- 1 Refreshing Computer Group Memberships without Reboots Using KLIST
- 2 Why am I still seeing Kerberos PAC validation/verification when its off!?
- 3 List Recently Modified GPOs
- 4 Network Captures from Command Line
- 5 Steps Recorder
- 6 Command Shell Tricks
- 7 Active Directory Administrative Center
- 8 RDCMan
- 9 Policy Analyzer
- 10 GPO Merge
- 11 Honorable Mentions
Hello All. The AskPFEPlat team is here today with you in force. Recently we put together 10 Tips and Tricks from the Field – a collection of tips and tricks in our tool belt that we use on occasion. We wanted share these with all our readers in-an-effort to make your day a little easier. Certainly, this list of 10 will not cover everything. So, feel free to comment below if you have a great little trick to share with the community.
In addition to this article, you should really read a recently published article Some Tools of a PFE by David Das Neves:
So, let’s get to all of it.
Refreshing Computer Group Memberships without Reboots Using KLIST
Submitted by Jacob Lavender & Graeme Bray
This is one of my favorite little items that can save a significant amount of time. Let’s say that I just added a computer object in Active Directory to a new group. Now, before diving in, the account used must be able to act as part of the operating system. If you have a GPO which prevents this could cause a problem with this item.
Normally, how would you get the machine to update its group memberships and get the permissions associated? Reboot, right? Sometimes that just isn’t going to work. Well, all we actually need to do is update the machine Kerberos ticket. So, let’s purge them and get a new one. Step in klist.
Here is a great little PowerShell sample script that Graeme wrote that can help you make short work of this as well – for local and remote machines: Clear Kerberos Ticket on Local/Remote Machine
Let’s begin by first identifying the accounts with sessions on the computer we are working with. The command necessary is:
Each LogonId is divided into two sections, separated by a “:”. These two parts are referred to as:
- High Part
- Low Part
So, for this task, we are going to utilize the Low Part of the LogonId to target the account that we plan to purge and renew tickets for.
Just for reference, domain joined machines obtain Kerberos tickets under two sessions, identified below along with the Low Part of the LogonId. These two accounts will always use the same Low Part LogonId. They should never change.
- Local System (0x3e7)
- Network Service (0x3e4)
We can use the following commands to view the cached tickets:
Local System Tickets:
Klist -li 0x3e7
Network Services Tickets:
Klist -li 0x3e4
Let’s purge the computer account tickets. As an example of when this might be necessary, I’ve seen this several times with Exchange Servers where the computer objects need to be added to a domain security group but we are not allowed to reboot the server during operational hours. I’ve also seen this several times when a server needs to request a certificate, however the certificate template is restricted to specific security groups.
To view the cached tickets of the computer account, we’ll use the following command. Take note of the time stamp:
Klist -li 0x3e7
Now, let’s purge the machine certificate using the following command:
Klist purge -li 0x3e7
Let’s validate that the tickets have been purged using the first command:
Klist -li 0x3e7
Finally, let’s get a new ticket:
Let’s now look at the machine tickets again using the first command:
Klist -li 0x3e7
What should stand out is that all the tickets prior to our purge were time stamped at 7:40:19. After purging the tickets and getting a new set, all the timestamps are now 7:46:09. Since the machine Kerberos tickets are how the domain joined resources determine which security groups the machine is a member of, it now has a ticket that will identify any updates. No reboot required.
Why am I still seeing Kerberos PAC validation/verification when its off!?
Submitted by Brandon Wilson
Kerberos PAC verification is one of those items that is a blessing in that it adds additional security, but at the same time, it also adds additional overhead and can cause problems in some environments (namely, MaxConcurrentApi issues).
So, let’s cover one of the most basic items about PAC validation/verification, which is how to toggle it on or off (default is disabled/off on Windows Server 2008 and above). You can do that by going into regedit, browsing to:
Then we are going to set the value for ValidateKdcPacSignature to 0 (to disable) or 1 (to enable).
