Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
The Something Awful Forums > Discussion > Serious Hardware/Software Crap > Working in IT 3.0: xp_cmdshell
«2906 »
 
  • Post
  • Reply
Bunni-kat
May 25, 2010

Service Desk B-b-bunny...
How can-ca-caaaaan I
help-p-p-p you?
So I've been looking at dynamic distribution lists, and it seems god-damned awesome. But I'm sure you all knew that. Now, from what I'm seeing there's no way to convert a static list to dynamic, I have to make a new one? Also, some people in a department are on certain lists while others are not. I saw you can use custom attributes for the filter, but what happens when someone is on 14 mailing lists? Coordinating the attributes seems really annoying in cases like that, am I misunderstanding it somehow?

* # ? Sep 15, 2017 04:02
  • Quote
Adbot
ADBOT LOVES YOU

# ? Jun 1, 2024 00:00
  • Quote
jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


 And we’re back to normal

* # ? Sep 15, 2017 04:46
  • Quote
SeaborneClink
Aug 27, 2010

MAWP... MAWP!

Avenging_Mikon posted:

So I've been looking at dynamic distribution lists, and it seems god-damned awesome. But I'm sure you all knew that. Now, from what I'm seeing there's no way to convert a static list to dynamic, I have to make a new one? Also, some people in a department are on certain lists while others are not. I saw you can use custom attributes for the filter, but what happens when someone is on 14 mailing lists? Coordinating the attributes seems really annoying in cases like that, am I misunderstanding it somehow?

You stop fulfilling quests to make DL-All-Accounting_except-Jill, DL-All-Accounting_except-Peter.

use -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (memberOfgroup -eq 'CN=Accounts_Receivable,OU=Security Groups,OU=xxxxxx,DC=xxxxxxx,DC=xxxxxx,DC=com'))}

Edit: Use statefully named Mail Enabled Security Groups

The real answer is you get out of the mail game all together.

SeaborneClink fucked around with this message at 05:45 on Sep 15, 2017

* # ? Sep 15, 2017 05:42
  • Quote
Sefal
Nov 8, 2011
Fun Shoe
My boss found out I had snuck in some AD clean up scripts that i had running on a weekly schedule, 6ish months ago. While not having encountered a single problem during the last 6 months. He now wants the scripts disabled and retooled so that he has to run it manually and he himself has to insert a username that goes through the cleanup. I tried telling him that he gets and has been getting a weekly e-mail with a list of users that have been disabled and deleted. He's not listening. i'm not a big fan of turning what has been a proven working automated solution back into a manual process.
Or does he make some sense that i'm not seeing?
I took out the company info but these are the scripts


code:
=========
#
#This script will check which Active Directory accounts have been disabled for more than 90 days 
#and will delete the homedirectory, e-mail and the Account itself."

add-pssnapin Microsoft.Exchange.Management.PowerShell.E2010
 
Add-PSSnapin Quest.ActiveRoles.ADManagement 
 
$Today = get-date
$OU = "company.com/Accounts/Disabled Accounts" #company DC OU Location
$Path = "E:\Scripts\Log\InactiveUserAccounts.csv"
 
$users = Get-QADUser  -InactiveFor 90 -Disabled -SizeLimit 0 -searchroot $OU |  
where {$_.WhenChanged.Adddays(90) -lt $Today } 
 
ForEach ($user in $users) 
{
 
Write-host -ForegroundColor green "the following user's homedirectory will be deleted" 
write-host -foregroundcolor red $user.homedirectory
          
            remove-item $user.Homedirectory -Recurse -Force 
Write-Host -foregroundcolor green "The user's homedirectory has been deleted"
 
Write-Host -foregroundcolor green "the following active directory account wil be deleted"
Write-Host -foregroundcolor red $user.SamAccountName
 
            Remove-QADObject -identity $user.SamAccountName -force -DeleteTree
Write-Host -foregroundcolor green "The user's  Active Directory Account has been deleted" 
 
      
             
