eq 0) {'ON-DEMAND'} Else {'AUTOMATED'})" +If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "Arguments Used........................:" + $PSBoundParameters.Keys | ForEach-Object { + Logging " - Argument...........................: $($_.PadRight(25,' ')) = $($PSBoundParameters[$_])" + } + Logging "XML Config Options....................:" + Logging " - smtpServer.........................: $smtpServer" + Logging " - smtpPort...........................: $smtpPort" + Logging " - useSSLForSMTP......................: $useSSLForSMTP" + If ($useSSLForSMTP.ToUpper() -eq "TRUE") { + Logging " - sslType............................: $sslType" + } + Logging " - smtpCredsUserName..................: $smtpCredsUserName" + Logging " - smtpCredsPassword..................: ******************" + Logging " - mailSubject........................: $mailSubject" + Logging " - mailPriority.......................: $mailPriority" + Logging " - mailBody...........................: `" + Logging " - mailFromSender.....................: $mailFromSender" + Logging " - mailToRecipient....................: $mailToRecipient" + If ($mailCcRecipients.count -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - mailCcRecipient....................: $($_)" + } + } + Logging " - mailSign...........................: $mailSign" + Logging " - mailEncrypt........................: $mailEncrypt" + Logging " - mailSignAndEncryptDllFile..........: $mailSignAndEncryptDllFile" + Logging " - mailSignAndEncryptCertLocation.....: $mailSignAndEncryptCertLocation" + Logging " - mailSignAndEncryptCertPFXFile......: $mailSignAndEncryptCertPFXFile" + Logging " - mailSignAndEncryptCertThumbprint...: $mailSignAndEncryptCertThumbprint" + Logging " - mailEncryptCertLocation............: $mailEncryptCertLocation" + Logging " - mailEncryptCertCERFile.............: $mailEncryptCertCERFile" + Logging " - mailEncryptCertThumbprint..........: $mailEncryptCertThumbprint" +} +Logging "" + +### +# Checking Requirements +### +### Checking Elevation Status Of Current Process +Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" +Logging "CHECKING ELEVATION STATUS OF CURRENT PROCESS..." "HEADER" +Logging "" + +$currentElevationStatus = checkLocalElevationStatus +Logging "Current Elevation Status...: $currentElevationStatus" +If ($currentElevationStatus -eq "NOT-ELEVATED") { + $sleepInSecs = 5 + Logging "" "REMARK" + Logging "The Script IS NOT Running In An Elevated PowerShell Command Prompt..." "REMARK" + Logging "Restarting The Script Through An Elevated Command Prompt In $sleepInSecs Seconds..." "REMARK" + $iTimer = 0 + Do { + Logging " > $($sleepInSecs - $iTimer)..." "REMARK" + Start-Sleep -s 1 + $iTimer++ + } Until ($iTimer -eq $sleepInSecs) + Logging "" "REMARK" + Start-Process Powershell -Wait -Verb runAs -ArgumentList "-NoExit -Command `"$currentScriptCmdLineUsed`"" + Stop-Process -Id $PID +} + +<# +### Loading The DLL Required For System.DirectoryServices.Protocols (S.DS.P.) +Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" +Logging "LOADING THE DLL REQUIRED FOR SYSTEM.DIRECTORYSERVICES.PROTOCOLS (S.DS.P.)..." "HEADER" +Logging "" + +If ([Environment]::Is64BitProcess) { + $processArchitecture = "64-Bit" + $dotNetMainFolderPath = "$ENV:WINDIR\Microsoft.NET\Framework64" +} Else { + $processArchitecture = "32-Bit" + $dotNetMainFolderPath = "$ENV:WINDIR\Microsoft.NET\Framework" +} +$sdspDLLPath = Get-ChildItem -Path $dotNetMainFolderPath -Recurse -Filter "System.DirectoryServices.Protocols.dll" +Logging "Process Architecture..................: $processArchitecture" +Logging "S.DS.P. DLL Path......................: $(($sdspDLLPath | Sort-Object -Property ProductVersion)[0].FullName)" +Add-Type -Path $(($sdspDLLPath | Sort-Object -Property ProductVersion)[0].FullName) +#> + +### +# Technical Information +### +### Providing Information About What The Script Is Capable Of And How The Script Works +Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" +Logging "INFORMATION REGARDING KRBTGT ACCOUNTS AND PASSWORD RESETS..." "HEADER" +Logging "" +If ($noInfo) { + Logging "Do you want to read information about the script, its functions, its behavior and the impact? [YES | NO]: NO" "ACTION" + $yesOrNo = "NO" +} Else { + Logging "Do you want to read information about the script, its functions, its behavior and the impact? [YES | NO]: " "ACTION-NO-NEW-LINE" + $yesOrNo = Read-Host + If ($yesOrNo.ToUpper() -ne "NO" -And $yesOrNo.ToUpper() -ne "N") { + $yesOrNo = "YES" + } +} +Logging "" +Logging " --> Chosen: $yesOrNo" "REMARK" +Logging "" +If ($yesOrNo.ToUpper() -ne "NO" -And $yesOrNo.ToUpper() -ne "N") { + Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" + Logging "INFORMATION ABOUT THE SCRIPT, ITS FUNCTIONS AND BEHAVIOR, AND IMPACT TO THE ENVIRONMENT - PLEASE READ CAREFULLY..." "HEADER" + Logging "" + Logging "-----" "REMARK" + Logging "This PoSH script provides the following functions:" "REMARK" + Logging "-----" "REMARK" + Logging " - Single Password Reset for the KrbTgt account in use by RWDCs in a specific AD domain, using either TEST or PROD KrbTgt accounts" "REMARK" + Logging " - Single Password Reset for the KrbTgt account in use by an individual RODC in a specific AD domain, using either TEST or PROD KrbTgt accounts" "REMARK" + Logging " * A single RODC in a specific AD domain" "REMARK" + Logging " * A specific list of in a specific AD domain" "REMARK" + Logging " * All RODCs in a specific AD domain" "REMARK" + Logging " - Resetting the password/keys of the KrbTgt Account can be done for multiple reasons such as for example:" "REMARK" + Logging " * From a security perspective as mentioned in:" "REMARK" + Logging " https://cloudblogs.microsoft.com/microsoftsecure/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/" "REMARK" + Logging " * From an AD recovery perspective as mentioned in:" "REMARK" + Logging " https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password" "REMARK" + Logging " - For all scenarios, an informational mode, which is mode 1 with no changes" "REMARK" + Logging " - For all scenarios, a simulation mode, which is mode 2 where replication is tested through the replication of a temporary canary" "REMARK" + Logging " object that is created and deleted afterwards" "REMARK" + Logging " - For all scenarios, a simulation mode, which is mode 3 where the password reset of the chosen TEST KrbTgt account is actually executed" "REMARK" + Logging " and replication of it is monitored through the environment for its duration" "REMARK" + Logging " - For all scenarios, a real reset mode, which is mode 4 where the password reset of the chosen PROD KrbTgt account is actually executed" "REMARK" + Logging " and replication of it is monitored through the environment for its duration" "REMARK" + Logging " - The creation of Test KrbTgt Accounts" "REMARK" + Logging " - The cleanup of previously created Test KrbTgt Accounts" "REMARK" + Logging "" + Logging "" + Logging "First, read the info above, then..." "ACTION" + Logging "Press Any Key (TWICE!) To Continue..." "ACTION" + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + Logging "" + Logging "" + Logging "-----" "REMARK" + Logging "This PoSH script has the following behavior:" "REMARK" + Logging "-----" "REMARK" + Logging "" + Logging " - Mode 1 is INFORMATIONAL MODE..." "REMARK-IMPORTANT" + Logging " * Safe to run at any time as there are not changes in any way!" "REMARK-IMPORTANT" + Logging " * Analyzes the environment and check for issues that may impact mode 2, 3 or 4!" "REMARK-IMPORTANT" + Logging " * For the targeted AD domain, it always retrieves all RWDCs, and all RODCs if applicable." "REMARK-IMPORTANT" + Logging "" + Logging "" + Logging "First, read the info above, then..." "ACTION" + Logging "Press Any Key (TWICE!) To Continue..." "ACTION" + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + Logging "" + Logging "" + Logging " - Mode 2 is SIMULATION MODE USING A TEMPORARY CANARY OBJECT..." "REMARK-MORE-IMPORTANT" + Logging " * Also executes everything from mode 1!" "REMARK-MORE-IMPORTANT" + Logging " * Creates the temporary canary object and, depending on the scope, it will check if it exists in the AD database of the remote DC(s)" "REMARK-MORE-IMPORTANT" + Logging " (RWDC/RODC)." "REMARK-MORE-IMPORTANT" + Logging " * When simulating the KrbTgt account for RWDCs, the creation of the object is against the RWDC with the PDC Emulator FSMO followed" "REMARK-MORE-IMPORTANT" + Logging " by the 'replicate single object' operation against every available/reachable RWDC. This is a way to estimate the total replication" "REMARK-MORE-IMPORTANT" + Logging " time for mode 4." "REMARK-MORE-IMPORTANT" + Logging " * When simulating the KrbTgt account for RODCs, the creation of the object is against the RWDC the RODC is replicating from if" "REMARK-MORE-IMPORTANT" + Logging " available. If not available the creation is against the RWDC with the PDC Emulator FSMO. Either way it is followed by the 'replicate" "REMARK-MORE-IMPORTANT" + Logging " single object' operation against the RODC. This is a way to estimate the total replication time for mode 4." "REMARK-MORE-IMPORTANT" + Logging " * If a remote DC (RWDC/RODC) is not available or cannot be reached, there will not be a check against its AD database to determine if" "REMARK-MORE-IMPORTANT" + Logging " the change made reached it or not." "REMARK-MORE-IMPORTANT" + Logging " * When performing the 'replicate single object' operation, it will always be for the full object, no matter if the remote DC is an RWDC" "REMARK-MORE-IMPORTANT" + Logging " or an RODC" "REMARK-MORE-IMPORTANT" + Logging "" + Logging "" + Logging "First, read the info above, then..." "ACTION" + Logging "Press Any Key (TWICE!) To Continue..." "ACTION" + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + Logging "" + Logging "" + Logging " - Mode 3 is SIMULATION MODE USING TEST/BOGUS KRBTGT ACCOUNTS..." "REMARK-MORE-IMPORTANT" + Logging " * Also executes everything from mode 1!" "REMARK-MORE-IMPORTANT" + Logging " * Instead of using PROD/REAL KrbTgt Account(s), it uses pre-created TEST/BOGUS KrbTgt Accounts(s) for the password reset whatif!" "REMARK-MORE-IMPORTANT" + Logging " * For RWDCs it uses the TEST/BOGUS KrbTgt account 'krbtgt_TEST' (All RWDCs) (= Created when running mode 8)" "REMARK-MORE-IMPORTANT" + Logging " * For RODCs it uses the TEST/BOGUS KrbTgt account 'krbtgt__TEST' (RODC Specific) (= Created when running mode 8)" "REMARK-MORE-IMPORTANT" + Logging " * IT DOES NOT reset the password of the TEST/BOGUS KrbTgt Accounts(s) and, depending on the scope, it will check if the Password Last Set value" "REMARK-MORE-IMPORTANT" + Logging " in the AD database of the remote DC(s) (RWDC/RODC) matches the Password Last Set value in the AD database of the source originating" "REMARK-MORE-IMPORTANT" + Logging " RWDC." "REMARK-MORE-IMPORTANT" + Logging " * If a remote DC (RWDC/RODC) is not available or cannot be reached, there will not be a check against its AD database to determine if" "REMARK-MORE-IMPORTANT" + Logging " the change made reached it or not." "REMARK-MORE-IMPORTANT" + Logging "" + Logging "" + Logging "First, read the info above, then..." "ACTION" + Logging "Press Any Key (TWICE!) To Continue..." "ACTION" + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + Logging "" + Logging "" + Logging " - Mode 4 is REAL RESET MODE USING TEST/BOGUS KRBTGT ACCOUNTS..." "REMARK-MORE-IMPORTANT" + Logging " * Also executes everything from mode 1!" "REMARK-MORE-IMPORTANT" + Logging " * Instead of using PROD/REAL KrbTgt Account(s), it uses pre-created TEST/BOGUS KrbTgt Accounts(s) for the password reset!" "REMARK-MORE-IMPORTANT" + Logging " * For RWDCs it uses the TEST/BOGUS KrbTgt account 'krbtgt_TEST' (All RWDCs) (= Created when running mode 8)" "REMARK-MORE-IMPORTANT" + Logging " * For RODCs it uses the TEST/BOGUS KrbTgt account 'krbtgt__TEST' (RODC Specific) (= Created when running mode 8)" "REMARK-MORE-IMPORTANT" + Logging " * Resets the password of the TEST/BOGUS KrbTgt Accounts(s) and, depending on the scope, it will check if the Password Last Set value" "REMARK-MORE-IMPORTANT" + Logging " in the AD database of the remote DC(s) (RWDC/RODC) matches the Password Last Set value in the AD database of the source originating" "REMARK-MORE-IMPORTANT" + Logging " RWDC." "REMARK-MORE-IMPORTANT" + Logging " * When simulating the KrbTgt account for RWDCs, the password reset is done for the TEST/BOGUS KrbTgt Accounts(s) against the RWDC with" "REMARK-MORE-IMPORTANT" + Logging " the PDC Emulator FSMO followed by the 'replicate single object' operation against every available/reachable RWDC. No RODCs are involved" "REMARK-MORE-IMPORTANT" + Logging " as those do not use the KrbTgt account in use by the RWDCs and also do not store/cache its password. This is a way to estimate the" "REMARK-MORE-IMPORTANT" + Logging " total replication time for mode 6." "REMARK-MORE-IMPORTANT" + Logging " * When simulating the KrbTgt account for RODCs, the password reset is done for the TEST/BOGUS KrbTgt Accounts(s) against the RWDC the" "REMARK-MORE-IMPORTANT" + Logging " RODC is replicating from if available/reachable. If not available the password reset is against the RWDC with the PDC Emulator FSMO." "REMARK-MORE-IMPORTANT" + Logging " Either way it is followed by the 'replicate single object' operation against the RODC that uses that KrbTgt account. Only the RODC" "REMARK-MORE-IMPORTANT" + Logging " that uses the specific KrbTgt account is checked against to see if the change has reached it, but only if the RODC is available/reachable." "REMARK-MORE-IMPORTANT" + Logging " This is a way to estimate the total replication time for mode 6." "REMARK-MORE-IMPORTANT" + Logging " * If a remote DC (RWDC/RODC) is not available or cannot be reached, there will not be a check against its AD database to determine if" "REMARK-MORE-IMPORTANT" + Logging " the change made reached it or not." "REMARK-MORE-IMPORTANT" + Logging " * When performing the 'replicate single object' operation, it will always be for the full object if the target DC is an RWDC. If the" "REMARK-MORE-IMPORTANT" + Logging " target DC is an RODC, then it will be for the partial object (secrets only)." "REMARK-MORE-IMPORTANT" + Logging "" + Logging "" + Logging "First, read the info above, then..." "ACTION" + Logging "Press Any Key (TWICE!) To Continue..." "ACTION" + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + Logging "" + Logging "" + Logging " - Mode 5 is SIMULATION MODE USING PROD/REAL KRBTGT ACCOUNTS..." "REMARK-MORE-IMPORTANT" + Logging " * Also executes everything from mode 1!" "REMARK-MORE-IMPORTANT" + Logging " * Now it does use the PROD/REAL KrbTgt Accounts(s) for the password reset whatif!" "REMARK-MORE-IMPORTANT" + Logging " * For RWDCs it uses the PROD/REAL KrbTgt account 'krbtgt' (All RWDCs) (= Created when running mode 8)" "REMARK-MORE-IMPORTANT" + Logging " * For RODCs it uses the PROD/REAL KrbTgt account 'krbtgt_' (RODC Specific) (= Created when running mode 8)" "REMARK-MORE-IMPORTANT" + Logging " * IT DOES NOT reset the password of the PROD/REAL KrbTgt Accounts(s) and, depending on the scope, it will check if the Password Last Set value" "REMARK-MORE-IMPORTANT" + Logging " in the AD database of the remote DC(s) (RWDC/RODC) matches the Password Last Set value in the AD database of the source originating" "REMARK-MORE-IMPORTANT" + Logging " RWDC." "REMARK-MORE-IMPORTANT" + Logging " * If a remote DC (RWDC/RODC) is not available or cannot be reached, there will not be a check against its AD database to determine if" "REMARK-MORE-IMPORTANT" + Logging " the change made reached it or not." "REMARK-MORE-IMPORTANT" + Logging "" + Logging "" + Logging "First, read the info above, then..." "ACTION" + Logging "Press Any Key (TWICE!) To Continue..." "ACTION" + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + Logging "" + Logging "" + Logging " - Mode 6 is REAL RESET MODE USING PROD/REAL KRBTGT ACCOUNTS..." "REMARK-MOST-IMPORTANT" + Logging " * Also executes everything from mode 1!" "REMARK-MOST-IMPORTANT" + Logging " * Now it does use the PROD/REAL KrbTgt Accounts(s) for the password reset!" "REMARK-MOST-IMPORTANT" + Logging " * For RWDCs it uses the PROD/REAL KrbTgt account 'krbtgt' (All RWDCs)" "REMARK-MOST-IMPORTANT" + Logging " * For RODCs it uses the PROD/REAL KrbTgt account 'krbtgt_' (RODC Specific)" "REMARK-MOST-IMPORTANT" + Logging " * Resets the password of the PROD/REAL KrbTgt Accounts(s) and, depending on the scope, it will check if the Password Last Set value" "REMARK-MOST-IMPORTANT" + Logging " in the AD database of the remote DC(s) (RWDC/RODC) matches the Password Last Set value in the AD database of the source originating" "REMARK-MOST-IMPORTANT" + Logging " RWDC." "REMARK-MOST-IMPORTANT" + Logging " * When simulating the KrbTgt account for RWDCs, the password reset is done for the PROD/REAL KrbTgt Accounts(s) against the RWDC with" "REMARK-MOST-IMPORTANT" + Logging " the PDC Emulator FSMO followed by the 'replicate single object' operation against every available/reachable RWDC. No RODCs are involved" "REMARK-MOST-IMPORTANT" + Logging " as those do not use the KrbTgt account in use by the RWDCs and also do not store/cache its password. Once the replication is" "REMARK-MOST-IMPORTANT" + Logging " complete, the total impact time will be displayed." "REMARK-MOST-IMPORTANT" + Logging " * When simulating the KrbTgt account for RODCs, the password reset is done for the PROD/REAL KrbTgt Accounts(s) against the RWDC the" "REMARK-MOST-IMPORTANT" + Logging " RODC is replicating from if available/reachable. If not available the password reset is against the RWDC with the PDC Emulator FSMO." "REMARK-MOST-IMPORTANT" + Logging " Either way it is followed by the 'replicate single object' operation against the RODC that uses that KrbTgt account. Only the RODC" "REMARK-MOST-IMPORTANT" + Logging " that uses the specific KrbTgt account is checked against to see if the change has reached it, but only if the RODC is available/reachable." "REMARK-MOST-IMPORTANT" + Logging " Once the replication is complete, the total impact time will be displayed." "REMARK-MOST-IMPORTANT" + Logging " * If a remote DC (RWDC/RODC) is not available or cannot be reached, there will not be a check against its AD database to determine if" "REMARK-MOST-IMPORTANT" + Logging " the change made reached it or not." "REMARK-MOST-IMPORTANT" + Logging " * When performing the 'replicate single object' operation, it will always be for the full object if the target DC is an RWDC. If the" "REMARK-MOST-IMPORTANT" + Logging " target DC is an RODC, then it will be for the partial object (secrets only)." "REMARK-MOST-IMPORTANT" + Logging "" + Logging "" + Logging "First, read the info above, then..." "ACTION" + Logging "Press Any Key (TWICE!) To Continue..." "ACTION" + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + Logging "" + Logging "" + Logging " - Mode 8 is CREATE TEST KRBTGT ACCOUNTS MODE..." "REMARK-IMPORTANT" + Logging " * Creates so called TEST/BOGUS KrbTgt Account(s) to simulate the password reset with." "REMARK-IMPORTANT" + Logging " * Has no impact on the PROD/REAL KrbTgt Account(s)." "REMARK-IMPORTANT" + Logging " * For RWDCs it creates (in disabled state!) the TEST/BOGUS KrbTgt account 'krbtgt_TEST' and adds it to the AD group 'Denied RODC" "REMARK-IMPORTANT" + Logging " Password Replication Group'." "REMARK-IMPORTANT" + Logging " * For RODCs, if any in the AD domain, it creates (in disabled state!) the TEST/BOGUS KrbTgt account 'krbtgt__TEST' and" "REMARK-IMPORTANT" + Logging " adds it to the AD group 'Allowed RODC Password Replication Group'. To determine the specific KrbTgt account in use