security

Bypassing Windows 10 UAC for Unknown Publishers

It happens that some programs alert you in Windows 10 about Publisher: Unknown and expect you to possibly provide administrative credentials to even execute it.

Especially in corporate networks users likely don’t have this level of permissions and surely the IT department respective IT-Administrators going to be reluctant to grant administrative privileges when they are not absolutely necessary.

For this specific case, there is a possible workaround – try to start the program with the following CMD-command and see if you might be able to bypass this issue. I sure don’t recommend doing this just for any program, be sure that what you want to start is safe, but there are cases where this is necessary, cause you won’t want to alter the UAC (User Account Control) or permission level or the employee.

%windir%\System32\cmd.exe /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Program Files\Path\To\Your\Program.exe""

1	%windir%\System32\cmd.exe /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Program Files\Path\To\Your\Program.exe""

Of course, adjust the path to your program. Eventually the parameter __COMPAT_LAYER=RUNASINVOKER is likely to bypass this specific issue.

Note that this also depends on a few more variables, but it sure is worth a try.

Monitor group memberships in Active Directory with PRTG

There is at least one group you want to monitor for any membership changes in Active Directory / LDAP – the Domain Admins group. This is so important, as any changes to this group could cause great harm to your whole system. Of course there are other ways in but you for sure want to monitor at least the basic information of the amount of users in this group.

In order to do so, I wrote a PowerShell script that provides you the amount of members of any given group in Active Directory, as well as a text response (under the probe name and in some alerts if activated) of the sAMAccountName of each member in the group. This way you can hopefully right away determine the changed object, assuming you know what should be in there and what not.

If you have nested groups, you might wanna monitor them as well till you reach a user only level.

Create the script as always on your PRTG probing server in C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML and add a new EXE/Advanced XML sensor in PRTG. Select the script and provide at a bare minimum the parameter MonitoredGroup.

Parameter samples:

-MonitoredGroup “Domain Admins”
-MonitoredGroup “Domain Admins” -Server “MyDC.domain.local”

If you do not provide a server name, the system will try determine it on it’s own – default Domain-Membership etc..

Once the first run was successful you should review the results and set the upper and lower error limit on the PRTG sensor to the current amount of members. Any change then will cause the sensor to go in to error status and inform you therefor about the change.

param(
	[string]$Server = "",
	[string]$MonitoredGroup = ""
)
Import-Module ActiveDirectory

If ($Server.Length -gt 0) {
    $LDAPGroup = Get-ADGroupMember $MonitoredGroup -Server $Server
} Else {
    $LDAPGroup = Get-ADGroupMember $MonitoredGroup 
}

[string]$LDAPGroupMembers = ""
Foreach ($Member in $LDAPGroup){
    If ($LDAPGroupMembers.Length -gt 0) {$LDAPGroupMembers += ", "}
    $LDAPGroupMembers += $Member.SamAccountName
}

$XML = "<prtg>
            <result>
                <channel>Amound of Users in Group</channel>
                <value>"+ $LDAPGroup.count +"</value>
            </result>			
            <text>"+ $MonitoredGroup +" Members: " + $LDAPGroupMembers + "</text>
        </prtg>"
 
Function WriteXmlToScreen ([xml]$XML) #just to make it clean XML code...
{
	$StringWriter = New-Object System.IO.StringWriter;
	$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
	$XmlWriter.Formatting = "indented";
	$xml.WriteTo($XmlWriter);
	$XmlWriter.Flush();
	$StringWriter.Flush();
	Write-Output $StringWriter.ToString();
}
 
WriteXmlToScreen $XML;

param(

[string]$Server = "",

[string]$MonitoredGroup = ""

)

Import-Module ActiveDirectory

If ($Server.Length -gt 0) {

$LDAPGroup = Get-ADGroupMember $MonitoredGroup -Server $Server

} Else {

$LDAPGroup = Get-ADGroupMember $MonitoredGroup

}

[string]$LDAPGroupMembers = ""

Foreach ($Member in $LDAPGroup){

If ($LDAPGroupMembers.Length -gt 0) {$LDAPGroupMembers += ", "}

$LDAPGroupMembers += $Member.SamAccountName

}

$XML = "<prtg>

<channel>Amound of Users in Group</channel>

<value>"+ $LDAPGroup.count +"</value>

</result>

<text>"+ $MonitoredGroup +" Members: " + $LDAPGroupMembers + "</text>

</prtg>"

Function WriteXmlToScreen ([xml]$XML) #just to make it clean XML code...

{

$StringWriter = New-Object System.IO.StringWriter;

$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;

$XmlWriter.Formatting = "indented";

$xml.WriteTo($XmlWriter);

$XmlWriter.Flush();

$StringWriter.Flush();

Write-Output $StringWriter.ToString();

}

WriteXmlToScreen $XML;

October 13, 2020 by Florian Rossmark monitoring prtg scripts security server

Auditing network users against HR lists etc.

Auditing network users against HR lists – a topic that is often overlooked or causes some headache due to e.g. name variations, while it is so important to make sure that your Active Directory is a clean and up to date as possible.

There are big paid solutions out there, but unless you have the budget, resources and processes in place, you will need a simpler approach. Having worked in various sized businesses, let me make some suggestions here. Keep in mind, not all of it might be applicable or best for you, but I hope it will at least provide you some ideas and help to improve your network security.

Structured groups and rights

Before we begin – you should always make any effort to have a very well structured rights base. Avoid cross use of e.g. groups for mail distribution and NTFS file system access. It seems like a good idea until someone needs access to the NTFS path and boom he/she receives the group based communication as well. This is of course just one example. Structure your file systems and right assignments well. All of it can make all the difference. Don’t complicate things, keep it simple.

Monitoring Active Directory activity

What you want is something that constantly looks for any changes to Active Directory, at a bare minimum new users and deleted users as well as group-membership changes. There is some software out there to do this, some is free, often with limited functionality, some you need to buy. Personally I was working on a Windows Service to monitor Active Directory changes, but my time is limited and to this day I did not finish it. Having said this, the IT-Asset Management Database on this website actually has a module that does just this, it monitors the most important activities while it does actually a compare of gathered SQL data against current Active Directory information and eventually sends you a daily report about changes.

Such reports might not be perfect, as they don’t real-time monitor such activity, rather then only send you daily summary reports. Paessler PRTG in combination with either some default sensors or custom scripts like Group Membership change and password reset monitoring or the more specific script for group-membership monitoring are more then helpful. Monitor especially e.g. Domain Admins groups and other groups that would allow access to sensitive areas and data of your network. Such active alerts due to a network monitoring solutions might give you the chance to act fast.

Auditing your user base against HR (Human Resources) data

Again, there is software and solutions out there that can do this automatically or help you with your efforts. But often HR is simply using their Payroll platforms and depending on what they have, it won’t have the functionality you need or they are reluctant to implement such processes or possibly provide you access after all.

The main issue I came across is that there is a difference between the HR data and what the full name in your Active Directory (e.g.) is. You can’t further not just automate user name prediction based on any HR export data you have, cause there likely will be duplicate names as well, depending on how you create user names.

HR normally has an employee number, they should be able to provide this in any employee export to you. Now, Active Directory has actually some attributes that you easily can engage: EmployeeID, employeeNumber and employeeType. PowerShell is your friend, if you want to set them. I highly recommend to use PowerShell to some extend if you create new users. Look at the CheckLists in combination with employees in the IT-Asset Management Database as well for some hints and automation. Microsoft’s Set-ADUser PowerShell command will be helpful as well.

Eventually use a tool like the IT-Admins tool to read your users from your Active Directory and export to Excel. Once you have this, you compare the HR list against the Active Directory export. Don’t bother with VLOOKUP – research the use of INDEX/MATCH in Excel. Format both tables as tables in Excel and document your process, as this might depend a bit on what tools you engaged and how the eventual data looks like. You should end up comparing the HR employee number against the HR employee number stored and exported from Active Directory. This should give you a quick and clean overview. What you should be on the lookout for are those N/A error in Excel in the compare column, as well as possibly HR data that indicates a termination or change. You can go as far as compare the department information, again there are Active Directory attributes for this as well. Department names and department IDs.

If you want to go another step, start comparing group-membership as well. Export all the groups and members, again the IT-Admins Tool can help you here. View it possibly from both sides, the group and members view as well as user is member of groups view. Have the department owners take a look at it as well, they might want to see this.

And step three will be an NTFS rights review. Never ever should there be a user account directly used to assign rights in NTFS. This always should be done via groups. How ever, to review this I again recommend using the IT-Admins Tool, as this is actually designed to help you with the process and is able to export the needed data rather quick and simple.

Don’t forget your ERP systems and systems with Active Directory independent user bases

It is not always possible to rely on Active Directory as only source for your user base. Even if you can, the right assignment in e.g. your ERP system to functions likely is independent from Active Directory. Look in to any possibility of your ERP, either API’s or possibly dig in to the database (or where ever the data is stored), to find out about right changes (groups) and review those lists as well against HR information periodically.

Office 365

Oh – it is synchronized with Active Directory, right? Well – review it anyways. There might be a user object that is not synchronized and exists only in Office 365, groups as well. Review the rights to access certain administrative areas within Office 365.

You should definitive review third party users – especially Microsoft TEAMS and sharing e.g. SharePoint or OneDrive files and folders with outside of the organization will likely create some guest accounts. Keep an eye on those.

And then the third party applications – you need to keep an eye on those, as they can cause possible harm or gain access to sensible data. Users/Employees often will install them without reviewing them thoroughly, or they simply don’t realize they might have been there and share confidential data.

Account breach / compromise and API keys in Office 365 should also be something you want to keep a good eye on. Clicking on the wrong link (it will happen!), entering the password and it is to late. Don’t think a simple password reset will solve the issue. Don’t only rely on your MFA. Review does API keys especially in Office 365. What can happen is that the password is used right away to install an API based access to Office 365 that will then independently from password changes have access to the data. Keep an eye on those things as well!

September 25, 2020 by Florian Rossmark monitoring prtg security server

PRTG and Cisco ASA VPN monitoring

The default PRTG sensor for VPN connections on a Cisco ASA has a limited of 50 users connected, actually less. This is due to the limit of 50 channels per sensor.

These days IT departments everywhere likely exceed 50 VPN users everywhere.

Since I do not need to know who is connected, rather then the amount and load on the FW, I came up with a simple sensor and MAP in PRTG to show me the essentials.

Add a snmp custom sensor to your FW in PRTG and use the OID

1.3.6.1.4.1.9.9.392.1.3.1.0

This will give you a number of VPN connection. I am not 100% certain about the OID only being used for Cisco AnyConnect or other VPNs as well. I found it as a valid SNMP OID as I only use Cisco AnyConnect and my VPN tunnels aligned with this number.

Further did I add sensors for CPU / RAM and on the external interface of the FW to the map in PRTG to see the overall status and load.

Detailed information on the bandwidth are a different story, since this is more a passive point in time configuration, I don’t pull that in this map – I care about an average load picture not single pikes that only are temporarily. For this I have different approaches and sources. Mentioning this only for the big picture and cause you need to be aware of that.

Hope some find this helpful.

If you want the users that are online and offline – what is actually a big of a questionable thing due to data privacy concerns and a user not always needing to be on VPN in order to do work – you could create scrips to access more detailed SNMP data and balance this in various sensors. This is possible, but I do not recommend it. Another approach would be using the TEXT value in XML sensors and put the info there. Still, I think you might get to much data and need to ask yourself if this is even something you should collect/monitor.

Here a picture of my map as we barely started getting more home office people online.

PRTG Cisco ASA VPN users

Backlink to the Paessler PRTG KB, where this was discussed as well: https://kb.paessler.com/en/topic/64053-my-snmp-cisco-asa-vpn-users-sensor-shows-a-user-limit-error-why-what-can-i-do

March 19, 2020 by Florian Rossmark monitoring prtg security solutions

Amount of locked out accounts

It is a good to know how many of your user accounts are locked out right now… I would go as far as saying you should monitor this and have alert levels on it, cause this could indicate and reveal a brute-force like attack against your system.

Doing it manually in a PowerShell (assuming you have RSAT / Active-Directory PowerShell modules installed) can be done with the following command that will show you who is locked out and the calculated amount as well..

$s=Search-ADAccount -LockedOut |ft
$s
'CurrentCount: ' + $s.count

$s=Search-ADAccount -LockedOut |ft

'CurrentCount: ' + $s.count

Using PRTG you can add the following advanced script

Import-module activedirectory
$Count=-1

$Accounts = Search-ADAccount -LockedOut
$Count=$Accounts.Count

$Users = ""
foreach ($user in $Accounts) {
	if ($Users.Length -gt 0) {
		$Users += " / "
	}
	$Users += $user.SamAccountName
}

$XML =  "<prtg>"
$XML += "<result><channel>LDAP accounts locked out</channel><value>$Count</value><unit>Count</unit></result>"
$XML += "<text>$Users</text>"
$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)
{
    $StringWriter = New-Object System.IO.StringWriter;
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
    $XmlWriter.Formatting = "indented";
    $xml.WriteTo($XmlWriter);
    $XmlWriter.Flush();
    $StringWriter.Flush();
    Write-Output $StringWriter.ToString();
}

WriteXmlToScreen $XML

Import-module activedirectory

$Count=-1

$Accounts = Search-ADAccount -LockedOut

$Count=$Accounts.Count

$Users = ""

foreach ($user in $Accounts) {

if ($Users.Length -gt 0) {

$Users += " / "

}

$Users += $user.SamAccountName

}

$XML = "<prtg>"

$XML += "<result><channel>LDAP accounts locked out</channel><value>$Count</value><unit>Count</unit></result>"

$XML += "<text>$Users</text>"

$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)

{

$StringWriter = New-Object System.IO.StringWriter;

$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;

$XmlWriter.Formatting = "indented";

$xml.WriteTo($XmlWriter);

$XmlWriter.Flush();

$StringWriter.Flush();

Write-Output $StringWriter.ToString();

}

WriteXmlToScreen $XML

After adding it as a sensor, it will create a single channel with the amount of locked out users. You should set error limits:

minimum error limit: 0
- the script returns -1 if an error occurred
maximum error limit: this depends on your user base – I would say about 5% of your users – no more.. depends as well on the lockout-duration in your security policy…

The advantage of the script in PRTG is – it always reports back additional text – the currently locked out SamAccount names.. respective user-names.. so in case it generates an error – you will see some more information…

Assuming there is a brute-force, you might see this sparking and going down – meaning someone tries to find an entry account… since the lockout attribute causes an emergency-replication of your domain-controllers (this attribute bypasses the regular replication interval) you can fire it relatively simply against your domain, the script just uses the current logon domain of the executing user.

October 25, 2019 by Florian Rossmark monitoring prtg security server

Search the Windows Security Eventlog for a string / text

Lately I had to search a lot through logs – as you can tell by all my postings… I just had to create yet another script that allows you to search through the Windows Security Eventlog – while the script is easily adjustable to other log types like application log or system log.

It’s not the most pretty script – but it certainly works. Don’t be surprised if the script takes it sweet time – it might be it needs to read through a lot of eventlog entries.

param(
    [string] $RemoteComputer = "",
    [string] $SearchString = "",
	[int] 	 $MaxAgeHours = 24,
    [bool]   $FullDetails = $false
)

$Query = @"
<QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
  </Query>
</QueryList>
"@

if ($RemoteComputer.Length -gt 0){
	if ($FullDetails) {
		Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) -ComputerName $RemoteComputer |fl
	} else {
		Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) -ComputerName $RemoteComputer |ft
	}
} else {
	if ($FullDetails) {
		Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) |fl
	} else {
		Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) |ft
	}
}

param(

[string] $RemoteComputer = "",

[string] $SearchString = "",

[int] $MaxAgeHours = 24,

[bool] $FullDetails = $false

)

$Query = @"

</Query>

</QueryList>

if ($RemoteComputer.Length -gt 0){

if ($FullDetails) {

Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) -ComputerName $RemoteComputer |fl

} else {

Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) -ComputerName $RemoteComputer |ft

}

} else {

if ($FullDetails) {

Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) |fl

} else {

Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) |ft

}

August 7, 2019 by Florian Rossmark scripts security server

Active Directory password reset events and group change events

The script below uses the security event log on defined DCs within your Active Directory to export events related to certain activities. Eventually the script will export this even to an email and send it to you as a report – if needed.

As is – the script will specifically look for those events

4724 – a user password was reset by an administrator respective via Active Directory Users and Groups MMC (or similar)
4728 – a user was added to a security group
4729 – a user was removed from a security group

There are more events – specifically events related to adding/removing users from distribution groups etc. – for the purpose of for what I wrote the script, I did not need this. Still, I thought it is worth publishing this, as others might find it helpful.

To add more events – just adjust line 19 – eventually just add more “or EventID=1234” statements – should be rather easy… in theory you could build that out as a parameter as well and inject it via the script.

param(
    [string] $DomainControllers = "",
    [bool]   $FullDetails = $false,
    [int]    $HoursInThePast = 24,
    [bool]   $SendMail = $false,
    [string] $SMTPfrom = "",
    [string] $SMTPto = "",
    [string] $SMTPsubject = "",
    [string] $SMTPserver = ""
)

#4724 - user PW reset by admin
#4728 - user added to security group
#4729 - user removed from security group

$Query = @"
<QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4724 or EventID=4728 or EventID=4729)]]</Select>
  </Query>
</QueryList>
"@

If ($DomainControllers.Length -eq 0) {
    Import-Module ActiveDirectory
    $DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
    ForEach($DC In $DomainControllers) {
        Write-Host "checking DC: $DC"
        $OutPut += "Export from DC: $DC" 
        $OutPut += ""
        If ($FullDetails) {
            $OutPut += Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | fl | Out-String
        } Else {
            $OutPut += Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | ft | Out-String
        }
    }
} Else {
    $DCs = $DomainControllers.Split(',')
    foreach ($DomainController in $DCs) {
        Write-Host "checking DC: $DomainController"
        $OutPut += "Export from DC: $DomainController" 
        $OutPut += ""
        If ($FullDetails) {
            $OutPut += Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | fl | Out-String
        } Else {
            $OutPut += Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | ft | Out-String
        }
    }
}

$OutPut

if ($SendMail) {
    Send-MailMessage -From $SMTPfrom -to $SMTPto -Subject $SMTPsubject -Body $OutPut -SmtpServer $SMTPserver
}

param(

[string] $DomainControllers = "",

[bool] $FullDetails = $false,

[int] $HoursInThePast = 24,

[bool] $SendMail = $false,

[string] $SMTPfrom = "",

[string] $SMTPto = "",

[string] $SMTPsubject = "",

[string] $SMTPserver = ""

)

#4724 - user PW reset by admin

#4728 - user added to security group

#4729 - user removed from security group

$Query = @"

<Select Path="Security">*[System[(EventID=4724 or EventID=4728 or EventID=4729)]]</Select>

</Query>

</QueryList>

If ($DomainControllers.Length -eq 0) {

Import-Module ActiveDirectory

$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

ForEach($DC In $DomainControllers) {

Write-Host "checking DC: $DC"

$OutPut += "Export from DC: $DC"

$OutPut += ""

If ($FullDetails) {

$OutPut += Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | fl | Out-String

} Else {

$OutPut += Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | ft | Out-String

}

} Else {

$DCs = $DomainControllers.Split(',')

foreach ($DomainController in $DCs) {

Write-Host "checking DC: $DomainController"

$OutPut += "Export from DC: $DomainController"

$OutPut += ""

If ($FullDetails) {

$OutPut += Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | fl | Out-String

} Else {

$OutPut += Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | ft | Out-String

}

$OutPut

if ($SendMail) {

Send-MailMessage -From $SMTPfrom -to $SMTPto -Subject $SMTPsubject -Body $OutPut -SmtpServer $SMTPserver

}

August 1, 2019 by Florian Rossmark scripts security server

Find user account lockout events

There are various ways and tools to tackle this – in the end it boils down to a few facts

account lockouts are logged per domain controller – to be more specific – only on the DC where the lockout happened
- this can be complicated in bigger environments
the lockout event 4771 does not necessarily reveal the initial reason – but it should give you enough information about where it occurred to further investigate

The manual way via Eventlog / Eventviewer in Windows on a DC

right click on the SECURITY eventlog
select Filter Current Log
go to the register card XML
check the box Edit query manually
Insert the XML code below – make sure you replace the USERNAMEHERE value with the actual username
1. no domain
2. exact username
3. NOT case sensitive

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='USERNAMEHERE')]]</Select>
  </Query>
</QueryList>

<Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='USERNAMEHERE')]]</Select>

</Query>

</QueryList>

This results in to a filtered eventlog view for the event id 4771 and the username you specified.