           
 }
 
Get-QADUser -searchroot $OU | Set-QADUser -ObjectAttributes @{extensionAttribute1=$null} 
 $users | Select-Object DisplayName, email, homedirectory | Export-csv -path $Path -Delimiter ";" -NoTypeInformation
 
Write-Host -foregroundcolor yellow  " A list of the deleted accounts, homedirectory and e-mail will be sent via e-mail"
 
 
$SmtpServer = "mail.company.com" # smtp adress of company email
$From = " Company Domain Controller <noreply-dc.company.coml>" #no reply adress of company dc
$To = ""; #shared email box of company for the it department 
$Subject = "Lijst van verwijderde AD gebruikers "
$Body ="Bijgesloten de lijst met verwijderde Active Directory User Accounts, Homedirectory's en e-mails."
 
Send-mailmessage -from $From -to $To -subject $Subject -body $Body -Attachments $path -smtpServer $SmtpServer
Write-host -ForegroundColor Yellow "All accounts in Disabled Accounts OU will be hidden from the address list"
Get-Mailbox -OrganizationalUnit "Disabled Accounts" | Set-Mailbox -HiddenFromAddressListsEnabled $TRUE
And

code:
 
# Dit script wordt gebruikt om automatisch accounts die expired zijn te disablen en in de disabled ou te plaatsen. 
 
Add-PSSnapin Quest.ActiveRoles.ADManagement 
 
$OU = "company.com/Accounts/"
$OU2= "company.com/Accounts/childou1"
$OU3= "company.com/Accounts/childou2/grandchild1"
$path = "e:\scripts\log\test.csv"
$doelou = "company.com/accounts/disabled accounts"
 
# met de volgende commando creeer je een lijst met accounts die zijn expired. 
 
$users = get-qaduser -SearchRoot $ou, $ou2, $ou3 -SizeLimit 0 -IncludedProperties 'accountExpires' | where-object -filterScript {($_.accountExpires -gt [System.DateTime]"1/1/1970") -and ($_.accountExpires -lt (get-date).adddays(-30))} 
 
$Dusers =  get-qaduser -SearchRoot $OU, $OU2, $OU3 -disabled
 
# met "for each" wordt elke account die aan de  criteria van $users voldoet, disabled en verplaats naar de OU "disabled accounts
 foreach ($user in $users)
{
Write-host -ForegroundColor green "the following user will be disabled" 
write-host -foregroundcolor red $user.name
       
       $User.MemberOf | Remove-QADGroupMember -Member $User -Confirm:$false 
       
       Disable-qaduser $user 
 
       Write-host -ForegroundColor green "the following user will be moved to the disabled ou" 
       write-host -foregroundcolor red $user.name
       Move-QADObject $user -newparentcontainer $doelou 
 
 
 
  }
 
 
 
  #Hier verplaatsen we alle disabled users in de OU die in de eerste regels zijn gespecificeerd naar de disabled ou.
  foreach ($user in $dusers)
    {
 
    $User.MemberOf | Remove-QADGroupMember -Member $User -Confirm:$false 
    Write-host -ForegroundColor green "the following user who was disabled will be moved to the disabled ou" 
       write-host -foregroundcolor red $user.name
       Move-QADObject $user -newparentcontainer $doelou 
 
 
 
 
         }
 
$users | Select-object  displayname, accountexpires, samaccountname, lastlogon    | Export-Csv -Path $path -Delimiter ";" -NoTypeInformation

$SmtpServer = "mail.company.com" # smtp adress of company email
$From = " Company Domain Controller <noreply-dc.company.coml>" #no reply adress of company dc
$To = ""; #shared email box of company for the it department 
$Subject = "Lijst van disabled gebruikers "
$Body ="Bijgesloten de lijst met disabled Active Directory User Accounts"
Send-mailmessage -from $From -to $To -subject $Subject -body $Body -Attachments $path -smtpServer $SmtpServer

Sefal fucked around with this message at 12:05 on Sep 15, 2017

* # ? Sep 15, 2017 12:02
  • Quote
SlowBloke
Aug 14, 2017

Sefal posted:

My boss found out I had snuck in some AD clean up scripts that i had running on a weekly schedule, 6ish months ago. While not having encountered a single problem during the last 6 months. He now wants the scripts disabled and retooled so that he has to run it manually and he himself has to insert a username that goes through the cleanup. I tried telling him that he gets and has been getting a weekly e-mail with a list of users that have been disabled and deleted. He's not listening. i'm not a big fan of turning what has been a proven working automated solution back into a manual process.
Or does he make some sense that i'm not seeing?