by an RODC, the" "REMARK-IMPORTANT" + Logging " script reads the attribute 'msDS-KrbTgtLink' on the RODC computer account." "REMARK-IMPORTANT" + Logging "" + Logging "" + Logging "First, read the info above, then..." "ACTION" + Logging "Press Any Key (TWICE!) To Continue..." "ACTION" + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + Logging "" + Logging "" + Logging " - Mode 9 is CLEANUP TEST KRBTGT ACCOUNTS MODE..." "REMARK-IMPORTANT" + Logging " * Cleanup (delete) the so called TEST/BOGUS KrbTgt Account(s) that were used to simulate the password reset with." "REMARK-IMPORTANT" + Logging " * For RWDCs it deletes the TEST/BOGUS KrbTgt account 'krbtgt_TEST' if it exists." "REMARK-IMPORTANT" + Logging " * For RODCs, if any in the AD domain, it deletes the TEST/BOGUS KrbTgt account 'krbtgt__TEST' if it exists. To determine" "REMARK-IMPORTANT" + Logging " the specific KrbTgt account in use by an RODC, the script reads the attribute 'msDS-KrbTgtLink' on the RODC computer account." "REMARK-IMPORTANT" + Logging "" + Logging "" + Logging "First, read the info above, then..." "ACTION" + Logging "Press Any Key (TWICE!) To Continue..." "ACTION" + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + Logging "" + Logging "" + Logging " - ADDITIONAL INFO - BEHAVIOR..." "REMARK-IMPORTANT" + Logging " * If the operating system attribute of an RODC computer account does not have a value, it is determined to be unknown (not a real RODC)," "REMARK-IMPORTANT" + Logging " and therefore something else. It could for example be a Riverbed appliance in 'RODC mode'." "REMARK-IMPORTANT" + Logging " * The only DC that knows what the real replication partner is of an RODC, is the RODC itself. Only the RODC manages a connection object" "REMARK-IMPORTANT" + Logging " (CO) that only exists in the AD database of the RODC and does not replicate out to other DCs as RODCs do not support outbound replication." "REMARK-IMPORTANT" + Logging " Therefore, assuming the RODC is available, the CO is looked up in the RODC AD database and from that CO, the 'source' server is" "REMARK-IMPORTANT" + Logging " determined. In case the RODC is not available or its 'source' server is not available, the RWDC with the PDC FSMO is used to reset" "REMARK-IMPORTANT" + Logging " the password of the krbtgt account in use by that RODC. If the RODC is available a check will be done against its database, and if" "REMARK-IMPORTANT" + Logging " not available the check is skipped." "REMARK-IMPORTANT" + Logging "" + Logging "" + Logging "First, read the info above, then..." "ACTION" + Logging "Press Any Key (TWICE!) To Continue..." "ACTION" + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + Logging "" + Logging "" + Logging " - ADDITIONAL INFO - OBSERVED IMPACT..." "REMARK-IMPORTANT" + Logging " * Within an AD domain, all RWDCs use the account 'krbtgt' to encrypt/sign Kerberos tickets trusted by all RWDCs" "REMARK-IMPORTANT" + Logging " * Within an AD domain, every RODC uses its own 'krbtgt_' account to encrypt/sign Kerberos tickets trusted by only that RODC" "REMARK-IMPORTANT" + Logging " and that account is specified in the attribute 'msDS-KrbTgtLink' on the RODC computer account." "REMARK-IMPORTANT" + Logging " * RODCs are cryptographically isolated from other RODCs and the RWDCs, whether these are in the same AD site or not. Any Kerberos TGT/Service" "REMARK-IMPORTANT" + Logging " tickets issued by an RODC are only valid against that RODC and any resource that has a secure channel with that RODC. That's why when an" "REMARK-IMPORTANT" + Logging " RODC is compromised the scope of impact is only for that RODC and any resource using it, and not the complete AD domain." "REMARK-IMPORTANT" + Logging " * Kerberos PAC validation failures: Until the new KrbTgt account password is replicated to all DCs in the domain using that KrbTgt account," "REMARK-IMPORTANT" + Logging " applications which attempt KDC PAC validation may experience KDC PAC validation failures. This is possible when a client in one AD site" "REMARK-IMPORTANT" + Logging " is accessing an application leveraging the Kerberos Authentication protocol that is in a different AD site. If that application is not a" "REMARK-IMPORTANT" + Logging " trusted part of the operating system, it may attempt to validate the PAC of the client's Kerberos Service Ticket against the KDC (DC) in" "REMARK-IMPORTANT" + Logging " its AD site. If the DC in its site does not yet have the new KrbTgt account password, this KDC PAC validation will fail. This will likely" "REMARK-IMPORTANT" + Logging " manifest itself to the client as authentication errors for that application. Once all DCs using a specific KrbTgt account have the new" "REMARK-IMPORTANT" + Logging " password some affected clients may recover gracefully and resume functioning normally. If not, rebooting the affected client(s) will" "REMARK-IMPORTANT" + Logging " resolve the issue. This issue may not occur if the replication of the new KrbTgt account password is timely and successful and no" "REMARK-IMPORTANT" + Logging " applications attempt KDC PAC validation against an out of sync DC during that time." "REMARK-IMPORTANT" + Logging " * Kerberos TGS request failures: Until the new KrbTgt account password is replicated to all DCs in the domain that use that KrbTgt account," "REMARK-IMPORTANT" + Logging " a client may experience Kerberos authentication failures. This is when a client in one AD site has obtained a Kerberos Ticket Granting" "REMARK-IMPORTANT" + Logging " Ticket (TGT) from an RWDC that has the new KrbTgt account password, but then subsequently attempts to obtain a Kerberos Service Ticket" "REMARK-IMPORTANT" + Logging " via a TGS request against an RWDC in a different AD site. If that RWDC does not also have the new KrbTgt account password, it will not" "REMARK-IMPORTANT" + Logging " be able to decrypt the client''s TGT, which will result in a TGS request failure. This will manifest itself to the client as authenticate" "REMARK-IMPORTANT" + Logging " errors. However, it should be noted that this impact is very unlikely, because it is very unlikely that a client will attempt to obtain a" "REMARK-IMPORTANT" + Logging " service ticket from a different RWDC than the one from which their TGT was obtained, especially during the relatively short impact" "REMARK-IMPORTANT" + Logging " duration of Mode 4." "REMARK-IMPORTANT" + Logging " * Resetting the password of account 'krbtgt' 2x very quickly in sequence will NEGATIVELY impact both DCs and server/apps/users." "REMARK-IMPORTANT" + Logging " * Resetting the password of account 'krbtgt' 1x, allowing AD replication to occur end-to-end, and resetting it a second time WITHIN the max" "REMARK-IMPORTANT" + Logging " ticket lifetime will NEGATIVELY impact server/apps/users only." "REMARK-IMPORTANT" + Logging " * Resetting the password of account 'krbtgt' 1x, allowing AD replication to occur end-to-end, and resetting it a second time AFTER the max" "REMARK-IMPORTANT" + Logging " ticket lifetime will not impact DCs nor server/apps/users only." "REMARK-IMPORTANT" + Logging " * Resetting the password of account 'krbtgt' 2x very quickly in sequence should only be done during forest/domain recovery (isolation) and/or" "REMARK-IMPORTANT" + Logging " a ransomware attack (taking back control)." "REMARK-IMPORTANT" + Logging "" + Logging "" + Logging "First, read the info above, then..." "ACTION" + Logging "Press Any Key (TWICE!) To Continue..." "ACTION" + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null + Logging "" + Logging "" + Logging " !!! It is highly recommended to use the following order of execution: !!!" "REMARK-MORE-IMPORTANT" + Logging " - Mode 1 - Informational Mode (No Changes At All)" "REMARK-MORE-IMPORTANT" + Logging " - Mode 8 - Create TEST KrbTgt Accounts" "REMARK-MORE-IMPORTANT" + Logging " - Mode 2 - Simulation Mode (Temporary Canary Object Created, No Password Reset!)" "REMARK-MORE-IMPORTANT" + Logging " - Mode 3 - Simulation Mode - Use KrbTgt TEST/BOGUS Accounts (No Password Reset, Check Only!)" "REMARK-MORE-IMPORTANT" + Logging " - Mode 4 - Real Reset Mode - Use KrbTgt TEST/BOGUS Accounts (Password Will Be Reset Once!)" "REMARK-MORE-IMPORTANT" + Logging " - Mode 5 - Simulation Mode - Use KrbTgt PROD/REAL Accounts (No Password Reset, Check Only!)" "REMARK-MORE-IMPORTANT" + Logging " - Mode 6 - Real Reset Mode - Use KrbTgt PROD/REAL Accounts (Password Will Be Reset Once!)" "REMARK-MORE-IMPORTANT" + Logging " - Mode 9 - Cleanup TEST KrbTgt Accounts (Could be skipped to reuse accounts the next time!)" "REMARK-MORE-IMPORTANT" + Logging "" + Logging "" + Logging " - RECOMMENDATIONS:" "REMARK-MORE-IMPORTANT" + Logging " * Reset password of ALL krbtgt accounts periodically every 3 or 6 months. Whatever is comfortable for you." "REMARK-MORE-IMPORTANT" + Logging " * Want to reset more frequently? Please pay attention to the max kerberos ticket lifetime configured for the AD domain!" "REMARK-MORE-IMPORTANT" + Logging " * Normally 6 months is a good balance between security and management overhead!" "REMARK-MORE-IMPORTANT" + Logging "" + Logging "" +} + +### +# Loading Required PowerShell Modules +### +Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" +Logging "LOADING REQUIRED POWERSHELL MODULES..." "HEADER" +Logging "" + +# Try To Load The Required PowerShell Module. Abort Script If Not Available +#"S.DS.P", "ActiveDirectory", "GroupPolicy" | ForEach-Object { +#"ActiveDirectory", "GroupPolicy" | ForEach-Object { +"GroupPolicy" | ForEach-Object { + $poshModuleState = $null + $poshModuleState = loadPoSHModules $_ + If ($poshModuleState -eq "NotAvailable") { + Logging "" + + EXIT + } + Logging "" +} + +### +# Display And Selecting The Mode Of Operation +### +Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" +Logging "SELECT THE MODE OF OPERATION..." "HEADER" +Logging "" +Logging "Which mode of operation do you want to execute?" +Logging "" +Logging " - 1 - Informational Mode (No Changes At All)" +Logging "" +Logging " - 2 - Simulation Mode | Temporary Canary Object Created To Test Replication Convergence!" +Logging "" +Logging " - 3 - Simulation Mode | Use KrbTgt TEST/BOGUS Accounts - No Password Reset/WhatIf Mode!" +Logging "" +Logging " - 4 - Real Reset Mode | Use KrbTgt TEST/BOGUS Accounts - Password Will Be Reset Once!" +Logging "" +Logging " - 5 - Simulation Mode | Use KrbTgt PROD/REAL Accounts - No Password Reset/WhatIf Mode!" +Logging "" +Logging " - 6 - Real Reset Mode | Use KrbTgt PROD/REAL Accounts - Password Will Be Reset Once!" +Logging "" +Logging "" +Logging " - 8 - Create TEST KrbTgt Accounts" +Logging " - 9 - Cleanup TEST KrbTgt Accounts" +Logging "" +Logging "" +Logging " - 0 - Exit Script" +Logging "" +Switch ($modeOfOperation) { + "infoMode" {$modeOfOperationNr = 1} + "simulModeCanaryObject" {$modeOfOperationNr = 2} + "simulModeKrbTgtTestAccountsWhatIf" {$modeOfOperationNr = 3} + "resetModeKrbTgtTestAccountsResetOnce" { $modeOfOperationNr = 4} + "simulModeKrbTgtProdAccountsWhatIf" {$modeOfOperationNr = 5} + "resetModeKrbTgtProdAccountsResetOnce" {$modeOfOperationNr = 6} + Default {$modeOfOperationNr = $null} +} +If ($null -eq $modeOfOperationNr) { + Logging "Please specify the mode of operation: " "ACTION-NO-NEW-LINE" + $modeOfOperationNr = Read-Host +} Else { + Logging "Please specify the mode of operation: $modeOfOperationNr" "ACTION" +} +Logging "" + +# If Anything Else Than The Allowed/Available Non-Zero Modes, Abort The Script +If (($modeOfOperationNr -ne 1 -And $modeOfOperationNr -ne 2 -And $modeOfOperationNr -ne 3 -And $modeOfOperationNr -ne 4 -And $modeOfOperationNr -ne 5 -And $modeOfOperationNr -ne 6 -And $modeOfOperationNr -ne 8 -And $modeOfOperationNr -ne 9) -Or $modeOfOperationNr -notmatch "^[\d\.]+$") { + Logging " --> Chosen mode: Mode 0 - Exit Script..." "REMARK" + Logging "" + + EXIT +} + +# If Mode 1 +If ($modeOfOperationNr -eq 1) { + Logging " --> Chosen Mode: Mode 1 - Informational Mode (No Changes At All)..." "REMARK" + Logging "" +} + +# If Mode 2 +If ($modeOfOperationNr -eq 2) { + Logging " --> Chosen Mode: Mode 2 - Simulation Mode | Temporary Canary Object Created To Test Replication Convergence..." "REMARK" + Logging "" +} + +# If Mode 3 +If ($modeOfOperationNr -eq 3) { + Logging " --> Chosen Mode: Mode 3 - Simulation Mode | Use KrbTgt TEST/BOGUS Accounts - No Password Reset/WhatIf Mode!..." "REMARK" + Logging "" +} + +# If Mode 4 +If ($modeOfOperationNr -eq 4) { + Logging " --> Chosen Mode: Mode 4 - Real Reset Mode | Use KrbTgt TEST/BOGUS Accounts - Password Will Be Reset Once!..." "REMARK" + Logging "" +} + +# If Mode 5 +If ($modeOfOperationNr -eq 5) { + Logging " --> Chosen Mode: Mode 5 - Simulation Mode | Use KrbTgt PROD/REAL Accounts - No Password Reset/WhatIf Mode!..." "REMARK" + Logging "" +} + +# If Mode 6 +If ($modeOfOperationNr -eq 6) { + Logging " --> Chosen Mode: Mode 6 - Real Reset Mode | Use KrbTgt PROD/REAL Accounts - Password Will Be Reset Once!..." "REMARK" + Logging "" +} + +# If Mode 8 +If ($modeOfOperationNr -eq 8) { + Logging " --> Chosen Mode: Mode 8 - Create TEST KrbTgt Accounts..." "REMARK" + Logging "" +} + +# If Mode 9 +If ($modeOfOperationNr -eq 9) { + Logging " --> Chosen Mode: Mode 9 - Cleanup TEST KrbTgt Accounts..." "REMARK" + Logging "" +} + +### +# All Modes - Selecting The Target AD Forest +### +Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" +Logging "SPECIFY THE TARGET AD FOREST..." "HEADER" +Logging "" + +# Retrieve The AD Domain And AD Forest Of The Computer Where The Script Is Executed +#$currentADDomainOfLocalComputer = $(Get-WmiObject -Class Win32_ComputerSystem).Domain +#$currentADForestOfLocalComputer = (Get-ADDomain $currentADDomainOfLocalComputer).Forest +#$currentADDomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $fqdnADDomainOfComputer) +#$currentADForestOfLocalComputer = ([System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($currentADDomainContext)).Forest.Name + +# Ask Which AD Forest To Target +If ($targetedADforestFQDN -eq "") { + Logging "For the AD forest to be targeted, please provide the FQDN or press [ENTER] for the current AD forest: " "ACTION-NO-NEW-LINE" + $targetedADforestFQDN = Read-Host +} Else { + Logging "For the AD forest to be targeted, please provide the FQDN or press [ENTER] for the current AD forest: $targetedADforestFQDN" "ACTION" +} + +# If No FQDN Of An AD Domain Is Specified, Then Use The AD Domain Of The Local Computer +If ($targetedADforestFQDN -eq "" -Or $null -eq $targetedADforestFQDN) { + $targetedADforestFQDN = $fqdnADForestOfComputer +} +Logging "" +Logging " --> Selected AD Forest: '$targetedADforestFQDN'..." "REMARK" + +# Validate The Specified AD Forest And Check A (Forest) Trust Is In Place, If Applicable +$adForestValidity = $false + +# Test To See If The Forest FQDN Exists At All +If ($targetedADforestFQDN -eq $fqdnADForestOfComputer) { + $localADforest = $true + $adForestLocation = "Local" +} Else { + $localADforest = $false + $adForestLocation = "Remote" +} + +Try { + # Checking Through DNS Resolution + Logging "" + Logging "Checking Resolvability of the specified $adForestLocation AD forest '$targetedADforestFQDN' through DNS..." + [System.Net.Dns]::GetHostEntry($targetedADforestFQDN) | Out-Null + $adForestValidity = $true +} Catch { + Try { + # Checking Through RootDse Connection + Logging "" + Logging "Checking Reachability of the specified $adForestLocation AD forest '$targetedADforestFQDN' through RootDse..." + #Get-ADRootDSE -Server $targetedADforestFQDN -ErrorAction Stop | Out-Null + Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADforestFQDN -EncryptionType Kerberos) -ErrorAction Stop | Out-Null + $adForestValidity = $true + } Catch [System.Security.Authentication.AuthenticationException] { + # $Error[0].Exception.GetType().FullName + $adForestValidity = $true + } Catch [Microsoft.ActiveDirectory.Management.ADServerDownException] { + # $Error[0].Exception.GetType().FullName + $adForestValidity = $false + } Catch { + $adForestValidity = $false + } +} + +If ($adForestValidity -eq $true) { + # If The AD Forest Is Resolvable/Reachable And Therefore Exists, Continue + Logging "" "SUCCESS" + Logging "The specified $adForestLocation AD forest '$targetedADforestFQDN' is either resolvable through DNS or reachable through RootDse!" "SUCCESS" + Logging "" "SUCCESS" + Logging "Continuing Script..." "SUCCESS" + Logging "" "SUCCESS" +} Else { + # If The AD Forest Is Not Resolvable And Not Reachable And Therefore Does Not Exists, Abort + Logging "" "ERROR" + Logging "The specified $adForestLocation AD forest '$targetedADforestFQDN' IS NOT resolvable through DNS and IS NOT reachable through RootDse!" "ERROR" + Logging "" "ERROR" + Logging "Please re-run the script and provide the FQDN of an AD forest that exists..." "ERROR" + Logging "" "ERROR" + Logging "Aborting Script..." "ERROR" + Logging "" "ERROR" + + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "ERROR" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "ERROR" + Logging " - TO: '$mailToRecipient'..." "ERROR" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "ERROR" + } + } + Logging "" "ERROR" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT +} + +# Validate The Specified AD Forest Is Accessible. If it is the local AD forest then it is accessible. If it is a remote AD forest and a (forest) trust is in place, then it is accessible. If it is a remote AD forest and a (forest) trust is NOT in place, then it is NOT accessible. +$adForestAccessibility = $false +# Test To See If The AD Forest Is Accessible +Try { + # Retrieve The Nearest RWDC In The Forest Root AD Domain + #$nearestRWDCInForestRootADDomain = (Get-ADDomainController -DomainName $targetedADforestFQDN -Discover -ErrorAction Stop).HostName[0] + #$dcLocatorFlag = [System.DirectoryServices.ActiveDirectory.LocatorOptions]::"ForceRediscovery","WriteableRequired" + #$adDomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $targetedADforestFQDN) + #$thisADDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($adDomainContext) + #$nearestRWDCInForestRootADDomain = $thisADDomain.FindDomainController($dcLocatorFlag) + + # Retrieve Information About The AD Forest + #$thisADForest = Get-ADForest -Identity $targetedADforestFQDN -Server $nearestRWDCInForestRootADDomain -ErrorAction Stop + $adForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Forest", $targetedADforestFQDN) + $thisADForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($adForestContext) + + $adForestAccessibility = $true +} Catch { + $adForestAccessibility = $false +} +Logging "" +Logging "Checking Accessibility of the specified AD forest '$targetedADforestFQDN' By Trying To Retrieve AD Forest Data..." +If ($adForestAccessibility -eq $true) { + # If The AD Forest Is Accessible, Continue + Logging "" "SUCCESS" + Logging "The specified AD forest '$targetedADforestFQDN' is accessible!" "SUCCESS" + Logging "" "SUCCESS" + Logging "Continuing Script..." "SUCCESS" + Logging "" "SUCCESS" +} Else { + If ($argsCount -eq 0) { + # If The AD Forest Is NOT Accessible, Ask For Credentials + Logging "" "WARNING" + Logging "The specified AD forest '$targetedADforestFQDN' IS NOT accessible!" "WARNING" + Logging "" "WARNING" + Logging "Custom credentials are needed..." "WARNING" + Logging "" "WARNING" + Logging "Continuing Script And Asking For Credentials..." "WARNING" + Logging "" "WARNING" + Logging "" + + # Ask For The Remote Credentials + $adminCrds = requestForAdminCreds + + # Test To See If The AD Forest Is Accessible + Try { + # Retrieve The Nearest RWDC In The Forest Root AD Domain: ADDED CREDS To Get A DC. It Was Not Here Before! Why? + #$nearestRWDCInForestRootADDomain = (Get-ADDomainController -DomainName $targetedADforestFQDN -Discover -Credential $adminCrds -ErrorAction Stop).HostName[0] + #$dcLocatorFlag = [System.DirectoryServices.ActiveDirectory.LocatorOptions]::"ForceRediscovery","WriteableRequired" + #$adDomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $targetedADforestFQDN, $($adminCrds.UserName), $($adminCrds.GetNetworkCredential().Password)) + #$thisADDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($adDomainContext) + #$nearestRWDCInForestRootADDomain = $thisADDomain.FindDomainController($dcLocatorFlag) + + # Retrieve Information About The AD Forest + #$thisADForest = Get-ADForest -Identity $targetedADforestFQDN -Server $nearestRWDCInForestRootADDomain -Credential $adminCrds -ErrorAction Stop + $adForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Forest", $targetedADforestFQDN, $($adminCrds.UserName), $($adminCrds.GetNetworkCredential().Password)) + $thisADForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($adForestContext) + + $adForestAccessibility = $true + } Catch { + $adForestAccessibility = $false + } + Logging "" + Logging "Checking Accessibility of the specified AD forest '$targetedADforestFQDN' By Trying To Retrieve AD Forest Data..." + If ($adForestAccessibility -eq $true) { + # If The AD Forest Is Accessible, Continue + Logging "" "SUCCESS" + Logging "The specified AD forest '$targetedADforestFQDN' is accessible!" "SUCCESS" + Logging "" "SUCCESS" + Logging "Continuing Script..." "SUCCESS" + Logging "" "SUCCESS" + } Else { + # If The AD Forest Is NOT Accessible, Ask For Credentials + Logging "" "ERROR" + Logging "The specified AD forest '$targetedADforestFQDN' IS NOT accessible!" "ERROR" + Logging "" "ERROR" + Logging "Please re-run the script and provide the correct credentials to connect to the remote AD forest..." "ERROR" + Logging "" "ERROR" + Logging "Aborting Script..." "ERROR" + Logging "" "ERROR" + + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "ERROR" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "ERROR" + Logging " - TO: '$mailToRecipient'..." "ERROR" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "ERROR" + } + } + Logging "" "ERROR" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT + } + } Else { + Logging "" "WARNING" + Logging "The specified AD forest '$targetedADforestFQDN' IS NOT accessible!" "WARNING" + Logging "" "WARNING" + Logging "Custom credentials are needed..." "WARNING" + Logging "" "WARNING" + Logging "Script is running in automated mode and because of that it cannot ask fo customer credentials..." "WARNING" + Logging "" "WARNING" + Logging "Please re-run the script and run the script with the correct credentials to connect to the remote AD forest..." "WARNING" + Logging "" "WARNING" + + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "ERROR" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "ERROR" + Logging " - TO: '$mailToRecipient'..." "ERROR" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "ERROR" + } + } + Logging "" "ERROR" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT + } +} + +### +# All Modes - Selecting The Target AD Domain +### +Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" +Logging "SELECT THE TARGET AD DOMAIN..." "HEADER" +Logging "" + +# Retrieve Root AD Domain Of The AD Forest +#$rootADDomainInADForest = $thisADForest.RootDomain +$rootADDomainInADForest = $thisADForest.RootDomain.Name + +# Retrieve All The AD Domains In The AD Forest And Sort These In Some Way +$arrayOfADDomainFQDNsInADForest = $thisADForest.Domains.Name +$sortedListOfADDomainFQDNsInADForest = @() +($arrayOfADDomainFQDNsInADForest | ?{$_ -like "*$rootDomain"} | %{([regex]::Matches($_, '.', 'RightToLeft') | %{$_.value}) -join ''}) | Sort-Object | %{$sortedListOfADDomainFQDNsInADForest += $(([regex]::Matches($_, '.', 'RightToLeft') | %{$_.value}) -join '')} +(@($arrayOfADDomainFQDNsInADForest | ?{$_ -notin $sortedListOfADDomainFQDNsInADForest}) | %{([regex]::Matches($_, '.', 'RightToLeft') | %{$_.value}) -join ''}) | Sort-Object | %{$sortedListOfADDomainFQDNsInADForest += $(([regex]::Matches($_, '.', 'RightToLeft') | %{$_.value}) -join '')} + +# Retrieve The DN Of The Partitions Container In The AD Forest +#$partitionsContainerDN = $thisADForest.PartitionsContainer +$partitionsContainerDN = $($thisADForest.Schema.Name).Replace("CN=Schema", "CN=Partitions") + +# Retrieve The Mode/Functional Level Of The AD Forest + Fix For Buf In S.DS.P. +$targetedADforestForestFunctionalMode = $thisADForest.ForestMode +$targetedADforestForestFunctionalModeLevel = $thisADForest.ForestModeLevel +If ([int]$targetedADforestForestFunctionalModeLevel -eq 7 -And $targetedADforestForestFunctionalMode -eq "Unknown") { + $targetedADforestForestFunctionalMode = "Windows2016Forest" +} + +# Define An Empty List/Table That Will Contain All AD Domains In The AD Forest And Related Information +$tableOfADDomainsInADForest = @() +Logging "Forest Mode/Level...: $targetedADforestForestFunctionalMode" + +# Set The Counter To Zero +$nrOfDomainsInForest = 0 + +# Execute For All AD Domains In The AD Forest +$sortedListOfADDomainFQDNsInADForest | ForEach-Object { + # Increase The Counter + $nrOfDomainsInForest += 1 + + # Get The FQDN Of The AD Domain + $domainFQDN = $_ + + <# + # Retrieve The Nearest RWDC In The AD Domain + $nearestRWDCInADDomain = $null + $nearestRWDCInADDomain = (Get-ADDomainController -DomainName $domainFQDN -Discover).HostName[0] + + # Retrieve The Object Of The AD Domain From AD + $domainObj = $null + Try { + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + $domainObj = Get-ADDomain $domainFQDN -Server $nearestRWDCInADDomain + } + If ($localADforest -eq $false -And $adminCrds) { + $domainObj = Get-ADDomain $domainFQDN -Server $nearestRWDCInADDomain -Credential $adminCrds + } + } Catch { + $domainObj = $null + } + #> + + # Retrieve The Object Of The AD Domain From AD And The Nearest RWDC + $domainObj = $null + $nearestRWDCInADDomain = $null + Try { + $dcLocatorFlag = [System.DirectoryServices.ActiveDirectory.LocatorOptions]::"ForceRediscovery", "WriteableRequired" + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + $adDomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $domainFQDN) + } + If ($localADforest -eq $false -And $adminCrds) { + $adDomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $domainFQDN, $($adminCrds.UserName), $($adminCrds.GetNetworkCredential().Password)) + } + $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($adDomainContext) + $nearestRWDCInADDomain = $domainObj.FindDomainController($dcLocatorFlag).Name + } Catch { + $domainObj = $null + } + + # Populate The Table With Data From The Processed AD Domain + Bug Fix For DomainMode(Level) In S.DS.P. When FFL/DFL Is 2016 + $tableOfADDomainsInADForestObj = New-Object -TypeName System.Object + $tableOfADDomainsInADForestObj | Add-Member -MemberType NoteProperty -Name "ListNr" -Value $nrOfDomainsInForest + $tableOfADDomainsInADForestObj | Add-Member -MemberType NoteProperty -Name "Name" -Value $domainFQDN + $tableOfADDomainsInADForestObj | Add-Member -MemberType NoteProperty -Name "NetBIOS" -Value $(If ($domainObj) {$domainObj.GetDirectoryEntry().Properties["Name"].Value} Else {"AD Domain Is Not Available"}) + $tableOfADDomainsInADForestObj | Add-Member -MemberType NoteProperty -Name "DomainSID" -Value $(If ($domainObj) {$objectSidBytes = $domainObj.GetDirectoryEntry().Properties["objectSid"].Value; (New-Object System.Security.Principal.SecurityIdentifier($objectSidBytes, 0)).Value} Else {"AD Domain Is Not Available"}) + $tableOfADDomainsInADForestObj | Add-Member -MemberType NoteProperty -Name "IsRootDomain" -Value $(If ($rootADDomainInADForest -eq $domainFQDN) {$true} Else {$false}) + $tableOfADDomainsInADForestObj | Add-Member -MemberType NoteProperty -Name "DomainMode" -Value $(If ($domainObj) {If ([int]$($domainObj.DomainModeLevel) -eq 7 -And $($domainObj.DomainMode) -eq "Unknown") {"Windows2016Domain"} Else {$($domainObj.DomainMode)}} Else {"AD Domain Is Not Available"}) + $tableOfADDomainsInADForestObj | Add-Member -MemberType NoteProperty -Name "IsCurrentDomain" -Value $(If ($fqdnADDomainOfComputer -eq $domainFQDN) {$true} Else {$false}) + $tableOfADDomainsInADForestObj | Add-Member -MemberType NoteProperty -Name "IsAvailable" -Value $(If ($domainObj) {$true} Else {$false}) + $tableOfADDomainsInADForestObj | Add-Member -MemberType NoteProperty -Name "PDCFsmoOwner" -Value $(If ($domainObj) {$domainObj.PdcRoleOwner.Name} Else {"AD Domain Is Not Available"}) + $tableOfADDomainsInADForestObj | Add-Member -MemberType NoteProperty -Name "NearestRWDC" -Value $(If ($domainObj) {$nearestRWDCInADDomain} Else {"AD Domain Is Not Available"}) + $tableOfADDomainsInADForest += $tableOfADDomainsInADForestObj +} + +# Display The List And Amount Of AD Domains +Logging "" +Logging "List Of AD Domains In AD Forest '$rootADDomainInADForest'..." +Logging "" +Logging "$($tableOfADDomainsInADForest | Format-Table | Out-String)" +Logging " --> Found [$nrOfDomainsInForest] AD Domain(s) in the AD forest '$rootADDomainInADForest'..." "REMARK" +Logging "" + +# Ask Which AD Domain To Target From The Previously Presented List +If ($targetedADdomainFQDN -eq "") { + Logging "For the AD domain to be targeted, please provide the list nr or the FQDN or press [ENTER] for the current AD domain: " "ACTION-NO-NEW-LINE" + $targetedADdomainFQDN = Read-Host +} Else { + Logging "For the AD domain to be targeted, please provide the list nr or the FQDN or press [ENTER] for the current AD domain: $targetedADdomainFQDN" "ACTION" +} + +# If A Numeric Value Was Entered Instead, Then Resolve That To An Actual FQDN +If ($targetedADdomainFQDN -match "^\d$" -And [int]$targetedADdomainFQDN -le $tableOfADDomainsInADForest.Count) { + $targetedADdomainFQDN = ($tableOfADDomainsInADForest | Where-Object{$_.ListNr -eq $targetedADdomainFQDN}).Name +} + +# If No FQDN Of An AD Domain Is Specified, Then Use The AD Domain Of The Local Computer +If ($targetedADdomainFQDN -eq "" -Or $null -eq $targetedADdomainFQDN) { + $targetedADdomainFQDN = $fqdnADDomainOfComputer +} +Logging "" +Logging " --> Selected AD Domain: '$targetedADdomainFQDN'..." "REMARK" + +# Validate The Chosen AD Domain Against The List Of Available AD Domains To See If It Does Exist In The AD Forest +$adDomainValidity = $false +$sortedListOfADDomainFQDNsInADForest | ForEach-Object { + $domainFQDN = $null + $domainFQDN = $_ + If ($targetedADdomainFQDN -eq $domainFQDN) { + $adDomainValidity = $true + } +} +Logging "" +Logging "Checking existence of the specified AD domain '$targetedADdomainFQDN' in the AD forest '$rootADDomainInADForest'..." +If ($adDomainValidity -eq $true) { + # If The AD Domain Is Valid And Therefore Exists, Continue + Logging "" "SUCCESS" + Logging "The specified AD domain '$targetedADdomainFQDN' exists in the AD forest '$rootADDomainInADForest'!" "SUCCESS" + Logging "" "SUCCESS" + Logging "Continuing Script..." "SUCCESS" + Logging "" "SUCCESS" +} Else { + # If The AD Domain Is Not Valid And Therefore Does Not Exist, Abort + Logging "" "ERROR" + Logging "The specified AD domain '$targetedADdomainFQDN' DOES NOT exist in the AD forest '$rootADDomainInADForest'!" "ERROR" + Logging "" "ERROR" + Logging "Please re-run the script and provide the FQDN of an AD domain that does exist in the AD forest '$rootADDomainInADForest'..." "ERROR" + Logging "" "ERROR" + Logging "Aborting Script..." "ERROR" + Logging "" "ERROR" + + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "ERROR" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "ERROR" + Logging " - TO: '$mailToRecipient'..." "ERROR" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "ERROR" + } + } + Logging "" "ERROR" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT +} + +### +# All Modes - Testing If Required Permissions Are Available (Domain/Enterprise Admin Credentials) +### +Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" +Logging "TESTING IF REQUIRED PERMISSIONS ARE AVAILABLE (DOMAIN/ENTERPRISE ADMINS OR ADMINISTRATORS CREDENTIALS)..." "HEADER" +Logging "" + +# Target AD Domain Data +$targetedADdomainData = $tableOfADDomainsInADForest | Where-Object{$_.Name -eq $targetedADdomainFQDN} + +# Retrieve The HostName Of Nearest RWDC In The AD Domain +$targetedADdomainNearestRWDCFQDN = $targetedADdomainData.NearestRWDC + +# Retrieve The ObjectSIDOf The Targeted AD Domain +$targetedDomainObjectSID = $targetedADdomainData.DomainSID + +# If The AD Forest Is Local, Then We Can Test For Role Membership Of Either Domain Admins Or Enterprise Admins. +If ($localADforest -eq $true) { + # Validate The User Account Running This Script Is A Member Of The Domain Admins Group Of The Targeted AD Domain + $domainAdminRID = "512" + $domainAdminRole = (New-Object System.Security.Principal.SecurityIdentifier($targetedDomainObjectSID + "-" + $domainAdminRID)).Translate([System.Security.Principal.NTAccount]).Value + $userIsDomainAdmin = testAdminRole $domainAdminRole + If (!$userIsDomainAdmin) { + # The User Account Running This Script Has Been Validated Not Being A Member Of The Domain Admins Group Of The Targeted AD Domain + # Validate The User Account Running This Script Is A Member Of The Enterprise Admins Group Of The AD Forest + $forestRootDomainObjectSID = ($tableOfADDomainsInADForest | Where-Object{$_.IsRootDomain -eq $true}).DomainSID + $enterpriseAdminRID = "519" + $enterpriseAdminRole = (New-Object System.Security.Principal.SecurityIdentifier($forestRootDomainObjectSID + "-" + $enterpriseAdminRID)).Translate([System.Security.Principal.NTAccount]).Value + $userIsEnterpriseAdmin = testAdminRole $enterpriseAdminRole + If (!$userIsEnterpriseAdmin) { + # The User Account Running This Script Has Been Validated Not Being A Member Of The Enterprise Admins Group Of The AD Forest + Logging "The user account '$adRunningUserAccount' IS NOT running with Domain/Enterprise Administrator equivalent permissions in the AD Domain '$targetedADdomainFQDN'!..." "ERROR" + Logging "The user account '$adRunningUserAccount' IS NOT a member of '$domainAdminRole' and NOT a member of '$enterpriseAdminRole'!..." "ERROR" + Logging "" "ERROR" + Logging "For this script to run successfully, Domain/Enterprise Administrator equivalent permissions are required..." "ERROR" + Logging "" "ERROR" + Logging "Aborting Script..." "ERROR" + Logging "" "ERROR" + + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "ERROR" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "ERROR" + Logging " - TO: '$mailToRecipient'..." "ERROR" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "ERROR" + } + } + Logging "" "ERROR" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT + } Else { + # The User Account Running This Script Has Been Validated To Be A Member Of The Enterprise Admins Group Of The AD Forest + Logging "The user account '$adRunningUserAccount' is running with Enterprise Administrator equivalent permissions in the AD Domain '$targetedADdomainFQDN'!..." "SUCCESS" + Logging "The user account '$adRunningUserAccount' is a member of '$enterpriseAdminRole'!..." "SUCCESS" + Logging "" "SUCCESS" + Logging "Continuing Script..." "SUCCESS" + Logging "" "SUCCESS" + } + } Else { + # The User Account Running This Script Has Been Validated To Be A Member Of The Domain Admins Group Of The Targeted AD Domain + Logging "The user account '$adRunningUserAccount' is running with Domain Administrator equivalent permissions in the AD Domain '$targetedADdomainFQDN'!..." "SUCCESS" + Logging "The user account '$adRunningUserAccount' is a member of '$domainAdminRole'!..." "SUCCESS" + Logging "" "SUCCESS" + Logging "Continuing Script..." "SUCCESS" + Logging "" "SUCCESS" + } +} + +# If The AD Forest Is Remote Then We Cannot Test For Role Membership Of The Administrators Group. We Will Test Permissions By Copying The Value Of The Description Field Into The Title Field And Clearing It Again +If ($localADforest -eq $false -And !$adminCrds) { + Try { + #Set-ADUser -Identity KRBTGT -Title $((Get-ADUser -Identity KRBTGT -Properties Description -Server $targetedADdomainFQDN).Description) -Server $targetedADdomainFQDN + #Set-ADUser -Identity KRBTGT -Clear Title -Server $targetedADdomainFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $krbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=KRBTGT))" -PropertiesToLoad @("description") -AdditionalProperties @('title') + $krbTgtObject.title = $krbTgtObject.description + Edit-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -Mode Replace -Object $krbTgtObject + $krbTgtObject.title = $null + Edit-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -Mode Replace -Object $krbTgtObject + Logging "The user account '$adRunningUserAccount' is running with Administrators equivalent permissions in the AD Domain '$targetedADdomainFQDN'!..." "SUCCESS" + Logging "" "SUCCESS" + Logging "Continuing Script..." "SUCCESS" + Logging "" "SUCCESS" + } Catch { + Logging "The user account '$adRunningUserAccount' IS NOT running with Administrators equivalent permissions in the AD Domain '$targetedADdomainFQDN'!..." "ERROR" + Logging "" "ERROR" + Logging "For this script to run successfully, Administrators equivalent permissions are required in the AD Domain '$targetedADdomainFQDN'..." "ERROR" + Logging "" "ERROR" + + If ($argsCount -gt 0) { + Logging "Aborting Script..." "ERROR" + Logging "" "ERROR" + # Mail The Log File With The Results + If ($sendMailWithLogFile) { + Logging "" "ERROR" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "ERROR" + Logging " - TO: '$mailToRecipient'..." "ERROR" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "ERROR" + } + } + Logging "" "ERROR" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT + } Else { + Logging "Continuing Script..." "ERROR" + Logging "" "ERROR" + # Ask For The Remote Credentials + $adminCrds = requestForAdminCreds + Logging "" + } + } +} +If ($localADforest -eq $false -And $adminCrds) { + Try { + $adminUserAccountRemoteForest = $adminCrds.UserName + $adminUserPasswordRemoteForest = $adminCrds.GetNetworkCredential().Password + #Set-ADUser -Identity KRBTGT -Title $((Get-ADUser -Identity KRBTGT -Properties Description -Server $targetedADdomainFQDN -Credential $adminCrds).Description) -Server $targetedADdomainFQDN -Credential $adminCrds + #Set-ADUser -Identity KRBTGT -Clear Title -Server $targetedADdomainFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $krbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=KRBTGT))" -PropertiesToLoad @("description") -AdditionalProperties @('title') + $krbTgtObject.title = $krbTgtObject.description + Edit-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -Mode Replace -Object $krbTgtObject + $krbTgtObject.title = $null + Edit-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -Mode Replace -Object $krbTgtObject + Logging "The user account '$adminUserAccountRemoteForest' is running with Administrators equivalent permissions in the AD Domain '$targetedADdomainFQDN'!..." "SUCCESS" + Logging "" "SUCCESS" + Logging "Continuing Script..." "SUCCESS" + Logging "" "SUCCESS" + } Catch { + Logging "The user account '$adminUserAccountRemoteForest' IS NOT running with Administrators equivalent permissions in the AD Domain '$targetedADdomainFQDN' OR username/password IS NOT correct!..." "ERROR" + Logging "" "ERROR" + Logging "For this script to run successfully, Administrators equivalent permissions are required in the AD Domain '$targetedADdomainFQDN'..." "ERROR" + Logging "" "ERROR" + Logging "Aborting Script..." "ERROR" + Logging "" "ERROR" + + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "ERROR" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "ERROR" + Logging " - TO: '$mailToRecipient'..." "ERROR" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "ERROR" + } + } + Logging "" "ERROR" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT + } +} + +### +# All Modes - Gathering AD Domain Information +### +Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" +Logging "GATHERING TARGETED AD DOMAIN INFORMATION..." "HEADER" +Logging "" + +# Retrieve Information For The AD Domain That Was Chosen +Try { + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + #$thisADDomain = Get-ADDomain $targetedADdomainFQDN -Server $targetedADdomainNearestRWDCFQDN + $adDomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $targetedADdomainFQDN) + + $targetSearchBase = "OU=Domain Controllers," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName) + $dcsInADDomain = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectClass=computer)(|(primaryGroupID=516)(primaryGroupID=521)))" -PropertiesToLoad @("dNSHostName", "msDS-isRODC", "primaryGroupID") + } + If ($localADforest -eq $false -And $adminCrds) { + #$thisADDomain = Get-ADDomain $targetedADdomainFQDN -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds + $adDomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $targetedADdomainFQDN, $($adminCrds.UserName), $($adminCrds.GetNetworkCredential().Password)) + + $targetSearchBase = "OU=Domain Controllers," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName) + $dcsInADDomain = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectClass=computer)(|(primaryGroupID=516)(primaryGroupID=521)))" -PropertiesToLoad @("dNSHostName", "msDS-isRODC", "primaryGroupID") + } + $thisADDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($adDomainContext) +} Catch { + $thisADDomain = $null +} + +If ($thisADDomain) { + # Retrieve The Domain SID + #$targetedADdomainDomainSID = $thisADDomain.DomainSID.Value + $objectSidBytes = $thisADDomain.GetDirectoryEntry().Properties["objectSid"].Value + $targetedADdomainDomainSID = (New-Object System.Security.Principal.SecurityIdentifier($objectSidBytes, 0)).Value + + # Retrieve The HostName Of RWDC In The AD Domain That Hosts The PDC FSMO Role + #$targetedADdomainRWDCFQDNWithPDCFSMOFQDN = $thisADDomain.PDCEmulator + $targetedADdomainRWDCFQDNWithPDCFSMOFQDN = $thisADDomain.PdcRoleOwner.Name + + # Retrieve The DSA DN Of RWDC In The AD Domain That Hosts The PDC FSMO Role + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$targetedADdomainRWDCFQDNWithPDCFSMONTDSSettingsObjectDN = (Get-ADDomainController $targetedADdomainRWDCFQDNWithPDCFSMOFQDN -Server $targetedADdomainNearestRWDCFQDN).NTDSSettingsObjectDN + $targetSearchBase = "CN=Sites," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).configurationNamingContext.distinguishedName) + $targetedADdomainRWDCFQDNWithPDCFSMONTDSSettingsObjectDN = "CN=NTDS Settings," + $((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectClass=server)(dNSHostName=$targetedADdomainRWDCFQDNWithPDCFSMOFQDN))" -PropertiesToLoad @("distinguishedName")).distinguishedName) + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For Domain Controller With 'dNSHostName=$targetedADdomainRWDCFQDNWithPDCFSMOFQDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$targetedADdomainRWDCFQDNWithPDCFSMONTDSSettingsObjectDN = (Get-ADDomainController $targetedADdomainRWDCFQDNWithPDCFSMOFQDN -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds).NTDSSettingsObjectDN + $targetSearchBase = "CN=Sites," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).configurationNamingContext.distinguishedName) + $targetedADdomainRWDCFQDNWithPDCFSMONTDSSettingsObjectDN = "CN=NTDS Settings," + $((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectClass=server)(dNSHostName=$targetedADdomainRWDCFQDNWithPDCFSMOFQDN))" -PropertiesToLoad @("distinguishedName")).distinguishedName) + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For Domain Controller With 'dNSHostName=$targetedADdomainRWDCFQDNWithPDCFSMOFQDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Retrieve Domain Functional Level/Mode Of The AD Domain + $targetedADdomainDomainFunctionalMode = $thisADDomain.DomainMode + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$targetedADdomainDomainFunctionalModeLevel = (Get-ADObject -LDAPFilter "(&(objectClass=crossRef)(nCName=$('DC=' + $targetedADdomainFQDN.replace('.',',DC='))))" -SearchBase $partitionsContainerDN -Properties "msDS-Behavior-Version" -Server $targetedADdomainNearestRWDCFQDN)."msDS-Behavior-Version" + $targetedADdomainDomainFunctionalModeLevel = (Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $partitionsContainerDN -searchFilter "(&(objectClass=crossRef)(nCName=$('DC=' + $targetedADdomainFQDN.replace('.',',DC='))))" -PropertiesToLoad @("msDS-Behavior-Version"))."msDS-Behavior-Version" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For Cross Reference Object With 'nCName=$('DC=' + $targetedADdomainFQDN.replace('.',',DC='))'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$targetedADdomainDomainFunctionalModeLevel = (Get-ADObject -LDAPFilter "(&(objectClass=crossRef)(nCName=$('DC=' + $targetedADdomainFQDN.replace('.',',DC='))))" -SearchBase $partitionsContainerDN -Properties "msDS-Behavior-Version" -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds)."msDS-Behavior-Version" + $targetedADdomainDomainFunctionalModeLevel = (Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $partitionsContainerDN -searchFilter "(&(objectClass=crossRef)(nCName=$('DC=' + $targetedADdomainFQDN.replace('.',',DC='))))" -PropertiesToLoad @("msDS-Behavior-Version"))."msDS-Behavior-Version" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For Cross Reference Object With 'nCName=$('DC=' + $targetedADdomainFQDN.replace('.',',DC='))' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($targetedADdomainDomainFunctionalModeLevel -eq 7 -And $targetedADdomainDomainFunctionalMode -eq "Unknown") { + $targetedADdomainDomainFunctionalMode = "Windows2016Domain" + } + + Try { + # Execute An RSoP Against The Nearest RWDC In The Targeted AD Domain To Determine The Result Settings And The GPO(s) That Provided The Final Setting + # Get The List Of GPOs That Were Processed For RSoP So We Can Map The GUID Back To Show Which GPO Won + # Determine The Max Tgt Lifetime In Hours From The Winning GPO And The Max Clock Skew In Minutes From The Winning GPO + If ($localADforest -eq $true) { + $sidOfProfilesOnDC = (Get-WmiObject Win32_UserProfile -ComputerName $targetedADdomainNearestRWDCFQDN).SID | Where-Object{$_ -match $targetedADdomainDomainSID} + If ($($sidOfProfilesOnDC | Measure-Object).Count -eq 1) { + $sidToChoose = $sidOfProfilesOnDC + } ElseIf ($($sidOfProfilesOnDC | Measure-Object).Count -gt 1) { + $sidToChoose = $sidOfProfilesOnDC[0] + } Else { + $sidToChoose = [Security.Principal.WindowsIdentity]::GetCurrent().User + } + $accountToChoose = $(New-Object System.Security.Principal.SecurityIdentifier($sidToChoose)).Translate([System.Security.Principal.NTAccount]).Value + Get-GPResultantSetOfPolicy -Computer $targetedADdomainNearestRWDCFQDN -User $accountToChoose -ReportType xml -Path "$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml" -ErrorAction Stop | Out-Null + If (Test-Path "$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml") { + [xml]$gpRSoPxml = Get-Content "$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml" + $gpoList = @{} + (Select-Xml -xml $gpRSoPxml -XPath '/rsop:Rsop' -Namespace @{rsop = "http://www.microsoft.com/GroupPolicy/Rsop"}).Node.ComputerResults.GPO | ForEach-Object{$gpoList.Add($_.Path.Identifier."#text", $_.Name)} + $rsopKerberosPolicy = (Select-Xml -xml $gpRSoPxml -XPath '/rsop:Rsop' -Namespace @{rsop = "http://www.microsoft.com/GroupPolicy/Rsop"}).Node.ComputerResults.ExtensionData.Extension.Account | Where-Object{$_.Type -eq "Kerberos"} + $kerberosPolicyMaxTgtAgeObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxTicketAge"; + SettingValue = ($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxTicketAge"}).SettingNumber; + SourceGPOGuid = $(($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxTicketAge"}).GPO.Identifier.'#text'); + SourceGPOName = $gpoList[$(($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxTicketAge"}).GPO.Identifier.'#text')]; + } + $kerberosPolicyMaxClockSkewObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxClockSkew"; + SettingValue = ($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxClockSkew"}).SettingNumber; + SourceGPOGuid = $(($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxClockSkew"}).GPO.Identifier.'#text'); + SourceGPOName = $gpoList[$(($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxClockSkew"}).GPO.Identifier.'#text')]; + } + Try { + Remove-Item "$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml" -Force -ErrorAction Stop + } Catch { + Logging "" "ERROR" + Logging "Error Removing The RSoP File '$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } Else { + $kerberosPolicyMaxTgtAgeObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxTicketAge"; + SettingValue = 10; + SourceGPOGuid = "00000000-0000-0000-0000-000000000000"; + SourceGPOName = "Default Value Assumed"; + } + $kerberosPolicyMaxClockSkewObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxClockSkew"; + SettingValue = 5; + SourceGPOGuid = "00000000-0000-0000-0000-000000000000"; + SourceGPOName = "Default Value Assumed"; + } + } + } + If ($localADforest -eq $false -And !$adminCrds) { + $targetedServerSession = New-PSSession -ComputerName $targetedADdomainNearestRWDCFQDN -ErrorAction Stop + $kerberosPolicyMaxTgtAgeObject, $kerberosPolicyMaxClockSkewObject = Invoke-Command -Session $targetedServerSession -ArgumentList $targetedADdomainFQDN, $targetedADdomainDomainSID, $targetedADdomainNearestRWDCFQDN, $execDateTimeCustom, $loadPoSHModulesDef, $LoggingDef -ScriptBlock { + Param ( + $targetedADdomainFQDN, + $targetedADdomainDomainSID, + $targetedADdomainNearestRWDCFQDN, + $execDateTimeCustom, + $loadPoSHModulesDef, + $LoggingDef + ) + + . ([ScriptBlock]::Create($loadPoSHModulesDef)) + . ([ScriptBlock]::Create($LoggingDef)) + + "GroupPolicy" | ForEach-Object { + $poshModuleState = $null + $poshModuleState = loadPoSHModules $_ $true + If ($poshModuleState -eq "NotAvailable") { + BREAK + } + } + + If ($poshModuleState -eq "HasBeenLoaded" -Or $poshModuleState -eq "AlreadyLoaded") { + $sidOfProfilesOnDC = (Get-WmiObject Win32_UserProfile -ComputerName $targetedADdomainNearestRWDCFQDN).SID | Where-Object{$_ -match $targetedADdomainDomainSID} + If ($($sidOfProfilesOnDC | Measure-Object).Count -eq 1) { + $sidToChoose = $sidOfProfilesOnDC + } ElseIf ($($sidOfProfilesOnDC | Measure-Object).Count -gt 1) { + $sidToChoose = $sidOfProfilesOnDC[0] + } Else { + $sidToChoose = [Security.Principal.WindowsIdentity]::GetCurrent().User + } + $accountToChoose = $(New-Object System.Security.Principal.SecurityIdentifier($sidToChoose)).Translate([System.Security.Principal.NTAccount]).Value + Get-GPResultantSetOfPolicy -Computer $targetedADdomainNearestRWDCFQDN -User $accountToChoose -ReportType xml -Path "$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml" -ErrorAction Stop | Out-Null + If (Test-Path "$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml") { + [xml]$gpRSoPxml = Get-Content "$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml" + $gpoList = @{} + (Select-Xml -xml $gpRSoPxml -XPath '/rsop:Rsop' -Namespace @{rsop = "http://www.microsoft.com/GroupPolicy/Rsop"}).Node.ComputerResults.GPO | ForEach-Object{$gpoList.Add($_.Path.Identifier."#text", $_.Name)} + $rsopKerberosPolicy = (Select-Xml -xml $gpRSoPxml -XPath '/rsop:Rsop' -Namespace @{rsop = "http://www.microsoft.com/GroupPolicy/Rsop"}).Node.ComputerResults.ExtensionData.Extension.Account | Where-Object{$_.Type -eq "Kerberos"} + $kerberosPolicyMaxTgtAgeObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxTicketAge"; + SettingValue = ($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxTicketAge"}).SettingNumber; + SourceGPOGuid = $(($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxTicketAge"}).GPO.Identifier.'#text'); + SourceGPOName = $gpoList[$(($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxTicketAge"}).GPO.Identifier.'#text')]; + } + $kerberosPolicyMaxClockSkewObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxClockSkew"; + SettingValue = ($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxClockSkew"}).SettingNumber; + SourceGPOGuid = $(($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxClockSkew"}).GPO.Identifier.'#text'); + SourceGPOName = $gpoList[$(($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxClockSkew"}).GPO.Identifier.'#text')]; + } + Try { + Remove-Item "$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml" -Force -ErrorAction Stop + } Catch { + Logging "" "ERROR" + Logging "Error Removing The RSoP File '$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } Else { + $kerberosPolicyMaxTgtAgeObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxTicketAge"; + SettingValue = 10; + SourceGPOGuid = "00000000-0000-0000-0000-000000000000"; + SourceGPOName = "Default Value Assumed (Reason: RsOP Failed)"; + } + $kerberosPolicyMaxClockSkewObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxClockSkew"; + SettingValue = 5; + SourceGPOGuid = "00000000-0000-0000-0000-000000000000"; + SourceGPOName = "Default Value Assumed (Reason: RsOP Failed)"; + } + } + } Else { + $kerberosPolicyMaxTgtAgeObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxTicketAge"; + SettingValue = 10; + SourceGPOGuid = "00000000-0000-0000-0000-000000000000"; + SourceGPOName = "Default Value Assumed (Reason: PoSH Module Not Installed On Remote RWDC)"; + } + $kerberosPolicyMaxClockSkewObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxClockSkew"; + SettingValue = 5; + SourceGPOGuid = "00000000-0000-0000-0000-000000000000"; + SourceGPOName = "Default Value Assumed (Reason: PoSH Module Not Installed On Remote RWDC)"; + } + } + Return $kerberosPolicyMaxTgtAgeObject, $kerberosPolicyMaxClockSkewObject + } + Remove-PSSession $targetedServerSession + } + If ($localADforest -eq $false -And $adminCrds) { + $targetedServerSession = New-PSSession -ComputerName $targetedADdomainNearestRWDCFQDN -Credential $adminCrds -ErrorAction Stop + $kerberosPolicyMaxTgtAgeObject, $kerberosPolicyMaxClockSkewObject = Invoke-Command -Session $targetedServerSession -ArgumentList $targetedADdomainFQDN, $targetedADdomainDomainSID, $targetedADdomainNearestRWDCFQDN, $execDateTimeCustom, $loadPoSHModulesDef, $LoggingDef -ScriptBlock { + Param ( + $targetedADdomainFQDN, + $targetedADdomainDomainSID, + $targetedADdomainNearestRWDCFQDN, + $execDateTimeCustom, + $loadPoSHModulesDef, + $LoggingDef + ) + + . ([ScriptBlock]::Create($loadPoSHModulesDef)) + . ([ScriptBlock]::Create($LoggingDef)) + + "GroupPolicy" | ForEach-Object { + $poshModuleState = $null + $poshModuleState = loadPoSHModules $_ $true + If ($poshModuleState -eq "NotAvailable") { + BREAK + } + } + + If ($poshModuleState -eq "HasBeenLoaded" -Or $poshModuleState -eq "AlreadyLoaded") { + $sidOfProfilesOnDC = (Get-WmiObject Win32_UserProfile -ComputerName $targetedADdomainNearestRWDCFQDN).SID | Where-Object{$_ -match $targetedADdomainDomainSID} + If ($($sidOfProfilesOnDC | Measure-Object).Count -eq 1) { + $sidToChoose = $sidOfProfilesOnDC + } ElseIf ($($sidOfProfilesOnDC | Measure-Object).Count -gt 1) { + $sidToChoose = $sidOfProfilesOnDC[0] + } Else { + $sidToChoose = [Security.Principal.WindowsIdentity]::GetCurrent().User + } + $accountToChoose = $(New-Object System.Security.Principal.SecurityIdentifier($sidToChoose)).Translate([System.Security.Principal.NTAccount]).Value + Get-GPResultantSetOfPolicy -Computer $targetedADdomainNearestRWDCFQDN -User $accountToChoose -ReportType xml -Path "$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml" -ErrorAction Stop | Out-Null + If (Test-Path "$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml") { + [xml]$gpRSoPxml = Get-Content "$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml" + $gpoList = @{} + (Select-Xml -xml $gpRSoPxml -XPath '/rsop:Rsop' -Namespace @{rsop = "http://www.microsoft.com/GroupPolicy/Rsop"}).Node.ComputerResults.GPO | ForEach-Object{$gpoList.Add($_.Path.Identifier."#text", $_.Name)} + $rsopKerberosPolicy = (Select-Xml -xml $gpRSoPxml -XPath '/rsop:Rsop' -Namespace @{rsop = "http://www.microsoft.com/GroupPolicy/Rsop"}).Node.ComputerResults.ExtensionData.Extension.Account | Where-Object{$_.Type -eq "Kerberos"} + $kerberosPolicyMaxTgtAgeObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxTicketAge"; + SettingValue = ($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxTicketAge"}).SettingNumber; + SourceGPOGuid = $(($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxTicketAge"}).GPO.Identifier.'#text'); + SourceGPOName = $gpoList[$(($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxTicketAge"}).GPO.Identifier.'#text')]; + } + $kerberosPolicyMaxClockSkewObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxClockSkew"; + SettingValue = ($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxClockSkew"}).SettingNumber; + SourceGPOGuid = $(($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxClockSkew"}).GPO.Identifier.'#text'); + SourceGPOName = $gpoList[$(($rsopKerberosPolicy | Where-Object{$_.Name -eq "MaxClockSkew"}).GPO.Identifier.'