Last Login Report both On Prem and Azure

We often receive request for collecting Last login report both on prem and Azure AD sign in login, we have build the script to collect this. 

Sharing interesting tiny script that make your life more easier :) 

# Verify your machine having proper firewall rules in place. 

# Test-NetConnection login.microsoftonline.com -Port 443

# Test-NetConnection autologon.microsoftazuread-sso.com -Port 443

# Enable Tls12 protocol

# [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Verify Microsoft Site

# Invoke-WebRequest -Uri "https://login.microsoftonline.com" -UseBasicParsing

# This report need some Microsoft Graph Command, hence we are installing the modules. 

# Install-Module Microsoft.Graph -Scope AllUsers -Force

# Install-Module Microsoft.Graph -Scope AllUsers -Force -AllowClobber

# Connect Microsoft Graph by using your Azure AD credentials. 

# Connect-MgGraph -Scopes "User.Read.All","Directory.Read.All"

# $Cred = Get-Credential

$listofusers = Get-content C:\temp\kumar\azuread1.txt

$Properties = @("Id","DisplayName","UserPrincipalName","SignInActivity")

foreach ($usr in $listofusers){

#$Users = Get-MgUser -All -Property $Properties | Select-Object -First 100

    $Users1 = get-aduser -filter {UserPrincipalName -eq $usr} -Properties * -Server Server1.test.com -Credential $Cred | Select-Object SamAccountName,LastLogonDate

    $Users = Get-MgUser -Filter "userPrincipalName eq '$usr'" -Property $Properties

    $Users | Select-Object DisplayName, UserPrincipalName, @{Name="LastLoginDate";Expression={$_.SignInActivity.LastSignInDateTime}}

         # Merge into one object

        $Combined = [PSCustomObject]@{

            AzureDisplayName       = $Users.DisplayName

            AzureUserPrincipalName = $Users.UserPrincipalName

            AzureLastLoginDate     = $Users.SignInActivity.LastSignInDateTime

            OnPremSamAccountName   = $Users1.SamAccountName

            OnPremLastLogonDate    = $Users1.LastLogonDate

        }

        # Output or export

        $Combined | Export-Csv "AzureAD_LastLogin.csv" -NoTypeInformation -Append

}

Domain Controller Jumped Time future Dates

 

 

Synopsis

            We recently had an issue with one of AD server, the server time jumping previous dates. After couple of hours the server returning with original time and it is following domain time hierarchy. So, the time drift is not consistent with forest PDC. Initially we had an issue with one server later it triggered such issues multiples domain controllers.

            Time drift that causes on domain controller, that lead potential issues to business few service below for reference.

Authentication and authorization,

Domain controller replication will break

Group Managed Service account must reconfigure.

 

 

Investigation

        We started analysis how / who initiating this time jump on domain controllers. we checked the below factors,

Ø                      Is there any network connection issue between PDC to Domain Controller, both have logically disconnected each other, we assumed possible network glitches but upon checking within same site and same subnet another domain controller we don’t see any time drift from PDC. hence network or fireall not a concern. 

Ø                  Verified once server back to original time are they taking time from PDC or local CMOS. Luckily the server taking time from PDC, not from local CMOS.

Ø                  The very first server we observed this issue, domain controller installed with physical server, the HP product team they documented the list of products affected this bug and they provided solution to follow.

The below link that will help you to check if your physical box falls under this category.

 

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c04557232

            We have checked our product version is not impacted and observed this issue also affecting Virtual domain controllers too. Hence hardware bug not an issue to us.

 

We finally give up with all basic troubleshooting and opened support case to Microsoft team,

Microsoft team captured the w32 debug logs and found some interesting issue about STS (secure time seeding) that causing this issue.

To collect debug logs we must run the below command with Administrator cmd.

Command to enable w32time debug logs:

w32tm /debug /enable /file:%SystemRoot%\temp\W32Time.log /size:10485760 /entries:0-1003 (we need to restart the time service in order for logs to be collected)

Commands to stop and start the time service:

net stop w32time - to stop the time service

net start w32time – to start the time service

 

Solution: -

        The issue is not consistent also we won’t be able to reproduce the issue to capture the logs, it took some time to capture it. Finally, we had an enough logs that prove it caused secure time seeding, hence Microsoft recommend turning off this STS feature.

Before implementing we captured what present registry value on each domain controller (Our domain controller hosted on windows server 2019) and found this feature is turned on all domain controllers.

Registry value

Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Value Name: UtilizeSslTimeData

Value Type: REG_DWORD

Value: 1 = enabled (default), 0 = Disabled

We implemented this registry disable though below group policy option to push all Domain Controller.

Group Policy and the corresponding registry to disable STS(reboot required):

Setting:

• Global Configuration Settings (Computer Configuration\ Administrative Templates\ System\ Windows Time Service)

Sub Setting:

• UtilizeSslTimeData

Explain Text

• This parameter controls whether W32time will use time data computed from SSL traffic on the machine as an additional input for correcting the local clock.

ADMX File:

• W32Time.admx file.

Reboot Requirements

• Reboot required.

 

Note: Changes on the registry value requires reboot. Hence plan your implementation accordingly.

 

Reference Notes:

The below reference article that explains more about how this STS feature that causing this issue and why Microsoft made this feature default as turned on state.

My favorite articles are here.