What version of Windows are you using on the domain servers(and what functional level you are running your domain on)? If you have at least 2008r2 you could retool it to use native powershell rather than quest.activeroles

SlowBloke fucked around with this message at 12:24 on Sep 15, 2017

* # ? Sep 15, 2017 12:21
  • Quote
Sefal
Nov 8, 2011
Fun Shoe
Windows 2012R2
Function level is Windows Server 2012.
Retooling it to use the native P$ is a pretty good idea. Thank you!

* # ? Sep 15, 2017 12:34
  • Quote
SlowBloke
Aug 14, 2017

Sefal posted:

Windows 2012R2
Function level is Windows Server 2012.
Retooling it to use the native P$ is a pretty good idea. Thank you!

You are going to need the active directory power shell module contained within RSAT installed(if you are running the script on one of the dc servers no need for it) and you are going to need to change the module loading with
code:
 Import-Module ActiveDirectory
instead of quest.activeroles. Synthax changes slightly but nothing terribly complex.

If you have active directory recycle bin active and configured, there is no major issue with mass deleting active directory objects, otherwise i might share some reservations with having automated object removal without quick reversibility.

* # ? Sep 15, 2017 12:57
  • Quote
Sickening
Jul 16, 2007

Black summer was the best summer.
Personally I see no benefit from deletion over simple disable and move unless the company size is massive.

* # ? Sep 15, 2017 13:03
  • Quote
nielsm
Jun 1, 2009



 I wouldn't want a script with such sloppy code formatting running.

* # ? Sep 15, 2017 13:10
  • Quote
Sefal
Nov 8, 2011
Fun Shoe
I see no problem with keeping the account in the disabled ou. But deleting the homedirectory is something i want to keep as it frees up storage space.
The company size isn't massive so I can take out the delete account part.
Thank you guys. It's good to hear someone else's opinion of my choices.

* # ? Sep 15, 2017 13:11
  • Quote
Sefal
Nov 8, 2011
Fun Shoe

nielsm posted:

I wouldn't want a script with such sloppy code formatting running.

I'm trying :negative:

* # ? Sep 15, 2017 13:12
  • Quote
Dick Trauma
Nov 30, 2007

God damn it, you've got to be kind.

Sickening posted:

Personally I see no benefit from deletion over simple disable and move unless the company size is massive.

Working at small companies I never delete the account, and unless their home directory is big I leave that alone as well. It rarely matters but just this month an employee returned after two years at business school and he was stoked that all his stuff was still there.

* # ? Sep 15, 2017 13:55
  • Quote
GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

 gently caress that. 30 days and then email and home directory is gone.

* # ? Sep 15, 2017 13:56
  • Quote
Bunni-kat
May 25, 2010

Service Desk B-b-bunny...
How can-ca-caaaaan I
help-p-p-p you?
I need to ask why we delete AD entries. The only useful part is it removes people from our static distribution lists.

* # ? Sep 15, 2017 14:19
  • Quote
Sickening
Jul 16, 2007

Black summer was the best summer.

Avenging_Mikon posted:

I need to ask why we delete AD entries. The only useful part is it removes people from our static distribution lists.

Remove them from all the members of and it serves the sane function.

* # ? Sep 15, 2017 14:56
  • Quote
nielsm
Jun 1, 2009

Avenging_Mikon posted:

I need to ask why we delete AD entries. The only useful part is it removes people from our static distribution lists.