Using PowerShell to automate this

PowerShell can execute a script that would give you the same output – I wrote the script below. It expects at least the parameter UserName – see below for more information.

UserName
- this parameter is mandatory – the exact username without the domain, this is NOT case sensitive
DomainController
- specify this to narrow it down to a single DC – otherwise all domain controllers will be contacted (might take a while)
FullDetails
- set it to $true if you want to see details – otherwise you get only the table format
Example
- Find-AccountLockoutOnDCForUser.ps1 -FullDetails $true -UserName JDoe

param(
    [string] $DomainController = "",
    [string] $UserName = "",
    [bool]   $FullDetails = $false
)

$Query = @"
<QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='$UserName')]]</Select>
  </Query>
</QueryList>
"@

If ($DomainController.Length -eq 0) {
    Import-Module ActiveDirectory
    $DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
    ForEach($DC In $DomainControllers) {
        Write-Host "checking DC: $DC"
        If ($FullDetails) {
            Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | fl
        } Else {
            Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | ft
        }
    }
} Else {
    If ($FullDetails) {
        Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | fl
    } Else {
        Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | ft
    }
}

param(

[string] $DomainController = "",

[string] $UserName = "",

[bool] $FullDetails = $false

)

$Query = @"

<Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='$UserName')]]</Select>

</Query>

</QueryList>

If ($DomainController.Length -eq 0) {

Import-Module ActiveDirectory

$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

ForEach($DC In $DomainControllers) {

Write-Host "checking DC: $DC"

If ($FullDetails) {

Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | fl

} Else {

Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | ft

}

} Else {

If ($FullDetails) {

Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | fl

} Else {

Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | ft

}

February 20, 2019 by Florian Rossmark scripts security server

APC network cards – fix logon issues

APC network cards – or the NIC of many APC devices like UPS and A/C – possibly even NetBotz (APC – aka. Schneider Eletric) tend to have an issue that the system is telling you in the browser that there is already a session active.

The reason is that they tend to keep the session online forever, if you don’t click on logoff before you close your browser etc.

What you will see is an error like this after you entered your valid credentials:

Notice

Someone is currently logged into the APC Management Web Server.

Please try again late

It is actually pretty easy to bypass this – you either use TELNET or SSH to logon to the system with the same credentials and then simply logout there.

While doing so – you logoff the user and you will be able to logon again.

November 21, 2018 by Florian Rossmark configuration security solutions

Monitor multiple website certificates with a single PRTG sensor

Due to a request on the PRTG KB of someone needing a single sensor that monitors multiple URLs for their certificate expiration I came up with the following script that is posted on this PRTG KB as well. The modified PowerShell script was provided there – it is mentioned it sourced from Stack Overflow – I found it on this link: https://stackoverflow.com/questions/28386579/modifying-ssl-cert-check-powershell-script-to-loop-through-multiple-sites

The result would look like this:

<PRTG>
  <result>
    <channel>google.com</channel>
    <value>66</value>
    <CustomUnit>days</CustomUnit>
    <LimitMinWarning>30</LimitMinWarning>
    <LimitMinError>5</LimitMinError>
  </result>
  <result>
    <channel>aol.com</channel>
    <value>143</value>
    <CustomUnit>days</CustomUnit>
    <LimitMinWarning>30</LimitMinWarning>
    <LimitMinError>5</LimitMinError>
  </result>
  <result>
    <channel>yahoo.com</channel>
    <value>96</value>
    <CustomUnit>days</CustomUnit>
    <LimitMinWarning>30</LimitMinWarning>
    <LimitMinError>5</LimitMinError>
  </result>
  <result>
    <channel>espn.com</channel>
    <value>-999</value>
    <CustomUnit>days</CustomUnit>
    <LimitMinWarning>30</LimitMinWarning>
    <LimitMinError>5</LimitMinError>
  </result>
  <text>Not reached pages: espn.com</text>
</PRTG>

<PRTG>

<channel>google.com</channel>

</result>

</result>

<channel>yahoo.com</channel>

</result>

</result>

<text>Not reached pages: espn.com</text>

</PRTG>

To make it more usable – you can input parameters from PRTG like this:

@("domain.com","domain2.com","domain3.com")

1	@("domain.com","domain2.com","domain3.com")

or this for limits – warning 60 and error 10 – you could name them but this should work as well…

@("domain.com","domain2.com","domain3.com") 60 10

1	@("domain.com","domain2.com","domain3.com") 60 10

And here is the modified script:

param(
    $WebsiteURLs= @("google.com","aol.com","yahoo.com","espn.com"),
    $LimitMinDaysWarning=30,
    $LimitMinDaysError=5
)

$WebsitePort=443
$Threshold=120
$Severe=30
$ID=0

$XML = "<PRTG>"
$TextError = ""
foreach ($WebsiteURL in $WebsiteURLs){
    $CommonName=$WebsiteURL
    $ID+=1
    Try{
        $Conn = New-Object System.Net.Sockets.TcpClient($WebsiteURL,$WebsitePort) 
        Try {
            $Stream = New-Object System.Net.Security.SslStream($Conn.GetStream(),$false, {
                param($sender, $certificate, $chain, $sslPolicyErrors) 
                return $true
            })
            $Stream.AuthenticateAsClient($CommonName) 

            $Cert = $Stream.Get_RemoteCertificate()
            $CN=(($cert.Subject -split "=")[1] -split ",")[0]
            $ValidTo = [datetime]::Parse($Cert.GetExpirationDatestring())

            $ValidDays = $($ValidTo - [datetime]::Now).Days
            $MyFontColor="darkgreen"
            if ($ValidDays -lt $Threshold) {
                $MyFontColor="darkyellow"
            } 
            if ($ValidDays -lt $Severe) {
                $MyFontColor="red"
            }
            $XML += "<result><channel>$WebsiteURL</channel><value>$ValidDays</value><CustomUnit>days</CustomUnit><LimitMinWarning>$LimitMinDaysWarning</LimitMinWarning><LimitMinError>$LimitMinDaysError</LimitMinError></result>"
        } Catch { 
            Throw $_ 
        } Finally { 
            $Conn.close() 
        }
    } Catch {
        $XML += "<result><channel>$WebsiteURL</channel><value>-999</value><CustomUnit>days</CustomUnit><LimitMinWarning>$LimitMinDaysWarning</LimitMinWarning><LimitMinError>$LimitMinDaysError</LimitMinError></result>"
        If ($TextError.Length -gt 0) {
            $TextError += " / "
        }
        $TextError += "$WebsiteURL"
    }
}
If ($TextError.Length -gt 0) {
    $XML += "<text>Not reached pages: $TextError</text>"
}
$XML += "</PRTG>"

Function WriteXmlToScreen ([xml]$xml) #just to make it clean XML code...
{
    $StringWriter = New-Object System.IO.StringWriter;
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
    $XmlWriter.Formatting = "indented";
    $xml.WriteTo($XmlWriter);
    $XmlWriter.Flush();
    $StringWriter.Flush();
    Write-Output $StringWriter.ToString();
}
WriteXmlToScreen "$XML"

param(

$WebsiteURLs= @("google.com","aol.com","yahoo.com","espn.com"),

$LimitMinDaysWarning=30,

$LimitMinDaysError=5

)

$WebsitePort=443

$Threshold=120

$Severe=30

$ID=0

$XML = "<PRTG>"

$TextError = ""

foreach ($WebsiteURL in $WebsiteURLs){

$CommonName=$WebsiteURL

$ID+=1

Try{

$Conn = New-Object System.Net.Sockets.TcpClient($WebsiteURL,$WebsitePort)

Try {

$Stream = New-Object System.Net.Security.SslStream($Conn.GetStream(),$false, {

param($sender, $certificate, $chain, $sslPolicyErrors)

return $true

})

$Stream.AuthenticateAsClient($CommonName)

$Cert = $Stream.Get_RemoteCertificate()

$CN=(($cert.Subject -split "=")[1] -split ",")[0]

$ValidTo = [datetime]::Parse($Cert.GetExpirationDatestring())

$ValidDays = $($ValidTo - [datetime]::Now).Days

$MyFontColor="darkgreen"

if ($ValidDays -lt $Threshold) {

$MyFontColor="darkyellow"

}

if ($ValidDays -lt $Severe) {

$MyFontColor="red"

}

$XML += "<result><channel>$WebsiteURL</channel><value>$ValidDays</value><CustomUnit>days</CustomUnit><LimitMinWarning>$LimitMinDaysWarning</LimitMinWarning><LimitMinError>$LimitMinDaysError</LimitMinError></result>"

} Catch {

Throw $_

} Finally {

$Conn.close()

}

} Catch {

$XML += "<result><channel>$WebsiteURL</channel><value>-999</value><CustomUnit>days</CustomUnit><LimitMinWarning>$LimitMinDaysWarning</LimitMinWarning><LimitMinError>$LimitMinDaysError</LimitMinError></result>"

If ($TextError.Length -gt 0) {

$TextError += " / "

}

$TextError += "$WebsiteURL"

}

If ($TextError.Length -gt 0) {

$XML += "<text>Not reached pages: $TextError</text>"

}

$XML += "</PRTG>"

Function WriteXmlToScreen ([xml]$xml) #just to make it clean XML code...

{

$StringWriter = New-Object System.IO.StringWriter;

$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;

$XmlWriter.Formatting = "indented";

$xml.WriteTo($XmlWriter);

$XmlWriter.Flush();

$StringWriter.Flush();

Write-Output $StringWriter.ToString();

}

WriteXmlToScreen "$XML"

November 9, 2018 by Florian Rossmark monitoring prtg scripts security web

Microsoft RADIUS / NPS SQL logging

An issue or question I see again and again – proper RADIUS logging with Microsoft NPS / Network Policy Server.

Let’s guide you through a few steps

Install a Microsoft SQL or if not available SQL Express
1. be aware – SQL Express has very tight database size limits and no SQL Agent – this might be an issue
Create a new database via SQL Management Studio in the SQL server
1. name it e.g. RADIUSLogging
run the SQL script from this Microsoft website in a new query window against this database (make sure it is not run against any other database by accident)
1. you could add a line like USE RADIUSLogging to prevent this – in the very top…
configure your RADIUS server to log to this SQL server and database
make sure you have fail-over logging to a text-file – to avoid issues in case your SQL DB grew to big or was not reachable for any reason
1. decide in the text-file configuration if you want to deny access if there is an issue or if you still want to proceed with the logon

Now you have RADIUS logging the information to a SQL database – actually a single table – and you can dig around in it. The IT-Assets database provides a front-end example for this – you don’t need to use it – but it might be of help – see here.

To interpret all those columns and values – look at the following links for additional information:

You will face the issue that the database will grow rapidly – depending on how many requests go to your RADIUS system etc… Keep an close eye on it – use a monitoring software like Paessler / PRTG to monitor the size and keep in mind that SQL Express might have size limits like 10 GB. The full version of Microsoft SQL has no such limits and further can you use SQL Agent to execute tasks. The following script can help you purging data from the RADIUS database to keep its size under control. You can use SQL Agent (not in SQL Express) to run it automatically or if you use SQL Express either run it manually or with another solution somehow automatically against the database delete older entries.

The script actually will purge data older then 14 days – you can adjust the days to your liking / needs.

DELETE FROM dbo.accounting_data
where datediff(day,dbo.accounting_data.timestamp,getdate()) >14

1 2	DELETE FROM dbo.accounting_data where datediff(day,dbo.accounting_data.timestamp,getdate()) >14

September 6, 2018 by Florian Rossmark configuration recommendations security server solutions

Enable SMBv1 on Windows 10 per GPO

SMBv1 is an insecure protocol that you should not use if by any means possible. Windows 10 has SMBv1 disabled by default. In order to enable it you would need to go to the Control Panel and activate the Windows Feature “SMB 1.0/CIFS File Sharing Support” and at a bare minim the “SMB 1.0/CIFS Client“. You actually might just want to do that cause you really shouldn’t add more SMBv1 servers to your network.

Before you proceed reading – if you really need to enable this protocol – please make sure your systems are all patched! Especially your target servers should be patched as well – assuming they are Windows XP / 2003 / Vista / 2008 / 7 / 2008 R2 / 8 / 8.1 / 2012 / 2012 R2 / 2016 and 10. I highly recommend to look at this Microsoft link: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010. Additionally do I want to mention that Windows XP and Windows 2003 can be patched as well – though they are not on the list of the previous link. Look at Microsoft KB4012598 for more information or use this download link https://www.microsoft.com/en-us/download/details.aspx?id=55245. I can not warn enough about SMBv1 – you open the doors for malware here that can bring down your network in minutes and cause huge damage!

Please note – I did not research in detail if other previous Windows versions did disabled SMBv1 already by default, this article might in any case apply to Windows 7, 8 and 8.1 as well and be applicable to Windows 2008, 2008 R2, 2012, 2012 R2 and 2016 as well as newer Windows versions to come.

Now, the issue with Windows 10 and SMBv1 disabled is that often old legacy Windows 2003 servers are around that can’t just be upgraded or replaced. In order to access any file share you would need to enable SMBv1 on the client workstations. This could sure be done by preparing your installation image etc. – but if you did not plan for this or want to have more granular control, you might consider using Group Policies / GPO to enabled this Windows Feature.

It is further worth noting that the easiest way to find the issue is not trying to access the UNC share via the server-name rather then directly typing in the IP address in your attempt. This way you actually get a way clearer error-message from Windows. I mention this, to show you and explain that there actually is a difference between trying to access a server-name and an IP address per UNC path – especially when it comes down to Windows 10 and the error messages you might see.

Officially enabling a Windows Feature is not supported per GPOs nor is there much information out there on how to enable SMBv1 per GPO. Having faced this challenge recently, I found a good working way that is pretty easy to implement.

enable the feature on 1x Windows 10 client
1. export / document the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10
2. copy the file %windir%\system32\drivers\mrxsmb10.sys
create a GPO
1. put the mrxsmb10.sys in the GPO or a central accessible file (the target computer account must be able to read the file! – I often put it in either NETLOGON or directly in the GPO / scripts folder)
2. Computer Configuration \ Preferences \ Windows Settings \ Files
  1. create a new entry to copy the file to the target system
  2. Source file: where you centrally placed the mrxsmb10.sys
  3. Destination file: %windir%\system32\drivers\mrxsmb10.sys
3. Computer Configuration \ Preferences \ Windows Settings \ Registry
  1. Create or import all the registry keys from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10

A registry hive export would look like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10]
"DisplayName"="@%systemroot%\\system32\\wkssvc.dll,-1004"
"ErrorControl"=dword:00000001
"Group"="Network"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6d,00,72,00,78,00,73,00,6d,00,62,\
  00,31,00,30,00,2e,00,73,00,79,00,73,00,00,00
"Start"=dword:00000002
"Tag"=dword:00000006
"Type"=dword:00000002
"Description"="@%systemroot%\\system32\\wkssvc.dll,-1005"
"DependOnService"=hex(7):6d,00,72,00,78,00,73,00,6d,00,62,00,00,00,00,00

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10]

"DisplayName"="@%systemroot%\\system32\\wkssvc.dll,-1004"

"ErrorControl"=dword:00000001

"Group"="Network"

"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\

52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6d,00,72,00,78,00,73,00,6d,00,62,\

00,31,00,30,00,2e,00,73,00,79,00,73,00,00,00

"Start"=dword:00000002

"Tag"=dword:00000006

"Type"=dword:00000002

"Description"="@%systemroot%\\system32\\wkssvc.dll,-1005"

"DependOnService"=hex(7):6d,00,72,00,78,00,73,00,6d,00,62,00,00,00,00,00

Apply the GPO to your target systems / workstations and reboot them – after that you will be able to access the necessary shares. The downside is – you don’t really see the feature as enabled in the Windows-Features. It will work nevertheless.

August 3, 2018 by Florian Rossmark configuration security server solutions windows

Monitor user accounts in Active Directory with PRTG

The following script will read through your current Active Directory and filter for user accounts with the following specific conditions:

Lockedout users – please read below for further information about this
- all users that are lockedout
- must be an enabled user
- that is not expired
disabled users
- all users that have been disabled
expired users
- must be an enabled user
- the expiration date is set and past the current date
users with password never expires set
- must be an enabled user

This will give you a pure counter output per channel in an for PRTG Extended script sensor XML result.

But there is a theoretical flaw in one of the methods – the locked out users. Now, user accounts get locked out in Active Directory due to too many logon attempts with an invalid password. This causes Active Directory to set the lockedout bit in the object properties. The issue here is that this bit will not be set back to 0 after the defined lockout duration (GPO) is past, the property will only be set back to 0 once the lockout duration is passed and he successfully logged on.

This means, the counter might give you more results then currently true, it might count users that have been locked out but the lockout-duration passed – but they did not yet logon successfully. This is somehow a false positive, while not totally false. In any case, you need to be aware of this.

The script could be more efficient as well in the way it filters a few things, so far I optimized it as far as I could – the LockedOut value can not be set as a -Filter, in theory it might be possible to speed it up with a -Filter to the UserAccountControl (if that is even possible – not tested) – but I am not certain this would work. If you really want to speed it up you would need to work with -LDAPFilter – but this actually needs to completely replace the internal filter capabilities of Get-ADUser – you can’t use both – it is one or the other.