#text')]; + } + Try { + Remove-Item "$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml" -Force -ErrorAction Stop + } Catch { + Logging "" "ERROR" + Logging "Error Removing The RSoP File '$($ENV:WINDIR + '\TEMP')\gpRSoP_$targetedADdomainFQDN`_$targetedADdomainNearestRWDCFQDN`_$execDateTimeCustom.xml'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } Else { + $kerberosPolicyMaxTgtAgeObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxTicketAge"; + SettingValue = 10; + SourceGPOGuid = "00000000-0000-0000-0000-000000000000"; + SourceGPOName = "Default Value Assumed"; + } + $kerberosPolicyMaxClockSkewObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxClockSkew"; + SettingValue = 5; + SourceGPOGuid = "00000000-0000-0000-0000-000000000000"; + SourceGPOName = "Default Value Assumed"; + } + } + } Else { + $kerberosPolicyMaxTgtAgeObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxTicketAge"; + SettingValue = 10; + SourceGPOGuid = "00000000-0000-0000-0000-000000000000"; + SourceGPOName = "Default Value Assumed (Reason: PoSH Module Not Installed On Remote RWDC)"; + } + $kerberosPolicyMaxClockSkewObject = New-Object -TypeName PSObject -Property @{ + SettingName = "MaxClockSkew"; + SettingValue = 5; + SourceGPOGuid = "00000000-0000-0000-0000-000000000000"; + SourceGPOName = "Default Value Assumed (Reason: PoSH Module Not Installed On Remote RWDC)"; + } + } + Return $kerberosPolicyMaxTgtAgeObject, $kerberosPolicyMaxClockSkewObject + } + Remove-PSSession $targetedServerSession + } + $targetedADdomainMaxTgtLifetimeHrs = $kerberosPolicyMaxTgtAgeObject.SettingValue + $targetedADdomainMaxTgtLifetimeHrsSourceGPO = $kerberosPolicyMaxTgtAgeObject.SourceGPOName + $targetedADdomainMaxClockSkewMins = $kerberosPolicyMaxClockSkewObject.SettingValue + $targetedADdomainMaxClockSkewMinsSourceGPO = $kerberosPolicyMaxClockSkewObject.SourceGPOName + } Catch { + Logging "Could not lookup 'MaxTicketAge' (default 10 hours) and 'MaxClockSkew' (default 5 minutes) from the resultant GPO, so default values will be assumed." "WARNING" + Logging "" + $targetedADdomainMaxTgtLifetimeHrs = 10 + $targetedADdomainMaxTgtLifetimeHrsSourceGPO = "Default Value Assumed" + $targetedADdomainMaxClockSkewMins = 5 + $targetedADdomainMaxClockSkewMinsSourceGPO = "Default Value Assumed" + } +} Else { + $targetedADdomainRWDCFQDNWithPDCFSMOFQDN = "Unavailable" + $targetedADdomainRWDCFQDNWithPDCFSMONTDSSettingsObjectDN = "Unavailable" + $targetedADdomainDomainFunctionalMode = "Unavailable" + $targetedADdomainDomainFunctionalModeLevel = "Unavailable" + $targetedADdomainMaxTgtLifetimeHrs = "Unavailable" + $targetedADdomainMaxTgtLifetimeHrsSourceGPO = "Unavailable" + $targetedADdomainMaxClockSkewMins = "Unavailable" + $targetedADdomainMaxClockSkewMinsSourceGPO = "Unavailable" +} + +# Present The Information +Logging "" +Logging "Domain FQDN...........................: '$targetedADdomainFQDN'" +Logging "Domain Functional Mode................: '$targetedADdomainDomainFunctionalMode'" +Logging "Domain Functional Mode Level..........: '$targetedADdomainDomainFunctionalModeLevel'" +Logging "FQDN RWDC With PDC FSMO...............: '$targetedADdomainRWDCFQDNWithPDCFSMOFQDN'" +Logging "DSA RWDC With PDC FSMO................: '$targetedADdomainRWDCFQDNWithPDCFSMONTDSSettingsObjectDN'" +Logging "Max TGT Lifetime (Hours)..............: '$targetedADdomainMaxTgtLifetimeHrs'" +Logging "Max TGT Lifetime Sourced From.........: '$targetedADdomainMaxTgtLifetimeHrsSourceGPO'" +Logging "Max Clock Skew (Minutes)..............: '$targetedADdomainMaxClockSkewMins'" +Logging "Max Clock Skew Sourced From...........: '$targetedADdomainMaxClockSkewMinsSourceGPO'" +Logging "" +Logging "Checking Domain Functional Mode of targeted AD domain '$targetedADdomainFQDN' is high enough..." + +# Check If The Domain Functional Level/Mode Of The AD Domain Is High Enough To Continue +If ($targetedADdomainDomainFunctionalModeLevel -ne "Unavailable" -And $targetedADdomainDomainFunctionalModeLevel -ge 3) { + # If The Domain Functional Level/Mode Of The AD Domain Is Equal Or Higher Than Windows Server 2008 (3), Then Continue + Logging "" "SUCCESS" + Logging "The specified AD domain '$targetedADdomainFQDN' has a Domain Functional Mode of 'Windows2008Domain (3)' or higher!..." "SUCCESS" + Logging "" "SUCCESS" + Logging "Continuing Script..." "SUCCESS" + Logging "" "SUCCESS" +} Else { + # If The Domain Functional Level/Mode Of The AD Domain Is Lower Than Windows Server 2008 (3) Or It Cannot Be Determined, Then Abort + Logging "" "ERROR" + Logging "It CANNOT be determined the specified AD domain '$targetedADdomainFQDN' has a Domain Functional Mode of 'Windows2008Domain (3)' or higher!..." "ERROR" + Logging "" "ERROR" + Logging "AD domains with Windows Server 2000/2003 DCs CANNOT do KDC PAC validation using the previous (N-1) KrbTgt Account Password" "ERROR" + Logging "like Windows Server 2008 and higher DCs are able to. Windows Server 2000/2003 DCs will only attempt it with the current (N)" "ERROR" + Logging "KrbTgt Account Password. That means that in the subset of KRB AP exchanges where KDC PAC validation is performed," "ERROR" + Logging "authentication issues could be experience because the target server gets a PAC validation error when asking the KDC (DC)" "ERROR" + Logging "to validate the KDC signature of the PAC that is inside the service ticket that was presented by the client to the server." "ERROR" + Logging "This problem would potentially persist for the lifetime of the service ticket(s). And by the way... for Windows Server" "ERROR" + Logging "2000/2003 support already ended years ago. Time to upgrade to higher version dude!" "ERROR" + Logging "Be aware though, when increasing the DFL from Windows Server 2003 to any higher level, the password of the KrbTgt Account" "ERROR" + Logging "will be reset automatically due to the introduction of AES encryption for Kerberos and the requirement to regenerate new" "ERROR" + Logging "keys for DES, RC4, AES128, AES256!" "ERROR" + Logging "" "ERROR" + Logging "Aborting Script..." "ERROR" + Logging "" "ERROR" + + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "ERROR" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "ERROR" + Logging " - TO: '$mailToRecipient'..." "ERROR" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "ERROR" + } + } + Logging "" "ERROR" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT +} + +### +# All Modes - Gathering Domain Controller Information And Testing Connectivity +### +Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" +Logging "GATHERING DOMAIN CONTROLLER INFORMATION AND TESTING CONNECTIVITY..." "HEADER" +Logging "" + +# Define An Empty List/Table That Will Contain All DCs In The AD Domain And Related Information +$tableOfDCsInADDomain = @() + +# Retrieve All The RWDCs In The AD Domain +#$listOfRWDCsInADDomain = $thisADDomain.ReplicaDirectoryServers +$listOfRWDCsInADDomain = $dcsInADDomain | Where-Object{$_."msDS-isRODC" -eq $false -Or $_.primaryGroupID -eq "516"} | ForEach-Object{$_.dnsHostName} + +# Set The Counters To Zero +$nrOfRWDCs = 0 +$nrOfReachableRWDCs = 0 +$nrOfUnReachableRWDCs = 0 + +# Execute For All RWDCs In The AD Domain If Any +If ($listOfRWDCsInADDomain) { + $listOfRWDCsInADDomain | ForEach-Object { + # Get The FQDN Of The RWDC + $rwdcFQDN = $null + $rwdcFQDN = $_ + + # Retrieve The Object Of The RWDC From AD + $rwdcObj = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$rwdcObj = Get-ADDomainController $rwdcFQDN -Server $targetedADdomainNearestRWDCFQDN + $targetSearchBase = "OU=Domain Controllers," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName) + $rwdcObj = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectClass=computer)(dNSHostName=$rwdcFQDN))" -PropertiesToLoad @("OperatingSystem", "serverReferenceBL") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For Domain Controller With 'dNSHostName=$rwdcFQDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$rwdcObj = Get-ADDomainController $rwdcFQDN -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds + $targetSearchBase = "OU=Domain Controllers," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName) + $rwdcObj = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectClass=computer)(dNSHostName=$rwdcFQDN))" -PropertiesToLoad @("OperatingSystem", "serverReferenceBL") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For Domain Controller With 'dNSHostName=$rwdcFQDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Define The Columns For The RWDCs In The AD Domain To Be Filled In + $tableOfDCsInADDomainObj = New-Object -TypeName System.Object + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Host Name" -Value $rwdcFQDN + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "PDC" -Value $(If (($tableOfADDomainsInADForest | Where-Object{$_.Name -eq $targetedADdomainFQDN}).PDCFsmoOwner -eq $rwdcFQDN) {$true} Else {$false}) + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Site Name" -Value $($rwdcObj.serverReferenceBL.Split(",")[2].Replace("CN=", "")) + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "DS Type" -Value "Read/Write" + $rwdcKrbTgtSamAccountName = $null + If ($modeOfOperationNr -eq 1 -Or $modeOfOperationNr -eq 2 -Or $modeOfOperationNr -eq 5 -Or $modeOfOperationNr -eq 6) { + # Use The PROD/REAL KrbTgt Account Of The RWDC + $rwdcKrbTgtSamAccountName = "krbtgt" + } + If ($modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 8 -Or $modeOfOperationNr -eq 9) { + # Use The TEST/BOGUS KrbTgt Account Of The RWDC + $rwdcKrbTgtSamAccountName = "krbtgt_TEST" + } + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Krb Tgt" -Value $rwdcKrbTgtSamAccountName + $rwdcKrbTgtObject = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$rwdcKrbTgtObject = Get-ADUser -LDAPFilter "(sAMAccountName=$rwdcKrbTgtSamAccountName)" -Properties * -Server $targetedADdomainNearestRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $rwdcKrbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$rwdcKrbTgtSamAccountName))" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For User Object With 'sAMAccountName=$rwdcKrbTgtSamAccountName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$rwdcKrbTgtObject = Get-ADUser -LDAPFilter "(sAMAccountName=$rwdcKrbTgtSamAccountName)" -Properties * -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $rwdcKrbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$rwdcKrbTgtSamAccountName))" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For User Object With 'sAMAccountName=$rwdcKrbTgtSamAccountName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + # Retrieve The Object Of The KrbTgt Account + If ($rwdcKrbTgtObject) { + # If The Object Of The KrbTgt Account Exists + # Retrieve The DN OF The Object + $rwdcKrbTgtObjectDN = $null + $rwdcKrbTgtObjectDN = $rwdcKrbTgtObject.DistinguishedName + + # Retrieve The Password Last Set Value Of The KrbTgt Account + $rwdcKrbTgtPwdLastSet = $null + $rwdcKrbTgtPwdLastSet = Get-Date $([datetime]::fromfiletime($rwdcKrbTgtObject.pwdLastSet)) -f "yyyy-MM-dd HH:mm:ss" + + # Set The Corresponding Value Of The RWDC In The Correct Column Of The Table + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Pwd Last Set" -Value $rwdcKrbTgtPwdLastSet + + # Retrieve The Metadata Of The Object, And More Specific Of The pwdLastSet Attribute Of That Object + $objectMetadata = $null + $objectMetadata = retrieveObjectMetadata $targetedADdomainNearestRWDCFQDN $rwdcKrbTgtObjectDN $localADforest $adminCrds + $objectMetadataAttribPwdLastSet = $null + $objectMetadataAttribPwdLastSet = $objectMetadata | Where-Object{$_.Name -eq "pwdLastSet"} + $objectMetadataAttribPwdLastSetOrgRWDCFQDN = $null + $objectMetadataAttribPwdLastSetOrgRWDCFQDN = If ($objectMetadataAttribPwdLastSet.OriginatingServer) {$objectMetadataAttribPwdLastSet.OriginatingServer} Else {"RWDC Demoted"} + $objectMetadataAttribPwdLastSetOrgTime = $null + $objectMetadataAttribPwdLastSetOrgTime = Get-Date $($objectMetadataAttribPwdLastSet.LastOriginatingChangeTime) -f "yyyy-MM-dd HH:mm:ss" + $objectMetadataAttribPwdLastSetVersion = $null + $objectMetadataAttribPwdLastSetVersion = $objectMetadataAttribPwdLastSet.Version + + # Set The Corresponding Value Of The RWDC In The Correct Column Of The Table + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Org RWDC" -Value $objectMetadataAttribPwdLastSetOrgRWDCFQDN + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Org Time" -Value $objectMetadataAttribPwdLastSetOrgTime + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Ver" -Value $objectMetadataAttribPwdLastSetVersion + } Else { + # If The Object Of The KrbTgt Account Does Not Exist + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Pwd Last Set" -Value "No Such Object" + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Org RWDC" -Value "No Such Object" + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Org Time" -Value "No Such Object" + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Ver" -Value "No Such Object" + } + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "IP Address" -Value $(Try{(([System.Net.Dns]::GetHostEntry($rwdcfqdn)).AddressList | Where-Object{$_.AddressFamily -eq "InterNetwork"}).IPAddressToString} Catch {"Unknown"}) + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "OS Version" -Value $($rwdcObj.OperatingSystem) + # Define The Ports To Check Against + $ports = 389 # LDAP + + # Define The Connection Check To Be True Initially + $connectionCheckOK = $true + + # For Every Defined Port Check The Connection And Report + $ports | ForEach-Object { + # Set The Port To Check Against + $port = $null + $port = $_ + + # Test The Connection To The Server Using The Port + $connectionResult = $null + $connectionResult = portConnectionCheck $rwdcFQDN $port $connectionTimeout + If ($connectionResult -eq "ERROR") { + $connectionCheckOK = $false + } + } + If ($connectionCheckOK -eq $true) { + # If The Connection Check Is OK + # Connect To The RootDSE Of The RWDC + $rwdcRootDSEObj = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + $rwdcRootDSEObj = [ADSI]"LDAP://$rwdcFQDN/rootDSE" + } Catch { + Logging "" "ERROR" + Logging "Error Connecting To '$rwdcFQDN' For 'rootDSE'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + $rwdcRootDSEObj = New-Object System.DirectoryServices.DirectoryEntry(("LDAP://$rwdcFQDN/rootDSE"), $adminUserAccountRemoteForest, $adminUserPasswordRemoteForest) + } Catch { + Logging "" "ERROR" + Logging "Error Connecting To '$rwdcFQDN' For 'rootDSE' Using '$adminUserAccountRemoteForest'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($rwdcRootDSEObj.Path -eq $null) { + # If It Throws An Error Then The RWDC Is Not Available/Reachable And Increase The Counter Of Unreachable RWDCs + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Reachable" -Value $false + $nrOfUnReachableRWDCs += 1 + + } Else { + # If It Does Not Throw An Error Then The RWDC Is Available/Reachable And Increase The Counter Of Reachable RWDCs + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Reachable" -Value $true + $nrOfReachableRWDCs += 1 + } + } Else { + # If The Connection Check Is Not OK Then The RWDC Is Not Available/Reachable And Increase The Counter Of Unreachable RWDCs + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Reachable" -Value $false + $nrOfUnReachableRWDCs += 1 + } + #If ($rwdcObj.OperationMasterRoles -contains "PDCEmulator") { + If (($tableOfADDomainsInADForest | Where-Object{$_.Name -eq $targetedADdomainFQDN}).PDCFsmoOwner -eq $rwdcFQDN) { + # If The RWDC Is The RWDC With The PDC FSMO, Then Do Not Specify A Source RWDC As The RWDC With The PDC FSMO Is The Source Originating RWDC + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Source RWDC FQDN" -Value "N.A." + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Source RWDC DSA" -Value "N.A." + } Else { + # If The RWDC Is Not The RWDC With The PDC FSMO, Then Specify A Source RWDC Being The RWDC With The PDC FSMO As The Source Originating RWDC + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Source RWDC FQDN" -Value $targetedADdomainRWDCFQDNWithPDCFSMOFQDN + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Source RWDC DSA" -Value $targetedADdomainRWDCFQDNWithPDCFSMONTDSSettingsObjectDN + } + + # Increase The Counter For The Number Of RWDCs + $nrOfRWDCs += 1 + + # Add The Row For The RWDC To The Table + $tableOfDCsInADDomain += $tableOfDCsInADDomainObj + } +} + +# Retrieve All The RODCs In The AD Domain +#$listOfRODCsInADDomain = $thisADDomain.ReadOnlyReplicaDirectoryServers +$listOfRODCsInADDomain = $dcsInADDomain | Where-Object{$_."msDS-isRODC" -eq $true -Or $_.primaryGroupID -eq "521"} | ForEach-Object{$_.dnsHostName} + +# Set The Counters To Zero +$nrOfRODCs = 0 +$nrOfReachableRODCs = 0 +$nrOfUnReachableRODCs = 0 +$nrOfUnDetermined = 0 + +# Execute For All RODCs In The AD Domain +If ($listOfRODCsInADDomain) { + $listOfRODCsInADDomain | ForEach-Object { + # Get The FQDN Of The RODC + $rodcFQDN = $null + $rodcFQDN = $_ + + # Get The FQDN Of The RODC + $rodcObj = $null + $rodcObjACC = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$rodcObj = Get-ADDomainController $rodcFQDN -Server $targetedADdomainNearestRWDCFQDN + $targetSearchBaseACC = "OU=Domain Controllers," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName) + $rodcObjACC = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBaseACC -searchFilter "(&(objectClass=computer)(dNSHostName=$rodcFQDN))" -PropertiesToLoad @("OperatingSystem", "serverReferenceBL") + $targetSearchBaseDSA = "CN=Sites," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).configurationNamingContext.distinguishedName) + $rodcObjNTDSSettingsObjectDN = "CN=NTDS Settings," + $((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBaseDSA -searchFilter "(&(objectClass=server)(dNSHostName=$rodcFQDN))" -PropertiesToLoad @("distinguishedName")).distinguishedName) + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For Domain Controller With 'dNSHostName=$rodcFQDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$rodcObj = Get-ADDomainController $rodcFQDN -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds + $targetSearchBaseACC = "OU=Domain Controllers," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName) + $rodcObjACC = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBaseACC -searchFilter "(&(objectClass=computer)(dNSHostName=$rodcFQDN))" -PropertiesToLoad @("OperatingSystem", "serverReferenceBL") + $targetSearchBaseDSA = "CN=Sites," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).configurationNamingContext.distinguishedName) + $rodcObjNTDSSettingsObjectDN = "CN=NTDS Settings," + $((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBaseDSA -searchFilter "(&(objectClass=server)(dNSHostName=$rodcFQDN))" -PropertiesToLoad @("distinguishedName")).distinguishedName) + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For Domain Controller With 'dNSHostName=$rodcFQDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Define The Columns For The RODCs In The AD Domain To Be Filled In + $tableOfDCsInADDomainObj = New-Object -TypeName System.Object + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Host Name" -Value $rodcFQDN + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "PDC" -Value $false + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Site Name" -Value $(If ($rodcObjACC.OperatingSystem) {$rodcObjACC.serverReferenceBL.Split(",")[2].Replace("CN=", "")} Else {"Unknown"}) + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "DS Type" -Value "Read-Only" + $rodcKrbTgtSamAccountName = $null + If ($modeOfOperationNr -eq 1 -Or $modeOfOperationNr -eq 2 -Or $modeOfOperationNr -eq 5 -Or $modeOfOperationNr -eq 6) { + # Use The PROD/REAL KrbTgt Account Of The RODC + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$rodcKrbTgtSamAccountName = ((Get-ADObject $($rodcObj.ComputerObjectDN) -properties msDS-KrbTgtLink -Server $targetedADdomainNearestRWDCFQDN)."msDS-KrbTgtLink" | Get-ADObject -Server $targetedADdomainNearestRWDCFQDN).Name + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $rodcKrbTgtSamAccountName = (Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$($rodcObjACC.distinguishedName))" -PropertiesToLoad @("msDS-KrbTgtLink"))."msDS-KrbTgtLink"))" -PropertiesToLoad @("name"))."name" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' To Determine The KrbTgt Account In Use By '$rodcFQDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$rodcKrbTgtSamAccountName = ((Get-ADObject $($rodcObj.ComputerObjectDN) -properties msDS-KrbTgtLink -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds)."msDS-KrbTgtLink" | Get-ADObject -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds).Name + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $rodcKrbTgtSamAccountName = (Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$($rodcObjACC.distinguishedName))" -PropertiesToLoad @("msDS-KrbTgtLink"))."msDS-KrbTgtLink"))" -PropertiesToLoad @("name"))."name" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' To Determine The KrbTgt Account In Use By '$rodcFQDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + } + If ($modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 8 -Or $modeOfOperationNr -eq 9) { + # Use The TEST/BOGUS KrbTgt Account Of The RODC + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$rodcKrbTgtSamAccountName = $(((Get-ADObject $($rodcObj.ComputerObjectDN) -properties msDS-KrbTgtLink -Server $targetedADdomainNearestRWDCFQDN)."msDS-KrbTgtLink" | Get-ADObject -Server $targetedADdomainNearestRWDCFQDN).Name) + "_TEST" + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $rodcKrbTgtSamAccountName = $((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$($rodcObjACC.distinguishedName))" -PropertiesToLoad @("msDS-KrbTgtLink"))."msDS-KrbTgtLink"))" -PropertiesToLoad @("name"))."name") + "_TEST" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' To Determine The TEST KrbTgt Account In Use By '$rodcFQDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$rodcKrbTgtSamAccountName = $(((Get-ADObject $($rodcObj.ComputerObjectDN) -properties msDS-KrbTgtLink -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds)."msDS-KrbTgtLink" | Get-ADObject -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds).Name) + "_TEST" + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $rodcKrbTgtSamAccountName = $((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(distinguishedName=$($rodcObjACC.distinguishedName))" -PropertiesToLoad @("msDS-KrbTgtLink"))."msDS-KrbTgtLink"))" -PropertiesToLoad @("name"))."name") + "_TEST" + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' To Determine The TEST KrbTgt Account In Use By '$rodcFQDN' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + } + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Krb Tgt" -Value $rodcKrbTgtSamAccountName + # Retrieve The Object Of The KrbTgt Account + $rodcKrbTgtObject = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$rodcKrbTgtObject = Get-ADUser -LDAPFilter "(sAMAccountName=$rodcKrbTgtSamAccountName)" -Properties * -Server $targetedADdomainNearestRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $rodcKrbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$rodcKrbTgtSamAccountName))" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For User Object With 'sAMAccountName=$rodcKrbTgtSamAccountName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$rodcKrbTgtObject = Get-ADUser -LDAPFilter "(sAMAccountName=$rodcKrbTgtSamAccountName)" -Properties * -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $rodcKrbTgtObject = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$rodcKrbTgtSamAccountName))" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For User Object With 'sAMAccountName=$rodcKrbTgtSamAccountName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($rodcKrbTgtObject) { + # If The Object Of The KrbTgt Account Exists + # Retrieve The DN OF The Object + $rodcKrbTgtObjectDN = $null + $rodcKrbTgtObjectDN = $rodcKrbTgtObject.DistinguishedName + + # Retrieve The Password Last Set Value Of The KrbTgt Account + $rodcKrbTgtPwdLastSet = $null + $rodcKrbTgtPwdLastSet = Get-Date $([datetime]::fromfiletime($rodcKrbTgtObject.pwdLastSet)) -f "yyyy-MM-dd HH:mm:ss" + + # Set The Corresponding Value Of The RODC In The Correct Column Of The Table + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Pwd Last Set" -Value $rodcKrbTgtPwdLastSet + + # Retrieve The Metadata Of The Object, And More Specific Of The pwdLastSet Attribute Of That Object + $objectMetadata = $null + $objectMetadata = retrieveObjectMetadata $targetedADdomainNearestRWDCFQDN $rodcKrbTgtObjectDN $localADforest $adminCrds + $objectMetadataAttribPwdLastSet = $null + $objectMetadataAttribPwdLastSet = $objectMetadata | Where-Object{$_.Name -eq "pwdLastSet"} + $objectMetadataAttribPwdLastSetOrgRWDCFQDN = $null + $objectMetadataAttribPwdLastSetOrgRWDCFQDN = If ($objectMetadataAttribPwdLastSet.OriginatingServer) {$objectMetadataAttribPwdLastSet.OriginatingServer} Else {"RWDC Demoted"} + $objectMetadataAttribPwdLastSetOrgTime = $null + $objectMetadataAttribPwdLastSetOrgTime = Get-Date $($objectMetadataAttribPwdLastSet.LastOriginatingChangeTime) -f "yyyy-MM-dd HH:mm:ss" + $objectMetadataAttribPwdLastSetVersion = $null + $objectMetadataAttribPwdLastSetVersion = $objectMetadataAttribPwdLastSet.Version + + # Set The Corresponding Value Of The RODC In The Correct Column Of The Table + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Org RWDC" -Value $objectMetadataAttribPwdLastSetOrgRWDCFQDN + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Org Time" -Value $objectMetadataAttribPwdLastSetOrgTime + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Ver" -Value $objectMetadataAttribPwdLastSetVersion + } Else { + # If The Object Of The KrbTgt Account Does Not Exist + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Pwd Last Set" -Value "No Such Object" + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Org RWDC" -Value "No Such Object" + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Org Time" -Value "No Such Object" + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Ver" -Value "No Such Object" + } + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "IP Address" -Value $(Try{(([System.Net.Dns]::GetHostEntry($rodcfqdn)).AddressList | Where-Object{$_.AddressFamily -eq "InterNetwork"}).IPAddressToString} Catch {"Unknown"}) + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "OS Version" -Value $($rodcObjACC.OperatingSystem) + # Define The Ports To Check Against + $ports = 389 # LDAP + + # Define The Connection Check To Be True Initially + $connectionCheckOK = $true + + # For Every Defined Port Check The Connection And Report + $failedPorts = @() + $ports | ForEach-Object { + # Set The Port To Check Against + $port = $null + $port = $_ + + # Test The Connection To The Server Using The Port + $connectionResult = $null + $connectionResult = portConnectionCheck $rodcFQDN $port $connectionTimeout + If ($connectionResult -eq "ERROR") { + $failedPorts += $port + $connectionCheckOK = $false + } + } + If ($connectionCheckOK -eq $true) { + # If The Connection Check Is OK + # Connect To The RootDSE Of The RODC + $rodcRootDSEObj = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + $rodcRootDSEObj = [ADSI]"LDAP://$rodcFQDN/rootDSE" + } Catch { + Logging "" "ERROR" + Logging "Error Connecting To '$rodcFQDN' For 'rootDSE'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + $rodcRootDSEObj = New-Object System.DirectoryServices.DirectoryEntry(("LDAP://$rodcFQDN/rootDSE"), $adminUserAccountRemoteForest, $adminUserPasswordRemoteForest) + } Catch { + Logging "" "ERROR" + Logging "Error Connecting To '$rodcFQDN' For 'rootDSE' Using '$adminUserAccountRemoteForest'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($rodcRootDSEObj.Path -eq $null) { + # If It Throws An Error Then The RODC Is Not Available/Reachable And Increase The Counter Of Unreachable RODCs + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Reachable" -Value $false + $nrOfUnReachableRODCs += 1 + } Else { + # If It Does Not Throw An Error Then The RWDC Is Available/Reachable And Increase The Counter Of Reachable RODCs + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Reachable" -Value $true + $nrOfReachableRODCs += 1 + } + } Else { + # If The Connection Check Is Not OK Then The RWDC Is Not Available/Reachable And Increase The Counter Of Unreachable RODCs + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Reachable" -Value $false + $nrOfUnReachableRODCs += 1 + } + If ($rodcObjACC.OperatingSystem) { + # If The RODC Has An Operating System Specified, Then It Is Most Likely A Windows RODC + If ($tableOfDCsInADDomainObj.Reachable -eq $true) { + # If The RODC Is Available/Reachable + # Define An LDAP Query With A Search Base And A Filter To Determine The DSA DN Of The Source RWDC Of The RODC + $dsDirSearcher = $null + $dsDirSearcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"") + $dsDirSearcher.SearchRoot = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + $dsDirSearcher.SearchRoot = "LDAP://$rodcFQDN/$rodcObjNTDSSettingsObjectDN" + } + If ($localADforest -eq $false -And $adminCrds) { + $dsDirSearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry(("LDAP://$rodcFQDN/$rodcObjNTDSSettingsObjectDN"), $adminUserAccountRemoteForest, $adminUserPasswordRemoteForest) + } + $dsDirSearcher.Filter = $null + #$dsDirSearcher.Filter = "(&(objectClass=nTDSConnection)(ms-DS-ReplicatesNCReason=*))" + $dsDirSearcher.Filter = "(&(objectClass=nTDSConnection)(options:1.2.840.113556.1.4.803:=64))" # Targeting The CO Called "CN=RODC Connection (SYSVOL),CN=NTDS Settings,CN=,CN=Servers,CN=,CN=Sites,CN=Configuration,DC=,DC=" ONLY + $sourceRWDCsNTDSSettingsObjectDN = $null + Try { + $sourceRWDCsNTDSSettingsObjectDN = $dsDirSearcher.FindAll().Properties.fromserver + } Catch { + Logging "" "ERROR" + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Logging "Error Querying AD Against '$rodcFQDN' For Object '$rodcObjNTDSSettingsObjectDN'..." "ERROR" + } + If ($localADforest -eq $false -And $adminCrds) { + Logging "Error Querying AD Against '$rodcFQDN' For Object '$rodcObjNTDSSettingsObjectDN' Using '$($adminCrds.UserName)'..." "ERROR" + } + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + + # For Every DSA DN Of The Source RWDC Retrieved + $sourceRWDCsNTDSSettingsObjectDN | ForEach-Object { + $sourceRWDCNTDSSettingsObjectDN = $null + $sourceRWDCNTDSSettingsObjectDN = $_ + + # Strip "CN=NTDS Settings," To End Up With The Server Object DN + $sourceRWDCServerObjectDN = $null + $sourceRWDCServerObjectDN = $sourceRWDCNTDSSettingsObjectDN.SubString(("CN=NTDS Settings,").Length) + + # Connect To The Server Object DN + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + $sourceRWDCServerObjectObj = ([ADSI]"LDAP://$targetedADdomainNearestRWDCFQDN/$sourceRWDCServerObjectDN") + } Catch { + Logging "" "ERROR" + Logging "Error Connecting To '$targetedADdomainNearestRWDCFQDN' For Object '$sourceRWDCServerObjectDN'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + $sourceRWDCServerObjectObj = New-Object System.DirectoryServices.DirectoryEntry(("LDAP://$targetedADdomainNearestRWDCFQDN/$sourceRWDCServerObjectDN"), $adminUserAccountRemoteForest, $adminUserPasswordRemoteForest) + } Catch { + Logging "" "ERROR" + Logging "Error Connecting To '$targetedADdomainNearestRWDCFQDN' For Object '$sourceRWDCServerObjectDN' Using '$adminUserAccountRemoteForest'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # The HostName Of Source RWDC Used By The RODC - Set The Corresponding Value Of The RODC In The Correct Column Of The Table + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Source RWDC FQDN" -Value $sourceRWDCServerObjectObj.dnshostname[0] + + # The DSA DN Of Source RWDC Used By The RODC - Set The Corresponding Value Of The RODC In The Correct Column Of The Table + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Source RWDC DSA" -Value $sourceRWDCsNTDSSettingsObjectDN[0] + } + } Else { + # If The RODC Is Available/Reachable + # Set The Corresponding Value Of The RODC In The Correct Column Of The Table + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Source RWDC FQDN" -Value "RODC Unreachable" + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Source RWDC DSA" -Value "RODC Unreachable" + } + } Else { + # If The RODC Does Not Have An Operating System Specified, Then It Is Most Likely Not A Windows RODC + # Set The Corresponding Value Of The RODC In The Correct Column Of The Table + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Source RWDC FQDN" -Value "Unknown" + $tableOfDCsInADDomainObj | Add-Member -MemberType NoteProperty -Name "Source RWDC DSA" -Value "Unknown" + } + If ($rodcObjACC.OperatingSystem) { + # If The RODC Has An Operating System Specified, Then It Is Most Likely A Windows RODC, Therefore Increase The Counter For Real RODCs + $nrOfRODCs += 1 + } Else { + # If The RODC Does Not Have An Operating System Specified, Then It Is Most Likely Not A Windows RODC, Therefore Increase The Counter For Unknown RODCs + $nrOfUnDetermined += 1 + } + # Add The Row For The RODC To The Table + $tableOfDCsInADDomain += $tableOfDCsInADDomainObj + } +} + +# Sort The Table With DCs In The AD Domain In The Order "DS Type" (Read/Write At The Top), Then If It Is The PDC Or Not (PDC At The Top), Then If It Is Reachable Or Not (Reachable At the Top) +$tableOfDCsInADDomain = $tableOfDCsInADDomain | Sort-Object -Property @{Expression = "DS Type"; Descending = $False}, @{Expression = "PDC"; Descending = $True}, @{Expression = "Reachable"; Descending = $True} + +# Determine The Number Of DCs Based Upon The Number Of RWDCs And The Number Of RODCs +$nrOfDCs = $nrOfRWDCs + $nrOfRODCs + +# Display The Information +Logging "" "REMARK" +Logging "List Of Domain Controllers In AD Domain '$targetedADdomainFQDN'..." +Logging "" "REMARK" +Logging "$($tableOfDCsInADDomain | Format-Table * -Autosize | Out-String)" +Logging "" "REMARK" +Logging "REMARKS:" "REMARK" +Logging " - 'N.A.' in the columns 'Source RWDC FQDN' and 'Source RWDC DSA' means the RWDC is considered as the master for this script." "REMARK" +Logging " - 'RODC Unreachable' in the columns 'Source RWDC FQDN' and 'Source RWDC DSA' means the RODC cannot be reached to determine its replicating source" "REMARK" +Logging " RWDC/DSA. The unavailability can be due to firewalls/networking or the RODC actually being down." "REMARK" +Logging " - 'Unknown' in various columns means that an RODC was found that may not be a true Windows Server RODC. It may be an appliance acting as an RODC." "REMARK" +Logging " - 'RWDC Demoted' in the column 'Org RWDC' means the RWDC existed once, but it does not exist anymore as it has been decommissioned in the past." "REMARK" +Logging " This is normal." "REMARK" +Logging " - 'No Such Object' in the columns 'Pwd Last Set', 'Org RWDC', 'Org Time' or 'Ver' means the targeted object was not found in the AD domain." "REMARK" +Logging " Although this is possible for any targeted object, this is most likely the case when targeting the KrbTgt TEST/BOGUS accounts and if those" "REMARK" +Logging " do not exist yet. This may also occur for an appliance acting as an RODC as in that case no KrbTgt TEST/BOGUS account is created." "REMARK" +$krbTgtAADname = "krbtgt_AzureAD" +Try { + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + #$krbTgtAAD = Get-ADUser -Filter "name -eq '$krbTgtAADname'" -SearchBase $("DC=" + $targetedADdomainFQDN.Replace(".",",DC=")) -Server $targetedADdomainNearestRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $krbTgtAAD = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(name=$krbTgtAADname))" + } + If ($localADforest -eq $false -And $adminCrds) { + #$krbTgtAAD = Get-ADUser -Filter "name -eq '$krbTgtAADname'" -SearchBase $("DC=" + $targetedADdomainFQDN.Replace(".",",DC=")) -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $krbTgtAAD = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(name=$krbTgtAADname))" + } +} Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' To Determine If An Azure AD KrbTgt Account Existed..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" +} +If ($krbTgtAAD) { + Logging "" "REMARK" + Logging "WARNING:" "WARNING" + Logging " - In this AD domain '$targetedADdomainFQDN' the special purpose krbtgt account '$krbTgtAADname' for Azure AD was found (not listed in the table above though!)!" "WARNING" + Logging " - DO NOT reset the password of this krbtgt account in any way except using the official method to reset the password and rotate the keys" "WARNING" + Logging " (See: - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises)" "WARNING" + Logging " - To reset the password and rotate the keys of the krbtgt account '$krbTgtAADname' perform the following steps:" "WARNING" + Logging " * Go to an Azure AD Connect server (v1.4.32.0 or later)" "WARNING" + Logging " * Open a PowerShell Command Prompt window" "WARNING" + Logging " * In that window execute the following commands:" "WARNING" + Logging "" "WARNING" + Logging " # Import The PowerShell Module For Azure AD Kerberos Server" "WARNING" + Logging " Import-Module `"C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1`"" "WARNING" + Logging "" "WARNING" + Logging " # AD Domain/Enterprise Admin Credentials" "WARNING" + Logging " `$adDomainAdminAccount = Read-Host `"AD Admin Account`"" "WARNING" + Logging " `$adDomainAdminPassword = Read-Host `"AD Admin Account Password`" -AsSecureString" "WARNING" + Logging " `$secureAdDomainAdminPassword = ConvertTo-SecureString `$adDomainAdminPassword -AsPlainText -Force" "WARNING" + Logging " `$adDomainAdminCreds = New-Object System.Management.Automation.PSCredential `$adDomainAdminAccount, `$secureAdDomainAdminPassword" "WARNING" + Logging "" "WARNING" + Logging " # Azure AD Global Admin Credentials" "WARNING" + Logging " `$aadDomainAdminAccount = Read-Host `"Azure AD Admin Account`"" "WARNING" + Logging " `$aadDomainAdminPassword = Read-Host `"Azure AD Admin Account Password`" -AsSecureString" "WARNING" + Logging " [string]`$aadDomainAdminPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR(`$aadDomainAdminPassword))" "WARNING" + Logging " `$secureAadDomainAdminPassword = ConvertTo-SecureString `$aadDomainAdminPassword -AsPlainText -Force" "WARNING" + Logging " `$aadDomainAdminCreds = New-Object System.Management.Automation.PSCredential `$aadDomainAdminAccount, `$secureAadDomainAdminPassword" "WARNING" + Logging "" "WARNING" + Logging " # Check the CURRENT status of the Azure AD Kerberos Server object in Active Directory" "WARNING" + Logging " Get-AzureADKerberosServer -Domain $targetedADdomainFQDN -DomainCredential `$adDomainAdminCreds -CloudCredential `$aadDomainAdminCreds" "WARNING" + Logging "" "WARNING" + Logging " # Reset the password and rotate the keys" "WARNING" + Logging " Set-AzureADKerberosServer -Domain $targetedADdomainFQDN -DomainCredential `$adDomainAdminCreds -CloudCredential `$aadDomainAdminCreds -RotateServerKey" "WARNING" + Logging "" "WARNING" + Logging " # Check the NEW status of the Azure AD Kerberos Server object in Active Directory" "WARNING" + Logging " Get-AzureADKerberosServer -Domain $targetedADdomainFQDN -DomainCredential `$adDomainAdminCreds -CloudCredential `$aadDomainAdminCreds" "WARNING" + Logging "" "WARNING" + Logging " REMARK: Make sure the 'KeyVersion' value matches the 'CloudKeyVersion' value and the 'KeyUpdatedOn' value matches the 'CloudKeyUpdatedOn' value!" "WARNING" +} +Logging "" "REMARK" +Logging "" "REMARK" +Logging "" "REMARK" +Logging " --> Found [$nrOfDCs] Real DC(s) In AD Domain..." "REMARK" +Logging "" "REMARK" +Logging " --> Found [$nrOfRWDCs] RWDC(s) In AD Domain..." "REMARK" +Logging " --> Found [$nrOfReachableRWDCs] Reachable RWDC(s) In AD Domain..." "REMARK" +Logging " --> Found [$nrOfUnReachableRWDCs] UnReachable RWDC(s) In AD Domain..." "REMARK" +Logging "" "REMARK" +Logging " --> Found [$nrOfRODCs] RODC(s) In AD Domain..." "REMARK" +Logging " --> Found [$nrOfReachableRODCs] Reachable RODC(s) In AD Domain..." "REMARK" +Logging " --> Found [$nrOfUnReachableRODCs] UnReachable RODC(s) In AD Domain..." "REMARK" +Logging " --> Found [$nrOfUnDetermined] Undetermined RODC(s) In AD Domain..." "REMARK" +Logging "" "REMARK" + +### +# Mode 2 And 3 And 4 and 5 And 6 And 8 And 9 Only - Making Sure The RWDC With The PDC FSMO And The Nearest RWDC Are Reachable/Available +### +If ($modeOfOperationNr -eq 2 -Or $modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 5 -Or $modeOfOperationNr -eq 6 -Or $modeOfOperationNr -eq 8 -Or $modeOfOperationNr -eq 9) { + If (($tableOfDCsInADDomain | Where-Object{$_.PDC -eq $true}).Reachable -eq $false) { + Logging "" "ERROR" + Logging " --> The RWDC With The PDC FSMO Role '$targetedADdomainRWDCFQDNWithPDCFSMOFQDN' IS NOT Reachable For The Ports '$($ports -join ', ')'..." "ERROR" + Logging "" "ERROR" + + $abortDueToUnreachable = $true + } + + If (($tableOfDCsInADDomain | Where-Object{$_."Host Name" -eq $targetedADdomainNearestRWDCFQDN}).Reachable -eq $false) { + Logging "" "ERROR" + Logging " --> The Nearest RWDC '$targetedADdomainNearestRWDCFQDN' IS NOT Reachable For The Ports '$($ports -join ', ')'..." "ERROR" + Logging "" "ERROR" + + $abortDueToUnreachable = $true + } + + If ($abortDueToUnreachable -eq $true) { + Logging "" "ERROR" + Logging " --> Due To Unavailability Issues Of The RWDC With The PDC FSMO Role And/Or The Nearest RWDC, The Script Cannot Continue ..." "ERROR" + Logging " --> Both The RWDC With The PDC FSMO Role And The The Nearest RWDC MUST Be Available/Reachable..." "ERROR" + Logging "" "ERROR" + Logging "Aborting Script..." "ERROR" + Logging "" "ERROR" + + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "ERROR" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "ERROR" + Logging " - TO: '$mailToRecipient'..." "ERROR" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "ERROR" + } + } + Logging "" "ERROR" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT + } +} + +### +# Mode 2 And 3 And 4 and 5 And 6 Only - Selecting The KrbTgt Account To Target And Scope If Applicable (Only Applicable To RODCs) +### +If ($modeOfOperationNr -eq 2 -Or $modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 5 -Or $modeOfOperationNr -eq 6) { + Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" + Logging "SELECT THE SCOPE OF THE KRBTGT ACCOUNT(S) TO TARGET..." "HEADER" + Logging "" + Logging "Which KrbTgt account do you want to target?" + Logging "" + Logging " - 1 - Scope of KrbTgt in use by all RWDCs in the AD Domain" + Logging "" + If ($nrOfRODCs -gt 0) { + Logging " - 2 - Scope of KrbTgt in use by specific RODC - Single/Multiple RODC(s) in the AD Domain" + Logging "" + Logging " - 3 - Scope of KrbTgt in use by specific RODC - All RODCs in the AD Domain" + Logging "" + } + Logging "" + Logging " - 0 - Exit Script" + Logging "" + Switch ($targetKrbTgtAccountScope) { + "allRWDCs" {$targetKrbTgtAccountNr = 1} + "specificRODCs" { $targetKrbTgtAccountNr = 2} + "allRODCs" {$targetKrbTgtAccountNr = 3} + Default {$targetKrbTgtAccountNr = $null} + } + If ($null -eq $targetKrbTgtAccountNr) { + Logging "Please specify the scope of KrbTgt Account to target: " "ACTION-NO-NEW-LINE" + $targetKrbTgtAccountNr = Read-Host + } Else { + Logging "Please specify the scope of KrbTgt Account to target: $targetKrbTgtAccountNr" "ACTION" + } + Logging "" + + # If Anything Else Than The Allowed/Available Non-Zero KrbTgt Accounts, Abort The Script + If (($targetKrbTgtAccountNr -ne 1 -And $targetKrbTgtAccountNr -ne 2 -And $targetKrbTgtAccountNr -ne 3) -Or $targetKrbTgtAccountNr -notmatch "^[\d\.]