some cmdlets are not showing in admin audit log? - exchange-server

I have enabled the admin audit log using the command below:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters *
I then ran the Set-CalendarProcessing cmdlet, but it does not get audited.
I am using Exchange 2019 server.
I searched using Search-AdminAuditLog but got no results.
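An added example, not part of the original question, of the check a practitioner would run before concluding that entries are missing: confirm the effective configuration, make a change that must be logged, then search an explicit window. Two points matter here. Changes made with Set-AdminAuditLogConfig can take up to 60 minutes to reach Exchange Management Shell sessions that were already open when the change was made (closing and reopening the shell applies them immediately), so a Set-CalendarProcessing run in the same shell straight after enabling auditing can legitimately be absent. And on Exchange 2013 and later the log is stored in the arbitration mailbox SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}, so that mailbox has to be on a mounted database. The room mailbox name 'room01' is a placeholder.

```powershell
# Added example (not from the original post). Run in a freshly opened
# Exchange Management Shell so the audit configuration is current.

# 1. Confirm the effective configuration.
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogAgeLimit

# 2. Make a change that must produce an entry. Get-, Search- and Test- cmdlets
#    are never logged, so test with a change, not a read.
Set-CalendarProcessing -Identity 'room01' -AutomateProcessing AutoAccept

# 3. Search an explicit window for that cmdlet only. Search-AdminAuditLog
#    returns at most -ResultSize entries (default 1000), so bound the window.
$window = @{ StartDate = (Get-Date).AddHours(-2); EndDate = (Get-Date) }
$entries = Search-AdminAuditLog -Cmdlets Set-CalendarProcessing @window
$entries |
    Select-Object RunDate, Caller, ObjectModified, Succeeded,
        @{ n = 'Parameters'; e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } } |
    Format-Table -AutoSize

# 4. Still empty? The log lives in an arbitration mailbox; if that mailbox is
#    not on a mounted database, entries cannot be written.
Get-Mailbox -Arbitration -Identity 'SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}' |
    Select-Object Name, Database, ServerName
Get-MailboxDatabase -Status | Select-Object Name, Mounted
```

If step 3 shows the entry only after the shell was reopened, the missing records were the configuration-propagation delay, not a logging fault.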

Related

Can we see what password or PIN is being typed on the Windows login screen in Event Viewer?

Can we see what password or PIN is being typed in on the Windows login screen in Event Viewer? As of now I have only been able to see Audit Success or Audit Failure logs in Event Viewer.
I tried setting the group policy to enable the auditing but it didn't make any difference.

RDOSession.LogonExchangeMailbox for other users

Using Exchange 2016 on premises, I'm trying to log on to another user's mailbox from my admin account using the RDOSession.LogonExchangeMailbox method. The admin account has impersonation access to all other mailboxes, so it should have the rights to do this. After running the logon method the RDOSession object shows ExchangeConnectionMode as olCachedConnectedFull, but RDOSession.CurrentUser.Name shows as UNKNOWN. If I try to access the inbox using GetDefaultFolder I get a MAPI_E_LOGON_FAILED message. Can you suggest what I might be doing wrong, or haven't done, to allow this?
LogonExchangeMailbox always uses the identity of the current user to connect to the mailbox in the RPC mode (no longer supported by Exchange 2016). To open another mailbox, you can call RDOSession.GetSharedMailBox / GetSharedMailBoxEx.
You can also use LogonHostedExchangeMailbox - it takes explicit credentials instead of connecting as the current local user.
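An added illustration of the answer above in PowerShell, not code from the Redemption author or the question: log on with explicit credentials via LogonHostedExchangeMailbox, then open the other user's mailbox with GetSharedMailbox instead of re-logging as that user. Assumptions: both SMTP addresses are placeholders, the credential comes from a prompt, and the parameter order of LogonHostedExchangeMailbox (SMTP address, user name, password) is taken from the Redemption RDOSession reference and should be checked against the installed version.

```powershell
# Added example; addresses are placeholders. Redemption (the RDO library) must
# be registered on the machine, and the admin account needs
# ApplicationImpersonation or FullAccess on the target mailbox.
$cred = Get-Credential -Message 'Admin mailbox credentials'
$session = New-Object -ComObject Redemption.RDOSession

# Explicit credentials instead of the current Windows identity; Redemption
# locates the server through Autodiscover rather than legacy RPC.
$session.LogonHostedExchangeMailbox('admin@contoso.example', $cred.UserName, $cred.GetNetworkCredential().Password)

# Open the other user's mailbox as a shared store on the existing session.
$store = $session.GetSharedMailbox('alice@contoso.example')
$inbox = $store.GetDefaultFolder(6)      # 6 = olFolderInbox
'{0}: {1} items in Inbox' -f $store.Name, $inbox.Items.Count

$session.Logoff()
```

If GetSharedMailbox fails, check the permission on the target mailbox first: impersonation grants access through EWS-style calls, while a MAPI store open needs FullAccess or a delegate grant on the mailbox itself.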

Keycloak gives "Username or password is wrong" error after pressing the "unlink users" button

I'm using a standalone Keycloak 4.5.0 on CentOS to provide secure login with LDAP for a web application.
It was working successfully, but after somebody pressed the "unlink users" button in the Keycloak Admin Panel > User federation > LDAP, nobody can log in with their LDAP username and password; it gives the "Username or password is wrong" error.
I tried pressing the "Synchronize All Users" button but nothing changed.
So I restarted the Keycloak application on the server, but the problem did not change.
I checked the Keycloak server logs and they show:
11:22:51,152 ERROR [org.keycloak.events.EventBuilder] (default task-1) Event listener 'user' registered, but provider not found .
So please help me with this login problem and give some info about the unlink users button.
Thanks for any responses.
It is not possible for Keycloak to get the password from LDAP. After the unlink process the password can't be checked anymore and the login fails. You have to set the "password reset" action for the users to let them specify a new one.
An interesting approach for migrating users can be found here: Migrate to Keycloak with Zero Downtime
Apparently, it's possible to re-link the users manually via the database:
1. Go to the COMPONENT table, find the configuration name of your LDAP configuration in User Federation, and copy its ID.
2. Go to your USER_ENTITY table and query the account you want to restore.
3. In the FEDERATION_LINK column of that account's row, paste the COMPONENT id.
4. Verify by hitting the "Synchronize all users" button in your User Federation configuration page.
Sample query to find the federation ID from the COMPONENT table based on REALM_ID:
SELECT id FROM COMPONENT WHERE NAME = '<mapper-ldap-name>' AND REALM_ID = '<realm-name>';
Sample query to update the FEDERATION_LINK column in USER_ENTITY based on REALM_ID:
-- restrict to the account from step 2; without the USERNAME condition every user in the realm, local accounts included, gets re-linked
UPDATE USER_ENTITY SET FEDERATION_LINK = '<federation-id>' WHERE REALM_ID = '<realm-name>' AND USERNAME = '<username>';
We solved it by deleting all users except admin using a shell script like the one below and then "Synchronize all Users". You could also delete them through the UI if you still have admin access.
kcadm=/opt/keycloak/bin/kcadm.sh
# prompts for the admin password of the master realm
$kcadm config credentials --server http://localhost:8080/auth --realm master --user admin
# 'get users' pages its output (100 per call by default); raise --limit or loop over --offset so no users are skipped
for x in $($kcadm get users -r myrealm --limit 10000 | jq -r '.[].id'); do $kcadm delete users/$x -r myrealm; done

Related Logon and Logoff events in Windows using Win32_NTLogEvent class

I'm trying to get the login and logoff events from the Win32_NTLogEvent class. To do it, I'm using the following WMI query:
PATH Win32_NTLogEvent WHERE "(EventIdentifier = 4648 OR EventIdentifier = 4647 OR EventIdentifier = 4634) And TimeGenerated > '201811010000'" GET /ALL
The query works fine and returns all the relevant logons and logoffs. The problem is: how can I relate the two? I mean, how can I tell which logoff is linked to which logon event?
Analyzing the (not so clear) documentation for events 4648 (logon attempt) and 4634 (An account was logged off), it looks like both have a linked ID, namely SubjectLogonId for the 4648 event and TargetLogonId for the 4634 event.
Using this information, I'm parsing the returned events, getting the IDs from the InsertionStrings and trying to find the linked IDs, but I didn't find any.
Am I misunderstanding something, or am I looking for the wrong information?
I tested it in Windows 10 and also in Windows Server 2012, but I'm looking for something that works in as many versions as possible.
Some background:
In short, I want to know the login/logoff times and session duration for some specific dates. I am able to get the logon and logoff times for a specific user using the following WMI query (Win32_NetworkLoginProfile class):
PATH Win32_NetworkLoginProfile WHERE "Name='DOMAIN\\user'" GET LastLogon, LastLogoff
My intention with the first query is almost the same, but I want the info for all users without knowing each username. My best guess is to use the Win32_NTLogEvent class as described, but this is not mandatory.
You are attempting to use 4648, Logon Attempt. This event only indicates that an attempt was made and whether or not it was successful.
The event you should look for is 4624, "An account was successfully logged on.", and the Logon ID for that event will correlate with the Logon ID for 4634, "An account was logged off."
To comment on your background statement about "LastLogon, LastLogoff": these values are updated in Active Directory on every logon or logoff, but no history is kept.
I know the WBEM interface has existed since Windows XP. I cannot find proof that your PowerShell queries will work on that platform; however, they should work without modification on Windows 7+ and Server 2008+.
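The correlation this answer describes, written out in PowerShell as an added example (not the answer's own code). It reads the Security log with Get-WinEvent rather than Win32_NTLogEvent, since the question says the class is not mandatory, keys each 4624 on its Logon ID and pairs it with the 4634 or 4647 that carries the same ID. Assumptions: the script runs elevated on the machine that holds the log, the start date is the one from the question, and only interactive-style logon types (2, 10, 11) are kept, because network (3) and service (5) logons would swamp the result.

```powershell
# Added example, not from the original answer. Must run elevated: the Security
# log is readable only by administrators and members of Event Log Readers.
$start = [datetime]'2018-11-01'

# One query for logons (4624) and both logoff flavours (4634, 4647).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634, 4647
    StartTime = $start
} -ErrorAction Stop

# Hex Logon ID (e.g. 0x3e7) -> open session. IDs are unique only per boot, so
# a reboot inside the window can reuse one; the older open entry is replaced.
$open = @{}

$sessions = foreach ($e in $events | Sort-Object TimeCreated) {
    # Pull the EventData fields out of the XML view of the record.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($e.Id -eq 4624) {
        # Interactive (2), RemoteInteractive (10), CachedInteractive (11); skip
        # network (3), service (5) and the rest, which are not user sessions.
        if ($d.LogonType -in '2', '10', '11') {
            $open[$d.TargetLogonId] = [pscustomobject]@{
                User      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                LogonType = [int]$d.LogonType
                LogonTime = $e.TimeCreated
            }
        }
    }
    elseif ($d.TargetLogonId -and $open.ContainsKey($d.TargetLogonId)) {
        # 4634 and 4647 carry the same TargetLogonId as the matching 4624.
        $s = $open[$d.TargetLogonId]
        $open.Remove($d.TargetLogonId)
        [pscustomobject]@{
            User       = $s.User
            LogonType  = $s.LogonType
            LogonId    = $d.TargetLogonId
            LogonTime  = $s.LogonTime
            LogoffTime = $e.TimeCreated
            Duration   = $e.TimeCreated - $s.LogonTime
        }
    }
}

$sessions | Sort-Object LogonTime | Format-Table -AutoSize

# Whatever is still in $open has no logoff inside the window: the user is still
# logged on, or the machine rebooted/crashed (no 4634 is written in that case).
$open.Values | Select-Object User, LogonTime
```

The same pairing works on records pulled through Win32_NTLogEvent; the Logon ID is then read from the InsertionStrings array instead of the XML, so the position of TargetLogonId in that array has to be looked up per event ID.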
In Windows Vista (or Windows Server 2008) and above this PowerShell command should do the trick:
Get-WmiObject -Query "select Name, LastLogon, LastLogoff from Win32_NetworkLoginProfile WHERE {your logic here}"
However, if you want to use the Win32_NTLogEvent class, which supports Windows XP, I think it cannot be done, for two reasons:
The EventIdentifier in that class specifies the meta-data about the event types, which can be 1-5, meaning: Error, Warning, Information, Security Audit Success and Security Audit Failure. You should look into EventCode instead, which leads me to my second point:
Two events from the same source may have the same value for this property but may have different severity and EventIdentifier values. For example, a successful logoff is recorded in the Security log with the Event ID 538. However, Event IDs are not necessarily unique. It is possible that, when retrieving Event ID 538, you can get other kinds of events with ID 538. If this happens, you might need to filter by the source as well as ID.
And finally, as you might have noticed, auditing events (like 4648, 4647) are supported on Windows 10 (or Windows Server 2016).

Mail count in O365 Inbox using shell script

I need to write a shell script to get the INBOX folder message count in Office 365 using the script below.
{
echo "01 login ${IMAP_USER} ${IMAP_PASSWD}"
sleep 2
echo "03 STATUS INBOX MESSAGES"
sleep 2
echo "19 logout"
} | telnet outlook.office365.com 993 | tee ${LOG_DIR}/imap_status.log
I am getting only the message below in the log file.
Trying 52.97.137.194...
Connected to outlook.office365.com (52.97.137.194).
Escape character is '^]'.
It is unable to log in to the mailbox using the IMAP username and password.
Since it is O365, I gave the complete mail ID in the username field.
I tested the telnet command separately and it also shows the same message. Before the Office 365 migration, I was able to connect to and log in to the mailbox using telnet.
Do I need to perform any specific changes for Office 365?
Depending on what exactly you wish to do in the mailbox, you might be able to use the Office 365 Graph.
The Graph uses simple HTTP REST calls and allows you to do a lot of things on a user's Office 365 account as REST commands (POST / GET / DELETE).
You can browse the categories such as Outlook Mail (which is the Office 365 Exchange e-mail) and see if you can implement your functionality like that.
Another option would be PowerShell using the Exchange Online modules.
Get-MailboxFolderStatistics might give you all you need regarding folders.
If you log in with a user account you can only view data for that user.
Using an Exchange administrator account you can get the info for all users.
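An added example of this second suggestion, not code from either answer: the Inbox count via the Exchange Online PowerShell module (ExchangeOnlineManagement), for one user and then for every mailbox. Assumptions: the module is installed, the admin UPN and the user address are placeholders, and the caller holds a role that can read recipient folder statistics. On the posted script itself, two things are worth knowing: port 993 is the implicit-TLS IMAPS port, so a plain telnet client only ever sees the TCP connect banner and the LOGIN line never reaches the server in a form it can read (a TLS-aware client such as openssl s_client -connect outlook.office365.com:993 -crlf is needed for the raw-IMAP route), and Exchange Online has since retired Basic authentication for IMAP in favour of OAuth2, which the module below handles through its own sign-in.

```powershell
# Added example (not from either answer). Placeholders: the two addresses.
# Install once: Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example' -ShowBanner:$false

function Get-InboxCount {
    # Returns one object per mailbox with the item count and size of the Inbox.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Identity)
    process {
        $inbox = Get-MailboxFolderStatistics -Identity $Identity -FolderScope Inbox |
            Where-Object FolderType -eq 'Inbox'     # keep the Inbox itself, not subfolders
        [pscustomobject]@{
            Mailbox = $Identity
            Items   = $inbox.ItemsInFolder
            Size    = $inbox.FolderSize
        }
    }
}

# A single user: what a non-administrative account is limited to.
Get-InboxCount -Identity 'user@contoso.example'

# Every user mailbox in the tenant; needs an administrative role.
Get-EXOMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Select-Object -ExpandProperty UserPrincipalName |
    Get-InboxCount |
    Export-Csv -NoTypeInformation -Path .\inbox_counts.csv

Disconnect-ExchangeOnline -Confirm:$false
```

For an unattended job, replace the interactive Connect-ExchangeOnline with certificate-based app authentication (-AppId, -CertificateThumbprint, -Organization) rather than embedding a password the way the original IMAP script does.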
