Troubleshooting Failed Login Attempts in Windows Active Directory Server

On Event Viewer, we should look for the following information (filter Security log):

Security log, events 4625 and 4771 (format for filtering is: 4625,4771).

We need to filter for these two events since we don’t know if the user failed to authenticate using NTLM (4625) or Kerberos (4771).

References:

4625(F): An account failed to log on

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

4771(F): Kerberos pre-authentication failed

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771

With a view containing only events 4625 and 4771 we can then search (Find…) the user we are troubleshooting.

We should be looking for, and should see, the following information in each of these events.

4625:

You can refer to the article above for a full description on the Status and Sub-Status codes.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 5/21/2019 10:40:19 AM

Event ID: 4625

Task Category: Logon

Level: Information

Keywords: Audit Failure

User: N/A

Computer: DC2.contoso.local

Description:

An account failed to log on.

Subject:

Security ID: NULL SID

Account Name: –

Account Domain: –

Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: test2016 → This should be showing the account you are troubleshooting.

Account Domain: WIN2K16MEMBER

Failure Information:

Failure Reason: Unknown user name or bad password.

Status: 0xC000006D → These are the fields you should also be looking at.

Sub Status : 0xC0000064 → We can have either 0xC0000064 or 0xC000006A

Process Information:

Caller Process ID: 0x0

Caller Process Name: –

Network Information:

Workstation Name: WIN2K16MEMBER → This might not show on this event, but if it does, this is where the bad password is coming from.

Source Network Address: 192.168.0.31 → This might not show on this event, but if it does, this is the IP where the bad password is coming from.

Source Port: 49735

Detailed Authentication Information:

Logon Process: NtLmSsp

Authentication Package: NTLM

Transited Services: –

Package Name (NTLM only): –

Key Length: 0

If the above event does not show the Network Information details, you will have to enable the Netlogon debug log to have more tracing and NTLM authentication information.

You can refer to the following article for the full instructions on how to enable and disable Netlogon debugging:

Enabling debug logging for the Netlogon service

https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service

Enabling and disabling Netlogon debugging is quite easy, but it should only be enabled for troubleshooting purposes and disabled afterwards:

Enable Netlogon debug:

From an elevated command prompt (as administrator), run the following command:

nltest /dbflag:2080ffff

Disable Netlogon debug:

From an elevated command prompt (as administrator), run the following command:

nltest /dbflag:0x0

The netlogon debug log can then be found under C:\Windows\debug\netlogon.log

In the netlogon debug log we should look for (Find…) the user we are troubleshooting, and we should be able to find information similar to the below:

08/15 16:38:22 [LOGON] [608] CONTOSO: SamLogon: Generic logon of CONTOSO.LOCAL\test2016 from ( WIN2K16MEMBER ) (via JUMPSERVER) Returns 0xC000006A

This entry tells you where the bad password came from.

4771:

You can refer to the article above for a full description on the Failure Codes.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 7/26/2019 11:47:11 AM

Event ID: 4771

Task Category: Kerberos Authentication Service

Level: Information

Keywords: Audit Failure

User: N/A

Computer: DC2.contoso.local

Description:

Kerberos pre-authentication failed.

Account Information:

Security ID: CONTOSO\Administrator

Account Name: Administrator → This should be showing the account you are troubleshooting.

Service Information:

Service Name: krbtgt/CONTOSO

Network Information:

Client Address: ::ffff:192.168.0.4 → This might not show on this event, but if it does, this is the IP where the bad password is coming from.

Client Port: 49908

Additional Information:

Ticket Options: 0x40810010

Failure Code : 0x18 → This is the Failure Code we should be looking for: the wrong password was provided.

Pre-Authentication Type: 2

Certificate Information:

Certificate Issuer Name:

Certificate Serial Number:

Certificate Thumbprint:
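As an added example (not part of the original article), the PowerShell script below automates the Event Viewer steps above: it pulls the 4625 and 4771 events for one account, decodes the Sub Status / Failure Code values the article calls out, and counts the failures per source workstation and IP. It assumes an elevated PowerShell session on the domain controller; $User and the $Reason table are the script's own names.

```powershell
# Added example, not the article's own code. Run on the DC in an elevated session.
param(
    [Parameter(Mandatory)][string]$User,   # account being troubleshot, e.g. test2016
    [int]$Hours = 24                        # how far back to search the Security log
)

# Meanings of the codes the article calls out (hashtable lookups are case-insensitive,
# so the lowercase hex the event XML carries still matches)
$Reason = @{
    '0xC0000064' = 'NTLM: user name does not exist'
    '0xC000006A' = 'NTLM: bad password'
    '0x18'       = 'Kerberos: wrong password (pre-authentication failed)'
}

# Pull one named EventData field out of the event's XML
function Get-EventField($xml, [string]$name) {
    ($xml.Event.EventData.Data | Where-Object Name -eq $name).'#text'
}

# Same filter as the Event Viewer view: Security log, IDs 4625 and 4771
$filter = @{ LogName = 'Security'; Id = 4625, 4771; StartTime = (Get-Date).AddHours(-$Hours) }

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $target = Get-EventField $x 'TargetUserName'
    if ($target -ne $User) { return }       # skip events for other accounts

    if ($_.Id -eq 4625) {
        $code   = Get-EventField $x 'SubStatus'        # 0xC0000064 / 0xC000006A
        $source = Get-EventField $x 'WorkstationName'
    } else {
        $code   = Get-EventField $x 'Status'           # 4771 carries the Kerberos failure code here
        $source = $null                                 # 4771 has no workstation name
    }
    $ip = Get-EventField $x 'IpAddress'
    if ($ip) { $ip = $ip -replace '^::ffff:', '' }      # 4771 reports IPv4-mapped addresses

    [pscustomobject]@{
        Time        = $_.TimeCreated
        EventId     = $_.Id
        Account     = $target
        Code        = $code
        Reason      = if ($Reason[$code]) { $Reason[$code] } else { 'see the Microsoft status code tables' }
        Workstation = if ($source) { $source } else { '-' }
        SourceIP    = if ($ip) { $ip } else { '-' }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# The per-source count is usually what points at the misbehaving client
$rows | Group-Object SourceIP, Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If the source columns come back as "-" for every row, fall back to the Netlogon debug log described in the next section.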

This was the easy part!

The hard part is often to troubleshoot from the client side as we don’t have any specific procedure to understand what is sending the bad passwords.

An application? A Scheduled Task? A script?

It can be any or all of them, and for that reason we often need to revisit the client workstation to continue searching for the culprit(s).

Sometimes it is a device in the middle that connects the user to Exchange, SQL or another resource, and the same steps need to be taken on each device in the middle until we get back to the originating source.

More information:
You can also check the articles below for more troubleshooting information and tips regarding account lockouts:

Active Directory: Bad Passwords and Account Lockout

https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx

Active Directory: Troubleshooting Frequent Account Lockout

https://social.technet.microsoft.com/wiki/contents/articles/23497.active-directory-troubleshooting-frequent-account-lockout.aspx

Troubleshooting account lockout the PSS way

https://blogs.technet.microsoft.com/instan/2009/09/01/troubleshooting-account-lockout-the-pss-way/

How to disable inactive user accounts using PowerShell

Inactive Active Directory (AD) user accounts can pose a security risk to organizations, in situations such as when former employees still have active accounts months after leaving the company because HR failed to inform IT, or accounts might be created for a particular purpose but never deleted after the event. Whatever the reason for the existence of such accounts, Active Directory can quickly get out of control, in turn making your systems harder to audit and less secure.

Active Directory Module for PowerShell

The PowerShell module for Active Directory allows system administrators to query Active Directory and generate reports using the resulting data. The AD module for PowerShell is installed by default on Windows Server 2012 domain controllers, or alternatively you can download the Remote Server Administration Tools (RSAT) for Windows 8.1 and install the module using the command below.

Log in as a local administrator, open a PowerShell prompt, type the code below and press ENTER to install the AD module for PowerShell:

Install-WindowsFeature RSAT-AD-PowerShell

Search Active Directory for Inactive Accounts

The Search-ADAccount cmdlet provides an easy way to query Active Directory for inactive user accounts:

Search-ADAccount -UsersOnly -AccountInactive

Figure 1

The above command returns all inactive accounts. To narrow down the results to a specific time range, you can add the -TimeSpan parameter to Search-ADAccount. In the example below, a variable defines the value for the -TimeSpan parameter, using the New-TimeSpan cmdlet to simplify the input:

$timespan = New-TimeSpan -Days 90

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan

Alternatively, you can specify the -DateTime parameter to return accounts that have been inactive since a given date. In the command that follows, accounts not active since May 5th 2014 are returned:

Search-ADAccount -UsersOnly -AccountInactive -DateTime '5/20/2014'

To get more user-friendly information about the accounts, pipe the results to the Get-ADUser cmdlet and then choose the columns to display in the output using Select:

Search-ADAccount -UsersOnly -AccountInactive | Get-ADUser -Properties Department,Title | Select Name,Department,Title,DistinguishedName

Figure 2

The results can also be sorted by a specified field, in this example by the LastLogOnDate attribute, which is derived from the LastLogonTimestamp and converted into a readable format:

Search-ADAccount -UsersOnly -AccountInactive | Get-ADUser -Properties Department,Title | Sort LastLogonDate | Select Name,Department,Title,DistinguishedName

It’s worth noting that unlike the LastLogOn attribute, LastLogonTimestamp is synchronized between domain controllers, but can be 9 to 14 days out-of-date, so you should bear this in mind when processing your results.

Another way to simplify the output and count the number of inactive users is to pipe the results to the Measure cmdlet:

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Measure

As with any other PowerShell cmdlets, the results can be piped to Out-GridView, or to a comma-delimited file so that the results can be imported into Excel.

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Out-GridView

Disable Inactive Accounts

Once you’ve got the set of results you’re looking for, all you need to do is pipe them to the Disable-ADAccount cmdlet as shown here to disable the accounts:

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
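As an added example (not part of the original post), the script below puts the steps above together with the checks a practitioner usually wants before disabling anything: it pads the window for the LastLogonTimestamp replication lag noted earlier, skips accounts that are already disabled or were created inside the window (they have simply never logged on yet), writes a review CSV, and only runs Disable-ADAccount with -WhatIf. The $Days, $Report and -Disable parameters are the script's own assumptions.

```powershell
# Added example, not the post's own code. Requires the ActiveDirectory module (RSAT).
param(
    [int]$Days = 90,                                    # inactivity threshold
    [string]$Report = 'C:\temp\InactiveUsers.csv',      # assumed review file path
    [switch]$Disable                                    # only disable when explicitly asked
)
Import-Module ActiveDirectory

# LastLogonTimestamp can be 9 to 14 days stale, so widen the window to avoid false positives
$window = New-TimeSpan -Days ($Days + 14)
$cutoff = (Get-Date) - $window

$candidates = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $window |
    Where-Object { $_.Enabled } |                        # already-disabled accounts need no action
    Get-ADUser -Properties LastLogonDate, whenCreated, Department, Title |
    Where-Object { $_.whenCreated -lt $cutoff }          # accounts newer than the window are not "inactive"

# Review list, oldest logon first; a blank LastLogonDate means the account never logged on
$candidates |
    Select-Object Name, SamAccountName, Department, Title, LastLogonDate, whenCreated, DistinguishedName |
    Sort-Object LastLogonDate |
    Export-Csv -Path $Report -NoTypeInformation

"{0} inactive, enabled accounts written to {1}" -f @($candidates).Count, $Report

if ($Disable) {
    # -WhatIf only reports what would change; remove it once the CSV has been reviewed
    $candidates | Disable-ADAccount -WhatIf
}
```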

IPSEC Service fails to start in Windows 2003 Server with Error 2: The system cannot find the file specified

Upon rebooting a Terminal Server that had resource issues, we could not log back into the server through RDP.  We could log in through iLO, and it was apparent that the logins were working but they were very slow.  Upon examining the services, we could see that the IPSEC service was not started. 

Trying to manually start the service gave the following popup: “Could not start the IPSEC Services service on Local Computer.  Error 2: The system cannot find the file specified.”  The event logs also showed that TCP/IP was in blocking mode. 

Disabling the service and rebooting restored all network communication, but trying to start the service would drop all connectivity again and slow down the server.  I found another article that said that IPSEC may need to be rebuilt.  When I looked for the registry keys for IPSEC, they were not there.  After I ran the following commands, the registry keys were populated, and IPSEC was able to run properly.

To rebuild IPSEC, follow these steps: [more]

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\IPsec\Policy\Local.  (In my case, the server’s registry ended before IPsec.  If this is the case, skip to step 6.)
  3. On the Edit menu, click Delete.
  4. Click Yes to confirm that you want to delete the subkey
  5. Quit Registry Editor
  6. Click Start, click Run, type regsvr32 polstore.dll, and then click OK.

Remote Desktop CredSSP encryption Oracle remediation Registry fix

This is a quick credssp registry fix for the following error when trying to connect to a machine using RDP (Remote Desktop):

Image showing RDP CredSSP Authentication Error when connecting to a host with RDP

This happens because the server you are connecting to is not patched up to date while the machine you are connecting from is. Modify the registry on the connecting machine to allow it to connect; note that a value of 2 is the "Vulnerable" setting, which turns off the client-side CredSSP check, so patch the server and remove the entry afterwards:

  1. Open Regedit.
  2. Navigate to the following registry key, or create it if it does not exist:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
  3. Create a new DWORD value called “AllowEncryptionOracle”.
  4. Set the new registry entry to have a value of 2:

Image showing AllowEncryptionOracle registry entry being set to a value of 2

  5. Connect to the server that you were unable to connect to before.

Run this from an elevated command prompt to achieve the same result:

  • REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

VSS writers and VSS writers Related Windows Services details

VSS writers and VSS writers Related Windows Services details are below:

| VSS Writer | Service Name | Service Display Name |
|---|---|---|
| ADAM $instanceName Writer | ADAM_$instanceName | $instanceName |
| ASR Writer | VSS | Volume Shadow Copy |
| BITS Writer | BITS | Background Intelligent Transfer Service |
| Certificate Authority | CertSvc | Active Directory Certificate Services |
| COM+ REGDB Writer | VSS | Volume Shadow Copy |
| DFS Replication service writer | DFSR | DFS Replication |
| DHCP Jet Writer | DHCPServer | DHCP Server |
| FRS Writer | NtFrs | File Replication |
| FSRM writer | srmsvc | File Server Resource Manager |
| IIS Config Writer | AppHostSvc | Application Host Helper Service |
| IIS Metabase Writer | IISADMIN | IIS Admin Service |
| Microsoft Exchange Replica Writer | MSExchangeRepl | Microsoft Exchange Replication Service |
| Microsoft Exchange Writer | MSExchangeIS | Microsoft Exchange Information Store |
| Microsoft Hyper-V VSS Writer | vmms | Hyper-V Virtual Machine Management |
| MSMQ Writer (MSMQ) | MSMQ | Message Queuing |
| MSSearch Service Writer | WSearch | Windows Search |
| NPS VSS Writer | EventSystem | COM+ Event System |
| NTDS | NTDS | Active Directory Domain Services |
| OSearch VSS Writer | OSearch | Office SharePoint Server Search |
| OSearch14 VSS Writer | OSearch14 | SharePoint Server Search 14 |
| OSearch15 VSS Writer | OSearch15 | SharePoint Server Search 15 |
| Registry Writer | VSS | Volume Shadow Copy |
| Shadow Copy Optimization Writer | VSS | Volume Shadow Copy |
| SharePoint Services Writer | SPWriter | Windows SharePoint Services VSS Writer |
| SMS Writer | SMS_SITE_VSS_WRITER | SMS_SITE_VSS_WRITER |
| SPSearch VSS Writer | SPSearch | Windows SharePoint Services Search |
| SPSearch4 VSS Writer | SPSearch4 | SharePoint Foundation Search V4 |
| SqlServerWriter | SQLWriter | SQL Server VSS Writer |
| System Writer | CryptSvc | Cryptographic Services |
| TermServLicensing | TermServLicensing | Remote Desktop Licensing |
| WDS VSS Writer | WDSServer | Windows Deployment Services Server |
| WIDWriter | WIDWriter | Windows Internal Database VSS Writer |
| WINS Jet Writer | WINS | Windows Internet Name Service (WINS) |
| Windows Server Storage VSS Writer | WseStorageSvc | Windows Server Essentials Storage Service |
| WMI Writer | Winmgmt | Windows Management Instrumentation |

Add members to O365 Security Groups using Azure AD Powershell Module

Step 1. Create a CSV file with a column “UserPrincipalName” and add all users under it who are to be added as a member of the group.


Step 2. Run the command below to import the CSV file and get the object IDs of the members to be added to the group:

Import-Csv C:\temp\Members.csv | ForEach-Object { Get-MsolUser -UserPrincipalName $_.UserPrincipalName | Select-Object ObjectId } | Export-Csv C:\temp\MembersWithObjectID.csv

This converts each user's identity to their unique GUID and exports the result to a new CSV file (MembersWithObjectID.csv).


Step 3. Collect the GUID of the security group to which you want to add the members as well.

The command below returns the object ID of the group:

Get-MsolGroup -SearchString "SecurityGroupName" | Format-List

I have my object ID as below.

ObjectId                  : XXXXXX-XXXX-XXXX-XXXXXXXXX


Step 4. Run the below command to Add members in the CSV to the Group.

Import-Csv C:\temp\MembersWithObjectID.csv | ForEach-Object { Add-MsolGroupMember -GroupObjectId 'XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX' -GroupMemberObjectId $_.ObjectId -GroupMemberType User }


Step 5. Verify the users from the Group just added.

Get-MsolGroupMember -All -GroupObjectId 'XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX' | Select DisplayName,EmailAddress,GroupMemberType | Export-Csv C:\temp\security-group-members.csv

How to take Azure DNS backup using Azure CLI script

I am also trying to find an easy way to do this rather than complex scripted methods. For Azure we have a variety of methods available, including PowerShell and the CLI. Here we use the CLI to export the Azure DNS zone files to text files, and they can be imported again with very little effort in the CLI to restore. For restoring, refer to the article How to import/export DNS zone file to Azure DNS using CLI here.

You can download the readymade script from the link Azure DNS Zone Imports Script.

cd\

#Login to Azure using CLI with Username and Password
#(run "az login" on its own to sign in interactively rather than putting the password on the command line)
az login -u "<Put Username Here>" -p "<Put Password Here>"

#Select Subscription
az account set -s "<Put Subscription Name here>"

#Set date format to create a folder automatically with the date to export zone files into
$date = Get-Date
$dateFormat = $date.ToString("yyyy-MM-dd")
New-Item -ItemType directory -Path "D:\AzureDNSBackup\$dateFormat"

#Use the command below to export each zone file, one at a time
az network dns zone export -g "Put Resource Group Name Here" -n "Put zone name here" -f "D:\AzureDNSBackup\$dateFormat\ZoneFileName.txt"

#Export the list of zone files from the folder to a file
Get-ChildItem -Path "D:\AzureDNSBackup\$dateFormat\*.txt" | Out-File "D:\AzureDNSBackup\$dateFormat\Zone_List.txt"

#Send the zone file list by email as the backup confirmation
$filename = "D:\AzureDNSBackup\$dateFormat\Zone_List.txt"
$smtpServer = "relay Server Name/IP"

$msg = New-Object Net.Mail.MailMessage
$att = New-Object Net.Mail.Attachment($filename)
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$msg.From = "Sender Email Address here"
$msg.To.Add("Put Recipient Email Address Here")
$msg.Subject = "Daily Azure DNS Zone Backup - $((Get-Date).ToShortDateString())"
$msg.Body = "Daily Azure DNS Zone Backup done to D drive AzureDNSBackup folder on server 'ServerName', Backup Zone List Attached"
$msg.Attachments.Add($att)
$msg.IsBodyHTML = $true
$smtp.Send($msg)
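As an added example (not part of the original script), the following PowerShell loop generalizes the single export line above: it lists every zone in the resource group with the CLI and exports each one, checking the az exit code so a failed export is reported instead of silently producing an incomplete backup. It assumes the Azure CLI is installed and already signed in; $ResourceGroup and $BackupRoot are the script's own parameters.

```powershell
# Added example, not the original script. Requires Azure CLI, already logged in (az login).
param(
    [Parameter(Mandatory)][string]$ResourceGroup,   # resource group holding the DNS zones
    [string]$BackupRoot = 'D:\AzureDNSBackup'       # assumed backup root, one dated folder per run
)

$folder = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# One zone name per line; --query with tsv output avoids parsing JSON by hand
$zones = az network dns zone list -g $ResourceGroup --query '[].name' -o tsv
if (-not $zones) { throw "No DNS zones found in resource group $ResourceGroup" }

$failed = @()
foreach ($zone in $zones) {
    $file = Join-Path $folder "$zone.txt"
    az network dns zone export -g $ResourceGroup -n $zone -f $file
    # az sets a non-zero exit code on failure; record the zone instead of continuing silently
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) { $failed += $zone }
}

# Same Zone_List.txt the original script attaches to the confirmation email
Get-ChildItem -Path "$folder\*.txt" | Select-Object -ExpandProperty Name |
    Out-File (Join-Path $folder 'Zone_List.txt')

if ($failed) { Write-Warning ("Export failed for: " + ($failed -join ', ')) }
"{0} of {1} zones exported to {2}" -f (@($zones).Count - $failed.Count), @($zones).Count, $folder
```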

How to export user photos in O365 / Exchange Online using Exchange Online Powershell

The small script below can be used to export photos from O365 / Exchange Online using PowerShell.

First you need to connect to exchange online.

#############################################

# Mailboxes without a photo are skipped; the file is named after the mailbox alias so the path stays valid
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $photo = Get-UserPhoto $_.Identity -ErrorAction SilentlyContinue
    if ($photo) { Set-Content -Path "C:\Photos\$($_.Alias).jpg" -Value $photo.PictureData -Encoding Byte }
}

####################################################

How to export thumbnail/photos from Active Directory using powershell

Below is a small PowerShell script to export photos from Active Directory using the AD PowerShell module.

#########################################################

$list = Get-ADUser -Filter * -Properties thumbnailPhoto
$Directory = 'C:\Photos\'

Foreach ($User in $list)
{
    # Only users that actually have a photo stored in the thumbnailPhoto attribute
    If ($User.thumbnailPhoto)
    {
        $Filename = $Directory + $User.SamAccountName + '.jpg'
        [System.IO.File]::WriteAllBytes($Filename, $User.thumbnailPhoto)
    }
}

#########################################################

Changing your Domain Account password on a RDP session on Windows Server 2012 R2 and 2016 Servers

This procedure is the only one which worked for me on a Windows 2012 R2 and 2016 RDP session:

1. Click Start

2. Type osk (to bring up the on screen keyboard)

3. Hit enter


4. Once the on-screen keyboard is open, hold Ctrl+Alt on your physical keyboard, then click the Del key on the on-screen keyboard.


5. Minimize the on screen Keyboard

6. Click Change a password.