+$") { + Logging " --> Chosen Scope KrbTgt Account Target: 0 - Exit Script..." "REMARK" + Logging "" + + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + # Mail The Log File With The Results + Logging "" "WARNING" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "WARNING" + Logging " - TO: '$mailToRecipient'..." "WARNING" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "WARNING" + } + } + Logging "" "WARNING" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT + } + + # If KrbTgt Account Scope 1 + If ($targetKrbTgtAccountNr -eq 1) { + $targetKrbTgtAccountDescription = "1 - Scope of KrbTgt in use by all RWDCs in the AD Domain..." + } + + # If KrbTgt Account Scope 2 + If ($targetKrbTgtAccountNr -eq 2) { + $targetKrbTgtAccountDescription = "2 - Scope of KrbTgt in use by specific RODC - Single/Multiple RODC(s) in the AD Domain..." + } + + # If KrbTgt Account Scope 3 + If ($targetKrbTgtAccountNr -eq 3) { + $targetKrbTgtAccountDescription = "3 - Scope of KrbTgt in use by specific RODC - All RODCs in the AD Domain..." + } + Logging " --> Chosen Scope KrbTgt Account Target: $targetKrbTgtAccountDescription" "REMARK" + Logging "" + + # Use The RWDC With The PDC FSMO Role To Represent All RWDCs In The AD Domain + If ($targetKrbTgtAccountNr -eq 1) { + $targetDCFQDNList = $tableOfDCsInADDomain | Where-Object{$_.PDC -eq $true} + } + + # Present List Of RODCs When Option 2 Or 3 Is Chosen To Make It Easier To Chose From + # Specify A Comma Separated List Of FQDNs Of RODCs To Target (Single/Multiple) + If ($targetKrbTgtAccountNr -eq 2) { + Logging "" "REMARK" + Logging "List Of Read-Only Domain Controllers In AD Domain '$targetedADdomainFQDN'..." + Logging "" "REMARK" + Logging "$($tableOfDCsInADDomain | Where-Object{$_.'DS Type' -eq 'Read-Only'} | Format-Table 'Host Name','DS Type','Krb Tgt','Pwd Last Set','Reachable' -Autosize | Out-String)" + Logging "" "REMARK" + + If ($targetRODCFQDNList.Length -eq 0) { + Logging "Specify a single, or comma-separated list of FQDNs of RODCs for which the KrbTgt Account Password must be reset: " "ACTION-NO-NEW-LINE" + $targetDCFQDNList = Read-Host + $targetDCFQDNList = $targetDCFQDNList.Split(",") + } Else { + $targetDCFQDNList = $targetRODCFQDNList + } + Logging "" + Logging " --> Specified RODCs:" "REMARK" + $targetDCFQDNList | ForEach-Object { + Logging " * $($_)" "REMARK" + } + Logging "" + } +} + +### +# Mode 2/3/5 - Simulation Mode AND Mode 4/6 - Real Reset Mode +### +If ($modeOfOperationNr -eq 2 -Or $modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 5 -Or $modeOfOperationNr -eq 6) { + # Mode 2 - Simulation Mode - TEMPORARY CANARY OBJECT + If ($modeOfOperationNr -eq 2) { + Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" + Logging "SIMULATION MODE (MODE $modeOfOperationNr) - CREATING/REPLICATING TEMPORARY CANARY OBJECT TO TEST REPLICATION CONVERGENCE" "HEADER" + Logging "SCOPE: $targetKrbTgtAccountDescription" "HEADER" + Logging "" + } + + # Mode 3 - Simulation Mode - SCOPED TEST/BOGUS KRBTGT ACCOUNT(S) + If ($modeOfOperationNr -eq 3) { + Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" + Logging "SIMULATION MODE (MODE $modeOfOperationNr) - RESETTING PASSWORD OF SCOPED TEST/BOGUS KRBTGT ACCOUNT(S) (WHAT IF MODE)" "HEADER" + Logging "SCOPE: $targetKrbTgtAccountDescription" "HEADER" + Logging "" + } + + # Mode 4 - Real Reset Mode - SCOPED TEST/BOGUS KRBTGT ACCOUNT(S) + If ($modeOfOperationNr -eq 4) { + Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" + Logging "REAL RESET MODE (MODE $modeOfOperationNr) - RESETTING PASSWORD OF SCOPED TEST/BOGUS KRBTGT ACCOUNT(S)" "HEADER" + Logging "SCOPE: $targetKrbTgtAccountDescription" "HEADER" + Logging "" + } + + # Mode 5 - Simulation Mode - SCOPED PROD/REAL KRBTGT ACCOUNT(S) + If ($modeOfOperationNr -eq 5) { + Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" + Logging "SIMULATION MODE (MODE $modeOfOperationNr) - RESETTING PASSWORD OF SCOPED PROD/REAL KRBTGT ACCOUNT(S) (WHAT IF MODE)" "HEADER" + Logging "SCOPE: $targetKrbTgtAccountDescription" "HEADER" + Logging "" + } + + # Mode 6 - Real Reset Mode - SCOPED PROD/REAL KRBTGT ACCOUNT(S) + If ($modeOfOperationNr -eq 6) { + Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" + Logging "REAL RESET MODE (MODE $modeOfOperationNr) - RESETTING PASSWORD OF SCOPED PROD/REAL KRBTGT ACCOUNT(S)" "HEADER" + Logging "SCOPE: $targetKrbTgtAccountDescription" "HEADER" + Logging "" + } + + # Asking Confirmation To Continue Or Not + $continueOrStop = $null + If ($argsCount -gt 0 -And $continueOps) { + $continueOrStop = "CONTINUE" + Logging "Do you really want to continue and execute 'Mode $modeOfOperationNr'? [CONTINUE | STOP]: $continueOrStop" "ACTION" + } Else { + Logging "Do you really want to continue and execute 'Mode $modeOfOperationNr'? [CONTINUE | STOP]: " "ACTION-NO-NEW-LINE" + $continueOrStop = Read-Host + } + + # Any Confirmation Not Equal To CONTINUE Will Be Equal To STOP + If ($continueOrStop.ToUpper() -ne "CONTINUE") { + $continueOrStop = "STOP" + } + Logging "" + Logging " --> Chosen: $continueOrStop" "REMARK" + Logging "" + + # Any Confirmation Not Equal To CONTINUE Will Abort The Script + If ($continueOrStop.ToUpper() -ne "CONTINUE") { + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "WARNING" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "WARNING" + Logging " - TO: '$mailToRecipient'..." "WARNING" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "WARNING" + } + } + Logging "" "WARNING" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT + } + + # For The KrbTgt Account Scope Of All RWDCs + If ($targetKrbTgtAccountNr -eq 1) { + # Collection Of DCs To Process + $collectionOfDCsToProcess = @() + $collectionOfDCsToProcess += $targetDCFQDNList + } + + # For The KrbTgt Account Scope Of Specified, But Individual RODCs + If ($targetKrbTgtAccountNr -eq 2) { + # Collection Of Reachable RODCs + $collectionOfRODCsToProcessReachable = @() + $collectionOfRODCsToProcessReachable += $tableOfDCsInADDomain | Where-Object{$_."DS Type" -eq "Read-Only" -And $_.Reachable -eq $true -And $_."Source RWDC FQDN" -ne "Unknown" -And $_."Source RWDC FQDN" -ne "RODC Unreachable" -And $targetDCFQDNList -contains $_."Host Name"} + + # Collection Of UnReachable RODCs + $collectionOfRODCsToProcessUnReachable = @() + $collectionOfRODCsToProcessUnReachable += $tableOfDCsInADDomain | Where-Object{$_."DS Type" -eq "Read-Only" -And $_.Reachable -eq $false -And $_."Source RWDC FQDN" -eq "RODC Unreachable" -And $targetDCFQDNList -contains $_."Host Name"} + + # Collection Of Unknown RODCs + [string[]]$collectionOfRODCsToProcessUnknown = @() + $collectionOfRODCsToProcessUnknown += $tableOfDCsInADDomain | Where-Object{$_."DS Type" -eq "Read-Only" -And $_.Reachable -eq $false -And $_."Source RWDC FQDN" -eq "Unknown" -And $targetDCFQDNList -contains $_."Host Name"} + + # Collection Of DCs To Process + $collectionOfDCsToProcess = @() + $collectionOfDCsToProcess += $collectionOfRODCsToProcessReachable + $collectionOfDCsToProcess += $collectionOfRODCsToProcessUnReachable + + # Collection Of DCs NOT To Process + $collectionOfDCsNotToProcess = @() + $collectionOfDCsNotToProcess += $collectionOfRODCsToProcessUnknown + } + + # For The KrbTgt Account Scope Of Each Individual RODCs + If ($targetKrbTgtAccountNr -eq 3) { + # Collection Of Reachable RODCs + $collectionOfRODCsToProcessReachable = @() + $collectionOfRODCsToProcessReachable += $tableOfDCsInADDomain | Where-Object{$_."DS Type" -eq "Read-Only" -And $_.Reachable -eq $true -And $_."Source RWDC FQDN" -ne "Unknown" -And $_."Source RWDC FQDN" -ne "RODC Unreachable"} + + # Collection Of UnReachable RODCs + $collectionOfRODCsToProcessUnReachable = @() + $collectionOfRODCsToProcessUnReachable += $tableOfDCsInADDomain | Where-Object{$_."DS Type" -eq "Read-Only" -And $_.Reachable -eq $false -And $_."Source RWDC FQDN" -eq "RODC Unreachable"} + + # Collection Of Unknown RODCs + $collectionOfRODCsToProcessUnknown = @() + $collectionOfRODCsToProcessUnknown += $tableOfDCsInADDomain | Where-Object{$_."DS Type" -eq "Read-Only" -And $_.Reachable -eq $false -And $_."Source RWDC FQDN" -eq "Unknown"} + + # Collection Of DCs To Process + $collectionOfDCsToProcess = @() + $collectionOfDCsToProcess += $collectionOfRODCsToProcessReachable + $collectionOfDCsToProcess += $collectionOfRODCsToProcessUnReachable + + # Collection Of DCs NOT To Process + $collectionOfDCsNotToProcess = @() + $collectionOfDCsNotToProcess += $collectionOfRODCsToProcessUnknown + } + + # If Any DC Exists In The List, Process it + If ($collectionOfDCsToProcess.Length -gt 0) { + $collectionOfDCsToProcess | ForEach-Object { + # The DC Object In The List To Process + $dcToProcess = $null + $dcToProcess = $_ + + # Retrieve The sAMAccountName Of The KrbTgt Account In Use By The DC(s) + $krbTgtSamAccountName = $null + $krbTgtSamAccountName = $dcToProcess."Krb Tgt" + + # Retrieve The KrbTgt Account Object DN + $krbTgtObjectDN = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$krbTgtObjectDN = (Get-ADUser -LDAPFilter "(sAMAccountName=$krbTgtSamAccountName)" -Server $targetedADdomainNearestRWDCFQDN).DistinguishedName + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $krbTgtObjectDN = (Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$krbTgtSamAccountName))").DistinguishedName + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For User Object With 'sAMAccountName=$krbTgtSamAccountName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$krbTgtObjectDN = (Get-ADUser -LDAPFilter "(sAMAccountName=$krbTgtSamAccountName)" -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds).DistinguishedName + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $krbTgtObjectDN = (Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$krbTgtSamAccountName))").DistinguishedName + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For User Object With 'sAMAccountName=$krbTgtSamAccountName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # Present The Information Of The KrbTgt Account Scope Being Processed + Logging "+++++" "REMARK" + Logging "+++ Processing KrbTgt Account....: '$krbTgtSamAccountName' | '$krbTgtObjectDN' +++" "REMARK" + If ($targetKrbTgtAccountNr -eq 1) { + Logging "+++ Used By RWDC.................: 'All RWDCs' +++" "REMARK" + } + If ($targetKrbTgtAccountNr -eq 2 -Or $targetKrbTgtAccountNr -eq 3) { + Logging "+++ Used By RODC.................: '$($dcToProcess."Host Name")' (Site: $($dcToProcess."Site Name")) +++" "REMARK" + } + Logging "+++++" "REMARK" + Logging "" "REMARK" + + # Determine The HostName Of The Source RWDC + If ($targetKrbTgtAccountNr -eq 1) { + $targetedADdomainSourceRWDCFQDN = $null + $targetedADdomainSourceRWDCFQDN = $dcToProcess."Host Name" + } + If ($targetKrbTgtAccountNr -eq 2 -Or $targetKrbTgtAccountNr -eq 3) { + $targetedADdomainDCToProcessReachability = $null + $targetedADdomainDCToProcessReachability = $dcToProcess.Reachable + + $targetedADdomainSourceRWDCFQDN = $null + $targetedADdomainSourceRWDCFQDN = $dcToProcess."Source RWDC FQDN" + + If ($targetedADdomainDCToProcessReachability -eq $false -Or $targetedADdomainSourceRWDCFQDN -eq "RODC Unreachable" -Or $targetedADdomainSourceRWDCFQDN -eq "Unknown") { + $targetedADdomainSourceRWDCFQDN = ($tableOfDCsInADDomain | Where-Object{$_.PDC -eq $True})."Host Name" + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + #$dcToProcess."Source RWDC DSA" = (Get-ADDomainController $targetedADdomainSourceRWDCFQDN -Server $targetedADdomainSourceRWDCFQDN).NTDSSettingsObjectDN + $targetSearchBase = "CN=Sites," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName) + $dcToProcess."Source RWDC DSA" = "CN=NTDS Settings," + $((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectClass=server)(dNSHostName=$targetedADdomainSourceRWDCFQDN))" -PropertiesToLoad @("distinguishedName")).distinguishedName) + } + If ($localADforest -eq $false -And $adminCrds) { + #$dcToProcess."Source RWDC DSA" = (Get-ADDomainController $targetedADdomainSourceRWDCFQDN -Server $targetedADdomainSourceRWDCFQDN -Credential $adminCrds).NTDSSettingsObjectDN + $targetSearchBase = "CN=Sites," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName) + $dcToProcess."Source RWDC DSA" = "CN=NTDS Settings," + $((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectClass=server)(dNSHostName=$targetedADdomainSourceRWDCFQDN))" -PropertiesToLoad @("distinguishedName")).distinguishedName) + } + } Else { + $targetedADdomainSourceRWDCReachability = $null + $targetedADdomainSourceRWDCReachability = ($tableOfDCsInADDomain | Where-Object{$_."Host Name" -eq $targetedADdomainSourceRWDCFQDN}).Reachable + If ($targetedADdomainSourceRWDCReachability -eq $false) { + $targetedADdomainSourceRWDCFQDN = ($tableOfDCsInADDomain | Where-Object{$_.PDC -eq $True})."Host Name" + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + #$dcToProcess."Source RWDC DSA" = (Get-ADDomainController $targetedADdomainSourceRWDCFQDN -Server $targetedADdomainSourceRWDCFQDN).NTDSSettingsObjectDN + $targetSearchBase = "CN=Sites," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName) + $dcToProcess."Source RWDC DSA" = "CN=NTDS Settings," + $((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectClass=server)(dNSHostName=$targetedADdomainSourceRWDCFQDN))" -PropertiesToLoad @("distinguishedName")).distinguishedName) + } + If ($localADforest -eq $false -And $adminCrds) { + #$dcToProcess."Source RWDC DSA" = (Get-ADDomainController $targetedADdomainSourceRWDCFQDN -Server $targetedADdomainSourceRWDCFQDN -Credential $adminCrds).NTDSSettingsObjectDN + $targetSearchBase = "CN=Sites," + $((Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName) + $dcToProcess."Source RWDC DSA" = "CN=NTDS Settings," + $((Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainSourceRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectClass=server)(dNSHostName=$targetedADdomainSourceRWDCFQDN))" -PropertiesToLoad @("distinguishedName")).distinguishedName) + } + } + } + } + + # Retrieve Details Of The Source RWDC + $targetedADdomainSourceRWDCIsPDC = $null + $targetedADdomainSourceRWDCIsPDC = ($tableOfDCsInADDomain | Where-Object{$_."Host Name" -eq $targetedADdomainSourceRWDCFQDN}).PDC + $targetedADdomainSourceRWDCDSType = $null + $targetedADdomainSourceRWDCDSType = ($tableOfDCsInADDomain | Where-Object{$_."Host Name" -eq $targetedADdomainSourceRWDCFQDN})."DS Type" + $targetedADdomainSourceRWDCSiteName = $null + $targetedADdomainSourceRWDCSiteName = ($tableOfDCsInADDomain | Where-Object{$_."Host Name" -eq $targetedADdomainSourceRWDCFQDN})."Site Name" + $targetedADdomainSourceRWDCIPAddress = $null + $targetedADdomainSourceRWDCIPAddress = ($tableOfDCsInADDomain | Where-Object{$_."Host Name" -eq $targetedADdomainSourceRWDCFQDN})."IP Address" + $targetedADdomainSourceRWDCReachability = $null + $targetedADdomainSourceRWDCReachability = ($tableOfDCsInADDomain | Where-Object{$_."Host Name" -eq $targetedADdomainSourceRWDCFQDN}).Reachable + + # Only Continue If The Source RWDC Is Available/Reachable To Process The Change + If ($targetedADdomainSourceRWDCReachability -eq $true) { + # If Mode 2, Execute The Creation Of the Temporary Canary Object, And Abort The Script If That Fails + If ($modeOfOperationNr -eq 2) { + $targetObjectToCheckDN = $null + $targetObjectToCheckDN = createTempCanaryObject $targetedADdomainSourceRWDCFQDN $krbTgtSamAccountName $execDateTimeCustom1 $localADforest $adminCrds + If (!$targetObjectToCheckDN) { + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "WARNING" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "WARNING" + Logging " - TO: '$mailToRecipient'..." "WARNING" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "WARNING" + } + } + Logging "" "WARNING" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT + } + } + + # If Mode 3, Simulate Password Reset Of KrbTgt TEST/BOGUS Accounts (No Password Reset/WhatIf Mode) + # If Mode 4, Do A Real Password Reset Of KrbTgt TEST/BOGUS Accounts (Password Reset!) + # If Mode 5, Simulate Password Reset Of KrbTgt PROD/REAL Accounts (No Password Reset/WhatIf Mode) + # If Mode 6, Do A Real Password Reset Of KrbTgt PROD/REAL Accounts (Password Reset!) + If ($modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 5 -Or $modeOfOperationNr -eq 6) { + # Retrieve The KrbTgt Account Object + $targetObjectToCheck = $null + If ($localADforest -eq $true -Or ($localADforest -eq $false -And !