Now, where it tends to throw people off, is understanding *when* this setting actually effects Kerberos PAC validation, and that time is whenever anything is using an account with the “Act as part of the operating system” user right; in other words, a service/system account logon (think, network service, local service, etc). Now, this can be something stripped at launch time to limit the attack surface as well (Exchange 2013 and above does this, as an example), at which point you are effectively doing a batch logon, and batch logons, we will still see PAC validations for, regardless of what the registry entry is configured as.
A common area this is seen is on web servers, or more specifically, web servers that are clustered or load balanced. Due to the configuration necessary, IIS is using batch logons, and therefore we continue to get PAC validations.
This becomes important to know if you are troubleshooting slow or failed authentication issues that are related to IIS (or Exchange 2013 and above, as I referenced earlier), as it can be a contributor to authentication bottlenecks (MaxConcurrentApi) that lead to slow or failed authentication.
For reference, take a look at these oldies but goodies:
List Recently Modified GPOs
Submitted by Tim Muessig
A common scenario that any system administrator might encounter is the “it’s broken, but nothing has changed.” We’ve all been there, right? Well, a common trick that Tim suggested we include is just a simple method by which to view the 10 most recently updated GPOs.
Get-GPO -all | Sort ModificationTime -Descending | Select -First 10 | FT DisplayName, ModificationTime
So, let’s briefly list what this command will perform:
- It will obtain all GPO’s within the domain.
- It will then sort those GPO’s based on their Modification Time stamp and arrange them in a descending order, effectively placing the newest at the top.
- It then will select the first 10 of those GPOs
- Finally, it takes those 10 GPO’s and places them in a table for your review with their display name and modification time
One of the greatest benefits of this simple little trick is that it is very flexible to meet your needs.
Network Captures from Command Line
Submitted by Elizabeth Greene
Two great options for conducting network captures from the command line include:
- Command Line: NETSH TRACE
- Windows 7+
- Windows 7+
- PowerShell: NetEventSession
- Windows 8+
- Windows 8+
Netsh trace start capture=yes tracefile=c:tempcapturefile.etl report=no maxsize=500mb
Netsh trace stop
One little great little addition is the persistent argument. This configured the capture to survive and reboot and capture network traffic while Windows is starting. Example:
Netsh trace start persistent=yes capture=yes tracefile=c:tempcapturefile.etl report=no maxsize=500mb
Imagine that you’re attempting to troubleshoot a slow login? That might just be a great little command to have to capture the network traffic to the domain in that case.
The trace files are able to be opened with Microsoft Message Analyzer. Message Analyzer can then convert the files to .cap files if you prefer to view them in Wireshark.
I’ve also recently published a tool that you are welcome to look at, along with some REALLY great reference material for further review on this topic.
- Simple PowerShell Network Capture Tool (by Jacob Lavender)
- Using Wireshark to read the NETSH TRACE output ETL
- Capture a Network Trace Without Installing Anything
Hello everyone! Tim Beasley (PFE-Platforms) here to briefly discuss a handy dandy little tool known as Steps Recorder.
Officially, Microsoft says Steps Recorder (called Problems Steps Recorder in Windows 7), is a program that helps you troubleshoot a problem on your device by recording the exact steps you took when the problem occurred. You can then send this record to a support professional to help them diagnose the problem.
Ahh…but that’s just the beginning! This nifty piece of software not only can help during troubleshooting and diagnostics…but it can help you build desperately needed documentation! Let me tell you, I bring this up at every customer site I visit, and you wouldn’t believe how well it’s received. And, most of the time people haven’t even heard of it! Hence the reason for adding it to the Top 10 Tricks and Tips post.
So, let’s get to the meat of this shall we? Naturally, there’s a few ways to launch it. (It wouldn’t be a Microsoft product if there weren’t!)
- You can search for “Steps Recorder” in Windows.
