
ActiveDirectory/LDAP result limits – MaxPageSize


Active Directory's LDAP service enforces a result limit, MaxPageSize, which is part of the LDAP policy (the lDAPAdminLimits of the query policy) that applies to the domain controllers. By default it is 1000 objects per query, or per page of a paged search.

This matters mainly when you query LDAP from code: whatever language you use, the client has to compensate for the limit by using paged searches (the LDAP simple paged results control).

The query itself does not carry the limit; the server simply never returns more than MaxPageSize entries in one response, so the code has to keep requesting the next page until the server signals that there are no more.

You can check the current values with ntdsutil from a command prompt (cmd window) on a domain controller: open the LDAP policies context, connect to a server and run show values.

In theory you could raise these values, assuming you have the permissions to do so, but this is not recommended: use paging instead. Higher limits let a single unpaged query pull large result sets from a DC, so even if your own commands never cause a problem, a DoS, malicious or accidental, becomes easier. Leave the limits as they are, but be aware of them.
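An added example, not from the original post, that first reads the effective LDAP policy limits (MaxPageSize among them) from the default query policy in the configuration partition and then runs a search that pages at 500 entries, so it never hits the limit. It assumes a domain-joined Windows machine and a domain user; the server name DC01 and the search filter are placeholders.

```powershell
# Added example, not the original post's commands. Placeholders: DC01, the search filter.
# Equivalent check from cmd.exe on a domain controller:
#   ntdsutil "LDAP policies" connections "connect to server DC01" q "show values" q q

function Get-LdapPolicyLimits {
    # The limits are stored as multi-valued strings such as "MaxPageSize=1000" in the
    # lDAPAdminLimits attribute of the default query policy object.
    $cfgNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $policy = [ADSI]"LDAP://CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $limits = @{}
    foreach ($v in $policy.lDAPAdminLimits) {
        $name, $value = $v -split '=', 2
        $limits[$name] = [int]$value
    }
    $limits
}

function Search-LdapPaged {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$BaseDn,
        [string]$Filter = '(objectClass=user)',
        [string[]]$Attributes = @('sAMAccountName'),
        [int]$PageSize = 500   # keep this <= MaxPageSize; the DC caps each page at MaxPageSize anyway
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # binds with the current Windows credentials (Negotiate)

    $scope   = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $Filter, $scope, $Attributes)
    $pageControl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
    [void]$request.Controls.Add($pageControl)

    $pages = 0
    do {
        # Without the paging control, a search larger than MaxPageSize stops after MaxPageSize
        # entries with sizeLimitExceeded (LDAP result code 4), which this library raises as a
        # DirectoryOperationException. With the control, each round trip returns one page.
        $response = $conn.SendRequest($request)
        $pages++
        foreach ($entry in $response.Entries) {
            $sam = $entry.Attributes['sAMAccountName']
            [pscustomobject]@{
                DistinguishedName = $entry.DistinguishedName
                sAMAccountName    = if ($sam) { $sam.GetValues([string])[0] } else { $null }
            }
        }
        # The server returns a cookie with every page; an empty cookie means this was the last page.
        $pageResponse = $response.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        $pageControl.Cookie = $pageResponse.Cookie
    } while ($pageControl.Cookie.Length -gt 0)
    Write-Verbose "Retrieved the result set in $pages page(s) of up to $PageSize entries"
    $conn.Dispose()
}

# Usage (placeholders: DC01). The page size is clamped to the policy value read from the DC.
$limits = Get-LdapPolicyLimits
"MaxPageSize is $($limits['MaxPageSize'])"
$baseDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
Search-LdapPaged -Server 'DC01' -BaseDn $baseDn -PageSize ([Math]::Min(500, $limits['MaxPageSize'])) -Verbose |
    Measure-Object | Select-Object -ExpandProperty Count
```

The explicit cookie loop is what every LDAP client ends up doing; the higher-level wrappers hide it (System.DirectoryServices.DirectorySearcher pages transparently once PageSize is set, and the ActiveDirectory module cmdlets expose the same knob as -ResultPageSize), but if a wrapper is used with paging left off, the symptom is exactly the 1000-entry cut-off described above.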

 

Join systems to a domain and create KeePass server entries for local admin’s


Please note – this script was updated – you find the updated post here.

One of the recurring challenges in daily IT operations is the onboarding (domain join) of workstations and servers. Over the years I came across and tried many ways to accomplish this. Today I want to share a script and solution others might find helpful, but first some theory and background.

The goals and challenges:

  • a simple domain join after a system has been imaged
    • in theory this can be fully automated by various imaging solutions. I found WDS (Microsoft Windows Deployment Services) the easiest way in most cases, because the same setup can be reused for various consulting clients or, in an enterprise, for various departments. Since Windows 10 entered the picture, some of the WDS automation became more challenging, so keeping it simple with a little manual labor is often the easiest approach, and a PowerShell script turned out to be the perfect fit.
  • systems should have a local admin account with an individual password (not the built-in Administrator, SID 500, which should remain disabled)
    • typing that password manually, you always risk a misspelling, either in your password database or on the actual operating system
    • if you think it is a good idea to use the same local admin password on all your clients, do some security research first: one compromised machine then gives an attacker, via the reused password or its hash, local admin on every other machine

The PowerShell script below will do the following for you:

  1. Ask for the name of the system (this becomes the hostname/computer name)
  2. Ask for credentials for the KeePass-compatible Pleasant Password Server
  3. Ask for credentials to join the system to the domain
  4. Create a local admin user account on the system
  5. Generate a password for this account
  6. Check whether an entry for this system already exists on the Pleasant Password Server
  7. If not, create an entry with the machine name, username, password and additional information such as
    1. manufacturer
    2. model
    3. serial number / service tag
    4. the Windows license key embedded in the UEFI firmware
    5. MAC addresses of all network cards Windows knows about
  8. Finally, join the domain and place the computer object directly in the defined OU

The whole script is only an example: you do not have to use KeePass/Pleasant Password Server, and the script is not perfect for every situation. Take it and modify it as you need, point it at your IT asset database or let the user choose from predefined OUs. In general it is a useful baseline, and that is why I wanted to share it.

One challenge is to execute the script with elevated rights (as administrator) and at the same time get past the script execution policy without weakening it in the default image, i.e. without disabling this security feature on the image itself. To accomplish this, a simple CMD script launches the PowerShell script with a per-process execution policy, which leaves the machine-wide setting untouched. A CMD script can be right-clicked and run as administrator, which gives it elevated rights; by default this is still not possible for PowerShell scripts (.ps1) from the context menu.

Create the following two files, "Execute-DomainJoin.cmd" and "Execute-DomainJoin.ps1", and save them in the same directory, e.g. on a portable flash drive. Adjust the PowerShell script so it connects to your domain and your password server.


Explaining, adjusting and guiding you through the PowerShell script

It is important that you understand the script so you can make adjustments to it. I will try to explain everything that is important and reference some line-numbers while doing so.

  1. Lines 1-30 are a general introduction and show some generic information
  2. Lines 31-76 hold functions to generate a password, to work around certificate issues etc.
    1. Lines 35-38 are worth a look: they list all the characters of the four categories used to generate a password. Characters that are hard to read in some fonts and characters that might cause issues elsewhere are excluded. Adjust line 38 in particular to your preferences and add or remove symbols as you like
  3. Lines 77-89 are informational
  4. Lines 90-96 expect user input:
    1. the new computer name
    2. credentials for the domain join (an admin account)
      1. the script does not validate these credentials; in theory it could, but I never found that important
    3. credentials to read/write on the password database server (often not the admin credentials, which is why I separated the two)
      1. the script does not validate these credentials either
    4. the local admin username that will be created
      1. $localAdminUser = $("$ComputerName" + "_Admin")
      2. the line above creates a hostname_Admin account; adjust this to your preferences
    5. lines 94-95 generate a password and convert it to a secure string so it can be used to create the local account
  5. Lines 97-103 are informational
  6. Lines 104-216 are the whole password server communication: entry check and entry creation
    1. 104-115 gather information from the current system, such as serial number, UEFI Windows key etc.; you can keep them as they are
    2. 116: enter the URL of your password server here
    3. 117: enter the folder on your password server where the generated credentials will be stored
    4. 118: the subject of the entry that will be generated; adjust to your preferences
    5. 119-120: username and password of the entry; leave these as they are
    6. 121-134: the detail fields of the password server entry; adjust them as you like
    7. 135-165: the REST API calls against your password server
      1. connect to it
      2. check whether an entry with the same username already exists
    8. 166-189: raise an alert that this user already exists on your password server; line 189 exits the whole script
    9. 190-216: write the new entry to the password server, because no entry with the new username was found
  7. Lines 217-241 show the newly created username and password and suggest that you compare them with the entry on your password server to make sure everything is correct
  8. Lines 242-251 create the new local admin account on the system and set its password
  9. Lines 252-267 are informational
  10. Line 268 executes the actual domain join
    1. adjust the -Domain and -OUPath parameters to your needs
    2. note that the command automatically restarts the system
  11. Lines 269-282 are informational: if anything goes wrong, these lines are shown and help with the next steps after a failed domain join. In most cases the suggestions help; in the end the error output of the domain join command (line 268) indicates what went wrong. Note that the automatic restart more or less hides this message
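The steps listed under "The PowerShell script below will do the following for you" and the line-by-line walkthrough above describe the same procedure, so here is one added example that implements it end to end. It is not the original Execute-DomainJoin.ps1 (the line numbers in the walkthrough refer to that script, not to this one). Everything about the password server is a placeholder: the URL, the folder, the Basic-auth scheme and the /api/entries endpoint paths are assumptions, not a documented API, and must be replaced by your server's real API. The domain name and OU path are placeholders as well. The launcher .cmd it expects is shown in the leading comment.

```powershell
# Added example, NOT the original Execute-DomainJoin.ps1. Assumed launcher Execute-DomainJoin.cmd,
# started via right-click "Run as administrator":
#   @echo off
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0Execute-DomainJoin.ps1"
# -ExecutionPolicy Bypass applies to this powershell.exe process only; the machine policy is untouched.
#Requires -RunAsAdministrator
param(
    [string]$DomainName        = 'corp.example.local',                           # assumption
    [string]$OUPath            = 'OU=Workstations,DC=corp,DC=example,DC=local',  # assumption
    [string]$PasswordServerUrl = 'https://passwords.example.local',              # assumption
    [string]$PasswordFolder    = 'Workstations'                                  # assumption
)

function New-RandomPassword {
    param([int]$Length = 20)
    # Four classes; easily confused glyphs (0/O, 1/l/I) are left out, as in the original script.
    $classes = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#$%&*+-=?@_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()   # CSPRNG, not Get-Random
    function Get-RandomIndex([int]$Max) {
        $b = New-Object byte[] 4
        $rng.GetBytes($b)
        [int]([BitConverter]::ToUInt32($b, 0) % [uint32]$Max)   # modulo bias is negligible with 32-bit draws
    }
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($set in $classes) { $chars.Add($set[(Get-RandomIndex $set.Length)]) }   # one from each class
    $all = -join $classes
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-RandomIndex $all.Length)]) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {   # Fisher-Yates shuffle so the class order is not fixed
        $j = Get-RandomIndex ($i + 1)
        $t = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $t
    }
    -join $chars
}

# Steps 1-3 and 5: user input and password generation
$ComputerName = Read-Host 'New computer name'
if ($ComputerName.Length -gt 15) { throw "Computer names are limited to 15 characters: $ComputerName" }
$localAdminUser = "${ComputerName}_Admin"
if ($localAdminUser.Length -gt 20) { throw "Local account names are limited to 20 characters: $localAdminUser" }
$pwServerCred   = Get-Credential -Message 'Password server account (read/write)'
$domainCred     = Get-Credential -Message "Account allowed to join $DomainName"
$plainPassword  = New-RandomPassword
$securePassword = ConvertTo-SecureString $plainPassword -AsPlainText -Force

# Inventory data for the password-server entry (steps 7.1-7.5)
$bios  = Get-CimInstance Win32_BIOS
$cs    = Get-CimInstance Win32_ComputerSystem
$entry = @{
    Folder       = $PasswordFolder
    Name         = $ComputerName
    Username     = $localAdminUser
    Password     = $plainPassword
    Manufacturer = $cs.Manufacturer
    Model        = $cs.Model
    SerialNumber = $bios.SerialNumber                                                  # service tag on Dell
    WindowsKey   = (Get-CimInstance SoftwareLicensingService).OA3xOriginalProductKey  # OEM key from UEFI
    MacAddresses = (Get-CimInstance Win32_NetworkAdapter | Where-Object MACAddress).MACAddress -join ', '
}

# Steps 6-7: password-server REST calls. Auth scheme and endpoint paths are ASSUMED placeholders.
$basic    = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(
                "$($pwServerCred.UserName):$($pwServerCred.GetNetworkCredential().Password)"))
$headers  = @{ Authorization = "Basic $basic" }
$existing = Invoke-RestMethod -Headers $headers `
    -Uri "$PasswordServerUrl/api/entries?username=$([uri]::EscapeDataString($localAdminUser))"
if ($existing) {
    Write-Warning "An entry for $localAdminUser already exists on the password server; aborting before any local change."
    exit 1
}
Invoke-RestMethod -Uri "$PasswordServerUrl/api/entries" -Method Post -Headers $headers `
    -ContentType 'application/json' -Body ($entry | ConvertTo-Json) | Out-Null

# Step 4: create the local admin. S-1-5-32-544 is the built-in Administrators group in every language.
New-LocalUser -Name $localAdminUser -Password $securePassword -PasswordNeverExpires -AccountNeverExpires `
    -Description 'Local admin; password stored on the password server' | Out-Null
Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $localAdminUser

Write-Host "Local admin '$localAdminUser' created. Compare with the password-server entry before continuing."
Write-Host "Password: $plainPassword"
Remove-Variable plainPassword
Read-Host 'Press Enter to rename the system, join the domain and restart' | Out-Null

# Step 8: rename and join in one step. -Restart reboots immediately, so read any error before it does.
Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $domainCred `
    -NewName $ComputerName -Restart -Force
```

Two details differ from the walkthrough on purpose. The password-server check runs before the local account is touched, so an "entry already exists" abort leaves the machine unchanged, and the rename is folded into Add-Computer -NewName, which avoids the extra reboot a separate Rename-Computer would need. The length checks exist because a 15-character hostname plus "_Admin" is 21 characters, one more than a local account name may have.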

If you have any questions, feel free to reach out to me. The script could be cleaned up more, but I wanted to provide a working version, so I only did a quick clean-up of some special parts before posting it. Personally I like things a bit more structured, but as said, this is just a general example.


This script is also mentioned on the API Examples page on the Pleasant Solutions web site here.

Auto-Cycle through URLs


Our challenge was to cycle through several Paessler PRTG maps (www.paessler.com) on a TV in the IT room; a single static map was not what we wanted. This was originally posted by me here: https://kb.paessler.com/en/topic/79668-prtg-maps-auto-cycle

To accomplish this, we created a simple HTML file with some JavaScript that runs through a list of URLs you can easily specify. Each URL has its own timeout value. There is also a company logo that is displayed while a map is loading; it then fades out and reveals the map.

The HTML code including the JavaScript is below – here are some things I wanted to explain and share about it.

Line 6, to the end of that line: src="bgpicture.png". This can be replaced by any other file name; simply use a logo here that you want to see while the map loads, as it will fade out.

Lines 11 to 21 hold the URLs in var Source=[]. Add one line per URL you want to cycle through, each in the format below. Please MAKE SURE that the last URL entry is not followed by a comma ","; otherwise the script might fail to cycle.

Entry format:

  • 'URL',timeout,showBGfading,'title'
  • URL in quotes
  • timeout in seconds
  • show the background picture/logo fading out: 0 (do not show) or 1 (show and fade)
  • title/description in quotes

Example: 'https://prtg.company.local/public/mapshow.htm?id=1111&mapid=ABCDEFGH-1234-ABCD-1234-123456789000',60,1,'Network Map',

This means:

  • URL = https://prtg.company.local/public/mapshow.htm?id=1111&mapid=ABCDEFGH-1234-ABCD-1234-123456789000
  • timeout = 60 seconds
  • bgpicture = 1: start with the background picture from the HTML code and let it fade out (which fades the map in)
  • title/description = Network Map

We simply load the HTML file in the browser and display it full screen, avoiding any browser title bar etc.

Features:

  • a timeout counter in the upper right shows how much longer the current view stays on screen
  • a title/description in the upper left is shown while the element loads and slowly fades out (slower than the bgpicture); you can use any text there, per URL
  • the bgpicture element, fading out, may or may not be shown depending on your URL configuration; we found it worked nicely because we did not want to see a "...load map data..." message and wanted a smooth transition between the maps
  • we set timeouts per map of around 60 seconds, so we a) cycle quickly enough and b) have enough time to look at the data shown
  • the LEFT and RIGHT arrow keys jump to the previous or next URL while the HTML file is running (if randomization is off)
  • the UP/DOWN arrow keys show or hide a menu of all available links, so you can click a specific item in the list and show it directly; the list is always generated on the fly, which prepares for future additions such as highlighting the current position
  • a PAUSE feature: press P to stop the cycle at any time
  • randomization: when enabled, the URLs are visited in random order; when disabled, the script cycles through the URLs in the defined order
    • var bolRandomize=true;

For fun, or how to add a few Easter eggs:

  • you can also display any file (we use MP4 and GIFs). Our URL list is rather long and mostly cycles through the same maps, but every now and then it briefly shows a little IT joke in between. Whether that fits depends on your company, but I wanted to mention that we like to do this for a short 5-second period.

Updated December 2018: This is version 2.0 of the script. Updates are some minor bug fixes and mainly the ability to scroll forward and backward through the URLs with the left and right arrow keys on your keyboard. Additionally, the up/down keys show or hide a complete menu of all links that are cycled through, which then allows you to click a specific link to show its content.

Updated April 2019: Version 3.0 of the script now has a PAUSE feature and a randomization feature that you can enable or disable.

Notes as of May 2022: I did not change the script, but wanted to make you aware that you might run into issues with pages that send X-Frame-Options: SAMEORIGIN (or DENY, or a Content-Security-Policy frame-ancestors directive), because the browser then refuses to load them in the iframe. You can investigate this with your browser's developer tools (F12); the console shows the "refused to display" errors. Ultimately it boils down to some pages (e.g., https://www.google.com) not loading because they do not allow themselves to be embedded. Check whether the page offers special embeddable links/URLs, or try a proxy script that feeds the page to the iframe (keeping in mind that a proxy then serves third-party content under your own origin). At this point I cannot offer a good working solution; the script was designed to load Paessler PRTG maps, and that still works fine. Using the script beyond that purpose may or may not work, depending on the target page's settings and configuration.
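Rather than discovering the framing problem on the TV, you can check the headers of every URL in your list up front. The following is an added example, not part of the cycling script and not a replacement for it: it fetches each URL and reports X-Frame-Options and any Content-Security-Policy frame-ancestors directive, which are the two headers that decide whether a page may be embedded (frame-ancestors wins when both are present). The URLs in the usage call are placeholders, and the function only reads headers; it cannot detect JavaScript frame-busting inside the page.

```powershell
# Added example; the URLs below are placeholders taken from the entry-format example above.
function Test-FrameEmbeddable {
    param([Parameter(Mandatory)][string[]]$Url)
    foreach ($u in $Url) {
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Url = $u; XFrameOptions = $null; FrameAncestors = $null
                               Verdict = "request failed: $($_.Exception.Message)" }
            continue
        }
        # Header values are a string in Windows PowerShell and a string[] in PowerShell 7; -join covers both.
        $xfo = ($r.Headers['X-Frame-Options'] -join ' ').Trim()
        $csp = ($r.Headers['Content-Security-Policy'] -join ' ')
        $fa  = if ($csp -match '(?i)frame-ancestors\s+([^;]+)') { $Matches[1].Trim() } else { $null }
        # CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
        $verdict = if ($fa) {
            if ($fa -match '^''none''$') { 'blocked (frame-ancestors none)' }
            else { "only from: $fa" }
        } elseif ($xfo -match '^(?i)DENY$') { 'blocked (X-Frame-Options DENY)' }
        elseif ($xfo -match '^(?i)SAMEORIGIN$') { 'same origin only' }
        elseif ($xfo) { "unusual X-Frame-Options value: $xfo" }
        else { 'embeddable (no framing restriction in headers)' }
        [pscustomobject]@{ Url = $u; XFrameOptions = $xfo; FrameAncestors = $fa; Verdict = $verdict }
    }
}

# Usage with placeholder URLs
Test-FrameEmbeddable -Url 'https://prtg.company.local/public/mapshow.htm?id=1111&mapid=ABCDEFGH-1234-ABCD-1234-123456789000',
                          'https://www.google.com' | Format-Table -AutoSize
```

"same origin only" is the verdict to watch for: it means the cycling HTML page itself must be served from the same scheme, host and port as the target, and a file opened from disk (file://) never qualifies, so such a URL will not load in the iframe no matter how the entry is configured.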