$adminCrds)) { + Try { + #$targetObjectToCheck = Get-ADUser -LDAPFilter "(sAMAccountName=$krbTgtSamAccountName)" -Properties * -Server $targetedADdomainNearestRWDCFQDN + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos)).defaultNamingContext.distinguishedName + $targetObjectToCheck = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$krbTgtSamAccountName))" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For User Object With 'sAMAccountName=$krbTgtSamAccountName'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + If ($localADforest -eq $false -And $adminCrds) { + Try { + #$targetObjectToCheck = Get-ADUser -LDAPFilter "(sAMAccountName=$krbTgtSamAccountName)" -Properties * -Server $targetedADdomainNearestRWDCFQDN -Credential $adminCrds + $targetSearchBase = (Get-RootDSE -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds)).defaultNamingContext.distinguishedName + $targetObjectToCheck = Find-LdapObject -LdapConnection $(Get-LdapConnection -LdapServer:$targetedADdomainNearestRWDCFQDN -EncryptionType Kerberos -Credential $adminCrds) -searchBase $targetSearchBase -searchFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$krbTgtSamAccountName))" -PropertiesToLoad @("pwdlastset") + } Catch { + Logging "" "ERROR" + Logging "Error Querying AD Against '$targetedADdomainNearestRWDCFQDN' For User Object With 'sAMAccountName=$krbTgtSamAccountName' Using '$($adminCrds.UserName)'..." "ERROR" + Logging "" "ERROR" + Logging "Exception Type......: $($_.Exception.GetType().FullName)" "ERROR" + Logging "" "ERROR" + Logging "Exception Message...: $($_.Exception.Message)" "ERROR" + Logging "" "ERROR" + Logging "Error On Script Line: $($_.InvocationInfo.ScriptLineNumber)" "ERROR" + Logging "" "ERROR" + } + } + + # If The KrbTgt Account Object Was Found + If ($targetObjectToCheck) { + # If The KrbTgt Account Object Exists (You're In Deep Sh!t If The Account Does Not Exist! :-)) + # Retrieve The DN Of The KrbTgt Account Object + $targetObjectToCheckDN = $null + $targetObjectToCheckDN = $targetObjectToCheck.DistinguishedName + + # Retrieve The Metadata Of The Object, And More Specific Of The pwdLastSet Attribute Of That Object + $objectMetadata = $null + $objectMetadata = retrieveObjectMetadata $targetedADdomainNearestRWDCFQDN $targetObjectToCheckDN $localADforest $adminCrds + $objectMetadataAttribPwdLastSet = $null + $objectMetadataAttribPwdLastSet = $objectMetadata | Where-Object{$_.Name -eq "pwdLastSet"} + $objectMetadataAttribPwdLastSetOrgRWDCFQDN = $null + $objectMetadataAttribPwdLastSetOrgRWDCFQDN = If ($objectMetadataAttribPwdLastSet.OriginatingServer) {$objectMetadataAttribPwdLastSet.OriginatingServer} Else {"RWDC Demoted"} + $objectMetadataAttribPwdLastSetOrgTime = $null + $objectMetadataAttribPwdLastSetOrgTime = Get-Date $($objectMetadataAttribPwdLastSet.LastOriginatingChangeTime) -f "yyyy-MM-dd HH:mm:ss" + $objectMetadataAttribPwdLastSetVersion = $null + $objectMetadataAttribPwdLastSetVersion = $objectMetadataAttribPwdLastSet.Version + + # Retrieve The Password Last Set Of The KrbTgt Account Object + $targetObjectToCheckPwdLastSet = $null + $targetObjectToCheckPwdLastSet = Get-Date $([datetime]::fromfiletime($targetObjectToCheck.pwdLastSet)) + + # If Mode 3, Do A WHAT IF Password Reset Of KrbTgt TEST/BOGUS Accounts (No Password Reset!) + # If Mode 5, Do A WHAT IF Password Reset Of KrbTgt PROD/REAL Accounts (No Password Reset!) + If ($modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 5) { + Logging " --> According To RWDC.....................: '$targetedADdomainNearestRWDCFQDN'" + Logging " --> Previous Password Set Date/Time.......: '$(Get-Date $targetObjectToCheckPwdLastSet -f 'yyyy-MM-dd HH:mm:ss')'" + Logging " --> Originating RWDC Previous Change......: '$objectMetadataAttribPwdLastSetOrgRWDCFQDN'" + Logging " --> Originating Time Previous Change......: '$objectMetadataAttribPwdLastSetOrgTime'" + Logging " --> Current Version Of Attribute Value....: '$objectMetadataAttribPwdLastSetVersion'" + Logging "" + Logging "REMARK: What If Mode! NO PASSWORD RESET HAS OCCURED!" "REMARK" + Logging "" + } + + # If Mode 4, Do A Real Password Reset Of KrbTgt TEST/BOGUS Accounts (Password Reset!) + # If Mode 6, Do A Real Password Reset Of KrbTgt PROD/REAL Accounts (Password Reset!) + If ($modeOfOperationNr -eq 4 -Or $modeOfOperationNr -eq 6) { + # Calculate The Expiration Date/Time Of N-1 Kerberos Tickets + $expirationTimeForNMinusOneKerbTickets = $null + $expirationTimeForNMinusOneKerbTickets = (($targetObjectToCheckPwdLastSet.AddHours($targetedADdomainMaxTgtLifetimeHrs)).AddMinutes($targetedADdomainMaxClockSkewMins)).AddMinutes($targetedADdomainMaxClockSkewMins) + + # Check If It Advisable To Reset The Password Or Not. + # If YES, Just Continue + # If NO, Ask For Acknowledgement + $okToReset = $null + If ($expirationTimeForNMinusOneKerbTickets -lt [DateTime]::Now) { + # Allow The Password Reset To Occur Without Questions If The Expiration Date/Time Of N-1 Kerberos Tickets Is Earlier Than The Current Time + $okToReset = $True + } Else { + # Allow The Password Reset To Occur After Confirnation Only If The Expiration Date/Time Of N-1 Kerberos Tickets Is Equal Or Later Than The Current Time + Logging " --> According To RWDC.....................: '$targetedADdomainNearestRWDCFQDN'" + Logging " --> Previous Password Set Date/Time.......: '$(Get-Date $targetObjectToCheckPwdLastSet -f 'yyyy-MM-dd HH:mm:ss')'" + Logging " --> Date/Time N-1 Kerberos Tickets........: '$(Get-Date $expirationTimeForNMinusOneKerbTickets -f 'yyyy-MM-dd HH:mm:ss')'" + Logging " --> Date/Time Now.........................: '$(Get-Date $([DateTime]::Now) -f 'yyyy-MM-dd HH:mm:ss')'" + Logging " --> Max TGT Lifetime (Hours)..............: '$targetedADdomainMaxTgtLifetimeHrs'" + Logging " --> Max Clock Skew (Minutes)..............: '$targetedADdomainMaxClockSkewMins'" + Logging " --> Originating RWDC Previous Change......: '$objectMetadataAttribPwdLastSetOrgRWDCFQDN'" + Logging " --> Originating Time Previous Change......: '$objectMetadataAttribPwdLastSetOrgTime'" + Logging " --> Current Version Of Attribute Value....: '$objectMetadataAttribPwdLastSetVersion'" + Logging "" + $continueOrStop = $null + If ($targetKrbTgtAccountNr -eq 1) { + If ($argsCount -gt 0) { + $continueOrStop = "STOP" + Logging " --> Resetting KrbTgt Accnt Password Means.: 'MAJOR DOMAIN WIDE IMPACT'" "WARNING" + Logging "" "WARNING" + Logging "What do you want to do? [CONTINUE | STOP]: $continueOrStop" "ACTION" + } Else { + Logging " --> Resetting KrbTgt Accnt Password Means.: 'MAJOR DOMAIN WIDE IMPACT'" "WARNING" + Logging "" "WARNING" + Logging "What do you want to do? [CONTINUE | STOP]: " "ACTION-NO-NEW-LINE" + $continueOrStop = Read-Host + } + } + If ($targetKrbTgtAccountNr -eq 2 -Or $targetKrbTgtAccountNr -eq 3) { + If ($argsCount -gt 0) { + $continueOrStop = "STOP" + Logging " --> Resetting KrbTgt Accnt Password Means.: 'MAJOR IMPACT FOR RESOURCES SERVICED BY $($dcToProcess."Host Name")' (Site: $($dcToProcess."Site Name"))" "WARNING" + Logging "" "WARNING" + Logging "What do you want to do? [CONTINUE | SKIP | STOP]: $continueOrStop" "ACTION" + } Else { + Logging " --> Resetting KrbTgt Accnt Password Means.: 'MAJOR IMPACT FOR RESOURCES SERVICED BY $($dcToProcess."Host Name")' (Site: $($dcToProcess."Site Name"))" "WARNING" + Logging "" "WARNING" + Logging "What do you want to do? [CONTINUE | SKIP | STOP]: " "ACTION-NO-NEW-LINE" + $continueOrStop = Read-Host + } + } + + If ($targetKrbTgtAccountNr -eq 1) { + # Any Confirmation Not Equal To CONTINUE Will Be Equal To STOP + If ($continueOrStop.ToUpper() -ne "CONTINUE") { + $continueOrStop = "STOP" + } + } + If ($targetKrbTgtAccountNr -eq 2 -Or $targetKrbTgtAccountNr -eq 3) { + # Any Confirmation Not Equal To CONTINUE And Not Equal To SKIP And Not Equal To STOP Will Be Equal To STOP + If ($continueOrStop.ToUpper() -ne "CONTINUE" -And $continueOrStop.ToUpper() -ne "SKIP" -And $continueOrStop.ToUpper() -ne "STOP") { + $continueOrStop = "STOP" + } + } + + Logging "" + If ($continueOrStop.ToUpper() -eq "CONTINUE") { + # If The Confirmation Equals CONTINUE Allow The Password Reset To Continue + $okToReset = $True + } Else { + # If The Confirmation Does Not Equal CONTINUE Do Not Allow The Password Reset To Continue. Abort + $okToReset = $False + } + Logging " --> Chosen: $continueOrStop" "REMARK" + Logging "" + } + If ($okToReset -eq $true) { + # If OK To Reset Then Execute The Password Reset Of The KrbTgt Account + setPasswordOfADAccount $targetedADdomainSourceRWDCFQDN $krbTgtSamAccountName $localADforest $adminCrds + } Else { + # If Not OK To Reset Then Abort + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "WARNING" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "WARNING" + Logging " - TO: '$mailToRecipient'..." "WARNING" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "WARNING" + } + } + Logging "" "WARNING" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT + } + } + # If Mode 3, Do A WHAT IF Password Reset Of KrbTgt TEST/BOGUS Accounts (No Password Reset!) + # If Mode 5, Do A WHAT IF Password Reset Of KrbTgt PROD/REAL Accounts (No Password Reset!) + If ($modeOfOperationNr -eq 3 -Or $modeOfOperationNr -eq 5) { + + } + } Else { + # If The KrbTgt Account Object Does Not Exist (You're In Deep Sh!t If The Account Does Not Exist! :-)) + Logging " --> KrbTgt Account With sAMAccountName '$krbTgtSamAccountName' Does NOT Exist! Skipping..." "ERROR" + Logging "" "ERROR" + } + } + } Else { + # If The Source RWDC Is NOT Reachable + Logging "" + Logging "The RWDC '$targetedADdomainSourceRWDCFQDN' To Make The Change On Is Not Reachable/Available..." "ERROR" + Logging "" + } + + # If The DN Of The Target Object To Check (Temp Canary Object Or KrbTgt Account, Depends On The Mode Chosen) Was Determined/Found + If ($targetObjectToCheckDN) { + # Retrieve/Define The Start List With RWDCs To Check + If ($targetKrbTgtAccountNr -eq 1) { + $listOfDCsToCheckObjectOnStart = $null + $listOfDCsToCheckObjectOnStart = ($tableOfDCsInADDomain | Where-Object{$_."DS Type" -eq "Read/Write"}) + } + If ($targetKrbTgtAccountNr -eq 2 -Or $targetKrbTgtAccountNr -eq 3) { + $listOfDCsToCheckObjectOnStart = @() + $listOfDCsToCheckObjectOnStart += $tableOfDCsInADDomain | Where-Object{$_."Host Name" -eq $targetedADdomainSourceRWDCFQDN} + $listOfDCsToCheckObjectOnStart += $dcToProcess + } + + # Define The End List With RWDCs That Have Been Checked. Now Only Contains The Source RWDC. While Looping Through The Start List And Determing The Object Has Replicated, DCs Are Added To The End List + $listOfDCsToCheckObjectOnEnd = @() + + # Define The Columns For The RWDCs In The AD Domain To Be Filled In + $listOfDCsToCheckObjectOnEndSourceRWDCObj = "" | Select-Object "Host Name", PDC, "Site Name", "DS Type", "IP Address", Reachable, "Source RWDC FQDN", Time + + # Set The Corresponding Value Of The RWDC In The Correct Column Of The Table + $listOfDCsToCheckObjectOnEndSourceRWDCObj."Host Name" = $null + $listOfDCsToCheckObjectOnEndSourceRWDCObj."Host Name" = $targetedADdomainSourceRWDCFQDN + + # Set The Corresponding Value Of The RWDC In The Correct Column Of The Table + $listOfDCsToCheckObjectOnEndSourceRWDCObj.PDC = $null + $listOfDCsToCheckObjectOnEndSourceRWDCObj.PDC = $targetedADdomainSourceRWDCIsPDC + + # Set The Corresponding Value Of The RWDC In The Correct Column Of The Table + $listOfDCsToCheckObjectOnEndSourceRWDCObj."DS Type" = $null + $listOfDCsToCheckObjectOnEndSourceRWDCObj."DS Type" = $targetedADdomainSourceRWDCDSType + + # Set The Corresponding Value Of The RWDC In The Correct Column Of The Table + $listOfDCsToCheckObjectOnEndSourceRWDCObj."Site Name" = $null + $listOfDCsToCheckObjectOnEndSourceRWDCObj."Site Name" = $targetedADdomainSourceRWDCSiteName + + # Set The Corresponding Value Of The RWDC In The Correct Column Of The Table + $listOfDCsToCheckObjectOnEndSourceRWDCObj."IP Address" = $null + $listOfDCsToCheckObjectOnEndSourceRWDCObj."IP Address" = $targetedADdomainSourceRWDCIPAddress + + # Set The Corresponding Value Of The RWDC In The Correct Column Of The Table + $listOfDCsToCheckObjectOnEndSourceRWDCObj.Reachable = $null + $listOfDCsToCheckObjectOnEndSourceRWDCObj.Reachable = $targetedADdomainSourceRWDCReachability + + # Set The Corresponding Value Of The RWDC In The Correct Column Of The Table + $listOfDCsToCheckObjectOnEndSourceRWDCObj."Source RWDC FQDN" = "N.A." + + # Set The Corresponding Value Of The RWDC In The Correct Column Of The Table + $listOfDCsToCheckObjectOnEndSourceRWDCObj.Time = 0.00 + + # Add The Row For The RWDC To The Table + $listOfDCsToCheckObjectOnEnd += $listOfDCsToCheckObjectOnEndSourceRWDCObj + + # Execute The Check AD Replication Convergence Function For The Targeted Object To Check + checkADReplicationConvergence $targetedADdomainFQDN $targetedADdomainSourceRWDCFQDN $targetObjectToCheckDN $listOfDCsToCheckObjectOnStart $listOfDCsToCheckObjectOnEnd $modeOfOperationNr $localADforest $adminCrds + } + } + + # If Any DC Object Exists In The Unknown DC List + If ($collectionOfDCsNotToProcess) { + Logging "+++++" "REMARK" + Logging "+++ The Following Look Like DCs, But May Not Be Real DCs..." "REMARK" + Logging "+++++" "REMARK" + Logging "" "REMARK" + + # For Every Unknown DC + $collectionOfDCsNotToProcess | ForEach-Object { + $dcToProcess = $null + $dcToProcess = $_ + Logging "$($dcToProcess | Format-Table * | Out-String)" + Logging "" + } + Logging "" + } + } +} + +### +# Mode 8 - Create TEST KrbTgt Accounts +### +If ($modeOfOperationNr -eq 8) { + Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" + Logging "CREATE TEST KRBTGT ACCOUNTS (MODE 8)..." "HEADER" + Logging "" + + # Asking Confirmation To Continue Or Not + Logging "Do you really want to continue and execute 'Mode $modeOfOperationNr'? [CONTINUE | STOP]: " "ACTION-NO-NEW-LINE" + $continueOrStop = Read-Host + + # Any Confirmation Not Equal To CONTINUE Will Be Equal To STOP + If ($continueOrStop.ToUpper() -ne "CONTINUE") { + $continueOrStop = "STOP" + } + Logging "" + Logging " --> Chosen: $continueOrStop" "REMARK" + Logging "" + + # Any Confirmation Not Equal To CONTINUE Will Abort The Script + If ($continueOrStop.ToUpper() -ne "CONTINUE") { + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "WARNING" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "WARNING" + Logging " - TO: '$mailToRecipient'..." "WARNING" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "WARNING" + } + } + Logging "" "WARNING" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT + } + + # Retrieve The FQDN Of The RWDC With The PDC FSMO To Create The TEST/BOGUS KrbTgt Account Objects + $targetedADdomainSourceRWDCFQDN = $null + $targetedADdomainSourceRWDCFQDN = ($tableOfDCsInADDomain | Where-Object{$_.PDC -eq $True})."Host Name" + + # Determine The KrbTgt Account In Use By The RWDC with The PDC FSMO (Representative For All RWDCs In The AD Domain) + $krbTgtSamAccountName = $null + $krbTgtSamAccountName = ($tableOfDCsInADDomain | Where-Object{$_.PDC -eq $True})."Krb Tgt" + Logging "+++++" "REMARK" + Logging "+++ Create Test KrbTgt Account...: '$krbTgtSamAccountName' +++" "REMARK" + Logging "+++ Used By RWDC.................: 'All RWDCs' +++" "REMARK" + Logging "+++++" "REMARK" + Logging "" "REMARK" + + # Execute The Creation Test KrbTgt Accounts Function To Create The TEST/BOGUS KrbTgt Account For RWDCs + createTestKrbTgtADAccount $targetedADdomainSourceRWDCFQDN $targetedADdomainSourceRWDCFQDN $krbTgtSamAccountName "RWDC" $targetedADdomainDomainSID $localADforest $adminCrds + + # For All RODCs In The AD Domain That Do Not Have An Unknown RWDC Specfied + $tableOfDCsInADDomain | Where-Object{$_."DS Type" -eq "Read-Only" -And $_."Source RWDC FQDN" -ne "Unknown"} | ForEach-Object { + # Retrieve The RODC Object In The List + $rodcToProcess = $null + $rodcToProcess = $_ + + # Retrieve The sAMAccountName Of The KrbTgt Account In Use By The RODC + $krbTgtSamAccountName = $null + $krbTgtSamAccountName = $rodcToProcess."Krb Tgt" + + # Retrieve The HostName Of The RODC + $rodcFQDNTarget = $null + $rodcFQDNTarget = $rodcToProcess."Host Name" + + # Retrieve The SiteName Of The RODC + $rodcSiteTarget = $null + $rodcSiteTarget = $rodcToProcess."Site Name" + Logging "+++++" "REMARK" + Logging "+++ Create Test KrbTgt Account...: '$krbTgtSamAccountName' +++" "REMARK" + Logging "+++ Used By RODC.................: '$rodcFQDNTarget' (Site: $rodcSiteTarget) +++" "REMARK" + Logging "+++++" "REMARK" + Logging "" "REMARK" + + # Execute The Create Test KrbTgt Accounts Function To Create The TEST/BOGUS KrbTgt Account For Each RODC + createTestKrbTgtADAccount $targetedADdomainSourceRWDCFQDN $rodcFQDNTarget $krbTgtSamAccountName "RODC" $targetedADdomainDomainSID $localADforest $adminCrds + } +} + +### +# Mode 9 - Cleanup TEST KrbTgt Accounts +### +If ($modeOfOperationNr -eq 9) { + Logging "------------------------------------------------------------------------------------------------------------------------------------------------------" "HEADER" + Logging "CLEANUP TEST KRBTGT ACCOUNTS (MODE 9)..." "HEADER" + Logging "" + + # Asking Confirmation To Continue Or Not + Logging "Do you really want to continue and execute 'Mode $modeOfOperationNr'? [CONTINUE | STOP]: " "ACTION-NO-NEW-LINE" + $continueOrStop = Read-Host + + # Any Confirmation Not Equal To CONTINUE Will Be Equal To STOP + If ($continueOrStop.ToUpper() -ne "CONTINUE") { + $continueOrStop = "STOP" + } + Logging "" + Logging " --> Chosen: $continueOrStop" "REMARK" + Logging "" + + # Any Confirmation Not Equal To CONTINUE Will Abort The Script + If ($continueOrStop.ToUpper() -ne "CONTINUE") { + # Mail The Log File With The Results + If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "WARNING" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "WARNING" + Logging " - TO: '$mailToRecipient'..." "WARNING" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "WARNING" + } + } + Logging "" "WARNING" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile + } + + EXIT + } + + # Retrieve The FQDN Of The RWDC With The PDC FSMO To Delete The TEST/BOGUS KrbTgt Account Objects + $targetedADdomainSourceRWDCFQDN = $null + $targetedADdomainSourceRWDCFQDN = ($tableOfDCsInADDomain | Where-Object{$_.PDC -eq $True})."Host Name" + + # Determine The KrbTgt Account In Use By The RWDC with The PDC FSMO (Representative For All RWDCs In The AD Domain) + $krbTgtSamAccountName = $null + $krbTgtSamAccountName = ($tableOfDCsInADDomain | Where-Object{$_.PDC -eq $True})."Krb Tgt" + Logging "+++++" "REMARK" + Logging "+++ Delete Test KrbTgt Account...: '$krbTgtSamAccountName' +++" "REMARK" + Logging "+++ Used By RWDC.................: 'All RWDCs' +++" "REMARK" + Logging "+++++" "REMARK" + Logging "" "REMARK" + + # Execute The Delete Test KrbTgt Accounts Function To Delete The TEST/BOGUS KrbTgt Account For RWDCs. There Is No Need To Force Deletion Of The Object On All The Other DCs As In Time It Will Be Deleted + deleteTestKrbTgtADAccount $targetedADdomainSourceRWDCFQDN $krbTgtSamAccountName $localADforest $adminCrds + + # For All RODCs In The AD Domain That Do Not Have An Unknown RWDC Specfied + $tableOfDCsInADDomain | Where-Object{$_."DS Type" -eq "Read-Only" -And $_."Source RWDC FQDN" -ne "Unknown"} | ForEach-Object { + # Retrieve The RODC Object In The List + $rodcToProcess = $null + $rodcToProcess = $_ + + # Retrieve The sAMAccountName Of The KrbTgt Account In Use By The RODC + $krbTgtSamAccountName = $null + $krbTgtSamAccountName = $rodcToProcess."Krb Tgt" + + # Retrieve The HostName Of The RODC + $rodcFQDNTarget = $null + $rodcFQDNTarget = $rodcToProcess."Host Name" + + # Retrieve The SiteName Of The RODC + $rodcSiteTarget = $null + $rodcSiteTarget = $rodcToProcess."Site Name" + Logging "+++++" "REMARK" + Logging "+++ Delete Test KrbTgt Account...: '$krbTgtSamAccountName' +++" "REMARK" + Logging "+++ Used By RODC.................: '$rodcFQDNTarget' (Site: $rodcSiteTarget) +++" "REMARK" + Logging "+++++" "REMARK" + Logging "" "REMARK" + + # Execute The Delete Test KrbTgt Accounts Function To Delete The TEST/BOGUS KrbTgt Account For Each RODC. There Is No Need To Force Deletion Of The Object On All The Other DCs As In Time It Will Be Deleted + deleteTestKrbTgtADAccount $targetedADdomainSourceRWDCFQDN $krbTgtSamAccountName $localADforest $adminCrds + } +} + +# Display The Full Path To The Log File +Logging "" +Logging "Log File Path...: $logFilePath" "REMARK" +Logging "" + +# Mail The Log File With The Results +If ($argsCount -gt 0 -And $sendMailWithLogFile) { + Logging "" "REMARK" + Logging "The Log File '$logFilePath' Has Been Mailed To The Following Recipients..." "REMARK" + Logging " - TO: '$mailToRecipient'..." "REMARK" + If ($mailCcRecipients.Length -gt 0) { + $mailCcRecipients | ForEach-Object { + Logging " - CC: '$($_)'..." "REMARK" + } + } + Logging "" "REMARK" + + $mailAttachments = @() + $mailAttachments += $logFilePath + sendMailMessage $smtpServer $smtpPort $smtpCredsUserName $smtpCredsPassword $mailFromSender $mailToRecipient $mailCcRecipients $mailPriority $mailSubject $mailBody $mailAttachments $mailSignAndEncryptDllFile $mailSign $mailSignAndEncryptCertLocation $mailSignAndEncryptCertThumbprint $mailSignAndEncryptCertPFXFile $mailSignAndEncryptCertPFXPassword $mailEncrypt $mailEncryptCertLocation $mailEncryptCertThumbprint $mailEncryptCertCERFile +} \ No newline at end of file