Monday, April 3, 2017

Where’s my enabled Users?

Where’s my enabled Users? I’m going through and fine-tuning our Proofpoint spam solution and noticed one of the filters needs to be updated. This filter finds users in ADUC and pushes them to our spam solution out on the internets. The end result of this filter should be the set of active, mail-enabled users.




Filter:
(&(msExchHomeServerName=*)(!(objectclass=contact))(!(objectclass=group))(!(cn=systemmailbox*))(!(cn=healthmailbox*)))

See the problem? It’s grabbing all users. Because we have thousands and thousands of disabled AD objects (I have no control over this), this is altering our number of users in the system. To correct this we needed to query on something in AD that would filter out disabled users.

Instead of giving you the answer right away I am going to show you my thought process. The first thing was to figure out the attributes I could query on. I need to run Get-ADObject, but first I need my DN to run that command. So I run:

Get-ADUser -Identity keith.smith


To get the DN I just need to run:

((Get-ADUser -Identity keith.smith).DistinguishedName)



Then to get all the attributes on my AD User Object, I put that into my Get-ADObject command:

Get-ADObject -Identity ((Get-ADUser -Identity ksmi13).DistinguishedName) -Properties *



That will pull back alotta (yes that’s a word) different attributes. The one we are looking for that seems interesting is “userAccountControl”.


So I Google it and come up with this url:
https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx

On here what I need to figure out is the OID for a disabled user. The syntax should look like:
attributename:ruleOID:=value

I really wanted to know how the OID syntax was generated so I searched the MS-ADTS Glossary for OID.
https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_aaaf2f1a-0b0a-487e-a0f0-c3510a6091b2


object identifier (OID): In the Lightweight Directory Access Protocol (LDAP), a sequence of numbers in a format described by [RFC1778]. In many LDAP directory implementations, an OID is the standard internal representation of an attribute. In the directory model used in this specification, the more familiar ldapDisplayName represents an attribute.

So to learn more I read RFC 1778.
https://www.ietf.org/rfc/rfc1778.txt

Which didn’t really work because I didn’t understand anything at all in that RFC, but after some other reading I found that I needed to figure out the syntax below:
$Attribute-ID + $LdapMatchingRule + ":$Identifier" (the identifiers are defined in iads.h)

I went to the UserAccountControl page
https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx

And found the $Attribute-Id 1.2.840.113556.1.4.8


Then found the LDAP matching rule I wanted to use, 03 (I needed a bitwise AND operation)
https://msdn.microsoft.com/en-us/library/cc223367.aspx



Then found the UserAccountControl disabled flag, ADS_UF_ACCOUNTDISABLE (2), at the bottom of
https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx

So what I have so far is:
  • Attribute-ID = 1.2.840.113556.1.4.8
  • LDAP_MATCHING_RULE_BIT_AND = 1.2.840.113556.1.4.803
  • ADS_UF_ACCOUNTDISABLE = 0x00000002

What I want is…
“If Attribute-ID AND 2 Then”.

In OID Syntax, that would be…
(1.2.840.113556.1.4.8 + 03 + := + 2)
So to find disabled users you would use as the filter
  • (userAccountControl:1.2.840.113556.1.4.803:=2)

In my case I am trying to find enabled accounts. To do that just put a NOT before it.
  • (!(userAccountControl:1.2.840.113556.1.4.803:=2))

And finally all together my final query would look like…

"(&(msExchHomeServerName=*)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(!(objectclass=contact))(!(objectclass=group))(!(cn=systemmailbox*))(!(cn=healthmailbox*)))"
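The pieces above can be assembled and sanity-checked in PowerShell before anything touches the directory. This is an added example, not code from the original post: the flag names and values are the ones on the userAccountControl page linked above, the function names are my own, and the sample userAccountControl values are constructed.

```powershell
# Added example, not code from the original post. It builds the bitwise
# userAccountControl filter from named flags and evaluates the same rule
# locally against constructed sample values, so the logic can be checked
# before anything is run against Active Directory.

# Flag values from the userAccountControl page linked above
$UacFlags = @{
    ADS_UF_ACCOUNTDISABLE     = 0x00000002
    ADS_UF_LOCKOUT            = 0x00000010
    ADS_UF_PASSWD_NOTREQD     = 0x00000020
    ADS_UF_NORMAL_ACCOUNT     = 0x00000200
    ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000
}

# Matching-rule OIDs: BIT_AND matches when every bit in the mask is set,
# BIT_OR (1.2.840.113556.1.4.804) when any bit in the mask is set
$MatchingRule = @{
    BitAnd = '1.2.840.113556.1.4.803'
    BitOr  = '1.2.840.113556.1.4.804'
}

function New-UacBitFilter {
    # Returns an LDAP filter clause such as (userAccountControl:1.2.840.113556.1.4.803:=2)
    param(
        [Parameter(Mandatory)][string[]]$Flag,
        [ValidateSet('BitAnd', 'BitOr')][string]$Rule = 'BitAnd',
        [switch]$Negate
    )
    $mask = 0
    foreach ($name in $Flag) {
        if (-not $UacFlags.ContainsKey($name)) { throw "Unknown userAccountControl flag: $name" }
        $mask = $mask -bor $UacFlags[$name]
    }
    $clause = "(userAccountControl:$($MatchingRule[$Rule]):=$mask)"
    if ($Negate) { "(!$clause)" } else { $clause }
}

function Test-UacBitRule {
    # Evaluates the matching rule the same way the directory does, on one attribute value
    param(
        [Parameter(Mandatory)][int]$UserAccountControl,
        [Parameter(Mandatory)][int]$Mask,
        [ValidateSet('BitAnd', 'BitOr')][string]$Rule = 'BitAnd'
    )
    switch ($Rule) {
        'BitAnd' { ($UserAccountControl -band $Mask) -eq $Mask }
        'BitOr'  { ($UserAccountControl -band $Mask) -ne 0 }
    }
}

# Constructed sample values: 0x200 is a normal enabled account, 0x202 the same
# account disabled; only the second satisfies the ACCOUNTDISABLE mask
Test-UacBitRule -UserAccountControl 0x200 -Mask $UacFlags.ADS_UF_ACCOUNTDISABLE
Test-UacBitRule -UserAccountControl 0x202 -Mask $UacFlags.ADS_UF_ACCOUNTDISABLE

# Rebuild the post's final filter from its pieces; the NOT keeps only enabled accounts
$EnabledOnly = New-UacBitFilter -Flag ADS_UF_ACCOUNTDISABLE -Negate
$Filter = "(&(msExchHomeServerName=*)$EnabledOnly(!(objectclass=contact))(!(objectclass=group))(!(cn=systemmailbox*))(!(cn=healthmailbox*)))"

# Run against AD (needs the ActiveDirectory module); Enabled should be True for every row
Get-ADUser -LDAPFilter $Filter -Properties userAccountControl |
    Select-Object SamAccountName, Enabled, userAccountControl
```

Comparing the Enabled column against the raw userAccountControl value is a quick way to confirm the bitwise clause is doing what the filter claims.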


One last RFC that I haven't read yet but looks pretty interesting on LDAP Attributes is RFC 2251.
https://www.ietf.org/rfc/rfc2251.txt


Tuesday, July 19, 2016

Find logged on Users

Today I got asked to figure out what servers our team members are logged into. What better way than to write up a PowerShell script that runs every morning and shoots us an email. This process also helps out with the question "WHAT SERVER IS LOCKING OUT MY ACCOUNT!". I do have another PowerShell script that checks the PDC Emulator's security logs for that, but that will be in a future post.

The script is a little long to explain so I'm just going to post it. I can't remember where I got the html section from. It's freak'n ugly (I'm not an html programmer), but works. Just go through and change the usernames you want to check for and the smtp settings at the bottom of the script. Also, you will need to have psloggedon.exe from....

https://technet.microsoft.com/en-us/sysinternals/psloggedon.aspx

Just make sure the exe is in your system32 dir.

CLS
<#
    .NOTES
    --------------------------------------------------------------------------------
     Code generated by:            Keith Smith
     Generated on:                06/30/2016
     Description:                Checks to see who is logged onto any servers
                                with their admin account

    --------------------------------------------------------------------------------

#>

#----------------------------------------------
# Variables
#----------------------------------------------

write-host "Generating the Serverlist."
write-host "`tLoading..."
# This is the main array that gets all server names in the entire domain
[array]$ServerList = get-adcomputer -filter { operatingsystem -like "*server*" }

# how many servers do we have?
# Information could be useful somewhere?
$TotalAmountOfServers = $ServerList.count

# If you wanted to search a couple servers uncomment the below
#[array]$ServerList = "ustxcr00exc11i","ustxcr00exc12i","ustxcr00exc13i","ustxcr00exc14i","ustxcr00exc15i","ustxcr00exc16i","ustxcr00exc17i","ustxcr00exc18i"

# Build an array with usernames of who you want to check
[array]$AllTheUserNames = "admin_bob", "admin_john", "admin_alex", "admin_keith"

# Create a blank array for all the bad users that are still logged in
[array]$BadUsers = @()

$ScriptStartTime = Get-Date

#----------------------------------------------
# Main
#----------------------------------------------

# Create a foreach loop that goes through each server in the serverlist array
foreach ($EachServer in $ServerList)
{
    
    # Comment out the below if you don't want to see which server you are querying
    write-host "Querying: $($EachServer.Name)" -foregroundcolor yellow
    
    # Awesome command Lumakar found to pull logged on users
    # Run the command and put the results into a variable called TheResults
    # psloggedon.exe must be in the system32 dir on the computer you run this from
    $TheResults = psloggedon.exe -l -x "\\$($EachServer.Name)"
    # Use this form instead if you uncommented the manual server list above (plain strings, no .Name)
    #$TheResults = psloggedon.exe -l -x "\\$EachServer"
    
    # Nested foreach loop that goes through each username for each server
    foreach ($EachUserName in $AllTheUserNames)
    {
        # Go through the results one by one and check if the username is in the TheResults variable
        if ($TheResults -like "*$EachUserName*")
        {
            # Do something
            [array]$BadUsers += "`t$($EachUserName)`t`t`n$($EachServer.name)"
        }
        else
        {
            # Don't do anything
            # Some kind of logic could go here
        }
    }
}

$BadUsers = $BadUsers | sort

$ScriptEndTime = Get-Date
$ScriptTotalTime = $ScriptEndTime - $ScriptStartTime

# Clear the screen
# Clear-host is the proper way to do it, but I am old school
CLS

$HTMLCode = @"

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <html ES_auditInitialized='false'><head><title> Logged On User Report</title>
    <META http-equiv=Content-Type content='text/html; charset=windows-1252'>
    <STYLE type=text/css>    
        DIV .expando {DISPLAY: block; FONT-WEIGHT: normal; FONT-SIZE: 8pt; RIGHT: 10px; COLOR: #ffffff; FONT-FAMILY: Tahoma; POSITION: absolute; TEXT-DECORATION: underline}
        TABLE {TABLE-LAYOUT: fixed; FONT-SIZE: 100%; WIDTH: 100%}
        #objshowhide {PADDING-RIGHT: 10px; FONT-WEIGHT: bold; FONT-SIZE: 8pt; Z-INDEX: 2; CURSOR: hand; COLOR: #000000; MARGIN-RIGHT: 0px; FONT-FAMILY: Tahoma; TEXT-ALIGN: right; TEXT-DECORATION: underline; WORD-WRAP: normal}
        .heading0_expanded {BORDER-RIGHT: #bbbbbb 1px solid; PADDING-RIGHT: 5em; BORDER-TOP: #bbbbbb 1px solid; DISPLAY: block; PADDING-LEFT: 8px; FONT-WEIGHT: bold; FONT-SIZE: 8pt; MARGIN-BOTTOM: -1px; MARGIN-LEFT: 0px; BORDER-LEFT: #bbbbbb 1px solid; WIDTH: 100%; CURSOR: hand; COLOR: #FFFFFF; MARGIN-RIGHT: 0px; PADDING-TOP: 4px; BORDER-BOTTOM: #bbbbbb 1px solid; FONT-FAMILY: Tahoma; POSITION: relative; HEIGHT: 2.25em; BACKGROUND-COLOR: #CCCC00}
        .heading_collapsed {BORDER-RIGHT: #bbbbbb 1px solid; PADDING-RIGHT: 5em; BORDER-TOP: #bbbbbb 1px solid; DISPLAY: block; PADDING-LEFT: 16px; FONT-WEIGHT: bold; FONT-SIZE: 8pt; MARGIN-BOTTOM: -1px; MARGIN-LEFT: 5px; BORDER-LEFT: #bbbbbb 1px solid; WIDTH: 100%; CURSOR: hand; COLOR: #ffffff; MARGIN-RIGHT: 0px; PADDING-TOP: 4px; BORDER-BOTTOM: #bbbbbb 1px solid; FONT-FAMILY: Tahoma; POSITION: relative; HEIGHT: 2.25em; BACKGROUND-COLOR: #7BA7C7}
        .heading_expanded {BORDER-RIGHT: #bbbbbb 1px solid; PADDING-RIGHT: 5em; BORDER-TOP: #bbbbbb 1px solid; DISPLAY: block; PADDING-LEFT: 16px; FONT-WEIGHT: bold; FONT-SIZE: 8pt; MARGIN-BOTTOM: -1px; MARGIN-LEFT: 5px; BORDER-LEFT: #bbbbbb 1px solid; WIDTH: 100%; CURSOR: hand; COLOR: #ffffff; MARGIN-RIGHT: 0px; PADDING-TOP: 4px; BORDER-BOTTOM: #bbbbbb 1px solid; FONT-FAMILY: Tahoma; POSITION: relative; HEIGHT: 2.25em; BACKGROUND-COLOR: #A5A5A5}
        .tableDetail {BORDER-RIGHT: #bbbbbb 1px solid; BORDER-TOP: #bbbbbb 1px solid; DISPLAY: block; PADDING-LEFT: 16px; FONT-SIZE: 8pt;MARGIN-BOTTOM: -1px; PADDING-BOTTOM: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #bbbbbb 1px solid; WIDTH: 100%; COLOR: #000000; MARGIN-RIGHT: 0px; PADDING-TOP: 4px; BORDER-BOTTOM: #bbbbbb 1px solid; FONT-FAMILY: Tahoma; POSITION: relative; BACKGROUND-COLOR: #f9f9f9}
        .filler {BORDER-RIGHT: medium none; BORDER-TOP: medium none; DISPLAY: block; BACKGROUND: none transparent scroll repeat 0% 0%; MARGIN-BOTTOM: -1px; FONT: 100%/8px Tahoma; MARGIN-LEFT: 43px; BORDER-LEFT: medium none; COLOR: #ffffff; MARGIN-RIGHT: 0px; PADDING-TOP: 4px; BORDER-BOTTOM: medium none; POSITION: relative}
        .Solidfiller {BORDER-RIGHT: medium none; BORDER-TOP: medium none; DISPLAY: block; BACKGROUND: none transparent scroll repeat 0% 0%; MARGIN-BOTTOM: -1px; FONT: 100%/8px Tahoma; MARGIN-LEFT: 0px; BORDER-LEFT: medium none; COLOR: #000000; MARGIN-RIGHT: 0px; PADDING-TOP: 4px; BORDER-BOTTOM: medium none; POSITION: relative; BACKGROUND-COLOR: #000000}
        td {VERTICAL-ALIGN: TOP; COLOR: #000000; FONT-FAMILY: Tahoma}
        th {VERTICAL-ALIGN: TOP; COLOR: #000000; TEXT-ALIGN: left}
    </STYLE>

    </HEAD>
    <BODY>
    <p><b>    <font face="Arial" size="5"><b><i>Logged On User Report - Hours: $($ScriptTotalTime.Hours) Minutes: $($ScriptTotalTime.Minutes) <hr size="4" color="#2b52ed"></i></b></font>
    <br>
    <TABLE cellSpacing=0 cellPadding=0>
        <TBODY>
            <TR>
                <TD>
                    <DIV id=objshowhide tabIndex=0><FONT face=Arial></FONT></DIV>
                </TD>
            </TR>
        </TBODY>
    </TABLE>

"@

$header = @"
    <DIV class=container>
            <DIV class={0}>
                <SPAN class=sectionTitle tabIndex=0></SPAN>
                <A class=expando href='#'></A>
            </DIV>
            <DIV class=container>
                <DIV class=tableDetail>
                
                
                
                <TABLE>
                    <tr>
                        <th width='30%'><b>Users who need to log off</b></th>
                    </tr>
"@

$HTMLCode += $header

foreach ($BadUser in $BadUsers)
{
    $HTMLCode += @"
    <tr>
        <td width='30%'>$BadUser</td>
    </tr>

"@
}

$HTMLCode += @"
    </TABLE>
    
                    </DIV>
            </DIV>
        </DIV>
        
        <DIV class=filler></DIV>

    </body>
    </html>
"@

#Configuration Variables for E-mail
$SmtpServer = "mail.contoso.local"
$EmailFrom = "Report <postmaster@contoso.local>"
$EmailTo = "AdminTeam@contoso.local"
$EmailSubject = "Logged On User Report"



#Send E-mail from PowerShell script
Send-MailMessage -To $EmailTo -From $EmailFrom -Subject $EmailSubject -Body $HTMLCode -BodyAsHtml -SmtpServer $SmtpServer




Wednesday, April 15, 2015

Citrix - Jabber 10.5 - Data is not in ICO format


Got a request today to publish out Cisco Jabber 10.5 in my XenApp 6.5 environment. While publishing it out, the wizard errors on the application icon with "Data is not in ICO format". Below is a screenshot of the error. I have seen this happen in the past with Firefox too.

So what's the fix you ask?

Apply the following Hotfix for XenApp 6.5 (CTX137747)

And for the people that are on XenApp 6.0 (CTX139340)



Wednesday, September 24, 2014

Worse than HeartBleed? CVE-2014-6271


CVE-2014-6271

Overview

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Impact
CVSS Severity (version 2.0):
CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service


Information taken from: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Tuesday, June 3, 2014

Citrix XenApp - Automate Discovery

I am in the process of building out a new XenApp environment for a customer, and was thinking... "It would be so nice to automate the 'Configure and run discovery' settings". So how do you accomplish this? I know my service desk would appreciate it!

The answer is a custom "MMC". Below are the steps to accomplish this.

Part 1: Create the custom MMC

  • Open up a 32-bit MMC console (universally will work better and create less stress)
    • On a 32-bit OS run "mmc"
    • On a 64-bit OS run "mmc /32"


  •  Click File > Add/Remove Snap-in...


  •  Select the console you are going to push out to your users and add it to the "Selected snap-ins"
    • (In my case it is going to be AppCenter)


  •  Right Click on "XenApp"
    • Select "Configure and run discovery"


  •  Select the "Skip this screen in the future" box
    • Click Next


  •  Click on Add
    • For the server, I am going to pick my two XenApp Controllers
      • Depending on your setup, and where you are publishing this, you will need to pick the correct server(s)... (setting up a load balanced VIP on your NetScaler....  hmmm....)



  •  Click Next


  •  Check the box next to "Close this wizard when discovery is successful"


  •  Change the options of your new custom MMC console
    • Click on File > Options...


  •  In my case, I want to restrict access to areas of the tree
    • I am going to select "User mode - limited access, single window"


Below is an explanation of each option:

  • Author mode
    • Enables full customization of the snap-in console, including the ability to add or remove snap-ins, create new windows, create Favorites and taskpads, and access all the options of the Customize View and Options dialog boxes. Users creating a custom console file for themselves or others typically use this mode. The resulting snap-in console is usually saved in one of the user modes in this table.
  • User mode - full access
    • The same as author mode, except that users cannot add or remove snap-ins, change snap-in console options, create Favorites, or create taskpads.
  • User mode - limited access, multiple window
    • Provides access only to those parts of the tree that were visible when the console file was saved. Users can create new windows, but cannot close any existing windows.
  • User mode - limited access, single window
    • Provides access only to those parts of the tree that were visible when the console file was saved. Users cannot create new windows.


  •  Now we want to save our custom MMC
    • Click File > Save As...


  •  Save it wherever you would like. I am going to save mine to c:\custom mmc\AppCenter.mmc on each of my terminal servers.


Part 2: Publish the custom MMC

This section could be done a dozen different ways. I will show you how to publish out the mmc we just created as an application accessed directly from each server.


  • Select "Skip this screen in the future"
    • Click Next



  •  Enter in a Display name for your application
    • In my case I am using "Citrix AppCenter"


  •  Use the defaults
    • Application
      • Accessed from a server
        • Installed application


  •  Location of mmc.exe and the location of the custom mmc
    • Command Line:
      • c:\windows\system32\mmc.exe "c:\windows\system32\AppCenter.mmc"
    • Working directory:
      • c:\windows\system32
    • Click Next


  •  Click Add
    • Select the Servers or Worker Group that contains the servers you would like to publish out the mmc to.
      • Click Next


  •  Click Add
    • Add the users that need access to the mmc
      • Click Next


  •  Go to where your Citrix management console is installed, and right click > properties
    • Then click on "Change Icon..."

  •  Copy out the location of the .ico


    • Go back to the application you are publishing and click "Change icon..."
    • Click Browse
      • Input the location of the .ico file you just copied
        • Click OK


  •  Click Next


  •  Click Finish


You now have a management console that your admins will not have to configure for discovery.


Thursday, May 15, 2014

The group policy service failed the logon. Access is denied.

This morning, I had a brand new user log into a Citrix XenApp 6.0 environment. When launching applications, they received the following error message.

"The group policy service failed the logon. Access is denied."


Quick and easy fix for this one is to delete the user's profile. The user can now log in and launch applications. Issue resolved!

Monday, May 12, 2014

NetScaler - Gateway vServer - Dropping packets from a specific Source

While talking with a citrixirc colleague, the question was brought up... "Is there a way to block 1 client from a vserver at the NetScaler level?"

The answer is "Yes". I am sure there are multiple ways to do this. I personally would use a "Responder Policy".

If you want to learn more about Citrix Responder Policies you can check out support.citrix.com.

Setting up a Responder Policy to drop a client

• Open up the GUI and go to "NetScaler Gateway > Virtual Servers"
  • Open the vServer you would like to add the Responder Policy to.
  • Click on the "Policies" tab
    • Then click on the Responder button
      • Click on Insert Policy at the bottom
        • Then click on "New Policy..."

• Create the following Responder Policy
  • Name: rpol-%youpickaname%
    • You can use whichever naming convention you would like. I use "rpol" for my Responder Policies.
  • Action: DROP
  • Expression: CLIENT.IP.SRC.EQ(10.10.10.10)
    • Replace 10.10.10.10 with the IP you want to block.
  • Click on "Create" and you should now see your Responder Policy under the Responder section.

If you want to verify from the NetScaler that it is being blocked, you could do something like
• Enable logging
• SSH to your NetScaler and from shell run "nstcpdump.sh dst 10.10.10.10" to see what is happening with the packets.
• From the CLI run
  • show connectiontable "DESTIP eq 10.10.10.10"


If you wanted to do this all from the CLI, you could just do... (add responder policy takes the action as its third argument, so DROP goes on the end)

add responder policy rpol-block-ip "CLIENT.IP.SRC.EQ(10.10.10.10)" DROP
bind vpn vserver My-vServer -policy rpol-block-ip -priority 100 -gotoPriorityExpression END -type REQUEST

Note: This only blocks new connections. Any existing connections will remain connected until they are forced to reconnect.

Wednesday, September 4, 2013

Citrix Hooks - Troubleshooting

After clicking on a link via published Internet Explorer that opens a streamed VNC session through an ActiveX control, VNC does not display

This morning, one of my clients upgraded their internal site that allows users VNC access to the point of sale computers. They were able to log in, but unable to launch VNC. You could see that the VNC session was opened, but the users could not see the window at all. They were getting to the internal site via published IE8 in a XA6 environment.


First thing was to see if it was a hook that was causing the issue. To disable all hooks, you will need to have the following registry DWORD in place
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI]
  • "SeamlessFlags"=dword:00e6dea7


Now after killing all my sessions and then launching IE, the second VNC window opens. This tells me there is an issue with one of the hooks. Until I found out there was a GUI that sets the hooks auto-magically for you, I used to manually set the hooks in the registry. The easy way to do it is to use a tool called

Now for the fun part. To my knowledge it’s basically a guessing game to narrow down which hook you need to set. I personally do 6 at a time and then whittle it down to which specific one it is. What you need to do is, after checking the boxes next to the hooks you want, click on “Set Values”, then close all your Citrix sessions and re-launch your app for testing. In my case, the issue is with

• DISABLE ACTIVE ACCESSIBILITY HOOK (0x4)

Not so fast! At this point you know the hook, but this is a global setting. This will apply to all published apps. To narrow it down to a specific app you need to find the “ClassName” that is being affected. To do this, I use an app called
After opening the application, hover over the area of the application that is launching the secondary window/app that is not displaying correctly. This will give you the “Class”
• Internet Explorer_Server


Now go back to the Farm Helper app and add in the Class Name


This will then pop up the following window


Click on one of the boxes (any one), and then click on “Set_Values”

This will set up a new registry key under TWI called Internet Explorer_Server. It is, though, going to have the wrong “Data” for “Type”. Open up the “Type” DWORD and change the value to the hook you selected earlier (0x4). You could also dig deeper and run through selecting each check box in the per-app flags, but in my case, I do not need this.


You have now successfully added the “DISABLE ACTIVE ACCESSIBILITY HOOK” hook to only the “Internet Explorer_Server” Class.

Just make sure to go back and delete the “SeamlessFlags” DWORD under "TWI" so the hook isn't applied globally.
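The two registry changes the post ends with, done from PowerShell instead of the GUI tool, as an added example that is not the post's or the tool's own code. It assumes the layout the post describes (a subkey under TWI named for the window class, holding a REG_DWORD "Type" with the hook flag); the class name and the 0x4 flag are the ones found above, and the function names are my own.

```powershell
# Added example, not the post's own code or the tool's. It makes the two
# registry changes the post ends with: the per-class hook flag for
# "Internet Explorer_Server" and removal of the global SeamlessFlags value.
# Assumed from the post's description: the per-class subkey lives under TWI,
# named for the window class, and carries a REG_DWORD "Type" holding the flag.
# Run elevated on the XenApp server.

$TwiKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI'

function Set-CitrixPerClassHook {
    param(
        [Parameter(Mandatory)][string]$ClassName,
        [Parameter(Mandatory)][int]$HookFlag
    )
    $classKey = Join-Path -Path $TwiKey -ChildPath $ClassName
    if (-not (Test-Path -Path $classKey)) {
        New-Item -Path $classKey -Force | Out-Null
    }
    # The GUI tool writes the wrong data here; set it to the flag found by testing
    New-ItemProperty -Path $classKey -Name 'Type' -PropertyType DWord -Value $HookFlag -Force | Out-Null
    # Read it back so the caller can confirm what is actually in the registry
    (Get-ItemProperty -Path $classKey -Name 'Type').Type
}

function Remove-CitrixGlobalSeamlessFlags {
    # Drop the disable-everything value used during testing so hooks stay active for other apps
    $current = Get-ItemProperty -Path $TwiKey -Name 'SeamlessFlags' -ErrorAction SilentlyContinue
    if ($null -ne $current) {
        Remove-ItemProperty -Path $TwiKey -Name 'SeamlessFlags'
    }
}

# 0x4 = DISABLE ACTIVE ACCESSIBILITY HOOK, the hook identified in the post
$applied = Set-CitrixPerClassHook -ClassName 'Internet Explorer_Server' -HookFlag 0x4
"Type for Internet Explorer_Server is now 0x{0:X}" -f $applied
Remove-CitrixGlobalSeamlessFlags
```

As with the GUI route, close all Citrix sessions and relaunch the published app before judging whether the per-class flag took effect.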

Wednesday, July 24, 2013

VM - SYSPREP Failure!

Sysprep: Fatal error occurred while trying to sysprep the machine

While trying to sysprep a machine this morning I ran into an issue with running sysprep. Below is the process I was going through.
• I would open a command prompt and run sysprep
• I would then run sysprep with OOBE

Every time I was getting the same error

Sysprep - Fatal error occurred while trying to sysprep the machine


So the first thing I checked was the "Remaining Windows Activation Count" via "slmgr /dlv". It looks like I have 3 more activations remaining.


The next thing was to check the "GeneralizationState" registry entry. If it is not already set to 7, change it to 7.
HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\SysprepStatus


After changing the "GeneralizationState" DWORD to 7, sysprep is now working!
