querying LDAP - get account status (like disabled, active, etc.) - windows

I am querying an LDAP directory and setting variables for mail and displayName. I also need to find out whether the account is disabled or active. Which property should I pull for this?

If using Active Directory, the attribute you are interested in is userAccountControl, which is a bit mask. Here are the possible values: http://support.microsoft.com/kb/305144/
There is no standard attribute, though; it will vary by product, and sometimes by the applications that use the directory server as a repository.

We have auto-unlock after 5 min via GPO enabled on our network. With this setting, the userAccountControl field remains unchanged until the user logs in. So we currently have no way to find out whether a user is still locked or not by querying LDAP.
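The following is an added example (PowerShell 5.1 or later), not code from the original answer or comment. It decodes the userAccountControl bit mask from the KB article linked above and filters disabled accounts server-side with the LDAP bitwise-AND matching rule. It also addresses the lockout point raised in the comment: Active Directory never sets the LOCKOUT bit in userAccountControl itself; the live lockout state (which honours the GPO lockout duration) is exposed through the constructed attribute msDS-User-Account-Control-Computed, while lockoutTime stays non-zero after an automatic unlock until the user's next successful logon. The script assumes it runs on a domain-joined host (or one that can reach a domain controller) and uses System.DirectoryServices directly, so no RSAT module is required.

```powershell
# Added example, not code from the original answer. Needs a reachable DC; no RSAT module required.
Add-Type -AssemblyName System.DirectoryServices

# Bit values from KB 305144 (userAccountControl is a bit mask).
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Names of every flag set in the mask, in the order listed above.
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if (($Value -band $flag.Value) -ne 0) { $flag.Key }
    }
}

function Get-AdUserAccountStatus {
    param([string]$Filter = '(&(objectCategory=person)(objectClass=user))')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $Filter
    $searcher.PageSize = 500   # paged search; without it the DC stops at MaxPageSize (1000 by default)
    foreach ($attr in 'sAMAccountName', 'mail', 'displayName', 'userAccountControl',
                      'lockoutTime', 'msDS-User-Account-Control-Computed') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($r in $searcher.FindAll()) {
        $p   = $r.Properties             # property names come back lower-cased
        $uac = [int]$p['useraccountcontrol'][0]
        # Constructed attribute: the DC computes LOCKOUT here, honouring the lockout duration.
        $computed = if ($p['msds-user-account-control-computed'].Count) { [int]$p['msds-user-account-control-computed'][0] } else { 0 }
        [pscustomobject]@{
            SamAccountName = [string]$p['samaccountname'][0]
            Mail           = if ($p['mail'].Count)        { [string]$p['mail'][0] }        else { $null }
            DisplayName    = if ($p['displayname'].Count) { [string]$p['displayname'][0] } else { $null }
            Disabled       = ($uac -band $UacFlags.ACCOUNTDISABLE) -ne 0
            LockedOut      = ($computed -band $UacFlags.LOCKOUT) -ne 0
            # Raw lockoutTime stays non-zero after an automatic unlock until the next successful logon.
            LockoutTime    = if ($p['lockouttime'].Count) { [long]$p['lockouttime'][0] } else { 0 }
            Flags          = (ConvertFrom-UserAccountControl -Value $uac) -join ','
        }
    }
}

# Disabled accounts only, filtered on the DC with the LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803).
Get-AdUserAccountStatus -Filter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' |
    Format-Table SamAccountName, Mail, Disabled, LockedOut, Flags -AutoSize
```

Drop the -Filter argument to list every user with its decoded flags; PASSWD_NOTREQD, DONT_REQ_PREAUTH and TRUSTED_FOR_DELEGATION in the Flags column are the ones worth a second look in an audit.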

Related

Windows account password hash location

I have a machine which I want to find where my password hash is stored.
The set command returns details about the account and shows that it is connected to a domain; however, it doesn't show in net user. Also, under Advanced System Settings -> User Profiles the account shows as Type: Local and Status: Local.
It seems to be a domain user, however Windows doesn't think it's on a domain.
Because of this, searching for hashes has only brought up dead ends. They aren't in the SAM file and they aren't in SECURITY. I also tried password recovery software, and the account simply didn't show.
I could see the correct hash through sekurlsa::logonpasswords full (specifically sekurlsa::msv) with mimikatz, but now I would like to know where they are stored.
I know they are cached somewhere, as I can log in without internet, so I think I'm specifically looking for this file.
A brief search of the command suggests they are in the SAM database, but I know they aren't.
Any assistance would be appreciated.

Unable to update group policy(local gpo) status to "Not Configured" using Powershell

With PowerShell, by updating the corresponding registry keys we are able to toggle a local GPO setting to "Enabled" or "Disabled", but I have a specific requirement to make sure that certain local GPO settings are set to "Not Configured". I tried deleting the corresponding registry keys, but it didn't help.
Is there any way to achieve this in PowerShell?
If I run Local Group Policy Editor (gpedit.msc) as Administrator and set the Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access policy to Enabled or Disabled, according to Process Monitor that is actually setting the Deny_Write value at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{GUIDGUID-GUID-GUID-GUID-GUIDGUIDGUID}Machine\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
If I modify, delete, or rename that Deny_Write value as Administrator then I see the change reflected in Local Group Policy Editor when I edit/reopen that policy. I'm not exactly certain how it is that a machine policy is being set under a user's registry; perhaps there's a symbolic link or loaded hive at play. Process Monitor indicates that C:\Windows\System32\GroupPolicy\Machine\Registry.pol is also modified at the time I set the policy, so that must be the underlying storage for Group Policy-based registry changes.

How to get EVERY user token on a PC for SHGetKnownFolderPath?

I'm working on a system service project with SYSTEM privilege (a cleaning utility)... It does not interact with any user interface.
My goal is to check files in the "Desktop" and "AppData" folders for every user that exists on the PC.
I'm using NetUserEnum() to get the user list on the PC. Then I want to get the path of each user's Desktop and AppData with SHGetKnownFolderPath(), but I can't find a way to get each user's access token for SHGetKnownFolderPath(). Without a token passed to SHGetKnownFolderPath(), it returns the path for SYSTEM and not for the specific user.
Q1. How can I get the token of each user for SHGetKnownFolderPath()?
Q2. If no answer for Q1, is there any documented way to get the desktop & appdata path of each user in the PC?
I understand this can be achieved in a dirty way ---> a registry key with some string replacement. However, the registry key method is undocumented, which may easily break in future updates to Windows.
Edit/Update:
@RaymondChen Thanks for pointing out that some user profiles may not exist. Also,
About Q1: @Remy Lebeau provides a solution with LogonUser/Ex(): log in as each user with their credentials. This might be the only answer that fits the need of Q1.
About Q2: There might be no documented way to achieve this. The only method might be to stick with the Windows registry (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders), as @Remy Lebeau and @Olaf Hess said. I tried to dig for more information on the Microsoft Community Forum, and what I got is that Microsoft would never allow access to other users' profiles with their native API, for security reasons. They do not provide APIs that could possibly violate the security rules. Each user profile can only be accessed with its own credentials.
By the way, I totally understand that a "cleaning utility" is aka a "Windows-breaking tool", especially when the tool is not well coded (e.g. compatibility problems). For the sake of avoiding making it a total Windows destroyer, I tried to use documented APIs as much as possible.
For Windows Vista with SP1 / Server 2008 and later you can query the existing user profiles using the WMI class Win32_UserProfile. This allows you to retrieve the profile path, check whether it is a local or roaming profile, and get status information. The rest (retrieving the paths to APPDATA, DESKTOP, etc.) is likely going to involve reading values straight from the registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders).
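The following is an added example (PowerShell 5.1 or later), not code from the answer above, showing the Win32_UserProfile plus registry approach it describes from a SYSTEM-style context. Two details matter in practice: the per-user values live under HKEY_USERS\<SID> rather than HKEY_CURRENT_USER, and that hive is only present while the user is logged on, so for the other profiles the script temporarily loads NTUSER.DAT with reg.exe. The User Shell Folders values are REG_EXPAND_SZ containing %USERPROFILE%, so they must be read unexpanded and expanded against the target profile's own LocalPath; Get-ItemProperty would silently substitute the calling account's profile. The default folder locations used as a fallback are an assumption for users with no override. Run it elevated.

```powershell
# Added example, not code from the original answer. Run elevated: it reads other users' hives and
# temporarily loads NTUSER.DAT for profiles that are not currently logged on.
# Fallbacks below are the Windows defaults; assumed when a user has no per-user override.
$DefaultShellFolders = @{
    'Desktop'       = '%USERPROFILE%\Desktop'
    'AppData'       = '%USERPROFILE%\AppData\Roaming'
    'Local AppData' = '%USERPROFILE%\AppData\Local'
}

function Get-ProfileShellFolders {
    param([string[]]$Folder = @('Desktop', 'AppData'))

    # Win32_UserProfile lists every profile on disk, loaded or not; Special = SYSTEM/LocalService/NetworkService.
    $profiles = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special -and $_.LocalPath }

    foreach ($p in $profiles) {
        $hiveName   = $p.SID                  # HKEY_USERS\<SID> exists only while that hive is loaded
        $loadedHere = $false
        if (-not (Test-Path -LiteralPath "Registry::HKEY_USERS\$hiveName")) {
            $ntuser = Join-Path $p.LocalPath 'NTUSER.DAT'
            if (-not (Test-Path -LiteralPath $ntuser)) { Write-Warning "No NTUSER.DAT under $($p.LocalPath)"; continue }
            $hiveName = "TempHive_$($p.SID)"
            & reg.exe load "HKU\$hiveName" $ntuser | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "Cannot load hive for $($p.LocalPath) (in use?)"; continue }
            $loadedHere = $true
        }
        $key = $null
        try {
            $key = Get-Item -LiteralPath "Registry::HKEY_USERS\$hiveName\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -ErrorAction SilentlyContinue
            foreach ($f in $Folder) {
                # Read the REG_EXPAND_SZ unexpanded; expanding here would insert *our* %USERPROFILE%, not theirs.
                $raw = if ($key) { $key.GetValue($f, $null, 'DoNotExpandEnvironmentNames') } else { $null }
                if (-not $raw) { $raw = $DefaultShellFolders[$f] }
                [pscustomobject]@{
                    SID     = $p.SID
                    Profile = $p.LocalPath
                    Loaded  = $p.Loaded
                    Folder  = $f
                    Path    = if ($raw) { $raw -replace '%USERPROFILE%', $p.LocalPath } else { $null }
                }
            }
        }
        finally {
            if ($key) { $key.Close() }        # release the handle, or reg unload fails with "access denied"
            if ($loadedHere) { & reg.exe unload "HKU\$hiveName" | Out-Null }
        }
    }
}

Get-ProfileShellFolders | Format-Table -AutoSize
```

Folders redirected by policy (e.g. Desktop pointing at a UNC share) come back as whatever the user's value says, so the caller should still check that the path exists before touching it.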

How propagate modification of HKLM to gpedit?

I would like to modify (enable and set the value of) a Machine Group Policy with PowerShell. I understood this kind of policy is based on the registry. That's why I tried to add my value with the Set-ItemProperty command.
The new value is correctly set in the registry, but gpedit doesn't see it.
I tried to use the GroupPolicy commands, but I don't see how to address the Local Group Policy because I can't get a correct GUID.
The key I want to change is this one: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
I think I'm missing something, but I don't know what. Any idea?
Thanks
The answer you are looking for can be found at https://superuser.com/questions/1192405/why-gpedit-and-the-corresponding-registry-entries-are-not-synchronized
Quoted from Wes
Since the changes you make in the group policy editor affect what you see in the registry, it's perfectly logical to assume that the reverse is also true. However, it doesn't work that way.
Local group policy settings (which is what I believe you are referring to in your post) are stored in registry.pol files located in C:\Windows\system32\GroupPolicy. These files overwrite the corresponding keys in the registry every time the system performs a group policy refresh. The editor never actually reads the registry to see what settings it contains.
A group policy refresh is triggered whenever one of the following events occurs:
At a regularly scheduled refresh interval (every 90 minutes by default)
A user logon or logoff event (user policy only)
A computer reboot (computer policy only)
A manually triggered refresh via gpupdate
A policy refresh command issued by an admin from the domain controller (if the computer is domain-joined).
It's important to remember that if the computer is domain-joined, domain policies will be applied after the local group policy files are processed (meaning that some settings may get overwritten by domain policy). You will not be able to see domain policies in the local group policy editor.
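Both Local Group Policy questions above come down to the same fact: gpedit and the policy engine read C:\Windows\System32\GroupPolicy\Machine\Registry.pol, not the live registry. The following is an added example (PowerShell 5.1 or later), not code from either post, that parses and rewrites that file directly. The file format is the documented PReg layout: a 4-byte "PReg" magic, a 4-byte version, then UTF-16LE entries of the form [key;value;type;size;data]. "Not Configured" is simply the absence of an entry, so the "Removable Disks: Deny write access" setting from the earlier post is reset by dropping its Deny_Write entry (key and GUID as given there); the HKLM\...\Policies\Explorer\Run setting from the later post becomes visible to gpedit by adding an entry under that key (the "Run these programs at user logon" list stores its programs as values named 1, 2, ...). The program path written there is a placeholder for the example. Run it elevated and keep the backup it makes.

```powershell
# Added example, not code from either original post. Run elevated; rewrites the local machine Registry.pol.
$Unicode = [Text.Encoding]::Unicode

function Read-RegistryPol {
    param([Parameter(Mandatory)][string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "Not a Registry.pol file: $Path"
    }
    $pos = 8                                         # skip 'PReg' magic and DWORD version
    while ($pos -lt $b.Length) {
        $pos += 2                                    # '['
        $end = $pos; while ($b[$end] -ne 0 -or $b[$end + 1] -ne 0) { $end += 2 }
        $key  = $Unicode.GetString($b, $pos, $end - $pos); $pos = $end + 4        # NUL + ';'
        $end = $pos; while ($b[$end] -ne 0 -or $b[$end + 1] -ne 0) { $end += 2 }
        $name = $Unicode.GetString($b, $pos, $end - $pos); $pos = $end + 4
        $type = [int][BitConverter]::ToUInt32($b, $pos);   $pos += 6              # DWORD + ';'
        $size = [int][BitConverter]::ToUInt32($b, $pos);   $pos += 6
        $data = New-Object byte[] $size
        [Array]::Copy($b, $pos, $data, 0, $size);          $pos += $size + 2      # data + ']'
        [pscustomobject]@{ Key = $key; ValueName = $name; Type = $type; Data = $data }
    }
}

function Write-RegistryPol {
    param([Parameter(Mandatory)][string]$Path, [AllowEmptyCollection()][object[]]$Entries = @())
    $ms = New-Object IO.MemoryStream
    $w  = New-Object IO.BinaryWriter($ms)
    $w.Write([Text.Encoding]::ASCII.GetBytes('PReg')); $w.Write([uint32]1)
    foreach ($e in $Entries) {
        $w.Write($Unicode.GetBytes("[$($e.Key)`0;$($e.ValueName)`0;"))
        $w.Write([uint32]$e.Type);        $w.Write($Unicode.GetBytes(';'))
        $w.Write([uint32]$e.Data.Length); $w.Write($Unicode.GetBytes(';'))
        $w.Write([byte[]]$e.Data);        $w.Write($Unicode.GetBytes(']'))
    }
    $w.Flush(); [IO.File]::WriteAllBytes($Path, $ms.ToArray())
}

function Format-PolData($e) {
    # Human-readable view of REG_DWORD (4) and REG_SZ/REG_EXPAND_SZ (1/2); hex for anything else.
    switch ($e.Type) {
        4               { if ($e.Data.Length -ge 4) { [BitConverter]::ToUInt32($e.Data, 0) } }
        { $_ -in 1, 2 } { $Unicode.GetString($e.Data).TrimEnd("`0") }
        default         { ($e.Data | ForEach-Object { $_.ToString('x2') }) -join '' }
    }
}

$pol = 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol'
Copy-Item -LiteralPath $pol -Destination "$pol.bak" -Force
$entries = @(Read-RegistryPol -Path $pol)
$entries | ForEach-Object { '{0}\{1} = {2}' -f $_.Key, $_.ValueName, (Format-PolData $_) }

# 1. "Not Configured" = no entry at all. Key and value name are the ones the first post traced with Process Monitor.
$denyWriteKey = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$entries = @($entries | Where-Object { -not ($_.Key -eq $denyWriteKey -and $_.ValueName -eq 'Deny_Write') })

# 2. Enable a machine policy by adding its entry (the key from the second post). Path is a placeholder.
$entries += [pscustomobject]@{
    Key       = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    ValueName = '1'
    Type      = 1                                             # REG_SZ
    Data      = $Unicode.GetBytes("C:\Tools\example-agent.exe`0")
}
Write-RegistryPol -Path $pol -Entries $entries

# Registry.pol reaches HKLM only at a policy refresh; force one, then check both views.
gpupdate.exe /target:computer /force | Out-Null
Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' -ErrorAction SilentlyContinue
```

After the refresh, reopen gpedit.msc: the Deny write access setting shows Not Configured and the Run list shows Enabled with the added program. The registry client-side extension removes values it previously applied that the .pol no longer contains, but verify that Deny_Write is actually gone from HKLM\SOFTWARE\Policies before relying on it.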

What user profile does the system use when it runs a service in Windows

All,
I have no idea how Windows services work; I'm just curious: when we register a Windows service (such as auto-running a server after reboot), if it requires a user profile to load info (such as pulling data from somewhere else), what user profile does it load?
Thanks,
You can select which user runs each registered service, and the system comes with users assigned per service. The one most used by the system is SYSTEM.
To check this you have to:
Go to services.
Right click on the desired service and properties.
Go to the Log on tab and check.
If the Local System account is selected, the username is SYSTEM, which has special permissions on almost all folders and Windows sections, including users' profile data.
On the other hand, if you would like to do something special with a specific account, you can tell the system that the service will start with the account specified. Just make sure to update the password information every time the user changes it.
Regards,
Luis
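The following is an added example (PowerShell 5.1 or later), not code from the answer above. It does in bulk what the Log On tab shows one service at a time: Win32_Service.StartName is the logon account, and the script classifies each one so the services running under a named user (the ones whose stored password must be updated when it changes, and whose binary path is worth auditing because a writable path yields that account's privileges) stand out from the built-in and virtual accounts. For reference, Local System's profile is %SystemRoot%\System32\config\systemprofile with its hive at HKEY_USERS\S-1-5-18; a service running as a named user gets that user's profile loaded instead.

```powershell
# Added example, not code from the original answer. Read-only; no elevation needed for these properties.
function Get-ServiceLogonAccounts {
    # Accounts the Service Control Manager starts without a stored password.
    $builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $acct = $_.StartName                       # what the Log On tab displays
        $kind = if (-not $acct)                     { 'None' }
                elseif ($builtin -contains $acct)   { 'Built-in' }
                elseif ($acct -like 'NT SERVICE\*') { 'Virtual account' }
                elseif ($acct -like '*$')           { 'Managed service account' }   # gMSA/sMSA names end in $
                else                                { 'Named user (password stored by SCM)' }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Account   = $acct
            Kind      = $kind
            Path      = $_.PathName
        }
    }
}

# Everything that is not built-in or virtual is where the "update the password when it changes" advice applies.
Get-ServiceLogonAccounts |
    Where-Object { $_.Kind -notin 'Built-in', 'Virtual account' } |
    Sort-Object Account, Name |
    Format-Table Name, State, StartMode, Account, Kind, Path -AutoSize
```

Remove the Where-Object stage to see the full inventory, including how many services run as LocalSystem rather than one of the less privileged built-in accounts.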