Import-Module ActiveDirectory

#you could add - filters, a OU limitation or a server against whom this would be executed.. see Get-ADUser options for more details
#$Server = ""
#$OU = ""
#Get-ADUser -Server $Server -Filter
#Get-ADUser -SearchBase $OU -Filter

#all locked users that aren't disabled or expired
$LockedOutUsers=Get-ADUser -Filter {Enabled -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {$_.lockedout -eq $True -and (($_.AccountExpirationDate -gt (Get-Date) -or ($_.AccountExpirationDate -eq $null)))} 

#all users that are disabled - this is a manual action in Active Directory
$DisabledUsers=Get-ADUser -Filter {Enabled -eq $False -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate

#all users that are not disabled but expired already
$ExpiredUsers=Get-ADUser -Filter {Enabled -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {(($_.AccountExpirationDate -lt (Get-Date) -and ($_.AccountExpirationDate -ne $null)))} 

#users with not expiring passwords and are enabled and not expired
$NotExpiringPWD=Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate 


If ($LockedOutUsers.count -eq $null -and $LockedOutUsers -eq $null){
    $cntLockedOutUsers=0
}Elseif ($LockedOutUsers.count -eq $null -and $LockedOutUsers -ne $null){
    $cntLockedOutUsers=1
}Else{
    $cntLockedOutUsers=@($LockedOutUsers.count)
}

If ($DisabledUsers.count -eq $null -and $DisabledUsers -eq $null){
    $cntDisabledUsers=0
}Elseif ($DisabledUsers.count -eq $null -and $DisabledUsers -ne $null){
    $cntDisabledUsers=1
}Else{
    $cntDisabledUsers=@($DisabledUsers.count)
}

If ($ExpiredUsers.count -eq $null -and $ExpiredUsers -eq $null){
    $cntExpiredUsers=0
}Elseif ($ExpiredUsers.count -eq $null -and $ExpiredUsers -ne $null){
    $cntExpiredUsers=1
}Else{
    $cntExpiredUsers=@($ExpiredUsers.count)
}

If ($NotExpiringPWD.count -eq $null -and $NotExpiringPWD -eq $null){
    $cntNotExpiringPWD=0
}Elseif ($NotExpiringPWD.count -eq $null -and $NotExpiringPWD -ne $null){
    $cntNotExpiringPWD=1
}Else{
    $cntNotExpiringPWD=@($NotExpiringPWD.count)
}

$XML += "<prtg>"
$XML += "<result>" 
$XML += "<channel>Locked Out Users</channel>" 
$XML += "<value>$cntLockedOutUsers</value>" 
$XML += "</result>"
$XML += "<result>" 
$XML += "<channel>Disabled Users</channel>" 
$XML += "<value>$cntDisabledUsers</value>" 
$XML += "</result>"
$XML += "<result>" 
$XML += "<channel>Expired Users - not disabled</channel>" 
$XML += "<value>$cntExpiredUsers</value>" 
$XML += "</result>"
$XML += "<result>" 
$XML += "<channel>Users with password never expires</channel>" 
$XML += "<value>$cntNotExpiringPWD</value>" 
$XML += "</result>"
$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)
{
    $StringWriter = New-Object System.IO.StringWriter;
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
    $XmlWriter.Formatting = "indented";
    $xml.WriteTo($XmlWriter);
    $XmlWriter.Flush();
    $StringWriter.Flush();
    Write-Output $StringWriter.ToString();
}

WriteXmlToScreen $XML

Import-Module ActiveDirectory

#you could add - filters, a OU limitation or a server against whom this would be executed.. see Get-ADUser options for more details

#$Server = ""

#$OU = ""

#Get-ADUser -Server $Server -Filter

#Get-ADUser -SearchBase $OU -Filter

#all locked users that aren't disabled or expired

$LockedOutUsers=Get-ADUser -Filter {Enabled -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {$_.lockedout -eq $True -and (($_.AccountExpirationDate -gt (Get-Date) -or ($_.AccountExpirationDate -eq $null)))}

#all users that are disabled - this is a manual action in Active Directory

$DisabledUsers=Get-ADUser -Filter {Enabled -eq $False -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate

#all users that are not disabled but expired already

$ExpiredUsers=Get-ADUser -Filter {Enabled -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {(($_.AccountExpirationDate -lt (Get-Date) -and ($_.AccountExpirationDate -ne $null)))}

#users with not expiring passwords and are enabled and not expired

$NotExpiringPWD=Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate

If ($LockedOutUsers.count -eq $null -and $LockedOutUsers -eq $null){

$cntLockedOutUsers=0

}Elseif ($LockedOutUsers.count -eq $null -and $LockedOutUsers -ne $null){

$cntLockedOutUsers=1

}Else{

$cntLockedOutUsers=@($LockedOutUsers.count)

}

If ($DisabledUsers.count -eq $null -and $DisabledUsers -eq $null){

$cntDisabledUsers=0

}Elseif ($DisabledUsers.count -eq $null -and $DisabledUsers -ne $null){

$cntDisabledUsers=1

}Else{

$cntDisabledUsers=@($DisabledUsers.count)

}

If ($ExpiredUsers.count -eq $null -and $ExpiredUsers -eq $null){

$cntExpiredUsers=0

}Elseif ($ExpiredUsers.count -eq $null -and $ExpiredUsers -ne $null){

$cntExpiredUsers=1

}Else{

$cntExpiredUsers=@($ExpiredUsers.count)

}

If ($NotExpiringPWD.count -eq $null -and $NotExpiringPWD -eq $null){

$cntNotExpiringPWD=0

}Elseif ($NotExpiringPWD.count -eq $null -and $NotExpiringPWD -ne $null){

$cntNotExpiringPWD=1

}Else{

$cntNotExpiringPWD=@($NotExpiringPWD.count)

}

$XML += "<prtg>"

$XML += "<result>"

$XML += "<channel>Locked Out Users</channel>"

$XML += "<value>$cntLockedOutUsers</value>"

$XML += "</result>"

$XML += "<result>"

$XML += "<channel>Disabled Users</channel>"

$XML += "<value>$cntDisabledUsers</value>"

$XML += "</result>"

$XML += "<result>"

$XML += "<channel>Expired Users - not disabled</channel>"

$XML += "<value>$cntExpiredUsers</value>"

$XML += "</result>"

$XML += "<result>"

$XML += "<channel>Users with password never expires</channel>"

$XML += "<value>$cntNotExpiringPWD</value>"

$XML += "</result>"

$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)

{

$StringWriter = New-Object System.IO.StringWriter;

$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;

$XmlWriter.Formatting = "indented";

$xml.WriteTo($XmlWriter);

$XmlWriter.Flush();

$StringWriter.Flush();

Write-Output $StringWriter.ToString();

}

WriteXmlToScreen $XML

This script updated with a corrected version as of February 2019 and was also posted in the PRTG knowledge base here.

July 19, 2018 by Florian Rossmark monitoring prtg scripts security server

Password expiration notifications for end users

Today I wanted to share a script with you that allows you to inform your users per email that their password will expire or even is expired and reminds them about your password policies like complex passwords and how to chose a password. This is a simple VBScript and can easily be adjusted. The email will be generated from a file, in this case a HTML file that you provide. You can adjust the content of this HTML file as you need it. There are sure many commercial solutions out there that can do more then this script, but if you want to save the money and are satisfied with the provided options, this sure can be a good alternative.

Let me mention one thing about passwords first – most of us live with the usual policy that passwords should be changed periodically and need to be of a certain length and complexity. We all live with the daily calls of the help-desk about forgotten passwords, not changed passwords (pretty much why I wrote the script) and so on – what changed was a new recommendation in late 2017 or early 2018 that actually is based on statistics and data and now says – yes – complex passwords and certain lengths – but do not enforce periodic changes of those passwords due to this actually resulting in to less secure passwords while users might only change a number or even write those passwords more likely down and therefor compromising the whole attempt to secure the system.

Anyways – the next few lines will explain the parameters you can adjust in the top section of the VBS script – further below I will post the script and an example HTML file so you can start right away.

The options are between the lines 7 and 61 – don’t be scared – most of them are pretty simple to understand and are actually explained in the script itself. You should not need to modify anything outside those two lines.

About the parameter naming convention and possible values:

starting with str as strings – those expect text-markers and alphanumeric values “text”
starting with int as integer values – those are direct numeric values – e.g. 123
starting with bol are boolean values – those can be either TRUE or FALSE – meaning on or off

Here are the options you can set:

strSMTPServer: SMTP mail server DNS name or IP address
intSMTPServerPort: SMTP mail server port – normally 25
strFrom: SMTP mail from address
strToAdmin: SMTP mail to address for administrator emails
strAdminMailSubject: subject for mail to administrators
strUserMailSubjectExpired: subject for mails to user when password is expired
strUserMailSubjectWillExpire: subject for mail to user when password will expire – the exact word REPLACEWITHDAYS will be replaced by the days left value so mention it in the subject line if you want to see the value there
strBodyURL: URL or full file-path (HTML file path e.g. file://) to import for body, the entire content of this URL/FILE will be imported to the body of the email and should explain ways how to change the password
strAttachment: full file-path to an attachment for the email to the users / leave empty if no attachment
strLDAPSortColumn: per default: pwdLastSet / sort column for LDAP query
intStartWithPWexpiresInDays: If the passwords expires in days N or less, the script will inform the user – keep in mind – if you run the script daily, those users will get an email every day once their password will expire in less then the indicated days. 5 is sure a good start.
bolIgnoreDisabledAccounts: Disabled accounts should always be ignored
bolInformAdminAboutPWexpires: this will inform the admin about expiring passwords
bolInformAdminAboutPWisExpired: this will inform the admin about accounts with expired passwords
bolInformAdminAboutPWneverExpires: this will inform the admin about accounts with password set to never expire
bolInformAdminAboutUserCantChangePW: this will inform the admin about users who are not allowed to change their password
bolInformAdminAboutAccountDisabled: this will inform the admin about disabled accounts found – this would have been done in ADS by an administrator
bolInformAdminAboutExpiredUserAccount: this will inform the admin if the user account has an expiration date and the account is expired
bolInformAdminAboutAccountWithoutEMail: this will inform the admin about accounts without a set email address
bolInformAdminAboutStillGoodPasswords: this will inform the admin about users/passwords that are still valid
bolInformAdminAboutIgnoredUsersExcludedByGroup: this will inform the admin about users that have been ignored by the strGroupsExclude filter
Please Note: the status account locked will not be checked, this should be corrected automatically by the default security GPO instead (will be in most cases by default)
strSearchOUs: Filter Priority 1 – only users in those OU paths will be processed. Use LDAP DN like: “OU=Folder,OU=Folder,DC=Domain,DC=local”, you do not need to include the DC=Domain,DC=local – the script will add this information if necessary. Use | (pipe) if you want to add more then one LDAP DN path. Leave empty (“”) to disable this filter
strGroupsExclude : Filter Priority 2 – if the user object is still not excluded, this group exclude filter will be applied. If the user is member of one of those groups (if multiple groups are defined), he will be ignored. Use | (pipe) if you want to add more then one GroupName. Leave empty (“”) to disable this filter. Example: “Group Number1|GroupNumber2”
strGroupsInclude: Filter Priority 3 – if the user object is still not excluded, this group Include filter will be applied. The user has to be a member of one of those groups (if multiple groups are defined). Use | (pipe) if you want to add more then one GroupName. Leave empty (“”) to disable this filter. Example: “Group Number1|GroupNumber2”
bolDebug: set TRUE for script-output, highly recommended to execute the Script in CMD with CSCRIPT <ScriptName> so you see it in a command window instead of dialog boxes.
bolAttachDebugToAdminMail: the debug output will be attached to the admin-mail (independent from bolDebug)
bolTestDebugOutputToConsoleOnly: this will disable the mail.send – only output to the CMD will be generated, please enable bolDebug
bolRedirectMailToAdmin: this will redirect all mails to the admin, instead of sending them to the user – the subject line will include the user-mail address in this case – this allows you to do a real test and actually see what would be send out to whom – without actually sending the emails to the end user
bolAdminMailOnly: this will send the admin-mail only, no user mail will be generated

'This VBScript will run aggainst the ActiveDirectory Domain the executing User is a Member of. 
'The executing User does not need to be an Domain-Administrator of any kind, a simply User is able to read the necessary information from ActiveDirectory
'
'Please configure the following Options - the Script does not accept or expect any Start-Parameter
'
'Version 2.2 - 04/12/2017: Florian Rossmark
'---------------------------------- START OPTIONS ----------------------------------

Const strSMTPServer = "relay.domain.com" 'SMTP Mail-Server to use
Const intSMTPServerPort = 25 'SMTP Mail-Server connection Port Number
Const strFrom = "pwdscript@domain.com" 'SMTP Mail From Address
Const strToAdmin = "helpdesk@domain.com" 'SMTP Mail To Address for Administrator 
Const strAdminMailSubject = "Company Name - User Password Script Results to Admin" 'Subject for Mail to Admin
Const strUserMailSubjectExpired = "Your password has expired!" 'Subject for Mail to User when Password is expired
Const strUserMailSubjectWillExpire = "Your password will expire in REPLACEWITHDAYS days" 'Subject for Mail to User when Password will expire - the exact word REPLACEWITHDAYS will be replaced by the days left value
Const strBodyURL = "file://C:/scripts/PWD/PWDExpire.html" 'URL or full file-path (HTML) to import for Body, the entire content of this URL/FILE will be imported to the Body of the email and should explain ways how to change the password
Const strAttachment = "" 'full File-Path to an attachment for the email to the users / leave empty if no attachment

Const strLDAPSortColumn = "pwdLastSet" 'per default: pwdLastSet / sort column for LDAP query

Const intStartWithPWexpiresInDays = 5 'If the Passwords expires in days N or less, the script will inform the user

Const bolIgnoreDisabledAccounts = True 'Disabled accounts should always be ignored

Const bolInformAdminAboutPWexpires = True 'This will inform the Admin about expiring passwords
Const bolInformAdminAboutPWisExpired = True 'This will inform the Admin about accounts with expired Passwords
Const bolInformAdminAboutPWneverExpires = True 'This will inform the Admin about accounts with password set to never expire
Const bolInformAdminAboutUserCantChangePW = True 'This will inform the Admin about users who are not allowed to change their password
Const bolInformAdminAboutAccountDisabled = True 'This will inform the Admin about disabled accounts found - this would have been done in ADS by an administrator
Const bolInformAdminAboutExpiredUserAccount = True 'This will inform the admin if the User Account has an expiration date and the account is expired
Const bolInformAdminAboutAccountWithoutEMail = True 'This will inform the Admin about accounts without a set email address
Const bolInformAdminAboutStillGoodPasswords = True 'This will inform the Admin about Users/Passwords that are still valid
Const bolInformAdminAboutIgnoredUsersExcludedByGroup = True 'This will inform the Admin about Users that have been ignored by the strGroupsExclude filter
'Please Note: Status Account Locked will not be checked, this should be corrected automatically by the Default Security GPO instead (will be in most cases by default)

'Filter Priority 1 - only Users in those OU Paths will be processed
'Use LDAP DN like: "OU=Folder,OU=Folder,DC=Domain,DC=local", you do not need to include the DC=Domain,DC=local - the Script will add this information if necessary
'Use | (pipe) if you want to add more then one LDAP DN Path
'Leave empty ("") to disable this filter
Const strSearchOUs = "" '"OU=Users,OU=Site,DC=domain,DC=local"

'Filter Priority 2 - if the User Object is still not excluded, this Group Exclude filter will be applied
'If the user is member of one of those groups (if multiple groups are defined), he will be ignored
'Use | (pipe) if you want to add more then one GroupName
'Leave empty ("") to disable this filter
'Example: "Group Number1|GroupNumber2"
Const strGroupsExclude = "No Password notification emails"

'Filter Priority 3 - if the User Object is still not excluded, this Group Include filter will be applied
'The user has to be a member of one of those groups (if multiple groups are defined)
'Use | (pipe) if you want to add more then one GroupName
'Leave empty ("") to disable this filter
'Example: "Group Number1|GroupNumber2"
Const strGroupsInclude = ""

Const bolDebug = True 'Set TRUE for Script-Output, highly recommended to execute the Script in CMD with CSCRIPT <ScriptName>
Const bolAttachDebugToAdminMail = False 'The Debug Output will be attached to the Admin-Mail (independent from bolDebug)
Const bolTestDebugOutputToConsoleOnly = False 'This will disable the Mail.Send - only output to the CMD will be generated, please enable bolDebug 
Const bolRedirectMailToAdmin = True 'This will redirect all Mails to the Admin, instead of sending them to the User - the Subject line will include the User-Mail Address in this case
Const bolAdminMailOnly = False 'This will send the Admin-Mail only, no User Mail will be generated
'---------------------------------- END OPTIONS ----------------------------------

'---------------------------------- Script starts here ----------------------------------
'---------------------------------- please do not modify after this line ----------------------------------

'Reference: https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536
Const ADS_UF_PASSWD_CANT_CHANGE = 64
Const ADS_UF_PASSWORD_EXPIRED = 8388608
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

'A few Global Variables for the Admin-Mail
Dim strAdminPWexpires, strAdminPWisExpired, strAdminPWneverExpires, strAdminUserCantChangePW, strAdminAccountDisabled, strAdminExpiredUserAccount, strAdminAccountWithoutEMail, strAdminPWstillGood, strAdminIgnoredUsersExcludedByGroup
Dim strAdminErrorUsers
Dim strAdminDebug

SearchADS() 'Let's Start the actual process

'starts the actual search procedure - in a sub so it is easier to keep overview of the script
Sub SearchADS()

Dim objADSRoot, objADSDomain, objADSConnection, objADSCommand, objMaxPWDage, objUser
Dim intMaxPWDage, intDaysLeft
Dim bolProcessUser
Dim cntArray
Dim arrSearchOUs, arrGroupsExclude, arrGroupsInclude
Dim iADSCommand
Dim strFirstFoundGroupMembership

arrGroupsExclude = Split(strGroupsExclude, "|")
arrGroupsInclude = Split(strGroupsInclude, "|")

'Connect to ADS and get Users
Set objADSRoot = GetObject("LDAP://rootDSE") 
Set objADSDomain = GetObject("LDAP://" & objADSRoot.Get("defaultNamingContext"))
Set objMaxPWDage = objADSDomain.Get("maxPwdAge") 'please note, this script can't obey the latest ADS multible password GPO rules, it will only follow the standard with only one password rule
intMaxPWDage = CCur((objMaxPWDage.HighPart * 2 ^ 32) + objMaxPWDage.LowPart) / CCur(-864000000000) 
If Not intMaxPWDage > 0 Then 'Passwords won't expire at all
ScriptDebug("intMaxPWDage is set to: " & intMaxPWDage & " - Script stopped")
SendEmailNotification True, "", True, 0, "intMaxPWDage is incorrect, please check ADS configuration. Script aborded" 'Inform that there is no expiration configuration in Active Directory
Exit Sub 'Stop the Sub / End the Search
End If
Set objADSConnection = CreateObject("ADODB.Connection")
objADSConnection.Open "Provider=ADsDSOObject;"
Set objADSCommand = CreateObject("ADODB.Command")
objADSCommand.ActiveConnection = objADSConnection
If Not Len(strSearchOUs) > 0 Then
ReDim arrSearchOUs(0) 'we still need an array to run the For Next 
arrSearchOUs(0) = ""
Else
arrSearchOUs = Split(strSearchOUs, "|")
End If
For iADSCommand = 0 To UBound(arrSearchOUs) 'we already filter OUs if necessary - filter priority 1
If Len(strSearchOUs) > 0 Then 'we need everytime a new objADSDomain to set the Filter based on the OU
If Not Right(arrSearchOUs(iADSCommand),Len(objADSRoot.Get("defaultNamingContext"))) = objADSRoot.Get("defaultNamingContext") Then
If Not Right(arrSearchOUs(iADSCommand),1) = "'" Then
arrSearchOUs(iADSCommand) = arrSearchOUs(iADSCommand) & ","
End If
arrSearchOUs(iADSCommand) = arrSearchOUs(iADSCommand) & objADSRoot.Get("defaultNamingContext")
End If
ScriptDebug("Searching LDAP Path: " & arrSearchOUs(iADSCommand))
Set objADSDomain = GetObject("LDAP://" & arrSearchOUs(iADSCommand))
End If
'samAccountType=805306368 / this is the correct value for USERS only - a search for the ObjectClass USER will also list Contacts
objADSCommand.CommandText = "<" & objADSDomain.ADsPath & ">;(&(samAccountType=805306368));userAccountControl,sAMAccountName,givenName,sn,mail,distinguishedName,lockoutTime;subtree"
objADSCommand.Properties("Sort on") = strLDAPSortColumn
Set rs = objADSCommand.Execute
If Not rs.EOF Then
Do While Not rs.EOF
ScriptDebug("") 'Empty Line before each run for easier to read output
ScriptDebug("PROCESSING USER: " & NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ")")
intDaysLeft = 0
bolProcessUser = True

'Priority 2 - Exclude the following groups
If Len(strGroupsExclude) > 0 Then 
strFirstFoundGroupMembership = "" 'just to make sure, lets clean the variable
If IsUserInGroup(rs("distinguishedName"), arrGroupsExclude, strFirstFoundGroupMembership) Then 'User is Member of the Group, we ignore him
ScriptDebug("..USER IS MEMBER OF EXCLUDED GROUP: " & strFirstFoundGroupMembership & " - IGNORING USER")
bolProcessUser = False
'old info - 'We don't inform the Admin in this case, would be done over the Debug Info
If bolInformAdminAboutIgnoredUsersExcludedByGroup Then
strAdminIgnoredUsersExcludedByGroup = AddAdminInfoTo(strAdminIgnoredUsersExcludedByGroup, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat((GetPWDaysLeft(rs("distinguishedName"), NZ(rs("givenName"), ""), NZ(rs("sn"), ""), NZ(rs("sAMAccountName"), ""), intDaysLeft, intMaxPWDage) * -1)), True) 'Add to Admin Info
End If
End If
End If

'Priority 3 - Include the following groups
If bolProcessUser Then 'do we still go on with this User?
If Len(strGroupsInclude) > 0 Then
strFirstFoundGroupMembership = "" 'just to make sure, lets clean the variable
If Not IsUserInGroup(rs("distinguishedName"), arrGroupsInclude, strFirstFoundGroupMembership) Then 'User is Member of the Group, we ignore him
ScriptDebug("..USER IS NOT A MEMBER OF ANY OF THE INCLUDED GROUPS - IGNORING USER")
bolProcessUser = False
'old info - 'We don't inform the Admin in this case, would be done over the Debug Info
If bolInformAdminAboutIgnoredUsersExcludedByGroup Then
strAdminIgnoredUsersExcludedByGroup = AddAdminInfoTo(strAdminIgnoredUsersExcludedByGroup, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat((GetPWDaysLeft(rs("distinguishedName"), NZ(rs("givenName"), ""), NZ(rs("sn"), ""), NZ(rs("sAMAccountName"), ""), intDaysLeft, intMaxPWDage) * -1)), True) 'Add to Admin Info
End If 
Else 'User will be noramlly proccessed, we still inform about it in the Script-Debug
ScriptDebug("..USER IS MEMBER OF INCLUDED GROUP: " & strFirstFoundGroupMembership & " - PROCESSING USER")
End If 
End If
End If

'Priority 4 - disabled account? this would have been done by an administrator
If bolProcessUser Then 'do we still go on with this User?
If IsAccountDisabled(rs("distinguishedName")) Then 'Account is disabled
ScriptDebug("..DISABLED USER ACCOUNT FOUND")
If bolIgnoreDisabledAccounts Then 'do we ignore this Account?
bolProcessUser = False
End If
If bolInformAdminAboutAccountDisabled Then
'strAdminAccountDisabled = AddAdminInfoTo(strAdminAccountDisabled, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ")") 'Add to Admin Info
strAdminAccountDisabled = AddAdminInfoTo(strAdminAccountDisabled, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), ""), True) 'Add to Admin Info
End If
End If
End If

'Priority 5 - Will User Account expire? (we only check if it is expired, if yes we take action)
If bolProcessUser Then 'do we still go on with this User?
If IsUserAccountExpired(rs("distinguishedName"), dtmExpiration) Then
bolProcessUser = False
ScriptDebug("..USER ACCOUNT IS EXPIRED SINCE: " & dtmExpiration)
If bolInformAdminAboutExpiredUserAccount Then
'strAdminExpiredUserAccount = AddAdminInfoTo(strAdminExpiredUserAccount, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ") - User expired since: " & dtmExpiration) 'Add to Admin Info
strAdminExpiredUserAccount = AddAdminInfoTo(strAdminExpiredUserAccount, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat(dtmExpiration), True) 'Add to Admin Info
End If
End If
End If

'Priority 6 - password never expires? this would have been done by an administrator
If bolProcessUser Then 'do we still go on with this User?
If PasswordDoesExpire(rs("userAccountControl")) Then 'Password does not expire
ScriptDebug("..USER WITH PASSWORD WILL NOT EXPIRE FOUND")
bolProcessUser = False
If bolInformAdminAboutPWneverExpires Then
'strAdminPWneverExpires = AddAdminInfoTo(strAdminPWneverExpires, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ")") 'Add to Admin Info
strAdminPWneverExpires = AddAdminInfoTo(strAdminPWneverExpires, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), ""), True) 'Add to Admin Info
End If
End If 
End If

'Priority 7 - User can't even change the password? this would have been done by an administrator
If bolProcessUser Then 'do we still go on with this User?
If UserCantChangePassword(rs("distinguishedName")) Then 'User can't change Password
ScriptDebug("..USER WITH CAN'T CHANGE PASSWORD FOUND")
bolProcessUser = False
If bolInformAdminAboutUserCantChangePW Then
'strAdminUserCantChangePW = AddAdminInfoTo(strAdminUserCantChangePW, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ")") 'Add to Admin Info
strAdminUserCantChangePW = AddAdminInfoTo(strAdminUserCantChangePW, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), ""), True) 'Add to Admin Info
End If
End If
End If

'Priority 8 - User does not have an EMail Address? can't inform User if PW is about to expire what shall we do?
If bolProcessUser Then 'do we still go on with this User?
If Not Len(NZ(rs("mail"), "")) > 0 Then 'User is missing email address
ScriptDebug("..USER WITHOUT EMAIL ADDRESS FOUND")
bolProcessUser = False
If bolInformAdminAboutAccountWithoutEMail Then
'strAdminAccountWithoutEMail = AddAdminInfoTo(strAdminAccountWithoutEMail, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ") - Days Left: " & (GetPWDaysLeft(rs("distinguishedName"), NZ(rs("givenName"), ""), NZ(rs("sn"), ""), NZ(rs("sAMAccountName"), ""), intDaysLeft, intMaxPWDage) * -1)) 'Add to Admin Info
strAdminAccountWithoutEMail = AddAdminInfoTo(strAdminAccountWithoutEMail, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat((GetPWDaysLeft(rs("distinguishedName"), NZ(rs("givenName"), ""), NZ(rs("sn"), ""), NZ(rs("sAMAccountName"), ""), intDaysLeft, intMaxPWDage) * -1)), True) 'Add to Admin Info
End If
End If 
End If

'Priority 9 - now we check the Password Age and take action
If bolProcessUser Then 'do we still go on with this User?
If PasswordIsExpired(rs("userAccountControl")) Then 'The Password is already expired? We need to take action / this will be double checked later on with a calculation
ScriptDebug("..PASSWORD IS EXPIRED")
SendEmailNotification False, NZ(rs("mail"), ""), True, 0, "" 'Inform the USER about the expired Password 
If bolInformAdminAboutPWisExpired Then
'strAdminPWisExpired = AddAdminInfoTo(strAdminPWisExpired, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ")") 'Add to Admin Info
strAdminPWisExpired = AddAdminInfoTo(strAdminPWisExpired, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat((GetPWDaysLeft(rs("distinguishedName"), NZ(rs("givenName"), ""), NZ(rs("sn"), ""), NZ(rs("sAMAccountName"), ""), intDaysLeft, intMaxPWDage) * -1)), True) 'Add to Admin Info
End If
Else 'Password is not expired yet, how many days does the User have left?
Set objUser = GetObject("LDAP://" & rs("distinguishedName"))

intDaysLeft = GetPWDaysLeft(rs("distinguishedName"), NZ(rs("givenName"), ""), NZ(rs("sn"), ""), NZ(rs("sAMAccountName"), ""), intDaysLeft, intMaxPWDage)

If intDaysLeft <= 0 Then 'we have a number of days left
If intStartWithPWexpiresInDays >= (intDaysLeft * -1) Then 'User is to be informed, his days left are less then defined
ScriptDebug("..PASSWORD FOR USER WILL EXPIRE IN: " & (intDaysLeft * -1) & " DAYS")
SendEmailNotification False, NZ(rs("mail"), ""), False, (intDaysLeft * -1), "" 'Inform the USER that the Password will expire
If bolInformAdminAboutPWexpires Then
'strAdminPWexpires = AddAdminInfoTo(strAdminPWexpires, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ") - Days Left: " & (intDaysLeft * -1)) 'Add to Admin Info
strAdminPWexpires = AddAdminInfoTo(strAdminPWexpires, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat((intDaysLeft * -1)), True) 'Add to Admin Info
End If
Else 'User has more days left then needed by Script Configuration
'we do not need to take action - we do not even send Mail to the Admin
ScriptDebug("..USER PASSWORD IS STILL GOOD - DAYS LEFT: " & (intDaysLeft * -1))
If bolInformAdminAboutStillGoodPasswords Then
'strAdminPWstillGood = AddAdminInfoTo(strAdminPWstillGood, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ") - Days Left: " & (intDaysLeft * -1)) 'Add to Admin Info
strAdminPWstillGood = AddAdminInfoTo(strAdminPWstillGood, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat((intDaysLeft * -1)), True) 'Add to Admin Info
End If
End If
Else 'Password is already expired and needs to be changed now / second check, first one might not give the needed information
ScriptDebug("..PASSWORD IS EXPIRED FOR: " & (intDaysLeft * -1) & " DAYS")
SendEmailNotification False, NZ(rs("mail"), ""), True, 0, "" 'Inform the USER about the expired Password 
If bolInformAdminAboutPWisExpired Then
'strAdminPWisExpired = AddAdminInfoTo(strAdminPWisExpired, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ") - Days expired: " & (intDaysLeft * -1)) 'Add to Admin Info
strAdminPWisExpired = AddAdminInfoTo(strAdminPWisExpired, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat((intDaysLeft * -1)), True) 'Add to Admin Info
End If
End If

Set objUser = Nothing 'to make sure the Object is release
End If
End If 

rs.MoveNext
Loop
End If
Set rs = Nothing
Next 'Next from arrSearchOUs
Set objADSCommand = Nothing
Set objADSConnection = Nothing
Set objADSDomain = Nothing
Set objADSRoot = Nothing

ScriptDebug("")
ScriptDebug("SCRIPT ENDED SUCCESSFULLY => Sending Admin Mail")
SendEmailNotification True, "", True, 0, GenerateAdminMailBody 'Send the final admin notification with the requested information

End Sub

'Function returns days left for Password of User-Object (uses default Value intDaysLeft)
Function GetPWDaysLeft(strDistinguishedName, strGivenName, strSN, strsAMAccountName, intDaysLeft, intMaxPWDage)

Dim objUser

Set objUser = GetObject("LDAP://" & strDistinguishedName)

On Error Resume Next
'intDaysLeft will be negative, like a countdown, T minus DAYS
intDaysLeft = DateDiff("d", objUser.PasswordLastChanged, Now) - intMaxPWDage
If Err Then
If Err.Number = &h8000500d Then 'PWD was just changed
intDaysLeft = intMaxPWDage
ScriptDebug("..USER PASSWORD WAS JUST CHANGED")
'we don't send any Mails about this
Else 'unexpexted Error occured - this shouldn't happen at all!
ScriptDebug("..UNEXPECTED ERROR (UserPasswordLastChanged)")
'strAdminErrorUsers = AddAdminInfoTo(strAdminErrorUsers, strGivenName & " " & strSN & " (" & strsAMAccountName & ")") 'Add to Admin Info
strAdminErrorUsers = AddAdminInfoTo(strAdminErrorUsers, strGivenName & "</td><td>" & strSN & "</td><td>" & strsAMAccountName, True) 'Add to Admin Info
End If
End If
Err.Clear
On Error Goto 0

Set objUser = Nothing

GetPWDaysLeft = Round(intDaysLeft, 0)

End Function

Function IsUserAccountExpired(distinguishedName, dtmExpirationDate)

Dim bolReturn
Dim objUser
Dim dtmAccountExpiration

bolReturn = False

If NZ(distinguishedName, "") <> "" Then
Set objUser = GetObject("LDAP://" & distinguishedName)
On Error Resume Next
dtmAccountExpiration = objUser.AccountExpirationDate
If Err.Number = -2147467259 Or dtmAccountExpiration = "1/1/1970" Then 'Account has no expiration date specified
'we do nothing - not even a debug message
Else 'Account has expireation date
If DateDiff("d", dtmAccountExpiration, Now) > 0 Then
bolReturn = True
dtmExpirationDate = dtmAccountExpiration
End If 
End If
On Error Goto 0
Set objUser = Nothing
End If

IsUserAccountExpired = bolReturn

End Function

'Is the User Member of one of the Groups in the Array? Give back first GroupName found if possible
Function IsUserInGroup(distinguishedName, arrGroups, FirstFoundGroupMembership)

Dim objUser, objGroup
Dim i
Dim strGroupName
Dim bolFound

bolFound = False
If NZ(distinguishedName, "") <> "" Then
Set objUser = GetObject("LDAP://" & distinguishedName)
On Error Resume Next
For Each objGroup In objUser.GetEx("memberOf")
strGroupName = Split(objGroup,",")(0)
strGroupName = Right(strGroupName, (Len(strGroupName)-3))
For i = 0 To UBound(arrGroups)
If LCase(strGroupName) = LCase(arrGroups(i)) Then
bolFound = True
FirstFoundGroupMembership = strGroupName
IsUserInGroup = True
Exit For
End If
Next
If bolFound Then
Exit For
End If
Next
On Error Goto 0
Set objUser = Nothing
Else
IsUserInGroup = False 'couldn't find User distinguishedName - not really possible
End If

End Function

'Is the Password Expired?
Function PasswordIsExpired(userAccountControl)
If NZ(userAccountControl, "") <> "" Then
If ADS_UF_PASSWORD_EXPIRED And userAccountControl Then
PasswordIsExpired = True
Else
PasswordIsExpired = False
End If
Else
PasswordIsExpired = False
End If
End Function

'Is the User able to change to Password?
Function UserCantChangePassword(distinguishedName)

Dim bolReturn
Dim objUser, objSD, objDACL, objACE

bolReturn = False
If NZ(distinguishedName, "") <> "" Then
On Error Resume Next
Set objUser = GetObject("LDAP://" & distinguishedName)
Set objSD = objUser.Get("nTSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
For Each objACE in objDACL
If objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT And LCase(objACE.ObjectType) = CHANGE_PASSWORD_GUID Then
bolReturn = True
Exit For
End If
Next
Set objDACL = Nothing
Set objSD = Nothing
Set objUser = Nothing
On Error Goto 0
End If
UserCantChangePassword = bolReturn

End Function

'Does the Account PW expire or not?
Function PasswordDoesExpire(userAccountControl)
If NZ(userAccountControl, "") <> "" Then
If ADS_UF_DONT_EXPIRE_PASSWD And userAccountControl Then
PasswordDoesExpire = True
Else
PasswordDoesExpire = False
End If
Else
PasswordDoesExpire = False
End If
End Function

'Account Disabled or not
Function IsAccountDisabled(distinguishedName)

Dim bolReturn
Dim objUser

bolReturn = False
If NZ(distinguishedName, "") <> "" Then
On Error Resume Next
Set objUser = GetObject("LDAP://" & distinguishedName)
bolReturn = objUser.AccountDisabled 
Set objUser = Nothing
On Error Goto 0
End If
IsAccountDisabled = bolReturn

End Function

'NZ equivalent to VBA
Function NZ(Value,alternativeValue)
If IsNull(Value) Then
NZ = alternativeValue
Else
NZ = Value
End If
End Function

'Adds the Information as needed to the specified Variable as a new Line and returns the complete new string
Function AddAdminInfoTo(CurrentString, NewTextLine, IsTable)
If Not Len(NZ(CurrentString, "")) > 0 Then
'AddAdminInfoTo = NewTextLine
If Not IsTable Then
AddAdminInfoTo = NewTextLine
Else
AddAdminInfoTo = CurrentString & "<tr><td>" & Replace(NewTextLine, vbNewLine, "") & "</td></tr>"
End If 
Else
'AddAdminInfoTo = CurrentString & vbNewLine & NewTextLine
If Not IsTable Then
AddAdminInfoTo = CurrentString & vbNewLine & NewTextLine
Else
AddAdminInfoTo = CurrentString & "<tr><td>" & Replace(NewTextLine, vbNewLine, "") & "</td></tr>"
End If
End If
End Function

'Reformatts the Days-Left into a special div tag if it is negative/positive
Function AdminInfoDaysLeftHTMLFormat(DaysLeft)
If DaysLeft > 0 Then
AdminInfoDaysLeftHTMLFormat = "<div class=""dayspositive"">" & DaysLeft & "</div>"
Else
AdminInfoDaysLeftHTMLFormat = "<div class=""daysnegative"">" & DaysLeft & "</div>"
End If
End Function

'Generates the Mail-Body for the Admin Mail
Function GenerateAdminMailBody()

Dim strReturn
strReturn = ""

strReturn = strReturn & "<style>" & vbNewLine
strReturn = strReturn & "table { font-family: Calibri; font-size: 11pt; }" & vbNewLine
strReturn = strReturn & "th { font: bold; background-color: light-blue; }" & vbNewLine
strReturn = strReturn & "th, td { border-bottom: 1px solid black; text-align: left; }" & vbNewLine
strReturn = strReturn & "tr:nth-child(even) { background-color: #f2f2f2; }" & vbNewLine
strReturn = strReturn & "tr:hover { background-color: #f5f5f5 }" & vbNewLine
strReturn = strReturn & "td.right { text-align: right; }" & vbNewLine
strReturn = strReturn & "div.dayspositive { }" & vbNewLine
strReturn = strReturn & "div.daysnegative { color: #FF0000; font: bold; }" & vbNewLine
strReturn = strReturn & "h1 { font: bold; font-size: 12pt; text-decoration: underline; }" & vbNewLine
strReturn = strReturn & "</style>" & vbNewLine

If Len(NZ(strAdminErrorUsers, "")) > 0 Then
'strReturn = strReturn & "<u>THE FOLLOWING USERS GENERATED SCRIPT ERRORS:</u>" & vbNewLine
strReturn = strReturn & "<h1>USERS THAT GENERATED SCRIPT ERRORS:</h1>" & vbNewLine
'strReturn = strReturn & strAdminErrorUsers & vbNewLine 
strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th></tr>" & strAdminErrorUsers & "</table><br><br>"
strReturn = strReturn & vbNewLine & vbNewLine
End If

If bolInformAdminAboutPWexpires And Len(NZ(strAdminPWexpires,"")) > 0 Then
'strReturn = strReturn & "<u>THE FOLLOWING PASSWORDS WILL EXPIRE:</u>" & vbNewLine
strReturn = strReturn & "<h1>NOTIFIED USERS WITH EXPIRING PASSWORDS:</h1>" & vbNewLine
'strReturn = strReturn & strAdminPWexpires & vbNewLine
strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th><th>Expires in days</th></tr>" & strAdminPWexpires & "</table><br><br>"
strReturn = strReturn & vbNewLine & vbNewLine
End If

If bolInformAdminAboutPWisExpired And Len(NZ(strAdminPWisExpired,"")) > 0 Then
'strReturn = strReturn & "<u>THE FOLLOWING PASSWORDS ARE EXPIRED ALREADY:</u>" & vbNewLine
strReturn = strReturn & "<h1>NOTIFIED USERS WITH EXPIRED PASSWORDS:</h1>" & vbNewLine
'strReturn = strReturn & strAdminPWisExpired & vbNewLine 
strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th><th>Expires in days</th></tr>" & strAdminPWisExpired & "</table><br><br>" 
strReturn = strReturn & vbNewLine & vbNewLine
End If

If bolInformAdminAboutAccountWithoutEMail And Len(NZ(strAdminAccountWithoutEMail,"")) > 0 Then
'strReturn = strReturn & "<u>THE FOLLOWING USER ACCOUNTS DON'T HAVE A VALID EMAIL ADDRESS:</u>" & vbNewLine
strReturn = strReturn & "<h1>USER ACCOUNTS WITH NO VALID EMAIL ADDRESS:</h1>" & vbNewLine
'strReturn = strReturn & strAdminAccountWithoutEMail & vbNewLine 
strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th><th>Expires in days</th></tr>" & strAdminAccountWithoutEMail & "</table><br><br>"
strReturn = strReturn & vbNewLine & vbNewLine
End If 

If bolInformAdminAboutPWneverExpires And Len(NZ(strAdminPWneverExpires,"")) > 0 Then
'strReturn = strReturn & "<u>THE FOLLOWING PASSWORDS NEVER EXPIRE:</u>" & vbNewLine
strReturn = strReturn & "<h1>PASSWORD NEVER EXPIRES USERS:</h1>" & vbNewLine
'strReturn = strReturn & strAdminPWneverExpires & vbNewLine 
strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th></tr>" & strAdminPWneverExpires & "</table><br><br>"
strReturn = strReturn & vbNewLine & vbNewLine
End If 

If bolInformAdminAboutUserCantChangePW And Len(NZ(strAdminUserCantChangePW,"")) > 0 Then
'strReturn = strReturn & "<u>THE FOLLOWING USERS CAN'T CHANGE THEIR PASSWORDS:</u>" & vbNewLine
strReturn = strReturn & "<h1>THE FOLLOWING USERS CAN'T CHANGE THEIR PASSWORDS:</h1>" & vbNewLine
'strReturn = strReturn & strAdminUserCantChangePW & vbNewLine 
strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th></tr>" & strAdminUserCantChangePW & "</table><br><br>"
strReturn = strReturn & vbNewLine & vbNewLine
End If

If bolInformAdminAboutAccountDisabled And Len(NZ(strAdminAccountDisabled,"")) > 0 Then
'strReturn = strReturn & "<u>THE FOLLOWING USER ACCOUNTS ARE DISABLED:</u>" & vbNewLine
strReturn = strReturn & "<h1>DISABLED USER ACCOUNTS:</h1>" & vbNewLine
'strReturn = strReturn & strAdminAccountDisabled & vbNewLine 
strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th></tr>" & strAdminAccountDisabled & "</table><br><br>"
strReturn = strReturn & vbNewLine & vbNewLine
End If