Ø  https://arstechnica.com/security/2023/08/windows-feature-that-resets-system-clocks-based-on-random-data-is-wreaking-havoc/

Ø  https://techcommunity.microsoft.com/blog/askds/secure-time-seeding-on-dcs-a-note-from-the-field/4238810

 

 

 

 

 

 

 

 

 

 

Eventlog Report with powershell

Account Lockout Eventlog Search on AD server 

 We usually face challange to pull account lockout source on domain controller security eventlog, although we have nice friendly gui view in event logs, sometime that wont help us to analyze account lockout source. One of my user had account lockout issue every One Minute once.by using native powershell method i found this below query to identify the source of account lockout.

# Specify the log name and a filter for Event ID (if needed)

$LogName = "Security"

$EventID = 4771 # Example Event ID

# Retrieve and extract specific information (e.g., Client Address)

Get-WinEvent -FilterHashtable @{LogName = $LogName; Id = $EventID}|where {$_.message -match "Nameoftheaccount"} | ForEach-Object {

    # Extract "Client Address" from the message

    if ($_.Message -match "Client Address:\s+(\S+)") {

        [PSCustomObject]@{

            TimeCreated    = $_.TimeCreated

            EventID        = $_.Id

            ClientAddress  = $matches[1] # Extracted IP or address

        }

    }

}

#happy learning...

PKI Expired Certificate Cleanup Script

 # Date define our Certificate Retention period.

$FileName = (Get-date).ToString("dd-MM-yyyy")

 

$Date = (Get-Date).AddDays(-375).ToShortDateString()

# Store List of Certificate which need to take action.

# Disposition Values

# 20 certificate was issued

# 21 certificate is revoked

# 30 certificate request failed

# 31 certificate request is denied

$CollectRow = certutil.exe -view -restrict "Disposition=30,notbefore<=$Date" -out Requestid csv | findstr.exe /v "Issued Request ID"

foreach($DelCert in $CollectRow) {

    Certutil -deleterow $DelCert Request

    $CALog = "$DelCert Successfully Deleted"

    $CALog | Out-File "C:\CAClearLog\$FileName + CAResult-log.txt" -Append

}

PKI Certificate Cleanup from Issuing Authority

 <# 

.Description 

    The Script will help to delete certificate which we defined in the input file.  

#>

$ExpiredCertficates = Get-Content C:\temp\row1.txt

foreach($ExpiredCertficate in $ExpiredCertficates) {

    Certutil -deleterow $ExpiredCertficate Request

    Write-Host "Deleting Certificate $ExpiredCertficate"

}

PKI Certificate Report

<# 

.Description 

    The Script will help to fetch Certificate Expiration Date as we defined. 

#>

certutil.exe -view -restrict 'disposition=20,NotAfter<=12/1/2019' -out 'RequestID,RequesterName,NotBefore,NotAfter,Disposition,Request.RequestID,Issued Email Address' csv > C:\temp\Issued_Validation.csv

Introduce New Custom Active Directory Attribute

 

Introduce New Custom Attribute

Add Custom attribute, to store Service Account owner information.

Creating custom attribute in AD, we need schema dll need to be register first.

Once schema registered, open Schema snap-ins.

 

Select Attributes, and create attribute.

Then, the system will give a warning about schema object creation. Click OK to continue and the following screen will open:

New Attribute form look like below.

Common Name: This is the name of the object. You can only use letters, numbers, and hyphens for the common name (CN).

LDAP Display Name: When an object is referring to a script, program, or command-line utility, it needs to be called using the LDAP display name instead of the CN. When you define the CN, it will automatically create an LDAP Display Name.

Unique X500 Object ID: Each and every attribute in an AD schema has a unique object ID (OID) value. There is a script developed by Microsoft to generate these unique OID values. It can be found at https://gallery.technet.microsoft.com/scriptcenter/Generate-an-Object-4c9be66a#content.

 

It includes the following script, which will generate the OID:

#---

$Prefix="1.2.840.113556.1.8000.2554"

$GUID=[System.Guid]::NewGuid().ToString()

$Parts=@()

$Parts+=[UInt64]::Parse($guid.SubString(0,4), "AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(4,4), "AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(9,4),

"AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(14,4), "AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(19,4), "AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(24,6), "AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(30,6),

"AllowHexSpecifier")

$OID=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",

$prefix,$Parts[0],$Parts[1],$Parts[2],$Parts[3],$Parts[4],

$Parts[5],$Parts[6])

$oid

#---

Syntax: This defines the storage representation for the object. You are only allowed to use a syntax defined by Microsoft. One attribute can only associate with one syntax. In the following table, I have listed a few commonly used syntaxes:

Syntax	Description
Boolean	True or false
Unicode String	A large string
Numeric String	String of digits
Integer	32-bit numeric value
Large Integer	64-bit numeric value
SID	Security identifier value
Distinguished Name	String value to uniquely identify object in AD

With all the above notes, we will fill the below form.

        As the next step, we need to add it to the user class. In order to do that, go to the Classes container, double-click on the user class,

Click on the Attributes tab. In there, by clicking the Add button, we can browse and select the newly added attribute from the list:

Now when we open a user account, we can see the new attribute. Update owner employee id info,

Now all efforts are done, let see we can retrieve from PowerShell. 

**************************Happy Learning************************