Dan's Notes

Get public IP from command line

Dan Anstis — Mon, 07 Jan 2019 07:10:02 GMT

To get your machines public IP from the command line, run the following command:

nslookup myip.opendns.com resolver1.opendns.com

Authenticate to Azure Active Directory using PowerShell

Dan Anstis — Thu, 08 Sep 2016 08:36:41 GMT

I recently had the need to authenticate as an Azure AD (AAD) application to the oAuth endpoint to return an oAuth token. As this procedure was to be performed by an Azure Automation Runbook, I needed a solution that was entirely PowerShell based.

In my case we needed to use this token to perform tasks under the context of the AAD application such as accessing an Azure API Management API, as well as sending requests to the Azure GraphAPI.

After having no luck finding anything online, I decided to post my solution here.

function Get-oAuthToken {  
    <#
    .SYNOPSIS
       Function to connect to the Microsoft login OAuth endpoint and return an OAuth token.
    .DESCRIPTION
       This Function connects to the Microsoft AAD OAuth endpoint and generates an OAuth token. 
       This token can then be used for authentication against the resource supplied In the parameters.
    .PARAMETER ClientID
        The ClientID of the application used for authentication against Azure AD.
    .PARAMETER ClientSecret
        The Key generated within the application used for authentication against Azure AD.
        This key should have rights to the resource supplied in the ResourceName parameter.
    .PARAMETER TenantId
        The TenantId of the Azure AD that you wish to authenticate against.
    .PARAMETER ResourceName
        The name of the resource that you want to generate a token for.
    .EXAMPLE
       C:\PS> Get-ApiToken -ClientID '12345678-9012-3456-7890-123456789012' -ClientSecret 'AfXooIr8rswX24yrFXMrO4SbBgutwTtojAZEpQOaaaa=' -TenantId 'abcdefff-d0bc-1234-854a-114710c94dbb' -Resource 'https://test.onmicrosoft.com/apitest'
       Returns the authentication context object generated by the endpoint.
    .NOTES
        Version 1.0
    #>
    [Cmdletbinding()]
    Param(
        [Parameter(Mandatory=$true)][string]$ClientID,
        [Parameter(Mandatory=$true)][string]$ClientSecret,
        [Parameter(Mandatory=$true)][string]$TenantId,
        [Parameter(Mandatory=$false)][string]$ResourceName = "https://graph.windows.net",
        [Parameter(Mandatory=$false)][switch]$ChinaAuth
    )

    #This script will require the Web Application and permissions configured in Azure Active Directory.
    if($ChinaAuth){
        $LoginURL  = 'https://login.chinacloudapi.cn'
    }else{
        $LoginURL  = 'https://login.windows.net'
    }

    #Get an Oauth 2 access token based on client id, secret and tenant id
    $Body = @{grant_type="client_credentials";resource=$ResourceName;client_id=$ClientID;client_secret=$ClientSecret}
    Return Invoke-RestMethod -Method Post -Uri $LoginURL/$TenantId/oauth2/token?api-version=1.0 -Body $Body
}

The code is fairly straightforward, however I will expand on a few points:

In my case I needed the ability to generate tokens against multiple Azure regions, including the Azure China region. To ensure the China authentication requests hit the correct endpoint, I have added a switch -ChinaAuth. If this is specified it will attempt to authenticate to https://login.chinacloudapi.cn.
The function will return an object containing:
- token_type
- expires_in
- ext_expires_in
- expires_on
- not_before
- resource
- access_token

Check AD ExtentionAttribute Usage with PowerShell

Dan Anstis — Fri, 29 Jan 2016 05:40:00 GMT

The following script will summarise the ExtentionAttributes in use within an Active Directory Domain.

This script uses the ActiveDirectory CMDlets included in the Active Directory Module for PowerShell, this is part of the Remote Server Administrative Tools (RSAT) pack available from Microsoft for client OSs.

Note that once RSAT has been installed, you will need to enable the Active Directory Module for PowerShell feature via Add and Remove Programs.