If bolInformAdminAboutExpiredUserAccount And Len(NZ(strAdminExpiredUserAccount,"")) > 0 Then
'strReturn = strReturn & "<u>THE FOLLOWING USER ACCOUNTS ARE EXPIRED:</u>" & vbNewLine
strReturn = strReturn & "<h1>EXPIRED USER ACCOUNTS:</h1>" & vbNewLine
'strReturn = strReturn & strAdminExpiredUserAccount & vbNewLine 
strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th><th>Expires in days</th></tr>" & strAdminExpiredUserAccount & "</table><br><br>"
strReturn = strReturn & vbNewLine & vbNewLine
End If 

If bolInformAdminAboutIgnoredUsersExcludedByGroup And Len(NZ(strAdminIgnoredUsersExcludedByGroup,"")) > 0 Then
strReturn = strReturn & "<h1>EXCLUDED USER ACCOUNTS (GROUP-FILTER):</h1>" & vbNewLine
strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th><th>Expires in days</th></tr>" & strAdminIgnoredUsersExcludedByGroup & "</table><br><br>"
strReturn = strReturn & vbNewLine & vbNewLine
End If

If bolInformAdminAboutStillGoodPasswords And Len(NZ(strAdminPWstillGood,"")) > 0 Then
'strReturn = strReturn & "<u>THE FOLLOWING USER ACCOUNTS HAVE VALID PASSWORDS:</u>" & vbNewLine
strReturn = strReturn & "<h1>THE FOLLOWING USER ACCOUNTS HAVE VALID PASSWORDS:</h1>" & vbNewLine
'strReturn = strReturn & strAdminPWstillGood & vbNewLine 
strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th><th>Expires in days</th></tr>" & strAdminPWstillGood & "</table><br><br>"
strReturn = strReturn & vbNewLine & vbNewLine
End If

If bolAttachDebugToAdminMail Then
'strReturn = strReturn & "<u>DEBUG OUTPUT:</u>" & vbNewLine
strReturn = strReturn & "<h1>DEBUG OUTPUT:</h1>" & vbNewLine
'strReturn = strReturn & strAdminDebug & vbNewLine
strReturn = strReturn & Replace(strAdminDebug, vbNewLine, "<br>") & vbNewLine
End If

GenerateAdminMailBody = "<div style=""font-family: calibri; font-size: 11pt;"">" & strReturn & "</div>"

End Function

'Sends out EMails, to the User (False, UserMailAddress, True or False, DaysLeft for Password, "") or the Admin (TRUE, "", True or False, 0, AdminTextBody)
Sub SendEmailNotification(AdminMail, UserMailAddress, IsExpired, DaysLeft, AdminTextBody)

Dim objMail

Set objMail = CreateObject("CDO.Message")

objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 
objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = strSMTPServer
objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = intSMTPServerPort 
objMail.Configuration.Fields.Update 

objMail.From = strFrom

If AdminMail Then 'is Admin Mail
objMail.Subject = strAdminMailSubject 
objMail.To = strToAdmin
'objMail.TextBody = AdminTextBody
'objMail.HTMLBody = Replace(AdminTextBody, vbNewLine, "<br>")
objMail.HTMLBody = AdminTextBody
Else 'is User Mail
If Not bolAdminMailOnly Then 'only the Admin Mail will be send
If IsExpired Then 
objMail.Subject = strUserMailSubjectExpired
Else
objMail.Subject = Replace(strUserMailSubjectWillExpire, "REPLACEWITHDAYS", DaysLeft)
End If
If bolRedirectMailToAdmin Then 'redirect Mails to Admin - add User Mail Address to Subject
objMail.To = strToAdmin
objMail.Subject = objMail.Subject & " - REDIRECTED TO ADMIN INSTEAD OF: " & UserMailAddress
Else
objMail.To = UserMailAddress
End If
objMail.CreateMHTMLBody strBodyURL
End If
End If

If Not bolTestDebugOutputToConsoleOnly Then
If Len(strAttachment) > 0 Then 'we do have an attachment to add?
objMail.AddAttachment strAttachment
End If
If bolAdminMailOnly Then 'only Admin Mail?
If AdminMail Then 'Then only if it is the Admin Mail
objMail.Send
End If
Else 'User Mail as well as Admin Mail
objMail.Send
End If
Else
ScriptDebug("=>DEBUG ONLY MODE - A EMAIL WOULD HAVE BEEN SEND TO: " & objMail.To & " - Subject: " & objMail.Subject)
End If

Set objMail = Nothing

End Sub

'Any Debug-Information will be proccessed here, easier to do it central and being able to change it to a LogFile or what ever...
Sub ScriptDebug(strDebugMessage)
If bolDebug Then
WScript.Echo strDebugMessage
End If
If bolAttachDebugToAdminMail Then
strAdminDebug = AddAdminInfoTo(strAdminDebug, strDebugMessage, False)
End If 
End Sub

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587

588

589

590

591

592

593

594

595

596

597

598

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

656

657

658

659

'This VBScript will run aggainst the ActiveDirectory Domain the executing User is a Member of.

'The executing User does not need to be an Domain-Administrator of any kind, a simply User is able to read the necessary information from ActiveDirectory

'Please configure the following Options - the Script does not accept or expect any Start-Parameter

'Version 2.2 - 04/12/2017: Florian Rossmark

'---------------------------------- START OPTIONS ----------------------------------

Const strSMTPServer = "relay.domain.com" 'SMTP Mail-Server to use

Const intSMTPServerPort = 25 'SMTP Mail-Server connection Port Number

Const strFrom = "pwdscript@domain.com" 'SMTP Mail From Address

Const strToAdmin = "helpdesk@domain.com" 'SMTP Mail To Address for Administrator

Const strAdminMailSubject = "Company Name - User Password Script Results to Admin" 'Subject for Mail to Admin

Const strUserMailSubjectExpired = "Your password has expired!" 'Subject for Mail to User when Password is expired

Const strUserMailSubjectWillExpire = "Your password will expire in REPLACEWITHDAYS days" 'Subject for Mail to User when Password will expire - the exact word REPLACEWITHDAYS will be replaced by the days left value

Const strBodyURL = "file://C:/scripts/PWD/PWDExpire.html" 'URL or full file-path (HTML) to import for Body, the entire content of this URL/FILE will be imported to the Body of the email and should explain ways how to change the password

Const strAttachment = "" 'full File-Path to an attachment for the email to the users / leave empty if no attachment

Const strLDAPSortColumn = "pwdLastSet" 'per default: pwdLastSet / sort column for LDAP query

Const intStartWithPWexpiresInDays = 5 'If the Passwords expires in days N or less, the script will inform the user

Const bolIgnoreDisabledAccounts = True 'Disabled accounts should always be ignored

Const bolInformAdminAboutPWexpires = True 'This will inform the Admin about expiring passwords

Const bolInformAdminAboutPWisExpired = True 'This will inform the Admin about accounts with expired Passwords

Const bolInformAdminAboutPWneverExpires = True 'This will inform the Admin about accounts with password set to never expire

Const bolInformAdminAboutUserCantChangePW = True 'This will inform the Admin about users who are not allowed to change their password

Const bolInformAdminAboutAccountDisabled = True 'This will inform the Admin about disabled accounts found - this would have been done in ADS by an administrator

Const bolInformAdminAboutExpiredUserAccount = True 'This will inform the admin if the User Account has an expiration date and the account is expired

Const bolInformAdminAboutAccountWithoutEMail = True 'This will inform the Admin about accounts without a set email address

Const bolInformAdminAboutStillGoodPasswords = True 'This will inform the Admin about Users/Passwords that are still valid

Const bolInformAdminAboutIgnoredUsersExcludedByGroup = True 'This will inform the Admin about Users that have been ignored by the strGroupsExclude filter

'Please Note: Status Account Locked will not be checked, this should be corrected automatically by the Default Security GPO instead (will be in most cases by default)

'Filter Priority 1 - only Users in those OU Paths will be processed

'Use LDAP DN like: "OU=Folder,OU=Folder,DC=Domain,DC=local", you do not need to include the DC=Domain,DC=local - the Script will add this information if necessary

'Use | (pipe) if you want to add more then one LDAP DN Path

'Leave empty ("") to disable this filter

Const strSearchOUs = "" '"OU=Users,OU=Site,DC=domain,DC=local"

'Filter Priority 2 - if the User Object is still not excluded, this Group Exclude filter will be applied

'If the user is member of one of those groups (if multiple groups are defined), he will be ignored

'Use | (pipe) if you want to add more then one GroupName

'Leave empty ("") to disable this filter

'Example: "Group Number1|GroupNumber2"

Const strGroupsExclude = "No Password notification emails"

'Filter Priority 3 - if the User Object is still not excluded, this Group Include filter will be applied

'The user has to be a member of one of those groups (if multiple groups are defined)

'Use | (pipe) if you want to add more then one GroupName

'Leave empty ("") to disable this filter

'Example: "Group Number1|GroupNumber2"

Const strGroupsInclude = ""

Const bolDebug = True 'Set TRUE for Script-Output, highly recommended to execute the Script in CMD with CSCRIPT <ScriptName>

Const bolAttachDebugToAdminMail = False 'The Debug Output will be attached to the Admin-Mail (independent from bolDebug)

Const bolTestDebugOutputToConsoleOnly = False 'This will disable the Mail.Send - only output to the CMD will be generated, please enable bolDebug

Const bolRedirectMailToAdmin = True 'This will redirect all Mails to the Admin, instead of sending them to the User - the Subject line will include the User-Mail Address in this case

Const bolAdminMailOnly = False 'This will send the Admin-Mail only, no User Mail will be generated

'---------------------------------- END OPTIONS ----------------------------------

'---------------------------------- Script starts here ----------------------------------

'---------------------------------- please do not modify after this line ----------------------------------

'Reference: https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx

Const ADS_UF_DONT_EXPIRE_PASSWD = 65536

Const ADS_UF_PASSWD_CANT_CHANGE = 64

Const ADS_UF_PASSWORD_EXPIRED = 8388608

Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6

Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

'A few Global Variables for the Admin-Mail

Dim strAdminPWexpires, strAdminPWisExpired, strAdminPWneverExpires, strAdminUserCantChangePW, strAdminAccountDisabled, strAdminExpiredUserAccount, strAdminAccountWithoutEMail, strAdminPWstillGood, strAdminIgnoredUsersExcludedByGroup

Dim strAdminErrorUsers

Dim strAdminDebug

SearchADS() 'Let's Start the actual process

'starts the actual search procedure - in a sub so it is easier to keep overview of the script

Sub SearchADS()

Dim objADSRoot, objADSDomain, objADSConnection, objADSCommand, objMaxPWDage, objUser

Dim intMaxPWDage, intDaysLeft

Dim bolProcessUser

Dim cntArray

Dim arrSearchOUs, arrGroupsExclude, arrGroupsInclude

Dim iADSCommand

Dim strFirstFoundGroupMembership

arrGroupsExclude = Split(strGroupsExclude, "|")

arrGroupsInclude = Split(strGroupsInclude, "|")

'Connect to ADS and get Users

Set objADSRoot = GetObject("LDAP://rootDSE")

Set objADSDomain = GetObject("LDAP://" & objADSRoot.Get("defaultNamingContext"))

Set objMaxPWDage = objADSDomain.Get("maxPwdAge") 'please note, this script can't obey the latest ADS multible password GPO rules, it will only follow the standard with only one password rule

intMaxPWDage = CCur((objMaxPWDage.HighPart * 2 ^ 32) + objMaxPWDage.LowPart) / CCur(-864000000000)

If Not intMaxPWDage > 0 Then 'Passwords won't expire at all

ScriptDebug("intMaxPWDage is set to: " & intMaxPWDage & " - Script stopped")

SendEmailNotification True, "", True, 0, "intMaxPWDage is incorrect, please check ADS configuration. Script aborded" 'Inform that there is no expiration configuration in Active Directory

Exit Sub 'Stop the Sub / End the Search

End If

Set objADSConnection = CreateObject("ADODB.Connection")

objADSConnection.Open "Provider=ADsDSOObject;"

Set objADSCommand = CreateObject("ADODB.Command")

objADSCommand.ActiveConnection = objADSConnection

If Not Len(strSearchOUs) > 0 Then

ReDim arrSearchOUs(0) 'we still need an array to run the For Next

arrSearchOUs(0) = ""

Else

arrSearchOUs = Split(strSearchOUs, "|")

End If

For iADSCommand = 0 To UBound(arrSearchOUs) 'we already filter OUs if necessary - filter priority 1

If Len(strSearchOUs) > 0 Then 'we need everytime a new objADSDomain to set the Filter based on the OU

If Not Right(arrSearchOUs(iADSCommand),Len(objADSRoot.Get("defaultNamingContext"))) = objADSRoot.Get("defaultNamingContext") Then

If Not Right(arrSearchOUs(iADSCommand),1) = "'" Then

arrSearchOUs(iADSCommand) = arrSearchOUs(iADSCommand) & ","

End If

arrSearchOUs(iADSCommand) = arrSearchOUs(iADSCommand) & objADSRoot.Get("defaultNamingContext")

End If

ScriptDebug("Searching LDAP Path: " & arrSearchOUs(iADSCommand))

Set objADSDomain = GetObject("LDAP://" & arrSearchOUs(iADSCommand))

End If

'samAccountType=805306368 / this is the correct value for USERS only - a search for the ObjectClass USER will also list Contacts

objADSCommand.CommandText = "<" & objADSDomain.ADsPath & ">;(&(samAccountType=805306368));userAccountControl,sAMAccountName,givenName,sn,mail,distinguishedName,lockoutTime;subtree"

objADSCommand.Properties("Sort on") = strLDAPSortColumn

Set rs = objADSCommand.Execute

If Not rs.EOF Then

Do While Not rs.EOF

ScriptDebug("") 'Empty Line before each run for easier to read output

ScriptDebug("PROCESSING USER: " & NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ")")

intDaysLeft = 0

bolProcessUser = True

'Priority 2 - Exclude the following groups

If Len(strGroupsExclude) > 0 Then

strFirstFoundGroupMembership = "" 'just to make sure, lets clean the variable

If IsUserInGroup(rs("distinguishedName"), arrGroupsExclude, strFirstFoundGroupMembership) Then 'User is Member of the Group, we ignore him

ScriptDebug("..USER IS MEMBER OF EXCLUDED GROUP: " & strFirstFoundGroupMembership & " - IGNORING USER")

bolProcessUser = False

'old info - 'We don't inform the Admin in this case, would be done over the Debug Info

If bolInformAdminAboutIgnoredUsersExcludedByGroup Then

strAdminIgnoredUsersExcludedByGroup = AddAdminInfoTo(strAdminIgnoredUsersExcludedByGroup, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat((GetPWDaysLeft(rs("distinguishedName"), NZ(rs("givenName"), ""), NZ(rs("sn"), ""), NZ(rs("sAMAccountName"), ""), intDaysLeft, intMaxPWDage) * -1)), True) 'Add to Admin Info

End If

'Priority 3 - Include the following groups

If bolProcessUser Then 'do we still go on with this User?

If Len(strGroupsInclude) > 0 Then

strFirstFoundGroupMembership = "" 'just to make sure, lets clean the variable

If Not IsUserInGroup(rs("distinguishedName"), arrGroupsInclude, strFirstFoundGroupMembership) Then 'User is Member of the Group, we ignore him

ScriptDebug("..USER IS NOT A MEMBER OF ANY OF THE INCLUDED GROUPS - IGNORING USER")

bolProcessUser = False

'old info - 'We don't inform the Admin in this case, would be done over the Debug Info

If bolInformAdminAboutIgnoredUsersExcludedByGroup Then

End If

Else 'User will be noramlly proccessed, we still inform about it in the Script-Debug

ScriptDebug("..USER IS MEMBER OF INCLUDED GROUP: " & strFirstFoundGroupMembership & " - PROCESSING USER")

End If

'Priority 4 - disabled account? this would have been done by an administrator

If bolProcessUser Then 'do we still go on with this User?

If IsAccountDisabled(rs("distinguishedName")) Then 'Account is disabled

ScriptDebug("..DISABLED USER ACCOUNT FOUND")

If bolIgnoreDisabledAccounts Then 'do we ignore this Account?

bolProcessUser = False

End If

If bolInformAdminAboutAccountDisabled Then

'strAdminAccountDisabled = AddAdminInfoTo(strAdminAccountDisabled, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ")") 'Add to Admin Info

strAdminAccountDisabled = AddAdminInfoTo(strAdminAccountDisabled, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), ""), True) 'Add to Admin Info

End If

'Priority 5 - Will User Account expire? (we only check if it is expired, if yes we take action)

If bolProcessUser Then 'do we still go on with this User?

If IsUserAccountExpired(rs("distinguishedName"), dtmExpiration) Then

bolProcessUser = False

ScriptDebug("..USER ACCOUNT IS EXPIRED SINCE: " & dtmExpiration)

If bolInformAdminAboutExpiredUserAccount Then

'strAdminExpiredUserAccount = AddAdminInfoTo(strAdminExpiredUserAccount, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ") - User expired since: " & dtmExpiration) 'Add to Admin Info

strAdminExpiredUserAccount = AddAdminInfoTo(strAdminExpiredUserAccount, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat(dtmExpiration), True) 'Add to Admin Info

End If

'Priority 6 - password never expires? this would have been done by an administrator

If bolProcessUser Then 'do we still go on with this User?

If PasswordDoesExpire(rs("userAccountControl")) Then 'Password does not expire

ScriptDebug("..USER WITH PASSWORD WILL NOT EXPIRE FOUND")

bolProcessUser = False

If bolInformAdminAboutPWneverExpires Then

'strAdminPWneverExpires = AddAdminInfoTo(strAdminPWneverExpires, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ")") 'Add to Admin Info

strAdminPWneverExpires = AddAdminInfoTo(strAdminPWneverExpires, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), ""), True) 'Add to Admin Info

End If

'Priority 7 - User can't even change the password? this would have been done by an administrator

If bolProcessUser Then 'do we still go on with this User?

If UserCantChangePassword(rs("distinguishedName")) Then 'User can't change Password

ScriptDebug("..USER WITH CAN'T CHANGE PASSWORD FOUND")

bolProcessUser = False

If bolInformAdminAboutUserCantChangePW Then

'strAdminUserCantChangePW = AddAdminInfoTo(strAdminUserCantChangePW, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ")") 'Add to Admin Info

strAdminUserCantChangePW = AddAdminInfoTo(strAdminUserCantChangePW, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), ""), True) 'Add to Admin Info

End If

'Priority 8 - User does not have an EMail Address? can't inform User if PW is about to expire what shall we do?

If bolProcessUser Then 'do we still go on with this User?

If Not Len(NZ(rs("mail"), "")) > 0 Then 'User is missing email address

ScriptDebug("..USER WITHOUT EMAIL ADDRESS FOUND")

bolProcessUser = False

If bolInformAdminAboutAccountWithoutEMail Then

'strAdminAccountWithoutEMail = AddAdminInfoTo(strAdminAccountWithoutEMail, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ") - Days Left: " & (GetPWDaysLeft(rs("distinguishedName"), NZ(rs("givenName"), ""), NZ(rs("sn"), ""), NZ(rs("sAMAccountName"), ""), intDaysLeft, intMaxPWDage) * -1)) 'Add to Admin Info

strAdminAccountWithoutEMail = AddAdminInfoTo(strAdminAccountWithoutEMail, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat((GetPWDaysLeft(rs("distinguishedName"), NZ(rs("givenName"), ""), NZ(rs("sn"), ""), NZ(rs("sAMAccountName"), ""), intDaysLeft, intMaxPWDage) * -1)), True) 'Add to Admin Info

End If

'Priority 9 - now we check the Password Age and take action

If bolProcessUser Then 'do we still go on with this User?

If PasswordIsExpired(rs("userAccountControl")) Then 'The Password is already expired? We need to take action / this will be double checked later on with a calculation

ScriptDebug("..PASSWORD IS EXPIRED")

SendEmailNotification False, NZ(rs("mail"), ""), True, 0, "" 'Inform the USER about the expired Password

If bolInformAdminAboutPWisExpired Then

'strAdminPWisExpired = AddAdminInfoTo(strAdminPWisExpired, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ")") 'Add to Admin Info

strAdminPWisExpired = AddAdminInfoTo(strAdminPWisExpired, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat((GetPWDaysLeft(rs("distinguishedName"), NZ(rs("givenName"), ""), NZ(rs("sn"), ""), NZ(rs("sAMAccountName"), ""), intDaysLeft, intMaxPWDage) * -1)), True) 'Add to Admin Info

End If

Else 'Password is not expired yet, how many days does the User have left?