This is why you use PowerShell to disable the account and remove it from all group memberships.

* # ? Sep 15, 2017 14:57
  • Quote
Kashuno
Oct 9, 2012

Where the hell is my SWORD?
Grimey Drawer
What is the reason to not delete AD accounts?

* # ? Sep 15, 2017 15:01
  • Quote
Sickening
Jul 16, 2007

Black summer was the best summer.

Kashuno posted:

What is the reason to not delete AD accounts?

Fastest recover from mistakes. Employees returning later. Etc

* # ? Sep 15, 2017 15:03
  • Quote
Japanese Dating Sim
Nov 12, 2003

hehe
Lipstick Apathy

Kashuno posted:

What is the reason to not delete AD accounts?

Not speaking from a position of authority, but disabling and removing from all groups accomplishes the same effect and is easily reversible, whereas deleting AD objects (recycling bin aspect aside) is a permanent, non-reversible action, no?

* # ? Sep 15, 2017 15:03
  • Quote
The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
"Best Practices."

And, in all fairness, it is.

* # ? Sep 15, 2017 15:13
  • Quote
Kashuno
Oct 9, 2012

Where the hell is my SWORD?
Grimey Drawer
I've always done just disable and remove from groups, but I haven't really ever needed to turn things back on. Makes sense from a best practices thing

* # ? Sep 15, 2017 15:25
  • Quote
Sickening
Jul 16, 2007

Black summer was the best summer.

Kashuno posted:

I've always done just disable and remove from groups, but I haven't really ever needed to turn things back on. Makes sense from a best practices thing

Its a better process to have when multiple people administrate systems like active directory. A mistake is eventually going to happen. Restoring from the active directory recycle bin is more convoluted that it has to be. Its 100x easier to just enable a user back.

I had have employees leave the company and then return in a 6 month period. Its feels really great to be able to enable and account, give it some memberships, and be right back to where they were when they left. It really helps with contractors or the like that aren't always on payroll 100% of the time but use a computer. Same with interns or other seasonal employees.

Most of the reasons for getting rid of the accounts aren't really for need but mostly for preference.

* # ? Sep 15, 2017 15:43
  • Quote
nielsm
Jun 1, 2009



 Additionally, an account in AD can have more properties than just group membership, there are some related to encryption keys that could be relevant in case the user has ever used encryption features in Windows.

* # ? Sep 15, 2017 15:50
  • Quote
Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
I'm not a big fan of using the same account mostly because of systems that may be outside your control. Take file ACL permissions, for example. If your organization does things poorly with regards to maintaining access, a user may come back in a different capacity than when they left and shouldn't have access to resources they previously did. With a new account the SID will be different even if the User ID is the same, whereas with the old account it may have some baggage even if you did the due diligence on groups.

Really it depends on if your org is doing explicit permissions or not. (Your org should not be doing explicit permissions for users outside of niche use cases, or mailbox delegation or something)

I don't think generating a new user account is all that difficult though; the difficulty is always in paperwork and specifically knowing what the user will need access to. I've seen way too many instances of orgs that just clone other users ad nauseum and have no idea as to how their SGs are structured, so they just throw individual rights all over the place.

* # ? Sep 15, 2017 15:53
  • Quote
TheFace
Oct 4, 2004

Fuck anyone that doesn't wanna be this beautiful

Sickening posted:

Its a better process to have when multiple people administrate systems like active directory. A mistake is eventually going to happen. Restoring from the active directory recycle bin is more convoluted that it has to be. Its 100x easier to just enable a user back.

I had have employees leave the company and then return in a 6 month period. Its feels really great to be able to enable and account, give it some memberships, and be right back to where they were when they left. It really helps with contractors or the like that aren't always on payroll 100% of the time but use a computer. Same with interns or other seasonal employees.

Most of the reasons for getting rid of the accounts aren't really for need but mostly for preference.