- Start, Windows Accessories, Steps Recorder
- Run psr.exe
Each will launch this little nugget:
For diagnostics and troubleshooting, simply launch Steps Recorder on the machine in question…click “Start Record” and then reproduce the error. AKA, go through and click around to repeat the problem. Once done, hit “Stop Record” and it’ll immediately bring up all the steps you took including screenshots, descriptions of what you clicked on and how you clicked it, and give you the option to save it. What else is cool, is that it also includes a text version of everything you did at the bottom of the output. Simply save it (it’ll be a zip file) and send to whomever is running the diagnostics and they’ll have a comprehensive step-by-step guide on how to reproduce the problem along with screenshots!
Now, let’s take a step further. Your boss asks you to build out a new PKI environment (or any other IT project, but since I’m a PKI guy I had to throw that in here…heh). The project manager wants complete documentation of how everything was built. But, you hate writing technical docs, it’s so time consuming, pain in the rear to gather all the screenshots, (insert excuse here) … But enter Steps Recorder! On the server, simply start a recording session before you begin the deployment and all steps are recorded! At the end you’ll have a nice as-built document for each server you run it on!
That’s it for this little addition to the Top 10 Tricks and Tips. Put it to use! You won’t regret it!
Command Shell Tricks
Submitted by Michele Ferrari
- Open an explorer window from your current location in a command window
- start .
- Open a command window from your current location in explorer
- Type “cmd” or “powershell” in the address bar
- Copy the output of a command (or any text) to the clipboard
- “dir c:windowsdrivers | clip” for cmd.exe
- “get-childitem c:windowsdrivers |set-clipboard” in PowerShell
- What is the path for a utility? – use the where command
- “where notepad.exe”
- What binary version is a specific file?
- Get-ChildItem c:windowssysetm32ntdll.dll|Format-List VersionInfo
- Extra trick, use “Format-List *” for lots of other interesting info (like LinkType)
Active Directory Administrative Center
Submitted by Graeme Bray
Hi everyone! Graeme Bray here with a quick tip on a piece of software initially shipped with Windows Server 2008 R2 RSAT that no one uses. Active Directory Administrative Center (ADAC) looks and feels different from Active Directory Users and Computers, but it provides more functionality and allows us to manage newer technologies introduced in later operating systems (like Fine Grained Passwords), without having to do all the work via PowerShell.
Fine Grained Passwords you say? One of my favorite pieces of technology within Active Directory Functional Level 2008 was the addition of Fine Grained Passwords (FGPP). The problem is that there was no easy way to create these before Windows Server 2012 (or Windows 8). With the on-going updates to ADAC, we have now been provided the ability to modify and work with FGPP in a much easier way.
To open, type Active Directory Administrative Center (or dsac.exe for short).
On the left side of ADAC, click the “Tree” icon
Expand your domain and then go to the System container
Inside, you’ll see Password Settings Container.
If you click this, you can create as many password policies as desired.
Typically, I would recommend having a policy for Highly Privileged accounts (Domain Admins and equivalent), one for Service accounts, and then if you needed a policy with few restrictions, you can target specific accounts.
For more details on how to create a Fine Grained Password Policy, go here.
But wait! That’s not all! What else can ADAC do? The other example that I use ADAC for is to demo how to create PowerShell without having to use your favorite search engine.
At the bottom of the ADAC window, there is a section called Windows PowerShell History. Create a user account, group, etc.. Afterwards, “steal” the code and use it over, and over again. No looking to create it on your own.
Click the (^) button, to expand the history, then see your results like below:
You can copy the cmdlets, customize, and they should magically work.
There are other nifty features that are only being added to the Active Directory Administrative Center. Poke around and see what else you can find!
Submitted by Nathan Penn
Hello all! Nathan Penn back again to share with you a few of my go to tools. On a daily basis I need to Remote Desktop into multiple systems (Domain controllers, Member Servers, Clients). While the built-in remote desktop client (mstsc.exe) works, I can sometimes get lost on which system I am currently in a session with, especially when working in multiple full screen sessions. Enter RDCMan! RDCMan is a wrapper for the remote desktop client and allows for a manageable tabular view from the side. It enables me to define multiple servers into a single console, separate them into groups, save logon credentials (At least the username), specify an RDS gateway if needed, and much more. When you have an active session it becomes blue, and the checkmark indicates the session you are currently interacting with. What a time saver!