Set objUser = GetObject("LDAP://" & rs("distinguishedName"))

intDaysLeft = GetPWDaysLeft(rs("distinguishedName"), NZ(rs("givenName"), ""), NZ(rs("sn"), ""), NZ(rs("sAMAccountName"), ""), intDaysLeft, intMaxPWDage)

If intDaysLeft <= 0 Then 'we have a number of days left

If intStartWithPWexpiresInDays >= (intDaysLeft * -1) Then 'User is to be informed, his days left are less then defined

ScriptDebug("..PASSWORD FOR USER WILL EXPIRE IN: " & (intDaysLeft * -1) & " DAYS")

SendEmailNotification False, NZ(rs("mail"), ""), False, (intDaysLeft * -1), "" 'Inform the USER that the Password will expire

If bolInformAdminAboutPWexpires Then

'strAdminPWexpires = AddAdminInfoTo(strAdminPWexpires, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ") - Days Left: " & (intDaysLeft * -1)) 'Add to Admin Info

strAdminPWexpires = AddAdminInfoTo(strAdminPWexpires, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat((intDaysLeft * -1)), True) 'Add to Admin Info

End If

Else 'User has more days left then needed by Script Configuration

'we do not need to take action - we do not even send Mail to the Admin

ScriptDebug("..USER PASSWORD IS STILL GOOD - DAYS LEFT: " & (intDaysLeft * -1))

If bolInformAdminAboutStillGoodPasswords Then

'strAdminPWstillGood = AddAdminInfoTo(strAdminPWstillGood, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ") - Days Left: " & (intDaysLeft * -1)) 'Add to Admin Info

strAdminPWstillGood = AddAdminInfoTo(strAdminPWstillGood, NZ(rs("givenName"), "") & "</td><td>" & NZ(rs("sn"), "") & "</td><td>" & NZ(rs("sAMAccountName"), "") & "</td><td class=""right"">" & AdminInfoDaysLeftHTMLFormat((intDaysLeft * -1)), True) 'Add to Admin Info

End If

Else 'Password is already expired and needs to be changed now / second check, first one might not give the needed information

ScriptDebug("..PASSWORD IS EXPIRED FOR: " & (intDaysLeft * -1) & " DAYS")

SendEmailNotification False, NZ(rs("mail"), ""), True, 0, "" 'Inform the USER about the expired Password

If bolInformAdminAboutPWisExpired Then

'strAdminPWisExpired = AddAdminInfoTo(strAdminPWisExpired, NZ(rs("givenName"), "") & " " & NZ(rs("sn"), "") & " (" & NZ(rs("sAMAccountName"), "") & ") - Days expired: " & (intDaysLeft * -1)) 'Add to Admin Info

End If

Set objUser = Nothing 'to make sure the Object is release

End If

rs.MoveNext

Loop

End If

Set rs = Nothing

Next 'Next from arrSearchOUs

Set objADSCommand = Nothing

Set objADSConnection = Nothing

Set objADSDomain = Nothing

Set objADSRoot = Nothing

ScriptDebug("")

ScriptDebug("SCRIPT ENDED SUCCESSFULLY => Sending Admin Mail")

SendEmailNotification True, "", True, 0, GenerateAdminMailBody 'Send the final admin notification with the requested information

End Sub

'Function returns days left for Password of User-Object (uses default Value intDaysLeft)

Function GetPWDaysLeft(strDistinguishedName, strGivenName, strSN, strsAMAccountName, intDaysLeft, intMaxPWDage)

Dim objUser

Set objUser = GetObject("LDAP://" & strDistinguishedName)

On Error Resume Next

'intDaysLeft will be negative, like a countdown, T minus DAYS

intDaysLeft = DateDiff("d", objUser.PasswordLastChanged, Now) - intMaxPWDage

If Err Then

If Err.Number = &h8000500d Then 'PWD was just changed

intDaysLeft = intMaxPWDage

ScriptDebug("..USER PASSWORD WAS JUST CHANGED")

'we don't send any Mails about this

Else 'unexpexted Error occured - this shouldn't happen at all!

ScriptDebug("..UNEXPECTED ERROR (UserPasswordLastChanged)")

'strAdminErrorUsers = AddAdminInfoTo(strAdminErrorUsers, strGivenName & " " & strSN & " (" & strsAMAccountName & ")") 'Add to Admin Info

strAdminErrorUsers = AddAdminInfoTo(strAdminErrorUsers, strGivenName & "</td><td>" & strSN & "</td><td>" & strsAMAccountName, True) 'Add to Admin Info

End If

Err.Clear

On Error Goto 0

Set objUser = Nothing

GetPWDaysLeft = Round(intDaysLeft, 0)

End Function

Function IsUserAccountExpired(distinguishedName, dtmExpirationDate)

Dim bolReturn

Dim objUser

Dim dtmAccountExpiration

bolReturn = False

If NZ(distinguishedName, "") <> "" Then

Set objUser = GetObject("LDAP://" & distinguishedName)

On Error Resume Next

dtmAccountExpiration = objUser.AccountExpirationDate

If Err.Number = -2147467259 Or dtmAccountExpiration = "1/1/1970" Then 'Account has no expiration date specified

'we do nothing - not even a debug message

Else 'Account has expireation date

If DateDiff("d", dtmAccountExpiration, Now) > 0 Then

bolReturn = True

dtmExpirationDate = dtmAccountExpiration

End If

On Error Goto 0

Set objUser = Nothing

End If

IsUserAccountExpired = bolReturn

End Function

'Is the User Member of one of the Groups in the Array? Give back first GroupName found if possible

Function IsUserInGroup(distinguishedName, arrGroups, FirstFoundGroupMembership)

Dim objUser, objGroup

Dim i

Dim strGroupName

Dim bolFound

bolFound = False

If NZ(distinguishedName, "") <> "" Then

Set objUser = GetObject("LDAP://" & distinguishedName)

On Error Resume Next

For Each objGroup In objUser.GetEx("memberOf")

strGroupName = Split(objGroup,",")(0)

strGroupName = Right(strGroupName, (Len(strGroupName)-3))

For i = 0 To UBound(arrGroups)

If LCase(strGroupName) = LCase(arrGroups(i)) Then

bolFound = True

FirstFoundGroupMembership = strGroupName

IsUserInGroup = True

Exit For

End If

If bolFound Then

Exit For

End If

On Error Goto 0

Set objUser = Nothing

Else

IsUserInGroup = False 'couldn't find User distinguishedName - not really possible

End If

End Function

'Is the Password Expired?

Function PasswordIsExpired(userAccountControl)

If NZ(userAccountControl, "") <> "" Then

If ADS_UF_PASSWORD_EXPIRED And userAccountControl Then

PasswordIsExpired = True

Else

PasswordIsExpired = False

End If

Else

PasswordIsExpired = False

End If

End Function

'Is the User able to change to Password?

Function UserCantChangePassword(distinguishedName)

Dim bolReturn

Dim objUser, objSD, objDACL, objACE

bolReturn = False

If NZ(distinguishedName, "") <> "" Then

On Error Resume Next

Set objUser = GetObject("LDAP://" & distinguishedName)

Set objSD = objUser.Get("nTSecurityDescriptor")

Set objDACL = objSD.DiscretionaryAcl

For Each objACE in objDACL

If objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT And LCase(objACE.ObjectType) = CHANGE_PASSWORD_GUID Then

bolReturn = True

Exit For

End If

Set objDACL = Nothing

Set objSD = Nothing

Set objUser = Nothing

On Error Goto 0

End If

UserCantChangePassword = bolReturn

End Function

'Does the Account PW expire or not?

Function PasswordDoesExpire(userAccountControl)

If NZ(userAccountControl, "") <> "" Then

If ADS_UF_DONT_EXPIRE_PASSWD And userAccountControl Then

PasswordDoesExpire = True

Else

PasswordDoesExpire = False

End If

Else

PasswordDoesExpire = False

End If

End Function

'Account Disabled or not

Function IsAccountDisabled(distinguishedName)

Dim bolReturn

Dim objUser

bolReturn = False

If NZ(distinguishedName, "") <> "" Then

On Error Resume Next

Set objUser = GetObject("LDAP://" & distinguishedName)

bolReturn = objUser.AccountDisabled

Set objUser = Nothing

On Error Goto 0

End If

IsAccountDisabled = bolReturn

End Function

'NZ equivalent to VBA

Function NZ(Value,alternativeValue)

If IsNull(Value) Then

NZ = alternativeValue

Else

NZ = Value

End If

End Function

'Adds the Information as needed to the specified Variable as a new Line and returns the complete new string

Function AddAdminInfoTo(CurrentString, NewTextLine, IsTable)

If Not Len(NZ(CurrentString, "")) > 0 Then

'AddAdminInfoTo = NewTextLine

If Not IsTable Then

AddAdminInfoTo = NewTextLine

Else

AddAdminInfoTo = CurrentString & "<tr><td>" & Replace(NewTextLine, vbNewLine, "") & "</td></tr>"

End If

Else

'AddAdminInfoTo = CurrentString & vbNewLine & NewTextLine

If Not IsTable Then

AddAdminInfoTo = CurrentString & vbNewLine & NewTextLine

Else

AddAdminInfoTo = CurrentString & "<tr><td>" & Replace(NewTextLine, vbNewLine, "") & "</td></tr>"

End If

End Function

'Reformatts the Days-Left into a special div tag if it is negative/positive

Function AdminInfoDaysLeftHTMLFormat(DaysLeft)

If DaysLeft > 0 Then

AdminInfoDaysLeftHTMLFormat = "<div class=""dayspositive"">" & DaysLeft & "</div>"

Else

AdminInfoDaysLeftHTMLFormat = "<div class=""daysnegative"">" & DaysLeft & "</div>"

End If

End Function

'Generates the Mail-Body for the Admin Mail

Function GenerateAdminMailBody()

Dim strReturn

strReturn = ""

strReturn = strReturn & "<style>" & vbNewLine

strReturn = strReturn & "table { font-family: Calibri; font-size: 11pt; }" & vbNewLine

strReturn = strReturn & "th { font: bold; background-color: light-blue; }" & vbNewLine

strReturn = strReturn & "th, td { border-bottom: 1px solid black; text-align: left; }" & vbNewLine

strReturn = strReturn & "tr:nth-child(even) { background-color: #f2f2f2; }" & vbNewLine

strReturn = strReturn & "tr:hover { background-color: #f5f5f5 }" & vbNewLine

strReturn = strReturn & "td.right { text-align: right; }" & vbNewLine

strReturn = strReturn & "div.dayspositive { }" & vbNewLine

strReturn = strReturn & "div.daysnegative { color: #FF0000; font: bold; }" & vbNewLine

strReturn = strReturn & "h1 { font: bold; font-size: 12pt; text-decoration: underline; }" & vbNewLine

strReturn = strReturn & "</style>" & vbNewLine

If Len(NZ(strAdminErrorUsers, "")) > 0 Then

'strReturn = strReturn & "<u>THE FOLLOWING USERS GENERATED SCRIPT ERRORS:</u>" & vbNewLine

strReturn = strReturn & "<h1>USERS THAT GENERATED SCRIPT ERRORS:</h1>" & vbNewLine

'strReturn = strReturn & strAdminErrorUsers & vbNewLine

strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th></tr>" & strAdminErrorUsers & "</table><br><br>"

strReturn = strReturn & vbNewLine & vbNewLine

End If

If bolInformAdminAboutPWexpires And Len(NZ(strAdminPWexpires,"")) > 0 Then

'strReturn = strReturn & "<u>THE FOLLOWING PASSWORDS WILL EXPIRE:</u>" & vbNewLine

strReturn = strReturn & "<h1>NOTIFIED USERS WITH EXPIRING PASSWORDS:</h1>" & vbNewLine

'strReturn = strReturn & strAdminPWexpires & vbNewLine

strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th><th>Expires in days</th></tr>" & strAdminPWexpires & "</table><br><br>"

strReturn = strReturn & vbNewLine & vbNewLine

End If

If bolInformAdminAboutPWisExpired And Len(NZ(strAdminPWisExpired,"")) > 0 Then

'strReturn = strReturn & "<u>THE FOLLOWING PASSWORDS ARE EXPIRED ALREADY:</u>" & vbNewLine

strReturn = strReturn & "<h1>NOTIFIED USERS WITH EXPIRED PASSWORDS:</h1>" & vbNewLine

'strReturn = strReturn & strAdminPWisExpired & vbNewLine

strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th><th>Expires in days</th></tr>" & strAdminPWisExpired & "</table><br><br>"

strReturn = strReturn & vbNewLine & vbNewLine

End If

If bolInformAdminAboutAccountWithoutEMail And Len(NZ(strAdminAccountWithoutEMail,"")) > 0 Then

'strReturn = strReturn & "<u>THE FOLLOWING USER ACCOUNTS DON'T HAVE A VALID EMAIL ADDRESS:</u>" & vbNewLine

strReturn = strReturn & "<h1>USER ACCOUNTS WITH NO VALID EMAIL ADDRESS:</h1>" & vbNewLine

'strReturn = strReturn & strAdminAccountWithoutEMail & vbNewLine

strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th><th>Expires in days</th></tr>" & strAdminAccountWithoutEMail & "</table><br><br>"

strReturn = strReturn & vbNewLine & vbNewLine

End If

If bolInformAdminAboutPWneverExpires And Len(NZ(strAdminPWneverExpires,"")) > 0 Then

'strReturn = strReturn & "<u>THE FOLLOWING PASSWORDS NEVER EXPIRE:</u>" & vbNewLine

strReturn = strReturn & "<h1>PASSWORD NEVER EXPIRES USERS:</h1>" & vbNewLine

'strReturn = strReturn & strAdminPWneverExpires & vbNewLine

strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th></tr>" & strAdminPWneverExpires & "</table><br><br>"

strReturn = strReturn & vbNewLine & vbNewLine

End If

If bolInformAdminAboutUserCantChangePW And Len(NZ(strAdminUserCantChangePW,"")) > 0 Then

'strReturn = strReturn & "<u>THE FOLLOWING USERS CAN'T CHANGE THEIR PASSWORDS:</u>" & vbNewLine

strReturn = strReturn & "<h1>THE FOLLOWING USERS CAN'T CHANGE THEIR PASSWORDS:</h1>" & vbNewLine

'strReturn = strReturn & strAdminUserCantChangePW & vbNewLine

strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th></tr>" & strAdminUserCantChangePW & "</table><br><br>"

strReturn = strReturn & vbNewLine & vbNewLine

End If

If bolInformAdminAboutAccountDisabled And Len(NZ(strAdminAccountDisabled,"")) > 0 Then

'strReturn = strReturn & "<u>THE FOLLOWING USER ACCOUNTS ARE DISABLED:</u>" & vbNewLine

strReturn = strReturn & "<h1>DISABLED USER ACCOUNTS:</h1>" & vbNewLine

'strReturn = strReturn & strAdminAccountDisabled & vbNewLine

strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th></tr>" & strAdminAccountDisabled & "</table><br><br>"

strReturn = strReturn & vbNewLine & vbNewLine

End If

If bolInformAdminAboutExpiredUserAccount And Len(NZ(strAdminExpiredUserAccount,"")) > 0 Then

'strReturn = strReturn & "<u>THE FOLLOWING USER ACCOUNTS ARE EXPIRED:</u>" & vbNewLine

strReturn = strReturn & "<h1>EXPIRED USER ACCOUNTS:</h1>" & vbNewLine

'strReturn = strReturn & strAdminExpiredUserAccount & vbNewLine

strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th><th>Expires in days</th></tr>" & strAdminExpiredUserAccount & "</table><br><br>"

strReturn = strReturn & vbNewLine & vbNewLine

End If

If bolInformAdminAboutIgnoredUsersExcludedByGroup And Len(NZ(strAdminIgnoredUsersExcludedByGroup,"")) > 0 Then

strReturn = strReturn & "<h1>EXCLUDED USER ACCOUNTS (GROUP-FILTER):</h1>" & vbNewLine

strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th><th>Expires in days</th></tr>" & strAdminIgnoredUsersExcludedByGroup & "</table><br><br>"

strReturn = strReturn & vbNewLine & vbNewLine

End If

If bolInformAdminAboutStillGoodPasswords And Len(NZ(strAdminPWstillGood,"")) > 0 Then

'strReturn = strReturn & "<u>THE FOLLOWING USER ACCOUNTS HAVE VALID PASSWORDS:</u>" & vbNewLine

strReturn = strReturn & "<h1>THE FOLLOWING USER ACCOUNTS HAVE VALID PASSWORDS:</h1>" & vbNewLine

'strReturn = strReturn & strAdminPWstillGood & vbNewLine

strReturn = strReturn & "<table><tr><th>Firstname</th><th>LastName</th><th>Username</th><th>Expires in days</th></tr>" & strAdminPWstillGood & "</table><br><br>"

strReturn = strReturn & vbNewLine & vbNewLine

End If

If bolAttachDebugToAdminMail Then

'strReturn = strReturn & "<u>DEBUG OUTPUT:</u>" & vbNewLine

strReturn = strReturn & "<h1>DEBUG OUTPUT:</h1>" & vbNewLine

'strReturn = strReturn & strAdminDebug & vbNewLine

strReturn = strReturn & Replace(strAdminDebug, vbNewLine, "<br>") & vbNewLine

End If

GenerateAdminMailBody = "<div style=""font-family: calibri; font-size: 11pt;"">" & strReturn & "</div>"

End Function

'Sends out EMails, to the User (False, UserMailAddress, True or False, DaysLeft for Password, "") or the Admin (TRUE, "", True or False, 0, AdminTextBody)

Sub SendEmailNotification(AdminMail, UserMailAddress, IsExpired, DaysLeft, AdminTextBody)

Dim objMail

Set objMail = CreateObject("CDO.Message")

objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2

objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = strSMTPServer

objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = intSMTPServerPort

objMail.Configuration.Fields.Update

objMail.From = strFrom

If AdminMail Then 'is Admin Mail

objMail.Subject = strAdminMailSubject

objMail.To = strToAdmin

'objMail.TextBody = AdminTextBody

'objMail.HTMLBody = Replace(AdminTextBody, vbNewLine, "<br>")

objMail.HTMLBody = AdminTextBody

Else 'is User Mail

If Not bolAdminMailOnly Then 'only the Admin Mail will be send

If IsExpired Then

objMail.Subject = strUserMailSubjectExpired

Else

objMail.Subject = Replace(strUserMailSubjectWillExpire, "REPLACEWITHDAYS", DaysLeft)

End If

If bolRedirectMailToAdmin Then 'redirect Mails to Admin - add User Mail Address to Subject

objMail.To = strToAdmin

objMail.Subject = objMail.Subject & " - REDIRECTED TO ADMIN INSTEAD OF: " & UserMailAddress

Else

objMail.To = UserMailAddress

End If

objMail.CreateMHTMLBody strBodyURL

End If

If Not bolTestDebugOutputToConsoleOnly Then

If Len(strAttachment) > 0 Then 'we do have an attachment to add?

objMail.AddAttachment strAttachment

End If

If bolAdminMailOnly Then 'only Admin Mail?

If AdminMail Then 'Then only if it is the Admin Mail

objMail.Send

End If

Else 'User Mail as well as Admin Mail

objMail.Send

End If

Else

ScriptDebug("=>DEBUG ONLY MODE - A EMAIL WOULD HAVE BEEN SEND TO: " & objMail.To & " - Subject: " & objMail.Subject)

End If

Set objMail = Nothing

End Sub

'Any Debug-Information will be proccessed here, easier to do it central and being able to change it to a LogFile or what ever...