Import-Module ActiveDirectory

$attributeName = "SAMAccountName",
  "extensionattribute1",
  "extensionattribute2",
  "extensionattribute3",
  "extensionattribute4",
  "extensionattribute5",
  "extensionattribute6",
  "extensionattribute7",
  "extensionattribute8",
  "extensionattribute9",
  "extensionattribute10",
  "extensionattribute11",
  "extensionattribute12",
  "extensionattribute13",
  "extensionattribute14",
  "extensionattribute15"

$summary = "" | select $attributeName

foreach($attribute in $attributeName){  
    $summary.$attribute = (Get-ADuser -filter {$attribute -like "*"} -Properties $attribute).count
}
$summary | fl

Add PFX Certificate to NetScaler 10.5

Dan Anstis — Fri, 29 Jan 2016 04:54:00 GMT

Open Traffic Management -> SSL
Select Import PKCS#12
On the input form, enter the Output file name in the format: /nsconfig/ssl/.pem
Select the input PKCS#12 file (PFX file) by using the Browse button
Enter the password for the PFX file
Click the OK button
Go to Traffic Management -> SSL -> Certificates
Click the Install button
Enter the Certificate-key Pair name as the FQDN of the cert
For the Certificate File Name, browse and select the pem file that was installed earlier (note that newer files are listed last in the list)
For the Key File Name, browse and select the same pem file as above
Set the notification of expiry to an appropriate time, IE 60 days
Click Install
Right-click on the newly added certificate, and select Link.
Link the certificate to its intermediary CA certificate, in order for the NetScaler to supply the full chain to clients.

Execute Service Under its Own SVCHOST Process

Dan Anstis — Fri, 29 Jan 2016 04:39:00 GMT

In order to move a service from a shared SVCHOST process into its own SVCHOST process:

Check the current SVCHOST processes, and the services assigned:
tasklist /SVC /FI "IMAGENAME eq svchost.exe"

Change a service to its own SVCHOST processes:
sc config type= own

Change a service back to a shared SVCHOST process:
sc config type= share

PowerShell Function to export a user's thumbnail photo from AD

Dan Anstis — Fri, 29 Jan 2016 03:26:00 GMT

The following function is used to export a user's thumbnail photo from Active Directory (AD) to a JPG file on disk.
This function uses the ActiveDirectory CMDlets included in the Active Directory Module for PowerShell, this is part of the Remote Server Administrative Tools (RSAT) pack available from Microsoft for client OSs.

Note that once RSAT has been installed, you will need to enable the Active Directory Module for PowerShell feature via Add and Remove Programs.

function Get-UserPhoto(){  
    param(
        [string]$Username,
        [string]$Path = "C:\Temp\AD_Photos"
    )

    Import-Module ActiveDirectory
    $user = Get-ADUser $Username -properties thumbnailPhoto
    if(!(test-path $Path)){mkdir $Path}
    $user.thumbnailPhoto | Set-Content ("$Path\$($User.SamAccountName).jpg") -Encoding byte
}

Configure Domain NTP Sync

Dan Anstis — Thu, 28 Jan 2016 23:36:00 GMT

As we all know, time sync on domain joined computers is essential.
The following details configuration of the Domain Controllers to sync with a trusted time source via NTP.

I always recommend configuring the PDC Emulator to sync with a known good NTP source, then all other DCs be configured as Domain Heirs.
This configuration ensures that all of the DCs have the same time source, which in turn flows to all client PCs.

If the DC is configured with the Hyper-V time provider (as is the case with Azure VMs), this should be disabled before configuring NTP sync.
To disable the Hyper-V time provider, enter the following from an administrative command prompt:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

Configuration of NTP on the Domain Controllers:

Locate the PDC Emulator:
netdom query pdc
Open an administrative command prompt on the PDC Emulator.
Configure the peers for the PDC Emulator to sync with (in my case au.pool.ntp.org):
w32tm /config /manualpeerlist:"au.pool.ntp.org,0x1;1.au.pool.ntp.org,0x1" /syncfromflags:MANUAL
Flag this DC as a reliable time source:
w32tm /config /reliable:yes
Restart the w32time service, this should start the sync with the configured peers:
net stop w32time && net start w32time
Check the event logs for time sync events. Note that event ID 47 in the System log could represent a firewall blocking the connection on port 123.
On all other DCs, run the following commands:
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time

If required, here are some other helpful commands:

Force a full sync: w32tm /resync /nowait
List the NTP service status: w32tm /query /status
List the configured NTP peers: w32tm /query /peers
List the configured time Source: w32tm /query /source
Check the NTP configuration: w32tm /query /configuration