Submitted by Nathan Penn
The next tool that I want to share with you is Policy Analyzer.
This tool is for those of us that work in group policy and provides a capability that we have sought after for years. Policy Analyzer provides that capability to compare multiple group policies for duplicate settings, differences, and even conflicts. Just to clarify on terminology, a difference is a setting that is configured in one policy and not the other(s), while a conflict is a setting configured in the compared policies that is set to differing values. With Policy Analyzer, you can quickly review a pending revision of a GPO to identify all the changes that will occur by updating the policy.
In addition to the interaction you have within Policy Analyzer GUI, it also provides the capability to export the analysis to Excel. Many thanks to Aaron Margosis for creating this for us.
Policy Analyzer is available for download here: https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/
The final tool / trick is also for those that manage group policy. This one is a PowerShell script from fellow Microsoft PFE Ashley McGlone. Oftentimes, I want to consolidate two or more group policies into a single policy. As many of you know from experience this can be a tedious, time intensive effort, that can sometimes be error prone. Usually it involves running a Gpresult, maybe printing it out, and a good bit of duplication of the original effort(s). Not anymore, thanks to the GPO-Merge script.
GPO-Merge allows me to create an OU and link the group policies I want consolidated into one. Make sure to establish the correct link order, because the script also respects that, and only carries forward the winning settings. Run the script pointing it to your target OU and… VIOLA!!!! What would take countless hours before is now done in a couple of minutes.
A couple of notes just for awareness. GPO-Merge currently “can only migrate registry-based settings. Look at the warning details to see what other types of settings are included in the policy. These settings require manual copying.”
It also does not migrate GPO Preferences.
With that said, this 95% solution is awesome, and when combined with the aforementioned Policy Analyzer, group policy administration just became much easier.
GPO-Merge is available for download here: https://blogs.technet.microsoft.com/ashleymcglone/2015/06/11/updated-copy-and-merge-group-policies-gpos-with-powershell/
- PowerShell Tip: Run Local Functions Remotely in PowerShell
- Use Regions in PowerShell ISE
- Use PowerShell to Find Computers Still Alive in Your Active Directory Domain
- Clipboard Copy and Paste in vSphere Client
Setting the Failover Cluster Management Account in System Center Virtual Machine Manager
Contributed by Chuck Timon
Scenario: On-Premises, System Center Virtual Machine Manager (SCVMM) is used to manage a Private Cloud environment. This environment includes managing one or more Hyper-V Failover Clusters hosting virtual machine workloads. When managing a Failover Cluster in SCVMM, it is best practice that a single RunAsAccount be used that has local administrator privileges on each node in the cluster. This ensures for reliable communications to all nodes in the cluster so, for example, jobs executed in SCVMM against the cluster will complete successfully.
There are times when SCVMM Administrators choose not to use a configured RunAsAccount to create the cluster, or to add new nodes to a cluster as part of a scale-out initiative. The result is the RunAsAccount for Host Access is blank in one or more nodes in the cluster-
A properly configured cluster will reflect a single RunAsAccount being used throughout the cluster.
There are two ways to remedy the situation. You can use the GUI (SCVMM Console) or the SCVMM PowerShell module. The GUI method is not immediately obvious because you will note in the above screenshot (taken from an active node in a cluster), the ‘Browse’ button is greyed-out and cannot be used. However, if you access the ‘Properties’ of the cluster in the SCVMM console, you will see a selection called ‘File Share Storage.’
Clicking on that selection brings up the ‘File Share Storage’ information for the cluster. At the bottom of that information page is an area that can be used to add or modify the RunAsAccount for each node in the cluster (Browse button is ‘live’ in this context).
As shown in the above screenshot, I am using a RunAsAccount that I configured in SCVMM –
The management credential can also be changed across the cluster using the SCVMM PowerShell module. Here is an example –