Sub ScriptDebug(strDebugMessage)

If bolDebug Then

WScript.Echo strDebugMessage

End If

If bolAttachDebugToAdminMail Then

strAdminDebug = AddAdminInfoTo(strAdminDebug, strDebugMessage, False)

End If

End Sub

<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Your password will expire in “X” days</title>
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p.sectiontitle, li.sectiontitle, div.sectiontitle
{margin-top:12.0pt;
margin-right:0in;
margin-bottom:12.0pt;
margin-left:0in;
font-size:12.0pt;
font-family:Verdana;
font-variant:small-caps;
font-weight:bold;}
p.sectioncontent, li.sectioncontent, div.sectioncontent
{margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:9.0pt;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:Verdana;}
span.sectiontitlechar
{font-family:Verdana;
font-variant:small-caps;
font-weight:bold;}
@page Section1
{size:8.5in 11.0in;
margin:81.35pt 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
/* List Definitions */
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>

</head>

<body lang="EN-US" link="blue" vlink="purple">

<div class="Section1">
<table width="100%"><tr><td>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana;
color:blue">This is an automated password expiration notification. </span></b></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana;
color:blue">Please change your password as soon as possible.</span></b></p>
</td><td>
<div text-align=right>
<img src="logo.jpg" width="150px">
</div>
</td></tr></table>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana">&nbsp;</span></b></p>

<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Verdana">Password
Policy</span></u></b></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">&nbsp;</span></p>

<p class="sectioncontent"><b>Password Rules</b></p>

<p class="sectioncontent" style="margin-left:45.0pt;text-indent:-.25in">1.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

</span>Your password must be changed every 90 days</p>

<p class="sectioncontent" style="margin-left:45.0pt;text-indent:-.25in">2.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>The system will remember the last 8 passwords used and will not allow
them again</p>

<p class="sectioncontent" style="margin-left:45.0pt;text-indent:-.25in">3.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>Minimum password age is 1 day. A password cannot be changed until it is
1 day old.</p>

<p class="sectioncontent" style="margin-left:45.0pt;text-indent:-.25in">4.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>Account lockout duration is 15 minutes</p>

<p class="sectioncontent" style="margin-left:45.0pt;text-indent:-.25in">5.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>Account lockout threshold is 6 invalid login attempts</p>

<p class="sectioncontent" style="margin-left:45.0pt;text-indent:-.25in">6.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>Reset account lockout counter after 15 minutes</p>

<p class="sectioncontent">&nbsp;</p>

<p class="sectioncontent"><b>Complexity Rules</b></p>

<p class="sectioncontent" style="margin-left:45.0pt;text-indent:-.25in">1.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

</span>It must be at least 8 characters in length</p>

<p class="sectioncontent" style="margin-left:45.0pt;text-indent:-.25in">2.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>It cannot contain a significant portion of the username or the person’s
full name</p>

<p class="sectioncontent" style="margin-left:45.0pt;text-indent:-.25in">3.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>It cannot contain a complete dictionary word</p>

<p class="sectioncontent" style="margin-left:45.0pt;text-indent:-.25in">4.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>It must contain at least one character from 3 of the 4 following groups:</p>

<p class="sectioncontent" style="margin-left:63.0pt;text-indent:-.25in">a.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>Lower-case alpha character (a-z)</p>

<p class="sectioncontent" style="margin-left:63.0pt;text-indent:-.25in">b.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>Upper-case alpha character (A-Z)</p>

<p class="sectioncontent" style="margin-left:63.0pt;text-indent:-.25in">c.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>Numeric digit (0-9)</p>

<p class="sectioncontent" style="margin-left:63.0pt;text-indent:-.25in">d.<span style="font-size:7.0pt;font-family:&quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

</span>Special character ( { } [ ] , . &lt; &gt; ; : ' " ? / | \ ` ~ ! @ #
$ <br>
% ^ &amp; * ( ) _ - + = )</p>

<p class="sectioncontent">&nbsp;</p>

<p class="sectioncontent"><b>Suggestions</b></p>

<p class="sectioncontent">Use a password that you can remember. One common
practice is to model your password after a sentence or a phrase. It can also be
useful to replace letter with numbers. </p>

<p class="sectioncontent">&nbsp;</p>

<p class="sectioncontent">Steve might use the well-known statement, “I can eat
sushi for lunch every day” to come up with the following password:</p>

<p class="sectioncontent" style="text-indent:27.0pt">Ic3s4led!</p>

<p class="sectioncontent">&nbsp;</p>

<p class="sectioncontent">Ray might use “My motorcycle is way too fast for you!”</p>

<p class="sectioncontent" style="text-indent:27.0pt">MmiW2f4u!</p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">&nbsp;</span></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">&nbsp;</span></p>

<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Verdana">How
to Change Your Password</span></u></b></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">&nbsp;</span></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana">Method
1 – Directly From Windows</span></b></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">&nbsp;</span></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">If you
have a computer with direct connectivity to corporate network, changing
your password is very easy. </span></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">&nbsp;</span></p>

<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">After
you are logged into your computer, enter the keyboard combination “Ctrl +
ALT + Del” (this is the same combination used&nbsp; when logging onto your
computer)</span></li>
<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">In the
Windows Security popup window click “Change Password”</span></li>
<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">The 1<sup>st</sup>
two fields will be auto-filled. Please enter your current “OLD” password
followed by your “NEW” password in the last two fields.</span></li>

</ol>

<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;
font-family:Verdana">&nbsp;</span></p>

<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="289" style="width:216.6pt;margin-left:41.4pt;border-collapse:collapse">
<tbody><tr>
<td width="136" valign="top" style="width:102.0pt;border:solid windowtext 1.0pt;
padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana">Description</span></b></p>
</td>
<td width="153" valign="top" style="width:114.6pt;border:solid windowtext 1.0pt;
border-left:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana">Your
Answer</span></b></p>

</td>
</tr>
<tr>
<td width="136" valign="top" style="width:102.0pt;border:solid windowtext 1.0pt;
border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Username</span></p>
</td>
<td width="153" valign="top" style="width:114.6pt;border-top:none;border-left:
none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Your
userID e.g. jsmith</span></p>

</td>
</tr>
<tr>
<td width="136" valign="top" style="width:102.0pt;border:solid windowtext 1.0pt;
border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Log on
to</span></p>
</td>
<td width="153" valign="top" style="width:114.6pt;border-top:none;border-left:
none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Company Name</span></p>

</td>
</tr>
<tr>
<td width="136" valign="top" style="width:102.0pt;border:solid windowtext 1.0pt;
border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Old
password</span></p>
</td>
<td width="153" valign="top" style="width:114.6pt;border-top:none;border-left:
none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Your
OLD password</span></p>

</td>
</tr>
<tr>
<td width="136" valign="top" style="width:102.0pt;border:solid windowtext 1.0pt;
border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">New
password</span></p>
</td>
<td width="153" valign="top" style="width:114.6pt;border-top:none;border-left:
none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Your
NEW password</span></p>

</td>
</tr>
<tr>
<td width="136" valign="top" style="width:102.0pt;border:solid windowtext 1.0pt;
border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Confirm
new password</span></p>
</td>
<td width="153" valign="top" style="width:114.6pt;border-top:none;border-left:
none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Your
New Password</span></p>

</td>
</tr>
</tbody></table>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">&nbsp;</span></p>

<ol style="margin-top:0in" start="4" type="1">
<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Click
OK </span></li>
</ol>

<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;
font-family:Verdana">Your new password is now set and will be valid for 90 days</span></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">&nbsp;</span></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana">Method
2 – Contact the Helpdesk</span></b></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">&nbsp;</span></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">If you
require assistance in changing your password, please submit a help desk request
and we will be more than happy to help you out. </span></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">&nbsp;</span></p>

<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Create
a helpdesk ticket </span></li>

<ol style="margin-top:0in" start="1" type="a">
<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Open
your web browser and type <a href="http://helpdesk.domain.com/">http://helpdesk.domain.com</a></span></li>
<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Create
a new ticket and label it “I Need Help”</span></li>
<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">In the
Notes field, please provide a phone number and the best time to reach you</span></li>
</ol>
<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">An IT associate will contact you to assist in changing your password</span></li>

</ol>

<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;
font-family:Verdana">NOTE: If you are unable to access helpdesk website,
please call 888-888-8888 or x8888</span></p>

</div>


</body></html>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

<title>Your password will expire in “X” days</title>

<style>

<!--

/* Font Definitions */

@font-face

{font-family:Verdana;

panose-1:2 11 6 4 3 5 4 4 2 4;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal

{margin:0in;

margin-bottom:.0001pt;

font-size:12.0pt;

font-family:"Times New Roman";}

a:link, span.MsoHyperlink

{color:blue;

text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

{color:purple;

text-decoration:underline;}

p.sectiontitle, li.sectiontitle, div.sectiontitle

{margin-top:12.0pt;

margin-right:0in;

margin-bottom:12.0pt;

margin-left:0in;

font-size:12.0pt;

font-family:Verdana;

font-variant:small-caps;

font-weight:bold;}

p.sectioncontent, li.sectioncontent, div.sectioncontent

{margin-top:0in;

margin-right:0in;

margin-bottom:0in;

margin-left:9.0pt;

margin-bottom:.0001pt;

font-size:10.0pt;

font-family:Verdana;}

span.sectiontitlechar

{font-family:Verdana;

font-variant:small-caps;

font-weight:bold;}

@page Section1

{size:8.5in 11.0in;

margin:81.35pt 1.0in 1.0in 1.0in;}

div.Section1

{page:Section1;}

/* List Definitions */

{margin-bottom:0in;}

-->

</style>

</head>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana;

color:blue">This is an automated password expiration notification. </span></b></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana;

color:blue">Please change your password as soon as possible.</span></b></p>

</td><td>

</div>

</td></tr></table>

<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Verdana">Password

Policy</span></u></b></p>

<p class="sectioncontent"><b>Password Rules</b></p>

</span>Your password must be changed every 90 days</p>

</span>The system will remember the last 8 passwords used and will not allow

them again</p>

</span>Minimum password age is 1 day. A password cannot be changed until it is

1 day old.</p>

</span>Account lockout duration is 15 minutes</p>

</span>Account lockout threshold is 6 invalid login attempts</p>

</span>Reset account lockout counter after 15 minutes</p>

<p class="sectioncontent"><b>Complexity Rules</b></p>

</span>It must be at least 8 characters in length</p>

</span>It cannot contain a significant portion of the username or the person’s

full name</p>

</span>It cannot contain a complete dictionary word</p>

</span>It must contain at least one character from 3 of the 4 following groups:</p>

</span>Lower-case alpha character (a-z)</p>

</span>Upper-case alpha character (A-Z)</p>

</span>Numeric digit (0-9)</p>

</span>Special character ( { } [ ] , . < > ; : ' " ? / | \ ` ~ ! @ #

$ <br>

% ^ & * ( ) _ - + = )</p>

<p class="sectioncontent"><b>Suggestions</b></p>

<p class="sectioncontent">Use a password that you can remember. One common

practice is to model your password after a sentence or a phrase. It can also be

useful to replace letter with numbers. </p>

<p class="sectioncontent">Steve might use the well-known statement, “I can eat

sushi for lunch every day” to come up with the following password:</p>

<p class="sectioncontent">Ray might use “My motorcycle is way too fast for you!”</p>

<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Verdana">How

to Change Your Password</span></u></b></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana">Method

1 – Directly From Windows</span></b></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">If you

have a computer with direct connectivity to corporate network, changing

your password is very easy. </span></p>

<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">After

you are logged into your computer, enter the keyboard combination “Ctrl +

ALT + Del” (this is the same combination used  when logging onto your

computer)</span></li>

<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">In the

Windows Security popup window click “Change Password”</span></li>

two fields will be auto-filled. Please enter your current “OLD” password

followed by your “NEW” password in the last two fields.</span></li>

</ol>

<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;

font-family:Verdana"> </span></p>

<td width="136" valign="top" style="width:102.0pt;border:solid windowtext 1.0pt;

padding:0in 5.4pt 0in 5.4pt">

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana">Description</span></b></p>

</td>

<td width="153" valign="top" style="width:114.6pt;border:solid windowtext 1.0pt;

border-left:none;padding:0in 5.4pt 0in 5.4pt">

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana">Your

Answer</span></b></p>

</td>

</tr>

<tr>

<td width="136" valign="top" style="width:102.0pt;border:solid windowtext 1.0pt;

border-top:none;padding:0in 5.4pt 0in 5.4pt">

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Username</span></p>

</td>

<td width="153" valign="top" style="width:114.6pt;border-top:none;border-left:

none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;

padding:0in 5.4pt 0in 5.4pt">

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Your

userID e.g. jsmith</span></p>

</td>

</tr>

<tr>

<td width="136" valign="top" style="width:102.0pt;border:solid windowtext 1.0pt;

border-top:none;padding:0in 5.4pt 0in 5.4pt">

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Log on

to</span></p>

</td>

<td width="153" valign="top" style="width:114.6pt;border-top:none;border-left:

none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;

padding:0in 5.4pt 0in 5.4pt">

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Company Name</span></p>

</td>

</tr>

<tr>

<td width="136" valign="top" style="width:102.0pt;border:solid windowtext 1.0pt;

border-top:none;padding:0in 5.4pt 0in 5.4pt">

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Old

password</span></p>

</td>

<td width="153" valign="top" style="width:114.6pt;border-top:none;border-left:

none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;

padding:0in 5.4pt 0in 5.4pt">

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Your

OLD password</span></p>

</td>

</tr>

<tr>

<td width="136" valign="top" style="width:102.0pt;border:solid windowtext 1.0pt;

border-top:none;padding:0in 5.4pt 0in 5.4pt">

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">New

password</span></p>

</td>

<td width="153" valign="top" style="width:114.6pt;border-top:none;border-left:

none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;

padding:0in 5.4pt 0in 5.4pt">

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Your

NEW password</span></p>

</td>

</tr>

<tr>

<td width="136" valign="top" style="width:102.0pt;border:solid windowtext 1.0pt;

border-top:none;padding:0in 5.4pt 0in 5.4pt">

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Confirm

new password</span></p>

</td>

<td width="153" valign="top" style="width:114.6pt;border-top:none;border-left:

none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;

padding:0in 5.4pt 0in 5.4pt">

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Your

New Password</span></p>

</td>

</tr>

</tbody></table>

<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Click

OK </span></li>

</ol>

<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;

font-family:Verdana">Your new password is now set and will be valid for 90 days</span></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Verdana">Method

2 – Contact the Helpdesk</span></b></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">If you

require assistance in changing your password, please submit a help desk request

and we will be more than happy to help you out. </span></p>

<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Create

a helpdesk ticket </span></li>

<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Open

your web browser and type <a href="http://helpdesk.domain.com/">http://helpdesk.domain.com</a></span></li>

<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">Create

a new ticket and label it “I Need Help”</span></li>

<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">In the

Notes field, please provide a phone number and the best time to reach you</span></li>

</ol>

<li class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana">An IT associate will contact you to assist in changing your password</span></li>

</ol>

<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;

font-family:Verdana">NOTE: If you are unable to access helpdesk website,

please call 888-888-8888 or x8888</span></p>

</div>

</body></html>

As always – feel free to reach out to me if you have any questions or comments.

June 22, 2018 by Florian Rossmark recommendations scripts security server solutions

Join systems to a domain and create KeePass server entries for local admin’s

Please note – this script was updated – you find the updated post here.

One of the challenges in most daily IT operations is onboarding of workstations and servers (respective domain join). Over the years I came across and tried many ways to accomplish this. Today I wanted to share a script and solution others might find helpful, but first lets get down to some theory and background.

The goals and challenges:

simple domain join after a system was imaged
- this is in theory possible in a fully automated process via various imaging solutions – I found that WDS (Microsoft Windows Deployment Services are in most cases the easiest way to accomplish this while having the possibility to use this in consulting for various clients, in enterprise for various departments etc. Since Windows 10 came in to the equation some of the automation with WDS became more challenging – so keeping it simple with some additional manual labor is often the easiest way to accomplish this – to simplify the process a PowerShell script became a perfect solution).
systems should have a local admin account (not administrator / SID 500 / who should remain disabled) with an individual password
- typing this manual you always risk that the password is misspelled either in your password database or on the actual operating system
- if you think it is a good idea to have the same password on all your clients I actually suggest you do some security related research!

The PowerShell script below will do the following for you:

Ask for the name of the system (this will change the hostname/computername)
Ask for credentials for KeePass / Pleasant Password Server
Ask for credentials to join the system to the domain
Create a local admin user account on the system
Generate a password for this account
Check if there is an existing KeePass / Pleasant Password Server entry for this system
If not – it will proceed and create a entry with the machine name, username, password and various additional information like
1. manufacturer
2. model
3. serial number / service tag
4. UEFI BIOS Windows license key
5. MAC addresses of all network cards Windows knows about
And finally it will join the domain and put the system right away in to the defined OU

The whole script is only an example – you don’t have to use KeePass / Pleasant Password Server nor is the script perfect for any situation – you can take it and modify it as you need it – point it to various IT Asset databases or let you chose from predefined OUs etc. – adjust it as you needed – in general it is a very useful baseline and I wanted to share it.

One of the challenges is to execute the script as administrator (elevated rights) and as well bypass the script execution restrictions without compromising them in a default image, like disabling this important security feature on the image itself. To accomplish this, a simple CMD-Script actually will execute the PowerShell script. CMD-Script can right-clicked and executed as administrator and gain elevated rights. This is as of today not possible by default with PowerShell scripts (.ps1).

Create the following two files “Execute-DomainJoin.cmd” and “Execute-DomainJoin.ps1” and save them in the same directory or e.g. a portable flash drive. Adjust the PowerShell script so it connects to your domain and local systems.

powershell.exe -executionpolicy unrestricted -file "%~dp0\Execute-DomainJoin.ps1"
pause

1 2	powershell.exe -executionpolicy unrestricted -file "%~dp0\Execute-DomainJoin.ps1" pause

Please note – this script was updated – you find the updated post here.

