Active Directory UserAccountControl Details
Reference: https://support.microsoft.com/en-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
Take a domain running multiple versions of Windows domain controllers across multiple AD sites and replicating just fine, add Server 2019 as a DC to the mix, and what do you get? Say it with me now “DCs mostly replicating just fine but KCC re-evaluated connections and one DC is now spamming event 1645 and […]
So you’ve combed through 7-year-old TechNet forum posts, cursed the limitations of the Event Log Readers group when trying to use Get-WinEvent, and then tried to decipher SDDL to no avail. A treatment for all those woes:
function Add-EventLogAccess {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [ValidateScript({Get-ADObject -LDAPFilter "(samaccountname=$_)"})]
        [string]$Identity,

        [ValidateSet('Application','Security','System')]
        [string]$LogName,

        [ValidateSet('RO','RW')]
        [string]$Permission
    )

    try {
        # Get the original permissions in SDDL format
        $origValue = ((wevtutil.exe gl $LogName | ? {$_ -match '^channelAccess'}) -split ': ')[-1].Trim()

        # Create the new SDDL syntax: 0x1 = read, 0x3 = read + write
        switch ($Permission) {
            'RO' {$PermissionHex = '0x1'}
            'RW' {$PermissionHex = '0x3'}
        }

        $ADsid = (Get-ADObject -LDAPFilter "(samaccountname=$Identity)" -Properties ObjectSid).ObjectSid.Value

        # Stop if the SID already appears in the SDDL so an ACE is never appended twice
        if ($origValue -match $ADsid) {
            Write-Host "$ADsid already set in SDDL, manual inspection required`nCurrent Value: $origValue" -ForegroundColor Yellow
            return
        }

        # Append an allow ACE for the SID to the existing SDDL string
        $newValue = "$origValue(A;;$PermissionHex;;;$ADsid)"
        Write-Host "CustomSD original value: $origValue"
        Write-Host "CustomSD new value: $newValue"

        $Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
        if ($PSCmdlet.ShouldProcess("$LogName log with value $newValue", "Set-ItemProperty")) {
            # NOTE: removing CustomSD allows channelAccess to return to default, verified with wevtutil.exe gl $LogName
            Set-ItemProperty -Path $Path -Name 'CustomSD' -Value $newValue -Type String -ErrorAction Stop -Force

            # The identity also needs read access to the log's registry key
            $regACL = Get-Acl $Path
            if ($regACL.Access | ? {$_.IdentityReference -like "*$Identity" -and $_.RegistryRights -eq 'ReadKey' -and $_.AccessControlType -eq 'Allow'}) {
                Write-Host "`n$Identity already has ability to read $Path" -ForegroundColor Yellow
            }
            else {
                Write-Host "`nAdd $Identity permission to $Path" -ForegroundColor Green
                $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
                $regACL.AddAccessRule($rule)
                Set-Acl -AclObject $regACL -Path $regACL.Path -ErrorAction Stop
            }
        }
    }
    catch {
        throw $_
    }
}

Add-EventLogAccess -Identity 'MY_AD_GROUP' -LogName Security -Permission RO
The basic gist here is that the CustomSD registry value will contain your new permissions and […]
So the shiny and new Windows 10 v1809 has RSAT available as features on demand you can install simply using Add-WindowsCapability. Great! Unfortunately for me somewhere along the line my Windows 10 system, which had the 1803 RSAT tools installed, obtained standard Windows updates and the RSAT options were removed from Windows Features menu. I […]
I found that the latest version of PowerCLI 10 ran fine in 32-bit mode but VS Code, Powershell ISE, or Powershell console in 64-bit mode were unable to load the module. I would get the following errors when trying to import the newly installed module: Could not load file or assembly ‘log4net, Version=1.2.10.0, Culture=neutral, PublicKeyToken=692fbea5521e1304’ […]
Anyone who has ever queried for installed software knows that Win32_Product is annoyingly slow. There are plenty of solutions out there to pull in all installed software, then filter, then act, but I wanted something lightweight that could drill down to my target in a single function. The script below doesn’t validate that targetAttribute name is […]
While Get-MailboxStatistics can quickly show total mailbox size the format is terrible and calculated on the fly resulting in something like this: I used to throw multiple split commands at it to get the byte count, and while that worked, it was ugly. I’ve been on a regex kick recently and simplified the solution a […]
Ya know what grinds my gears? Getting a CSV of employees without a unique key column – no samaccountname, UPN, email, DistinguishedName, SID – nothing. Sometimes you’ll even get supplied with a column of <firstname><space><lastname> using 3rd party information that doesn’t mesh with AD info either. Nice. The function below can be used with an […]
If you’ve ever had the pleasure of working with the built-in O365 cmdlets for viewing and modifying licenses you’ve probably come across: Set-MsolUserLicense : Unable to assign this license because it is invalid. Use the Get-MsolAccountSku cmdlet to retrieve a list of valid licenses. In every instance I ran across this “error” it was because […]
For those of you with more than 10 physical NICs on your hosts, you may find existing CDP scripts lack a little when trying to sort by hostname and then NIC: vmnic0, vmnic1, vmnic11, vmnic12, vmnic2 ... vmnicN. Nothing like a little regex and built-in padding to get everything in order. Pass a vmhost host object […]