LogonSessionId account assigned Read access in new certificates? - windows

I have a question that (hopefully) someone can shed some light on.
I was writing a PowerShell script that would import a certificate into the Local Machine store and assign the Everyone group Read permissions on the private keys of the certificate.
Now, I do have a working script that accomplishes this, but I've noticed that I have an account called "LogonSessionId_0_some-random-number" assigned Read permissions in the ACL on the private keys, as shown in the following image:
At first I thought this was my script maybe doing this, but when I manually import the certificate I get the same result.
Has anyone seen this before or know why this is happening? What exactly is this account and why are permissions being assigned? I've tried to search for some answers on this but have come up short.
Not sure if it helps, but this is the portion of my code that imports the certificate and assigns the permissions:
# Find the certificate in the machine store by subject ($getCerts holds the pattern)
$sslCert = gci Cert:\LocalMachine\My | WHERE {$_.Subject -match $getCerts}
$sslCertPrivKey = $sslCert.PrivateKey
# Locate the CAPI key container file that backs the private key
$privKeyCertFile = Get-Item -path "$ENV:ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" | WHERE {$_.Name -eq $sslCertPrivKey.CspKeyContainerInfo.UniqueKeyContainerName}
$privKeyAcl = (Get-Item -Path $privKeyCertFile.FullName).GetAccessControl("Access")
# Grant Everyone read access on the key file
$permission = "Everyone","Read","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$privKeyAcl.AddAccessRule($accessRule)
Set-Acl $privKeyCertFile.FullName $privKeyAcl
I'm using Windows 10 Pro.
Any help/insight is greatly appreciated!

It's because you have different scopes.
When you add something at the machine level, by default it gives all users read permissions. Everyone with access to that computer will be able to see the certificate.
You don't need to explicitly give users read access for a machine level certificate.
It's like when you install some programs and they ask "Install for all users?" If you say yes, it installs at the machine level and everyone can use it; otherwise it installs just for you, and logging in as a different user means they won't have access.
Comment out the user-specific part of your script to test what I'm saying; you'll notice all users are given read-only access and things will work as expected.
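An added audit script, not part of the question or answer above, that lists who can read the private key file behind each LocalMachine\My certificate and flags broad principals (Read on that file is effectively key disclosure to every account it covers) as well as the LogonSessionId ACE asked about; it assumes Windows PowerShell 5.1 and the default CAPI/CNG key paths under ProgramData.

```powershell
# Added example: audit private key file ACLs for machine-store certificates.
# Assumes Windows PowerShell 5.1 and the default key storage paths under ProgramData.
function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $name = $null
    try {
        # CAPI (legacy CSP) keys expose their container file name via CspKeyContainerInfo
        $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    } catch { }
    if (-not $name) {
        try {
            # CNG keys: RSACng exposes the unique file name of the key
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) { $name = $rsa.Key.UniqueName }
        } catch { }
    }
    if (-not $name) { return $null }
    # CAPI keys live under RSA\MachineKeys, CNG keys under Crypto\Keys
    $dirs = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
        (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
    )
    foreach ($dir in $dirs) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { return $path }
    }
    return $null
}

function Get-PrivateKeyAclReport {
    # Principals that should never be able to read a server's private key
    $broad = '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users)$'
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $file = Get-PrivateKeyFile -Cert $cert
        if (-not $file) { return }   # no key file found (hardware-backed or non-RSA key)
        foreach ($ace in (Get-Acl -LiteralPath $file).Access) {
            $id = $ace.IdentityReference.Value
            $flag = ''
            if ($id -match $broad) { $flag = 'BroadPrincipal' }
            elseif ($id -like '*LogonSessionId_*') { $flag = 'LogonSessionAce' }
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                KeyFile    = $file
                Identity   = $id
                Rights     = $ace.FileSystemRights
                Flag       = $flag
            }
        }
    }
}

# Show only the entries worth a second look
Get-PrivateKeyAclReport | Where-Object { $_.Flag } | Format-Table -AutoSize
```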

Related

Import User and Group with Powershell in AD from a csv file

I'm pretty new in Powershell.
I was working in a cloud environment creating an Active Directory with some users and groups and had to close the server in which I was working.
In order to reproduce and have a completely identical environment, I used this code
Get-ADUser -Filter * -Properties * | Export-Csv -Path ExportUsers.csv
and also
Get-ADGroup -Filter * -Properties * | Export-Csv -Path ExportGroups.csv
and so exported ALL users and groups from the Active Directory using PowerShell, with ALL the info of the users and groups.
Now I have created a VM with a new Active Directory on my laptop, and at least I created the same domain name I had in the cloud (just to start as close as possible).
I'm not able to import all groups and all users WITH ALL THE PROPERTIES that are in the file. I saw in several threads that someone created scripts listing all the params they need from the file. In reality, I'd like to have all the info of the user, so I'm trying the easier way to import all data without having to say exactly which fields I need (I need everything!)
The export was pretty simple so I hope the import should be the same.
The header columns of my csv file with regard to users are these:
AccountExpirationDate,"accountExpires","AccountLockoutTime","AccountNotDelegated","adminCount","AllowReversiblePasswordEncryption","BadLogonCount","badPasswordTime","badPwdCount","CannotChangePassword","CanonicalName","Certificates","City","CN","codePage","Company","Country","countryCode","Created","createTimeStamp","Deleted","Department","Description","DisplayName","DistinguishedName","Division","DoesNotRequirePreAuth","dSCorePropagationData","EmailAddress","EmployeeID","EmployeeNumber","Enabled","Fax","GivenName","HomeDirectory","HomedirRequired","HomeDrive","HomePage","HomePhone","Initials","instanceType","isCriticalSystemObject","isDeleted","LastBadPasswordAttempt","LastKnownParent","lastLogoff","lastLogon","LastLogonDate","lastLogonTimestamp","LockedOut","logonCount","logonHours","LogonWorkstations","Manager","MemberOf","MNSLogonAccount","MobilePhone","Modified","modifyTimeStamp","msDS-SupportedEncryptionTypes","msDS-User-Account-Control-Computed","Name","nTSecurityDescriptor","ObjectCategory","ObjectClass","ObjectGUID","objectSid","Office","OfficePhone","Organization","OtherName","PasswordExpired","PasswordLastSet","PasswordNeverExpires","PasswordNotRequired","POBox","PostalCode","PrimaryGroup","primaryGroupID","ProfilePath","ProtectedFromAccidentalDeletion","pwdLastSet","SamAccountName","sAMAccountType","ScriptPath","sDRightsEffective","ServicePrincipalNames","SID","SIDHistory","SmartcardLogonRequired","State","StreetAddress","Surname","Title","TrustedForDelegation","TrustedToAuthForDelegation","UseDESKeyOnly","userAccountControl","userCertificate","UserPrincipalName","uSNChanged","uSNCreated","whenChanged","whenCreated"
and this is just one entry of a user
,"9223372036854775807",,"False",,"False","0","0","0","True","mydomain.com/Users/Guest","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection",,"Guest","0",,,"0","3/21/2014 2:00:02 PM","3/21/2014 2:00:02 PM",,,"Built-in account for guest access to the computer/domain",,"CN=Guest,CN=Users,DC=mydomain,DC=com",,"False","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection",,,,"False",,,,"False",,,,,"4","True",,,,"0","0",,,"False","0",,,,"Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","False",,"3/21/2014 2:00:02 PM","3/21/2014 2:00:02 PM",,"0","Guest","System.DirectoryServices.ActiveDirectorySecurity","CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=com","user","b3cdb85f-aa85-41e8-a36a-1e9cabb03bf2","S-1-5-21-1277972300-3555916100-1183092696-501",,,,,"False",,"True","True",,,"CN=Domain Guests,CN=Users,DC=mydomain,DC=com","514",,"False","0","Guest","805306368",,"15","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","S-1-5-21-1277972300-3555916100-1183092696-501","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","False",,,,,"False","False","False","66082","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection",,"8197","8197","3/21/2014 2:00:02 PM","3/21/2014 2:00:02 PM"
and, in a similar way, I have exported all GROUPS, so that now I have a csv with these headers:
"adminCount","CanonicalName","CN","Created","createTimeStamp","Deleted","Description","DisplayName","DistinguishedName","dSCorePropagationData","GroupCategory","GroupScope","groupType","HomePage","instanceType","isCriticalSystemObject","isDeleted","LastKnownParent","ManagedBy","member","MemberOf","Members","Modified","modifyTimeStamp","Name","nTSecurityDescriptor","ObjectCategory","ObjectClass","ObjectGUID","objectSid","ProtectedFromAccidentalDeletion","SamAccountName","sAMAccountType","sDRightsEffective","SID","SIDHistory","systemFlags","uSNChanged","uSNCreated","whenChanged","whenCreated"
And an example entry:
1,"prestige.com/Builtin/Administrators","Administrators","3/21/2014 2:00:02 PM","3/21/2014 2:00:02 PM",,"Administrators have complete and unrestricted access to the computer/domain",,"CN=Administrators,CN=Builtin,DC=prestige,DC=com","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","Security","DomainLocal","-2147483643",,"4","True",,,,"Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","3/21/2014 2:18:22 PM","3/21/2014 2:18:22 PM","Administrators","System.DirectoryServices.ActiveDirectorySecurity","CN=Group,CN=Schema,CN=Configuration,DC=prestige,DC=com","group","729af9dd-25ee-448e-a63e-72fa546aa83e","S-1-5-32-544","False","Administrators","536870912","15","S-1-5-32-544","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","-1946157056","12711","8199","3/21/2014 2:18:22 PM","3/21/2014 2:00:02 PM"
What would be the best way to import ALL the info, maybe using PowerShell again and that csv, into my new Active Directory? I need it to be as similar as possible to the AD I had in the cloud.
Thanks everyone for your help: I'm not finding a good way to resolve this :-(
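An added example (not from the question) of recreating users from the Export-Csv dump shown above; it assumes the ActiveDirectory module, an export made with -Properties * as in the question, and that the containers and OUs named in DistinguishedName already exist in the new domain. It only passes the columns New-ADUser can set on create, skips built-in accounts, and creates everything disabled with a throwaway password, since passwords are never part of the export.

```powershell
# Added example: recreate users from an Export-Csv dump of Get-ADUser -Properties *.
# Assumes the ActiveDirectory module and that the parent containers/OUs already exist.
Import-Module ActiveDirectory

# Columns that New-ADUser accepts under the same name. Everything else in the export (SID,
# nTSecurityDescriptor, timestamps, uSN*, pwdLastSet, the "ADPropertyValueCollection"
# placeholders, ...) is computed or owned by the directory and cannot be set on create.
$settable = 'City','Company','Country','Department','Description','DisplayName','Division',
    'EmailAddress','EmployeeID','EmployeeNumber','Fax','GivenName','HomeDirectory','HomeDrive',
    'HomePage','HomePhone','Initials','MobilePhone','Office','OfficePhone','Organization',
    'OtherName','POBox','PostalCode','ProfilePath','SamAccountName','ScriptPath','State',
    'StreetAddress','Surname','Title','UserPrincipalName'

function New-RandomPassword {
    # 24 random bytes, base64-encoded; the suffix satisfies typical complexity rules
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes) + 'Aa1!') -AsPlainText -Force
}

function Import-AdUsersFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        # Built-ins such as Guest already exist in the new domain; never recreate them
        if ($row.isCriticalSystemObject -eq 'True') { continue }
        if ($row.ObjectClass -ne 'user') { continue }
        $params = @{ Name = $row.Name }
        foreach ($p in $settable) {
            $v = $row.$p
            if ($v -and $v -ne 'Microsoft.ActiveDirectory.Management.ADPropertyValueCollection') {
                $params[$p] = $v
            }
        }
        # Parent = DN without its leading RDN (assumes no escaped commas in the CN)
        $params['Path'] = $row.DistinguishedName -replace '^CN=[^,]+,', ''
        if ($PSCmdlet.ShouldProcess($row.DistinguishedName, 'New-ADUser (disabled)')) {
            # Create disabled; enable accounts deliberately afterwards (e.g. only those
            # whose exported Enabled column is True) rather than blindly on import.
            New-ADUser @params -Enabled $false -AccountPassword (New-RandomPassword) -ChangePasswordAtLogon $true
        }
    }
}

# Dry run first (-WhatIf), then run it for real
Import-AdUsersFromCsv -Path .\ExportUsers.csv -WhatIf
```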

move all member of OU to new-distributiongroup

I'm trying to set up some new distribution groups and want to fill them with all members of a specific OU.
$allMemberofTestOU = get-qadgroup $ouNameT | get-qadmemberof
but my Exchange Management Shell doesn't know this cmdlet. I don't know why.
I don't get how I can do this, which I guess is a simple thing.
Long Version:
I have many OUs named like OU-ProgramName-** and want to move all of their members to a new distribution group named VL-ProgramName-**.
At the beginning, I get the content from a text file with all program names and want to loop via ForEach (works).
Question:
I need help getting all members of an OU and copying them to a new distribution group.
Best regards from Germany
Paul
Edit:
I built another way to do the job. I'm new to PowerShell, so I don't know if I'm doing it the right way.
# Search root is the parent OU; a wildcard is not valid in an LDAP bind path, so it goes into the filter instead
$OU = "OU=Prodfarm-Anwendungen,OU=LRA-CTRX,DC=kreis-gr,DC=de"
$AD = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$OU")
$AD.Filter = "(&(objectCategory=person)(objectClass=user)(cn=*-$ouName))"
$AD.PageSize = 1000   # page the results so more than 1000 matches are returned
# Testfarm
$newGroupT = "VLP_"+ $ouName + " Test C65"
$Users = $AD.FindAll() | %{$_.Properties['samaccountname'][0]} | Sort-Object
# -Members takes the whole list; $_ is only defined inside a script block
New-DistributionGroup -Name $newGroupT -Members $Users
All Get-QAD* cmdlets are part of the Quest ActiveRoles Management Shell plugin. There was a free version available before Quest was bought by Dell. The free version is the reason why some blog posts refer to them. However, after the merger the free version was pulled from the Quest/Dell website, and you can now buy this plugin directly from Dell/Quest here.
So your issue could be solved in two possible ways:
1.) If you have installed the plugin, then you didn't add the Quest ActiveRoles AD management snap-in first via:
Add-PSSnapin Quest.ActiveRoles.ADManagement
2.) The Quest ActiveRoles AD management snap-in isn't installed. If you wish to use the last known "free" version you can find it on the internet, for example here. Note that nobody knows if this is the original version! Note also that the free version is very old, as the current one is version 1.7. So you might also buy the new and latest one from Quest/Dell.
Update:
Here is a script I'm using which can add all users from a given OU to a given AD group. I run it via the Windows Task Scheduler and a task account. Once it runs, it adds all users from the given OU to the given AD group, meaning it auto-updates the groups. You might adjust it so that it fits your needs. It's slightly more advanced code, as it sends out an error email if something fails, writes a log and uses a function.
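An added example, not the answerer's script, of the same task with the ActiveDirectory module instead of the Quest snap-in: it keeps a group's membership in sync with the enabled users of an OU, supports -WhatIf and writes a log. It assumes the ActiveDirectory module, the OU naming from the question (an assumption about your tree), and that the target is an existing distribution group, which is an ordinary AD group object as far as Add-ADGroupMember is concerned.

```powershell
# Added example: keep a group's membership in sync with the users of an OU.
# Assumes the ActiveDirectory module; the group must already exist.
Import-Module ActiveDirectory

function Sync-OuMembersToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$RemoveStale,                                  # also drop members no longer in the OU
        [string]$LogPath = "$env:ProgramData\ou-group-sync.log"
    )
    $group = Get-ADGroup -Identity $GroupName
    # Only enabled users in the OU tree; disabled accounts should not keep group access
    $wanted  = Get-ADUser -SearchBase $OuDistinguishedName -SearchScope Subtree -Filter "Enabled -eq 'True'"
    $current = Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' }
    $wantedDns  = @($wanted  | ForEach-Object { $_.DistinguishedName })
    $currentDns = @($current | ForEach-Object { $_.DistinguishedName })

    $toAdd    = @($wantedDns | Where-Object { $currentDns -notcontains $_ })
    $toRemove = @()
    if ($RemoveStale) { $toRemove = @($currentDns | Where-Object { $wantedDns -notcontains $_ }) }

    foreach ($dn in $toAdd) {
        if ($PSCmdlet.ShouldProcess($dn, "Add to $GroupName")) {
            Add-ADGroupMember -Identity $group -Members $dn
            Add-Content -Path $LogPath -Value "$(Get-Date -Format o) ADD $GroupName $dn"
        }
    }
    foreach ($dn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($dn, "Remove from $GroupName")) {
            Remove-ADGroupMember -Identity $group -Members $dn -Confirm:$false
            Add-Content -Path $LogPath -Value "$(Get-Date -Format o) REMOVE $GroupName $dn"
        }
    }
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Loop over the program names from the text file, as the question does; the OU path
# below the LRA-CTRX tree is an assumption about the questioner's directory layout.
foreach ($name in Get-Content .\programnames.txt) {
    Sync-OuMembersToGroup -OuDistinguishedName "OU=OU-$name,OU=Prodfarm-Anwendungen,OU=LRA-CTRX,DC=kreis-gr,DC=de" `
                          -GroupName "VL-$name" -WhatIf
}
```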

What does $c mean in a Windows Directory?

My boss gave me access to the company's private network via SonicFireWall. I can not access their files using my File Explorer. However, there is something that I don't understand.
There is a file/folder named c$ that seems not to exist unless you type it.
You can access things in 'c$', for example folder1/folder2/c$/file.txt. But when I back out of c$, I cannot find c$.
Meaning, when I am in folder1/folder2/, I cannot find c$. What is this? Is there a name for this type of file/folder?
It means it is an "admin" share or "hidden" share. Therefore it's not visible when a share list of the device is requested.

How can I configure CDOSYS in IIS 7.5 on Windows 2008?

Like so many of you at the moment I am moving a legacy classic ASP application from a Windows 2003 server to Windows 2008. I have this mostly working but I am unable to send e-mail through it. This is because CDOSYS is not configured correctly. Despite about 4-5 hours' googling and running through API documentation and even searching through all files on the filesystem and the system registry I was unable to figure out where this is set.
The ASP.NET portion of the legacy application works fine. It is able to send e-mails to localhost without authentication which are then passed through to the mail server with authentication for sending to their destination.
I translated the VB6 calls from the source code into a Powershell script for convenience:
# Load the CDO configuration from the local IIS SMTP metabase (1 = cdoIIS)
$config = new-object -com "CDO.Configuration";
$config.Load(1);
$smtp = new-object -com "CDO.Message";
$smtp.Configuration = $config;
$smtp.From = "me@example.com"
$smtp.To = "me@example.com"
$smtp.Subject = "test"
$smtp.TextBody = "Message";
$smtp.Send();
This script sends an e-mail correctly on my original server. On the new server it returns this error when calling $smtp.Send():
Exception calling "Send" with "0" argument(s): "The "SendUsing" configuration value is invalid.
The configuration between the two servers is quite different. Using the $config reference from above, I executed $config.Fields | Format-List -Property Name,Value on both servers.
Old server (where it works):
Name : http://schemas.microsoft.com/cdo/configuration/languagecode
Value : en-us
Name : http://schemas.microsoft.com/cdo/configuration/postusing
Value : 0
Name : http://schemas.microsoft.com/cdo/configuration/sendusing
Value : 1
Name : http://schemas.microsoft.com/cdo/configuration/smtpserverpickupdirectory
Value : D:\Inetpub\mailroot\Pickup
Name : http://schemas.microsoft.com/cdo/configuration/usemessageresponsetext
Value : True
Name : urn:schemas:calendar:timezoneid
Value : 1
New server:
Name : http://schemas.microsoft.com/cdo/configuration/languagecode
Value : en-gb
Name : http://schemas.microsoft.com/cdo/configuration/postusing
Value : 0
Name : http://schemas.microsoft.com/cdo/configuration/sendusing
Value : 0
Name : http://schemas.microsoft.com/cdo/configuration/usemessageresponsetext
Value : True
Name : urn:schemas:calendar:timezoneid
Value : 0
It seems that all I need to do to make this work is either configure it to by default send mail to localhost, or to drop the mail in the pickup directory. The IIS SMTP server is already configured to look at this directory.
However, I am unable to figure out where these values are set. They must be set in a file or the registry somewhere but even searching through the C drive looking for phrases like "\Pickup" and "usemessageresponsetext" and so on have not revealed anything. If they are somewhere I guess they're in a binary datastore somewhere.
All samples for CDOSYS involve configuring the CDO.Configuration or CDO.Message instance directly but all throughout the code our application loads the configuration from IIS, so somehow this was set at one point by someone.
I missed out on the classic ASP era so I am in very unfamiliar territory. That said, my coworkers who were active classic ASP developers do not know how to configure this, and the original person who set this up has since moved on. It's entirely possible that I'm missing a very simple basic concept here.
I discovered that I was able to use my sample PowerShell script when I was logged in as an administrator. Research from that led me to a post on the IIS forums which has a solution for the issue. Unfortunately it now contains some dead links, which means it doesn't work as written. It had enough hints, however, to put together a solution:
Download and install the IIS Resource Kit Tools.
Execute C:\Program Files (x86)\IIS Resources\Metabase Explorer\MBExplorer.exe as an administrator.
Navigate to /LM/SmtpSvc, right-click on it and select Properties.
Enter the groups you want to give access to. In my case it was both Users and IIS_IUSRS with read access only.
Navigate to /LM/SmtpSvc/1, and set the same permissions on this node also.
Grant read/write access to IIS_IUSRS and Users to c:\inetpub\mailroot
So, the root cause was that the user I was trying to execute this under did not have the correct permissions.
Regrettably I couldn't figure out how to script these steps. The post makes reference to a "metaacl.vbs" script that I couldn't find anywhere; all links that claim to have it are dead. It's also meant to be installed by the IIS Resource Kit tools linked above but I couldn't find it anywhere on my server.
If you could find that somewhere you'd be able to perform the above steps like so:
cscript metaacl.vbs IIS://LOCALHOST/SMTPSVC %computername%\IIS_IUSRS R
cscript metaacl.vbs IIS://LOCALHOST/SMTPSVC/1 %computername%\IIS_IUSRS R
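An added example (not from the question or answer) that does what the question notes all CDOSYS samples do: set the configuration fields on the CDO.Configuration object directly instead of loading the metabase defaults with Load(1), so sending no longer depends on the metabase ACLs or on SendUsing being set there. It assumes the IIS SMTP service with its pickup directory at the path below; the first function reproduces the diagnosis from the question.

```powershell
# Added example: diagnose the metabase-backed CDO defaults, then send via the pickup
# directory with explicit configuration. Assumes the IIS SMTP service is installed.
$cdoPrefix = 'http://schemas.microsoft.com/cdo/configuration/'

function Test-CdoIisConfig {
    $config = New-Object -ComObject 'CDO.Configuration'
    $config.Load(1)   # 1 = cdoIIS: defaults from the local IIS SMTP metabase
    $sendUsing = $config.Fields.Item($cdoPrefix + 'sendusing').Value
    [pscustomobject]@{
        SendUsing       = $sendUsing   # 0 = unset (the failing case), 1 = pickup, 2 = port
        PickupDirectory = $config.Fields.Item($cdoPrefix + 'smtpserverpickupdirectory').Value
        Usable          = ($sendUsing -eq 1 -or $sendUsing -eq 2)
    }
}

function Send-CdoMailViaPickup {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To,
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$Body,
        [string]$PickupDirectory = 'C:\inetpub\mailroot\Pickup'
    )
    $config = New-Object -ComObject 'CDO.Configuration'
    $fields = $config.Fields
    $fields.Item($cdoPrefix + 'sendusing').Value = 1   # cdoSendUsingPickup
    $fields.Item($cdoPrefix + 'smtpserverpickupdirectory').Value = $PickupDirectory
    $fields.Update()   # field values are not applied until Update() is called

    $msg = New-Object -ComObject 'CDO.Message'
    $msg.Configuration = $config
    $msg.From = $From
    $msg.To = $To
    $msg.Subject = $Subject
    $msg.TextBody = $Body
    $msg.Send()
}

# Anyone who can write to Pickup can inject mail as the server, so grant write access
# there only to the identity that actually sends (the application pool account).
Test-CdoIisConfig
Send-CdoMailViaPickup -From 'me@example.com' -To 'me@example.com' -Subject 'test' -Body 'Message'
```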

Interacting with USER OU in Powershell

User is not your typical OU in Active Directory and I am trying to interact with it to pull its information down. If I run
Get-ADOrganizationalUnit -Filter 'name -eq "User"'
I receive no output, which I guess I expected, but how can I interact with it? I am writing a script to create OUs from a CSV file and we need sub OUs to be added under User. Any ideas?
This is because Users is not an organizational unit, but rather a container. Try running Get-ADObject -Filter {Name -eq 'Users'} to get back the Users object; you'll see that its ObjectClass is 'container', and not 'Organizational Unit.' You cannot create OUs under containers, such as Users. So you'll need to create these new OUs somewhere else.
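An added example (not from the answer) for the CSV-driven OU creation the question describes: it checks each parent's objectClass the way the answer suggests and refuses to create an OU under a container such as CN=Users. It assumes the ActiveDirectory module and a constructed CSV with the columns Name and ParentDN.

```powershell
# Added example: create OUs from a CSV, verifying that each parent is an OU (or the domain
# root) rather than a container. Assumes the ActiveDirectory module; CSV columns Name,ParentDN.
Import-Module ActiveDirectory

function Get-AdObjectClass {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Returns 'organizationalUnit', 'container', 'domainDNS', ... or $null if not found
    try {
        (Get-ADObject -Identity $DistinguishedName -Properties objectClass).objectClass
    } catch { $null }
}

function New-OuFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        $kind = Get-AdObjectClass -DistinguishedName $row.ParentDN
        if (-not $kind) {
            Write-Warning "Parent '$($row.ParentDN)' not found; skipping '$($row.Name)'"
            continue
        }
        if ($kind -eq 'container') {
            Write-Warning "Parent '$($row.ParentDN)' is a container, not an OU; skipping '$($row.Name)'"
            continue
        }
        if ($PSCmdlet.ShouldProcess("OU=$($row.Name),$($row.ParentDN)", 'New-ADOrganizationalUnit')) {
            # Deletion protection keeps a later mis-scoped script from removing the OU
            New-ADOrganizationalUnit -Name $row.Name -Path $row.ParentDN -ProtectedFromAccidentalDeletion $true
        }
    }
}

New-OuFromCsv -Path .\ous.csv -WhatIf
```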