As a consultant (previous employment, but also side work now) I love when people follow the disable not delete method. Just yesterday my previous employer asked if I would sub-contract on a specific account that without me they don't have the expertise to service anymore, they get to keep their fairly pricey contract, I get money on the side, customer is happy, everyone wins. Thankfully the customer only disabled the AD accounts I had. Re-enable and re-add groups and I was able to start cleaning up the mess that's been left in a matter of minutes.

* # ? Sep 15, 2017 16:05
  • Quote
Bunni-kat
May 25, 2010

Service Desk B-b-bunny...
How can-ca-caaaaan I
help-p-p-p you?

nielsm posted:

This is why you use PowerShell to disable the account and remove it from all group memberships.

Hmm, another thing to add to my burgeoning disable script.

* # ? Sep 15, 2017 16:41
  • Quote
nielsm
Jun 1, 2009

Avenging_Mikon posted:

Hmm, another thing to add to my burgeoning disable script.

As a bonus, with PS you can easily dump a log file with all the groups removed during the account deactivation. Timestamp the filename and just stash them away somewhere, so you can still go back and see what the user previously had if you need to re-activate.

* # ? Sep 15, 2017 17:43
  • Quote
Japanese Dating Sim
Nov 12, 2003

hehe
Lipstick Apathy
So my job got one of those pentest reports done and one of the things I'm meant to correct is a lot of machines with read-only access to IPC$ shares. Edit: These are client/end-user machines.

I'm pretty ignorant about all of this so I've been trying to learn, but it looks like the main potential vulnerability with the IPC$ share is null user enumeration, which can be prevented via enabling the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" GPO and disabling "Let Everyone permissions apply to anonymous users" (which is disabled by default).

Am I totally off-base on this? It seems like disabling the IPC$ share will interfere with RPC and PDQ Deploy, etc.?

Japanese Dating Sim fucked around with this message at 18:44 on Sep 15, 2017

* # ? Sep 15, 2017 18:39
  • Quote
Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin
I think it's a bad idea to rush into.

Identify the actual vulnerability, because that share needs to be available to certain authenticated processes.

Edit:

Apparently this was a big problem in Windows 2000.

Definitely fix this if you have windows 2000 computers in your network.

* # ? Sep 15, 2017 18:55
  • Quote
MC Fruit Stripe
Nov 26, 2002

around and around we go

Dr. Arbitrary posted:

Apparently this was a big problem in Windows 2000.
For those of you new to pen testing, this means you'll be hearing about it for the rest of your life. They're just adding poo poo to a script, running it, dumping it on you, and making it your problem.

* # ? Sep 15, 2017 18:59
  • Quote
Japanese Dating Sim
Nov 12, 2003

hehe
Lipstick Apathy
It's all Windows 7 or 10 here. I'm not in charge of our area's servers but they're all at least 2008. And yeah, that's exactly what I'm very hesitant. Disabling IPC$ is not recommended by Microsoft, and it appears you can only do it through some registry tweaks or disabling the Server service.

I don't like being in a position where I'm being difficult with people senior to me in terms of rank and experience but this just seemed a little strange to me.

To be clear, they identified a lot of legit problems and our actual on-site people have been very helpful, but I'm not so sure about this one.

* # ? Sep 15, 2017 19:00
  • Quote
Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal
I had to stress-test a DC server to quantify improvements on proposed new hardware (went to a lab and imported my OVA). I didn't want to time opening applications and poo poo, so I had powershell crunch useless numbers for a while.

measure-command {foreach ($user in (get-aduser -filter *)){write-host (get-aduser -filter*)}}

Finds 200 users, and for each, writes 200 users. 40,000 lines of output. It doesn't look the prettiest, but I thought it was a pretty decent way to get the DC to freak out and work hard without breaking anything.

Old hardware took 3 minutes, new hardware took 50 seconds. I'd say that's a success.

* # ? Sep 15, 2017 19:07
  • Quote
Dick Trauma
Nov 30, 2007

God damn it, you've got to be kind.
There's a big meeting in the conference room next to me and I see a tray of baked goods that no one has touched. :ninja:

* # ? Sep 15, 2017 19:08
  • Quote
Jowj
Dec 25, 2010

My favourite player and idol. His battles with his wrists mirror my own battles with the constant disgust I feel towards my zerg bugs.