$ScriptVersion = "1.0 - 6/15/2018 - Florian Rossmark
Clear-Host
Write-Host ""
Write-Host ""
Write-Host "Welcome to the Execute Domain-Join script"
Write-Host "========================================="
Write-Host ""
Write-Host ""
Write-Host "This script will do the following Steps:"
Write-Host "----------------------------------------"
Write-Host "- You enter the Computer Name / Host Name"
Write-Host "- You enter Domain Admin credentials for a Domain-Join"
Write-Host "- You enter credentials to access KeyPass Password server"
Write-Host ""
Write-Host ""
Write-Host "Note: always type credentials without any domain-information (MYDOMAIN\) - the script will fail otherwise."
Write-Host ""
Write-Host ""
Write-Host ""
Write-Host "- The script will automatically create a KeyPass entry with all information"
Write-Host "- The script will automatically create a specific local admin account for this machine"
Write-Host "- The script will automatically rename the system to the given name"
Write-Host "- The script will automatically join the system to the domain"
Write-Host ""
Write-Host ""
Write-Host "Script Version: $ScriptVersion"
Write-Host ""
Write-Host ""
pause

#Upper area holds functions..
Function MakeUp-String([Int]$Size = 8, [Char[]]$CharSets = "ULNS", [Char[]]$Exclude) {
$Chars = @(); $TokenSet = @()
If (!$TokenSets) {$Global:TokenSets = @{
U = [Char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ' #Upper case
L = [Char[]]'abcdefghijkmnpqrstuvwxyz' #Lower case
N = [Char[]]'23456789' #Numerals
S = [Char[]]'!@$!@$!@$!@$' #Symbols
}}
$CharSets | ForEach {
$Tokens = $TokenSets."$_" | ForEach {If ($Exclude -cNotContains $_) {$_}}
If ($Tokens) {
$TokensSet += $Tokens
If ($_ -cle [Char]"Z") {$Chars += $Tokens | Get-Random} #Character sets defined in upper case are mandatory
}
}
While ($Chars.Count -lt $Size) {$Chars += $TokensSet | Get-Random}
($Chars | Sort-Object {Get-Random}) -Join "" #Mix the (mandatory) characters and output string
};

#bypass/avoid certificate issues
Add-Type @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public class ServerCertificateValidationCallback
{
public static void Ignore()
{
ServicePointManager.ServerCertificateValidationCallback +=
delegate
(
Object obj,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors errors
)
{
return true;
};
}
}
"@
[ServerCertificateValidationCallback]::Ignore();

#Script starts here...
Clear-Host
Write-Host ""
Write-Host ""
Write-Host "This script must be executed in a PowerShell with elevated rights!"
Write-Host ""
Write-Host ""
Write-Host "Stop the script with: CTRL + C any time..."
Write-Host ""
Write-Host ""
pause
Clear-Host

$ComputerName = Read-Host "Please enter the new Computer Name"
$DomainJoinCredentials = Get-Credential -Message "Enter your credentials for the domain join"
$KeePassCredentials = Get-Credential -Message “Enter your credentials to access Keepass Server”
$localAdminUser = $("$ComputerName" + "_Admin")
$PW = MakeUp-String(12)
$PWencrypted = ConvertTo-SecureString $PW -AsPlainText -Force

Clear-Host
Write-Host ""
Write-Host ""
Write-Host "Checking KeePass to see if those credentials already exist"
Write-Host ""
Write-Host ""

#Collecting MACs
$colMACItems = get-wmiobject Win32_NetworkAdapter | Where-Object {$_.MACAddress -like "*:*"}
foreach ($objMACItem in $colMACItems) {
$MACobj = $objMACItem |select Description,MACAddress
$MACs += $MACobj.MACAddress + " - " + $MACobj.Description + "
"
}
#Collecting SN/ServiceTag and HW information
$SN = "ServiceTag / SN: "+(Get-WmiObject win32_bios | select SerialNumber).SerialNumber
$Model = "Model: "+(Get-WmiObject win32_computersystem | select Model).Model
$Manufacturer = "Manufacturer: "+(Get-WmiObject win32_computersystem | select Manufacturer).Manufacturer
$UEFIKey = wmic path softwarelicensingservice get OA3xOriginalProductKey
$KeepassURL = "https://passwordserver.mydomain.local:10001"
$PWFolder = "Local Admin Accounts"
$PWName = "Individual Admin Account on $ComputerName"
$PWUser = $localAdminUser
$PWPassword = $PW
$PWDescription = "Hardware information:
=====================
$Manufacturer
$Model
$SN

UEFI BIOS Windows Key:
======================
$UEFIKey

Known MAC Addresses:
====================
$MACs
(MACs might be subject to change with Docking-Stations)"

$tokenParams = @{
grant_type='password';
username=$KeePassCredentials.UserName;
password=$KeePassCredentials.GetNetworkCredential().password;}

$JSON = Invoke-WebRequest -Uri "$KeepassURL/OAuth2/Token" -Method POST -Body $tokenParams -ContentType "application/x-www-form-urlencoded"
$Token = (ConvertFrom-Json $JSON.Content).access_token

$headers = @{
"Accept" = "application/json"
"Authorization" = "$Token"}

$GroupSearch = @{“search” = $PWFolder}
$Group = Invoke-RestMethod -Method post -Uri "$KeepassURL/api/v4/rest/search"-body (ConvertTo-Json $GroupSearch) -Headers $headers -ContentType 'application/json'
$GroupID = $Group.Groups.Id

$SearchPhrase = $PWUser
$searchbody = @{“search” = $SearchPhrase}
$Search = Invoke-RestMethod -Method post -Uri "$KeepassURL/api/v4/rest/search"-body (ConvertTo-Json $searchbody) -Headers $headers -ContentType 'application/json'
$SearchID = $Search.Credentials.Id

$KeePassResultscnt = 0
ForEach($Result in $Search.credentials)
{
$CredentialID = $Result.id
If ($Result.GroupId -eq $GroupID)
{
$KeePassResultscnt += 1
}
}
If ($KeePassResultscnt -ge 1)
{
Write-Host "Total number of results found: $cnt"
Write-Host ""
Write-Host ""
Write-Host "ALERT - KeePass already has credentials for this system - can not proceed."
Write-Host "=========================================================================="
Write-Host ""
Write-Host "Search-Phrase: $SearchPhrase"
Write-Host "Search-Folder: $PWFolder"
Write-Host "Amount of results found: $KeePassResultscnt"
Write-Host ""
Write-Host ""
Write-Host ""
Write-Host "Next Steps:"
Write-Host "==========="
Write-Host "- This script will exit now!"
Write-Host "- No changes to the system of KeePass have been applied"
Write-Host "- Go to KeePass and check if this is an old entry and can be renamed/moved"
Write-Host "- Execute the script again"
Write-Host ""
Write-Host ""
pause
EXIT
} Else {
Write-Host ""
Write-Host ""
Write-Host "Writing new credentials to the KeePass server/database"
Write-Host ""
Write-Host ""
$PWEntryDT = Get-Date -Format "O"
$CredEntry = @{
Id = "00000000-0000-0000-0000-000000000000"
Name = "$PWName"
Username = "$PWUser"
Password = "$PWPassword"
Created = "$PWEntryDT"
Modified = "$PWEntryDT"
GroupId = "$GroupID"
Notes = "$PWDescription"
Url = "$ComputerName"
}
Invoke-RestMethod -Method post -Uri "$KeepassURL/api/v4/rest/credential/00000000-0000-0000-0000-000000000000"-body @(ConvertTo-Json $CredEntry) -Headers $headers -ContentType 'application/json'
Write-Host ""
Write-Host ""
Write-Host "Finished writing to KeePass server/database"
Write-Host ""
Write-Host ""
}
pause

Clear-Host
Write-Host ""
Write-Host ""
Write-Host "Please check the following information:"
Write-Host "======================================="
Write-Host ""
Write-Host "Computer Name: $ComputerName"
Write-Host "local Admin: $localAdminUser"
Write-Host "Admin-PW: $PW"
Write-Host ""
Write-Host ""
Write-Host "Make sure the information above are correct!"
Write-Host ""
Write-Host ""
Write-Host "Verify the local Admin and Admin-PW in KeePass!"
Write-Host ""
Write-Host ""
pause
Write-Host ""
Write-Host ""
Write-Host "All information are verified?"
Write-Host ""
Write-Host ""
pause

Clear-Host
Write-Host "Checking and removing (if exists) old local user: $localAdminUser"
Get-LocalUser -Name $localAdminUser | Remove-LocalUser
Clear-Host
Write-Host "Adding new local administrator account: $localAdminUser"
New-LocalUser -Name $localAdminUser -Password $PWencrypted -AccountNeverExpires -PasswordNeverExpires -Description "System specific local administrator account"
$NewUser = Get-LocalUser -Name $localAdminUser
$AdminGroup = Get-LocalGroup -Name "Administrators"
Add-LocalGroupMember -Name $AdminGroup -Member $NewUser

Write-Host ""
Write-Host ""
Write-Host "Finished."
Write-Host ""
Write-Host ""
pause

Write-Host ""
Write-Host ""
Write-Host "Joining this system to the domain and reboot automatically - stay put"
Write-Host ""
Write-Host ""
Write-Host "Note: The system will not reboot if an error occurs. Check the error message in case you see a error."
Write-Host ""
Write-Host ""

Add-Computer -Domain "mydomain.local" -Credential $DomainJoinCredentials -NewName $ComputerName -Restart -Force -OUPath "OU=Computers,OU=San Diego,OU=USA,DC=mydomain,DC=local"

Write-Host ""
Write-Host ""
Write-Host "Computer exists already:"
Write-Host " Check Domain - remove Computer if needed"
Write-Host " Reboot this system"
Write-Host " Rename this system manually after the reboot"
Write-Host ""
Write-Host "Credentials for Domain are wrong:"
Write-Host " Start the script over"
Write-Host ""
Write-Host ""
pause

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

$ScriptVersion = "1.0 - 6/15/2018 - Florian Rossmark

Clear-Host

Write-Host ""

Write-Host "Welcome to the Execute Domain-Join script"

Write-Host "========================================="

Write-Host ""

Write-Host "This script will do the following Steps:"

Write-Host "----------------------------------------"

Write-Host "- You enter the Computer Name / Host Name"

Write-Host "- You enter Domain Admin credentials for a Domain-Join"

Write-Host "- You enter credentials to access KeyPass Password server"

Write-Host ""

Write-Host "Note: always type credentials without any domain-information (MYDOMAIN\) - the script will fail otherwise."

Write-Host ""

Write-Host "- The script will automatically create a KeyPass entry with all information"

Write-Host "- The script will automatically create a specific local admin account for this machine"

Write-Host "- The script will automatically rename the system to the given name"

Write-Host "- The script will automatically join the system to the domain"

Write-Host ""

Write-Host "Script Version: $ScriptVersion"

Write-Host ""

pause

#Upper area holds functions..

Function MakeUp-String([Int]$Size = 8, [Char[]]$CharSets = "ULNS", [Char[]]$Exclude) {

$Chars = @(); $TokenSet = @()

If (!$TokenSets) {$Global:TokenSets = @{

U = [Char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ' #Upper case

L = [Char[]]'abcdefghijkmnpqrstuvwxyz' #Lower case

N = [Char[]]'23456789' #Numerals

S = [Char[]]'!@$!@$!@$!@$' #Symbols

}}

$CharSets | ForEach {

$Tokens = $TokenSets."$_" | ForEach {If ($Exclude -cNotContains $_) {$_}}

If ($Tokens) {

$TokensSet += $Tokens

If ($_ -cle [Char]"Z") {$Chars += $Tokens | Get-Random} #Character sets defined in upper case are mandatory

}

While ($Chars.Count -lt $Size) {$Chars += $TokensSet | Get-Random}

($Chars | Sort-Object {Get-Random}) -Join "" #Mix the (mandatory) characters and output string

};

#bypass/avoid certificate issues

Add-Type @"

using System;

using System.Net;

using System.Net.Security;

using System.Security.Cryptography.X509Certificates;

public class ServerCertificateValidationCallback

{

public static void Ignore()

{

ServicePointManager.ServerCertificateValidationCallback +=

delegate

(

Object obj,

X509Certificate certificate,

X509Chain chain,

SslPolicyErrors errors

)

{

return true;

};

}

[ServerCertificateValidationCallback]::Ignore();

#Script starts here...

Clear-Host

Write-Host ""

Write-Host "This script must be executed in a PowerShell with elevated rights!"

Write-Host ""

Write-Host "Stop the script with: CTRL + C any time..."

Write-Host ""

pause

Clear-Host

$ComputerName = Read-Host "Please enter the new Computer Name"

$DomainJoinCredentials = Get-Credential -Message "Enter your credentials for the domain join"

$KeePassCredentials = Get-Credential -Message “Enter your credentials to access Keepass Server”

$localAdminUser = $("$ComputerName" + "_Admin")

$PW = MakeUp-String(12)

$PWencrypted = ConvertTo-SecureString $PW -AsPlainText -Force

Clear-Host

Write-Host ""

Write-Host "Checking KeePass to see if those credentials already exist"

Write-Host ""

#Collecting MACs

$colMACItems = get-wmiobject Win32_NetworkAdapter | Where-Object {$_.MACAddress -like "*:*"}

foreach ($objMACItem in $colMACItems) {

$MACobj = $objMACItem |select Description,MACAddress

$MACs += $MACobj.MACAddress + " - " + $MACobj.Description + "

}

#Collecting SN/ServiceTag and HW information

$SN = "ServiceTag / SN: "+(Get-WmiObject win32_bios | select SerialNumber).SerialNumber

$Model = "Model: "+(Get-WmiObject win32_computersystem | select Model).Model

$Manufacturer = "Manufacturer: "+(Get-WmiObject win32_computersystem | select Manufacturer).Manufacturer

$UEFIKey = wmic path softwarelicensingservice get OA3xOriginalProductKey

$KeepassURL = "https://passwordserver.mydomain.local:10001"

$PWFolder = "Local Admin Accounts"

$PWName = "Individual Admin Account on $ComputerName"

$PWUser = $localAdminUser

$PWPassword = $PW

$PWDescription = "Hardware information:

=====================

$Manufacturer

$Model

$SN

UEFI BIOS Windows Key:

======================

$UEFIKey

Known MAC Addresses:

====================

$MACs

(MACs might be subject to change with Docking-Stations)"

$tokenParams = @{

grant_type='password';

username=$KeePassCredentials.UserName;

password=$KeePassCredentials.GetNetworkCredential().password;}

$JSON = Invoke-WebRequest -Uri "$KeepassURL/OAuth2/Token" -Method POST -Body $tokenParams -ContentType "application/x-www-form-urlencoded"

$Token = (ConvertFrom-Json $JSON.Content).access_token

$headers = @{

"Accept" = "application/json"

"Authorization" = "$Token"}

$GroupSearch = @{“search” = $PWFolder}

$Group = Invoke-RestMethod -Method post -Uri "$KeepassURL/api/v4/rest/search"-body (ConvertTo-Json $GroupSearch) -Headers $headers -ContentType 'application/json'

$GroupID = $Group.Groups.Id

$SearchPhrase = $PWUser

$searchbody = @{“search” = $SearchPhrase}

$Search = Invoke-RestMethod -Method post -Uri "$KeepassURL/api/v4/rest/search"-body (ConvertTo-Json $searchbody) -Headers $headers -ContentType 'application/json'

$SearchID = $Search.Credentials.Id

$KeePassResultscnt = 0

ForEach($Result in $Search.credentials)

{

$CredentialID = $Result.id

If ($Result.GroupId -eq $GroupID)

{

$KeePassResultscnt += 1

}

If ($KeePassResultscnt -ge 1)

{

Write-Host "Total number of results found: $cnt"

Write-Host ""

Write-Host "ALERT - KeePass already has credentials for this system - can not proceed."

Write-Host "=========================================================================="

Write-Host ""

Write-Host "Search-Phrase: $SearchPhrase"

Write-Host "Search-Folder: $PWFolder"

Write-Host "Amount of results found: $KeePassResultscnt"

Write-Host ""

Write-Host "Next Steps:"

Write-Host "==========="

Write-Host "- This script will exit now!"

Write-Host "- No changes to the system of KeePass have been applied"

Write-Host "- Go to KeePass and check if this is an old entry and can be renamed/moved"

Write-Host "- Execute the script again"

Write-Host ""

pause

EXIT

} Else {

Write-Host ""

Write-Host "Writing new credentials to the KeePass server/database"

Write-Host ""

$PWEntryDT = Get-Date -Format "O"

$CredEntry = @{

Id = "00000000-0000-0000-0000-000000000000"

Name = "$PWName"

Username = "$PWUser"

Password = "$PWPassword"

Created = "$PWEntryDT"

Modified = "$PWEntryDT"

GroupId = "$GroupID"

Notes = "$PWDescription"

Url = "$ComputerName"

}

Invoke-RestMethod -Method post -Uri "$KeepassURL/api/v4/rest/credential/00000000-0000-0000-0000-000000000000"-body @(ConvertTo-Json $CredEntry) -Headers $headers -ContentType 'application/json'

Write-Host ""

Write-Host "Finished writing to KeePass server/database"

Write-Host ""

}

pause

Clear-Host

Write-Host ""

Write-Host "Please check the following information:"

Write-Host "======================================="

Write-Host ""

Write-Host "Computer Name: $ComputerName"

Write-Host "local Admin: $localAdminUser"

Write-Host "Admin-PW: $PW"

Write-Host ""

Write-Host "Make sure the information above are correct!"

Write-Host ""

Write-Host "Verify the local Admin and Admin-PW in KeePass!"

Write-Host ""

pause

Write-Host ""

Write-Host "All information are verified?"

Write-Host ""

pause

Clear-Host

Write-Host "Checking and removing (if exists) old local user: $localAdminUser"

Get-LocalUser -Name $localAdminUser | Remove-LocalUser

Clear-Host

Write-Host "Adding new local administrator account: $localAdminUser"

New-LocalUser -Name $localAdminUser -Password $PWencrypted -AccountNeverExpires -PasswordNeverExpires -Description "System specific local administrator account"

$NewUser = Get-LocalUser -Name $localAdminUser

$AdminGroup = Get-LocalGroup -Name "Administrators"

Add-LocalGroupMember -Name $AdminGroup -Member $NewUser

Write-Host ""

Write-Host "Finished."

Write-Host ""

pause

Write-Host ""

Write-Host "Joining this system to the domain and reboot automatically - stay put"

Write-Host ""

Write-Host "Note: The system will not reboot if an error occurs. Check the error message in case you see a error."

Write-Host ""

Add-Computer -Domain "mydomain.local" -Credential $DomainJoinCredentials -NewName $ComputerName -Restart -Force -OUPath "OU=Computers,OU=San Diego,OU=USA,DC=mydomain,DC=local"

Write-Host ""

Write-Host "Computer exists already:"

Write-Host " Check Domain - remove Computer if needed"

Write-Host " Reboot this system"

Write-Host " Rename this system manually after the reboot"

Write-Host ""

Write-Host "Credentials for Domain are wrong:"

Write-Host " Start the script over"

Write-Host ""

pause

Explaining, adjusting and guiding your through the PowerShell script

It is important that you understand the script so you can make adjustments to it. I will try to explain everything that is important and reference some line-numbers while doing so.

Lines 1-30 are just a general introduction and show some generic information
Lines 31-76 hold some functions to generate a password, to bypass some certificate issues etc
1. Lines 35-38 are worth taking a look at, here are all the characters of the four categories that will be used to generate a password. Excluded are already usually hard to read characters in some fonts and other characters that might cause issues – of course, adjust especially line 38 to your preferences and add more symbols or remove what you don’t want to use
Lines 77-89 are just informational
Lines 90-96 expect some user-input
1. new computername
2. get credentials for the domain join (admin)
  1. the script will not validate the credentials, in theory this could be done but I never found it that important
3. get credentials to read/write on the password database server (often not the actual admin-credentials, therefor I separated those two)
  1. the script will not validate the credentials, in theory this could be done but I never found it that important
4. the local admin username that will be created
  1. $localAdminUser = $(“$ComputerName” + “_Admin”)
  2. the above line will create a hostname_admin account – you can adjust this to your preferences
5. 94-95 will generate a password and encrypt it so it can be used to create the local account
Lines 97-103 are just informational
Lines 104-216 – this is actually the whole password server communication and entry check and generation
1. 104-115 those lines gather various information from your current system like serial number, UEFI Windows keys, etc. – you can keep em as is
2. 116 – please enter the URL to your password server here
3. 117 – here your need to enter the folder where the generated credentials are going to be put in on your password server
4. 118 – this is the subject of the entry that will be generated – adjust this to your preferences
5. 119-120 – those are username/password for the entry – you should leave this as is
6. 121-134 – those lines are the details in your password server entry – adjust them to your likes
7. 135-165 – this actually will execute the following on the REST API on your password server
  1. connect to it
  2. check if a entry with the same username already exists
8. 166-189 – this will raise an alert that this user already exists on your password server – 189 will actually exit the whole script
9. 190-216 – this block will write to the password server – cause it did not find an entry with the new username
Lines 217-241 this shows the new created username and password – it actually suggests you compare the entries on your password server to the information shown to make sure everything is correct
Lines 242-251 will create the new local admin account on the system and set the password
Lines 252-267 are informational
Line 268 will execute the actual domain join
1. please adjust the -Domain and the -OUPath parameter to your specific needs
2. note that the command will automatically restart the system
Lines 269-282 Those lines are informational – actually – if anything would go wrong those lines would be shown and help to take further steps after the failed domain join – in most cases those suggestions will help – in the end the error output shown by the command for the domain join (line 268) would indicate what went wrong. The restart of the system actually would bypass this message in the end (more or less)

If you have any questions, feel free to reach out to me. The script could be cleaned up more – but I wanted to provide a working version of it – so I just did a quick clean up or some special stuff and posted it here. Personally I like things a bit more structured, but as said – this is just a general example.

Please note – this script was updated – you find the updated post here.

This script is also mentioned on the API Examples page on the Pleasant Solutions web site here.

June 15, 2018 by Florian Rossmark configuration recommendations scripts security server solutions windows

security

Bypassing Windows 10 UAC for Unknown Publishers

Monitor group memberships in Active Directory with PRTG

Auditing network users against HR lists etc.

Structured groups and rights

Monitoring Active Directory activity

Auditing your user base against HR (Human Resources) data

Don’t forget your ERP systems and systems with Active Directory independent user bases

Office 365

PRTG and Cisco ASA VPN monitoring

Amount of locked out accounts

Search the Windows Security Eventlog for a string / text

Active Directory password reset events and group change events

Find user account lockout events

APC network cards – fix logon issues

Monitor multiple website certificates with a single PRTG sensor

Microsoft RADIUS / NPS SQL logging

Enable SMBv1 on Windows 10 per GPO

Monitor user accounts in Active Directory with PRTG

Password expiration notifications for end users

Join systems to a domain and create KeePass server entries for local admin’s

Recent blog posts

Blog Archives

security

Structured groups and rights

Monitoring Active Directory activity

Auditing your user base against HR (Human Resources) data

Don’t forget your ERP systems and systems with Active Directory independent user bases

Office 365

Recent blog posts

Blog Archives

Tags