At any time you can reset the w32time service configuration as follows:

Stop the w32time service:
net stop w32time
Unregister the w32time service:
w32tm /unregister
Re-register the w32time service:
w32tm /register
Start the w32time service:
net start w32time

Check returned SSL certificates from website using OpenSSL

Dan Anstis — Thu, 28 Jan 2016 06:35:00 GMT

The following command will return the certificate chain from a website using OpenSSL:
openssl.exe s_client -connect www.google.com:443 -prexit -showcerts

Remotely Enable PowerShell Remoting

Dan Anstis — Wed, 13 Jan 2016 22:58:00 GMT

In order to remotely enable PS remoting we can leverage PSEXEC (http://live.sysinternals.com.au/psexec.exe).

psexec \\[computer name] -u [admin account name] -p [admin account password] -h -d powershell.exe "enable-psremoting -force"

Find executable path from PID in Linux

Dan Anstis — Tue, 22 Sep 2015 22:46:00 GMT

To find the path to a running executable from a PID in Linux, run the following:
readlink -f /proc//exe

Connect to remote windows share with other user account

Dan Anstis — Tue, 22 Sep 2015 00:38:00 GMT

In order to connect to a remote Windows server via CIFS using a different user account, enter the following command in a Command Prompt (CMD) window:
net use \\\IPC$ /user:\ *

This will authenticate the supplied user to the remote server, ensuring that future CIFS connections use the authenticate user account.
Note that if existing connections have been made with another user account, they will need to be removed first. You can display a list of connections using net use. Connections can be removed using net use \\\ /delete

One this command has completed successfully, open a Windows Explorer window and connect to the desired path as per normal.

KeePass Autotype string for creating AD users

Dan Anstis — Tue, 22 Sep 2015 00:33:00 GMT

In order to create an Active Directory (AD) user from a KeePass entry:

Modify the KeePass group that contains the password entry
On the Autotype tab, enter the following (Replacing the Folder names if required):
{TAB}{TAB}{TAB}{Title}{TAB}{Title}{TAB}{TAB}{TAB}{TAB}{SPACE}{DELAY 1000}{Password}{TAB}{Password}{TAB}{SPACE}{TAB}{SPACE}{TAB}{SPACE}
Save the changes to the group
Open AD Users and computers, and create a new user in the appropriate OU
Wait for the form to load, then with the first fileld selected, switch to KeePass
Press CTRL + V

This will autotype the KeePass entry details into AD Users and Computers for you.

KeePass Autotype string for adding records to LastPass

Dan Anstis — Tue, 22 Sep 2015 00:27:00 GMT

In order to add a KeePass entry to LastPass:
1. Modify the KeePass group that contains the password entry 2. On the Autotype tab, enter the following (Replacing the Folder names if required): {URL}{TAB}{Title}{TAB}Folder1\Folder2{TAB}{UserName}{TAB}{Password}{TAB}{TAB}{TAB}{TAB}{TAB}{ENTER} 3. Save the changes to the group 4. Open LastPass Vault and select 'Add Site' 5. Wait for the browser to load, then with the first field selected (URL), switch to KeePass 6. Press CTRL + V

This will autotype the KeePass entry details into the LastPass browser window for you.

Using OpenSSL to convert a PFX Cert to PEM

Dan Anstis — Tue, 22 Sep 2015 00:21:00 GMT

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

To convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Troubleshoot SMTP with Telnet

Dan Anstis — Wed, 22 Jul 2015 00:23:00 GMT

Open a telnet session: From a command prompt, type telnet, and then press ENTER.
Type set local_echo on a computer running Microsoft Windows® 2000 Server or SET LOCALECHO on a computer running Windows Server™ 2003 or Windows XP, and then press ENTER. This command allows you to view the responses to the commands.
Type o 25,and then press ENTER.
Type EHLO , and then press ENTER.
Type MAIL FROM:, and then press ENTER. If the sender is not permitted to send mail, the SMTP server returns an error.
Type RCPT TO:,and then press ENTER.If the recipient is not a valid recipient or the server does not accept mail for this domain, the SMTP server returns an error.
Type DATA.
Type SUBJECT: .
If desired, type message text, press ENTER, type a period (.), and then press ENTER again.
If mail is working properly, you should see a response similar to the following indicating that mail is queued for delivery: