LDAP query logged in users via IP - active-directory

Is it possible to connect to an LDAP/Windows Active Directory server as an admin (using bind) and then run an IP based query to see what user is logged into a Windows PC based on a particular IP? The IP would not be a hardcoded value or attribute.
Basically I am wondering if I can ask Active Directory what user is logged in when supplied an IP address.

Active Directory stores user logon history data in the event logs on domain controllers.
The event ID for a user logon event is 4624.
These events contain data about the user, time, computer and type of user logon.
Using an LDAP query, we cannot fetch the username from the IP address.
Instead we can use PowerShell to query the logon event data and fetch the username by IP address.
# Find DC list from Active Directory
$DCs = Get-ADDomainController -Filter *
# Define time for report (default is 1 day)
$startDate = (Get-Date).AddDays(-1)
# IP address to look up (supplied by the caller; 192.0.2.10 is a placeholder)
$IPAddress = "192.0.2.10"
# Store successful logon events from security logs with the specified dates in an array
# (append per DC; a plain assignment would keep only the last DC's events)
$slogonevents = @()
foreach ($DC in $DCs) {
    $slogonevents += Get-EventLog -LogName Security -ComputerName $DC.HostName -After $startDate | Where-Object { $_.EventID -eq 4624 }
}
# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address for the given logon IP address
foreach ($e in $slogonevents) {
    # Logon Successful Events
    # ReplacementStrings indexes for event 4624: [5] = account name, [11] = workstation, [18] = source IP
    if (($e.EventID -eq 4624) -and ($e.ReplacementStrings[18] -eq $IPAddress)) {
        Write-Host "Type: Remote Logon`tDate: " $e.TimeGenerated "`tStatus: Success`tUsername: " $e.ReplacementStrings[5] "`tWorkstation: " $e.ReplacementStrings[11] "`tIP Address: " $e.ReplacementStrings[18]
    }
}
Reference : Active Directory: How to Get User Login History using PowerShell - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)
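The same lookup written as a reusable function, added here as an example that is not part of the answer above. It uses Get-WinEvent with a hashtable filter (filtered on the DC rather than after transfer) and reads the named EventData fields from the event XML instead of relying on positional ReplacementStrings indexes. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the Security log on each DC, and that the function name Get-LogonByIp and its parameters are of my choosing.

```powershell
# Added example: list 4624 logon events whose source IP matches $TargetIp, across all DCs.
function Get-LogonByIp {
    param(
        [Parameter(Mandatory)][string]$TargetIp,   # IP address you were given
        [int]$Days = 1                              # how far back to search
    )
    $start = (Get-Date).AddDays(-$Days)
    $dcs = Get-ADDomainController -Filter *
    foreach ($dc in $dcs) {
        # FilterHashtable is applied by the event log service on the DC; Get-WinEvent
        # raises an error when nothing matches, so suppress it and move on
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $start
        } -ErrorAction SilentlyContinue
        foreach ($ev in $events) {
            # Build a name -> value map from the event's EventData section
            $xml  = [xml]$ev.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['IpAddress'] -ne $TargetIp) { continue }
            # Machine accounts end in '$' and are not the interactive user on the PC
            if ($data['TargetUserName'] -like '*$') { continue }
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                DC          = $dc.HostName
                User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType   = $data['LogonType']
                Workstation = $data['WorkstationName']
                IpAddress   = $data['IpAddress']
            }
        }
    }
}

# Usage (IP is a placeholder): most recent five logons seen from that address
Get-LogonByIp -TargetIp '192.0.2.10' -Days 2 | Sort-Object Time -Descending | Select-Object -First 5
```

One caveat when reading the output: a 4624 on a domain controller records a logon *to the DC* whose source was that IP (most often LogonType 3, a network logon such as a share or Kerberos authentication), not proof that the account is sitting at the console of the machine with that IP. Treat the result as the account most recently authenticating from that address, and confirm against the workstation's own Security log if you need the console user.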

Related

Get-AzADUser no longer return Department and AccountEnabled

I'm pretty sure that last week I was able to use Get-AzADUser to return both Department and AccountEnabled.
Get-AzADUser | where {$_.Mail -eq "abc@xyz.com"} | Select-Object Mail, Department, AccountEnabled
Mail Department AccountEnabled
---- ---------- --------------
abc@xyz.com
When I call up all parameters for a single user I can see that I'm missing content on many fields, I basically only see Name, JobTitle, Mail, and MobileNumber
I'm using an account assigned the roles "Global reader" and "Directory readers".
(Other parts of my script also stopped working since last week, where Get-AzADUser no longer has a field called "ObjectId" but instead the field is simply called "Id")
You need to use "-Select" and " -AppendSelected" parameters to get the info.
Try the following (working for me)...
Get-AzADUser -Select 'Department,AccountEnabled' -AppendSelected -UserPrincipalName "abc@xyz.com" | Select-Object Mail, Department, AccountEnabled
Mail Department AccountEnabled
---- ---------- --------------
abc@xyz.com IT Support True
More info: https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azaduser
I tested in my environment and found Get-AzADUser not a very suitable command, as it doesn't appear to return any information about the user (like department, usage location, office info, or basically any properties on the user).
There continues to be a lack of properties returned when comparing Get-AzureADUser vs. Get-AzADUser:
The AzureAD module is designed for tasks within Azure AD,
whereas the Az module is designed to handle most, if not all, of Azure's resources.
You can use the Az module easily if you just want to look up the user's existence, but if you need to actually administer Azure AD I would suggest you go for AzureAD. To connect to a specified tenant with AzureAD use connect-azuread -tenantId 'XXXXXX'.
Output Using Get-AzureADUser
I am able to get the departmentName
Reference : https://github.com/Azure/azure-powershell/issues/10497

Add a value to all users in AD

I am trying to set up dynamic distribution lists at the company I work for.
I want to use the company value in AD for a distribution list that everyone in the company needs to be part of.
Most of our users have the name of the company as the value, but after checking some users it appears that this value is not set for all users.
Is there a way to set this value for all AD users (by using PowerShell, e.g.), or get a list of users where the company value is not set to the company name?
You can use the PowerShell ActiveDirectory module, which is included in the Remote Server Administration Tools (RSAT). Details on how to install it are here.
Then you can use Get-ADUser and pipe the results into Set-ADUser. Something like this:
$badusers = Get-ADUser -Filter "company -ne 'Your Company Name'"
$badusers | Set-ADUser -Company "Your Company Name"
You could do this in one line, but I split it into two so you can inspect the $badusers collection to actually see the users that you changed (just type $badusers into the PowerShell prompt and hit enter).
It may be wise to limit it to, say, 5 or 10 users just to make sure it works the way you want before attempting to change every user. You can do this by adding -ResultSetSize 5 to the Get-ADUser line.
This also assumes you want to change all user objects to have your company name, even administrative accounts. Keep in mind that this will stop processing users if it hits one that you don't have permission to modify. If you want to limit it to a single OU, you can use the -SearchBase parameter of Get-ADUser, like this:
$badusers = Get-ADUser -Filter "company -ne 'Your Company Name'" -SearchBase "OU=Users,DC=example,DC=com"
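A fuller version of the same change, added as an example that is not the answer's own code: it keeps a record of the affected users before touching them, previews the write with -WhatIf, and then updates one user at a time so a single permission error does not abort the whole batch (the failure mode the answer warns about). It assumes the RSAT ActiveDirectory module and that $Company, $SearchBase and the output CSV path are values you substitute.

```powershell
# Added example: find users whose company attribute is not the expected value,
# record them, dry-run the change, then apply it per user.
$Company    = 'Your Company Name'                 # placeholder
$SearchBase = 'OU=Users,DC=example,DC=com'        # placeholder

# In the AD filter syntax -ne becomes an LDAP negation, so users with the attribute
# unset (the case in the question) match as well as users with a different value
$badUsers = Get-ADUser -Filter "company -ne '$Company'" -SearchBase $SearchBase -Properties Company

# Save the "before" state so the change can be reviewed or reverted
$badUsers | Select-Object SamAccountName, DistinguishedName, Company |
    Export-Csv -Path .\company-before.csv -NoTypeInformation

# Dry run on a handful of users: -WhatIf reports what Set-ADUser would do without writing
$badUsers | Select-Object -First 5 | Set-ADUser -Company $Company -WhatIf

# Real run, one object at a time, so an access-denied on one account is logged and skipped
foreach ($u in $badUsers) {
    try {
        Set-ADUser -Identity $u -Company $Company -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not update $($u.SamAccountName): $($_.Exception.Message)"
    }
}
```

The CSV is worth keeping: a dynamic distribution list driven by this attribute will change membership the moment the value is written, and the export is the only record of which accounts previously had a blank or different company set.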

Query to LDAP on Windows Server to get Active Directory's User

I have setup AD DS and AD LDS in Windows 2012 Server.
Requirement is to query to LDAP using Java.
I have tried this:
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://55.22.44.22:53358");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
// also tried as the principal: "CN=ecode,CN=Users,DC=ecode,DC=com"
env.put(Context.SECURITY_PRINCIPAL, "ecode@ecode.com");
env.put(Context.SECURITY_CREDENTIALS, "ddadadad");
DirContext context = new InitialDirContext(env);
I get the following error
Exception in thread "main" javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 2030, v2580]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
I know code 49 is LDAP_INVALID_CREDENTIALS. I am not sure what to pass in
SECURITY_AUTHENTICATION parameter.
I have tried following as SECURITY_AUTHENTICATION in parameter:
CN=ecode,CN=Users,DC=ecode,DC=com
ecode@ecode.com
In Powershell when I try
dsquery user -name ecode
I get this output
CN=ecode,CN=Users,DC=ecode,DC=com
I'm not a Java developer (at least not recently) but according to the examples here, you should be doing something like this:
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "CN=ecode,CN=Users,DC=ecode,DC=com");
env.put(Context.SECURITY_CREDENTIALS, "ddadadad");
That's basically what I use successfully against Active Directory as well as a few pure LDAP servers. The fifth line isn't right, but an unmatched parenthesis shouldn't compile, so I'm assuming it's a copy/paste problem and the line is actually a comment with another logon ID format that you've tried.
There are three options for the SECURITY_PRINCIPAL as Active Directory's LDAP implementation lets you bind with userPrincipalName (dsquery user -o upn -name ecode), sAMAccountName (domain\logonID but dsquery user -o samid -name ecode only returns just the logonID component of the sAMAccountName for some reason), or the fully qualified DN (dsquery user -o dn -name ecode).
If you've confirmed the ID you are using matches one of these, see if the bad password count is being incremented. Bad password count is not a replicated attribute; if you have more than one domain controller, target the one used in your LDAP connection. If the counter is incrementing, then you've got the proper security_principal and the password is being rejected (bad password or possibly a locked account).
dsquery * "Fully-Qualified-DN-Here" -scope base -attr badPwdCount -s DomainControllerUsedInLDAPBind
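The same check done with the ActiveDirectory PowerShell module, added as an example that is not part of the answer: because badPwdCount is not replicated, it reads the counter from every DC so you can see which one rejected the bind. It assumes RSAT is installed, that the identity is the account used in the Java bind, and that the function name Get-BadPasswordState is my own.

```powershell
# Added example: report the non-replicated bad-password counter per domain controller.
function Get-BadPasswordState {
    param([Parameter(Mandatory)][string]$Identity)   # sAMAccountName, UPN or DN
    foreach ($dc in Get-ADDomainController -Filter *) {
        # -Server pins the read to one DC; without it you may get a different DC each call
        $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                -Properties badPwdCount, lastBadPasswordAttempt, LockedOut `
                -ErrorAction SilentlyContinue
        if ($null -eq $u) { continue }   # DC unreachable or account not yet replicated there
        [pscustomobject]@{
            DC             = $dc.HostName
            BadPwdCount    = $u.badPwdCount
            LastBadAttempt = $u.lastBadPasswordAttempt
            LockedOut      = $u.LockedOut
        }
    }
}

# Usage: run once before and once after the failing bind attempt.
# The DC whose BadPwdCount rises is the one that processed the bind and rejected the password;
# if no counter moves, the principal itself was not resolved and the problem is the identity format.
Get-BadPasswordState -Identity 'ecode' | Format-Table -AutoSize
```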

Active Directory reset password

Set-ADAccountPassword -Identity DistinguishedName -NewPassword $NewPassword -Reset
Set-aduser DistinguishedName -changepasswordatlogon $true
Unlock-ADAccount -Identity DistinguishedName
This is how a script resets a user's password. It works as intended. The question is how to make it so the new password it is reset to only lasts for 3 days.
Since there is no parameter to define an expiration time (or date) for a password to be changed after a reset is done I would create a Group Policy (GPO) to enforce an "expiration after reset policy" and then assign that GPO to a group named "ExpirationPass" for that purpose.
Finally, I would use the Add-ADGroupMember (Remove-ADGroupMember) cmdlets in the script to move the users to my "ExpirationPass" group to enforce the policy.
Good luck!

Locating a user by alternate email address in Azure AD

I currently use
(Get-MsolUser -UserPrincipalName $EmailAddress).ObjectID.Guid
to lookup a user by their PrincipalName in Azure AD and return their guid. However, there are times when a user has changed email addresses due to a name change and the address I have been given is not their PrincipalName but a secondary email address.
Is there a way to locate a user based upon an alternate email address? Perhaps a fuzzy search?
Depending on the number of 'user' accounts in your tenant, it could take a little while for each user account to be returned. Please see following:
Get-MsolUser -all | Where{$_.ProxyAddresses -like "smtp:<EMAIL ADDRESS>"}
(Get-MsolUser -all | Where{$_.ProxyAddresses -like "smtp:<EMAIL ADDRESS>"}).ObjectId.Guid
You can use the following PowerShell scripts to filter users with one Alternate Email Address:
Get-MsolUser | Where-Object{$_.AlternateEmailAddresses -contains "<the email address>"}
(Get-MsolUser | Where-Object{$_.AlternateEmailAddresses -contains "<the email address>"}).ObjectId.Guid
Here is my test result:
