PKI Expired Certificate Cleanup Script

 # Date define our Certificate Retention period.

$FileName = (Get-date).ToString("dd-MM-yyyy")

 

$Date = (Get-Date).AddDays(-375).ToShortDateString()

# Store List of Certificate which need to take action.

# Disposition Values

# 20 certificate was issued

# 21 certificate is revoked

# 30 certificate request failed

# 31 certificate request is denied

$CollectRow = certutil.exe -view -restrict "Disposition=30,notbefore<=$Date" -out Requestid csv | findstr.exe /v "Issued Request ID"

foreach($DelCert in $CollectRow) {

    Certutil -deleterow $DelCert Request

    $CALog = "$DelCert Successfully Deleted"

    $CALog | Out-File "C:\CAClearLog\$FileName + CAResult-log.txt" -Append

}

PKI Certificate Cleanup from Issuing Authority

 <# 

.Description 

    The Script will help to delete certificate which we defined in the input file.  

#>

$ExpiredCertficates = Get-Content C:\temp\row1.txt

foreach($ExpiredCertficate in $ExpiredCertficates) {

    Certutil -deleterow $ExpiredCertficate Request

    Write-Host "Deleting Certificate $ExpiredCertficate"

}

PKI Certificate Report

<# 

.Description 

    The Script will help to fetch Certificate Expiration Date as we defined. 

#>

certutil.exe -view -restrict 'disposition=20,NotAfter<=12/1/2019' -out 'RequestID,RequesterName,NotBefore,NotAfter,Disposition,Request.RequestID,Issued Email Address' csv > C:\temp\Issued_Validation.csv

Introduce New Custom Active Directory Attribute

 

Introduce New Custom Attribute

Add Custom attribute, to store Service Account owner information.

Creating custom attribute in AD, we need schema dll need to be register first.

Once schema registered, open Schema snap-ins.

 

Select Attributes, and create attribute.

Then, the system will give a warning about schema object creation. Click OK to continue and the following screen will open:

New Attribute form look like below.

Common Name: This is the name of the object. You can only use letters, numbers, and hyphens for the common name (CN).

LDAP Display Name: When an object is referring to a script, program, or command-line utility, it needs to be called using the LDAP display name instead of the CN. When you define the CN, it will automatically create an LDAP Display Name.

Unique X500 Object ID: Each and every attribute in an AD schema has a unique object ID (OID) value. There is a script developed by Microsoft to generate these unique OID values. It can be found at https://gallery.technet.microsoft.com/scriptcenter/Generate-an-Object-4c9be66a#content.

 

It includes the following script, which will generate the OID:

#---

$Prefix="1.2.840.113556.1.8000.2554"

$GUID=[System.Guid]::NewGuid().ToString()

$Parts=@()

$Parts+=[UInt64]::Parse($guid.SubString(0,4), "AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(4,4), "AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(9,4),

"AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(14,4), "AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(19,4), "AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(24,6), "AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(30,6),

"AllowHexSpecifier")

$OID=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",

$prefix,$Parts[0],$Parts[1],$Parts[2],$Parts[3],$Parts[4],

$Parts[5],$Parts[6])

$oid

#---

Syntax: This defines the storage representation for the object. You are only allowed to use a syntax defined by Microsoft. One attribute can only associate with one syntax. In the following table, I have listed a few commonly used syntaxes:

Syntax	Description
Boolean	True or false
Unicode String	A large string
Numeric String	String of digits
Integer	32-bit numeric value
Large Integer	64-bit numeric value
SID	Security identifier value
Distinguished Name	String value to uniquely identify object in AD

With all the above notes, we will fill the below form.

        As the next step, we need to add it to the user class. In order to do that, go to the Classes container, double-click on the user class,

Click on the Attributes tab. In there, by clicking the Add button, we can browse and select the newly added attribute from the list:

Now when we open a user account, we can see the new attribute. Update owner employee id info,

Now all efforts are done, let see we can retrieve from PowerShell. 

**************************Happy Learning************************ 

How to By-pass ADFS and Azure SSO

 Summary:

            Typically, when we implement AZURE AAD and ADFS, we would expert any federated URL’s would sign automatically. This is quite expected behavior’, if any corporate users are already signed on their computer not required sign on for all remaining resource. however, if you want to disallow some users from using Seamless SSO sign in on shared kiosks. The SSO should bypass for those users. Let see how to bypass.

Add the below URLs into Internet Explorer Restricted Zone, adding this URL for set of computers can be via GPO or GPO Preference for Shared Service Computers.

https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net

Once the URLs are present in Restricted Zone.

Run the KLIST Purge command on KIOSK Computers to refresh any new token.

Now when user attempted to access any new federated URL’s the URL, s would ask you to submit credentials.

Note: Seamless SSO Sometime not working appropriately when IE with IN Private Mode, so check the URLs in IE with Normal mode.

***********************Happy Learning*************************

 

Create Group which correspond to Server Name

 # This script create Group which correspond to Server Name. 

# Import Active Directory Module.

Import-Module ActiveDirectory

# Computer OU Container

$ParentOU="OU=Root,DC=test,DC=local"

# Locate the Group OU, in which script will create groups.

$GroupOU="OU=ServerGroup,OU=Root,DC=test,DC=local"

# The script will find computer object which is leass than specified in the customdate

$customdate=(Get-date).Adddays(-3)

$log=get-date

$ColComputers=get-adComputer -SearchBase $ParentOU -Filter {(Whencreated -ge $customdate)}

foreach ($Computer in $ColComputers)

{

$ComputerCN = (Get-ADComputer $Computer).name

# Verify the OU path before group creation process

$check = [ADSI]::Exists("LDAP://$($GroupOU)") 

if ($check -eq $True)

{ 

Try 

{ 

# Check Group Already exist in Directory Service

$GroupExists = Get-ADGroup -Identity $ComputerCN

# If Group Already exist, redirect the output to log file.

$Outmsg="Group $($ComputerCN) alread exists! Group creation skipped!$log" 

$Outmsg | Out-file -append ".\Result_Log1.txt"

}

Catch

{

# IF Group not exist in AD, create new group which is correspond to computername

$create = New-ADGroup -Name $ComputerCN -GroupScope: "Global" -Path: "$GroupOU" -SamAccountName:"$ComputerCN" -Description "Local Administrator Group for $ComputerCN"  -Server:"NATEST-DC1" 

$Outmsg= "Group $($ComputerCN) created!$log" 

$Outmsg | Out-file -append ".\Result_Log1.txt"

 

 } 

  } 

  Else 

  { 

    Write-Host "Target OU can't be found! Group creation skipped!" 

  } 

}

Active Directory Replication Report

 # Get today's date for the report 

$today = Get-Date 

 

# Setup email parameters 

$subject = "Replication REPORT - " + $today 

$priority = "Normal" 

$smtpServer = "SMTP.Server.com" 

$emailFrom = "from@email.com" 

$emailTo = "to@email.com" 

$log = "C:\temp\ReplicationSummary.txt"

repadmin /replsum * /bysrc /bydest /sort:delta > $log

#$ReplicationStatus = "Replication REPORT - " + $today 

$Result = Get-Content C:\temp\ReplicationSummary.txt -raw

# Send the report email 

Send-MailMessage -To $emailTo -Subject $subject -Body $Result -SmtpServer $smtpServer -From $emailFrom -Priority $priority