Japanese Dating Sim posted:

So my job got one of those pentest reports done and one of the things I'm meant to correct is a lot of machines with read-only access to IPC$ shares. Edit: These are client/end-user machines.

I'm pretty ignorant about all of this so I've been trying to learn, but it looks like the main potential vulnerability with the IPC$ share is null user enumeration, which can be prevented via enabling the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" GPO and disabling "Let Everyone permissions apply to anonymous users" (which is disabled by default).

Am I totally off-base on this? It seems like disabling the IPC$ share will interfere with RPC and PDQ Deploy, etc.?

It depends on your relationship with your auditor / what sort of regulation you're under that dictates what you must do from a compliance perspective. I'd highly recommend building a good relationship with your auditor because this sort of thing will keep happening.

I would speak to your seniors at the company and tell them your concerns, tell them the work arounds you have (and provide documentation that supports it) and get people to sign off on it. If they agree, then take it to your auditor and explain the situation.

Good luck, sometimes this can be reaaaaaal frustrating.

* # ? Sep 15, 2017 19:09
  • Quote
Kashuno
Oct 9, 2012

Where the hell is my SWORD?
Grimey Drawer

Dick Trauma posted:

There's a big meeting in the conference room next to me and I see a tray of baked goods that no one has touched. :ninja:

Walk in, take some stuff and say hello, walk out.

* # ? Sep 15, 2017 19:15
  • Quote
Siochain
May 24, 2005

"can they get rid of any humans who are fans of shitheads like Kanye West, 50 Cent, or any other piece of crap "artist" who thinks they're all that?

And also get rid of anyone who has posted retarded shit on the internet."

Kashuno posted:

Walk in, take some stuff and say hello, walk out.

Be carrying a cable tester and a clipboard. Randomly hit buttons, mumble something, steal the entire tray, and walk out muttering about "conflicts with the wifi"

* # ? Sep 15, 2017 19:23
  • Quote
Docjowles
Apr 9, 2009

Dick Trauma posted:

There's a big meeting in the conference room next to me and I see a tray of baked goods that no one has touched. :ninja:

One of my college buddies was a disgusting hobothe king of scavenging free food. He got like half of his meals by lurking in the student center and waiting for meetings to let out. As soon as people started to leave, he'd confidently stride in in, pick up the leftover tray of sandwiches or pizza or whatever, and roll out. No one ever questioned this.

* # ? Sep 15, 2017 20:01
  • Quote
MC Fruit Stripe
Nov 26, 2002

around and around we go
Sounds like he learned earlier than most that most important rule in life - if you act like you belong there, you can pretty much do anything you want.

* # ? Sep 15, 2017 20:10
  • Quote
fishmech
Jul 16, 2006

by VideoGames
Salad Prong

MC Fruit Stripe posted:

Sounds like he learned earlier than most that most important rule in life - if you act like you belong there, you can pretty much do anything you want.

And if you do it while wearing an ID tag or a hard hat, it's even easier.

* # ? Sep 15, 2017 20:28
  • Quote
Adbot
ADBOT LOVES YOU

# ? Jun 1, 2024 00:00
  • Quote
Methanar
Sep 26, 2013

by the sex ghost

fishmech posted:

And if you do it while wearing an ID tag or a hard hat, it's even easier.

At an old job I made a run to the bottle depot to drop off several large bags of recyclables and I kept my hardhat on for the trip. People let me cut in line because clearly I was important, and some other dudes with safety vests congregated to help me out.

Basically just always wear a hardhat is what I'm trying to say.

Methanar fucked around with this message at 20:53 on Sep 15, 2017

* # ? Sep 15, 2017 20:36
  • Quote
  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
The Something Awful Forums > Discussion > Serious Hardware/Software Crap > Working in IT 3.0: xp_cmdshell
«2906 »