Using Group Managed Services Account with Scheduled Tasks

In this post we will be going through the steps required to create and use group managed services account (gMSA) with a scheduled task.

gMSA are a managed domain account that provides automatic password management. These accounts provide a single identity to use on multiple servers.

By using a gMSA account, we can configure services / scheduled tasks with the gMSA principal and Active Directory handles the password management.

gMSAs where introduced since Windows Server 2012.

There are pre-requests to use gMSA that most domain should already meet, this is AD Schema of 52 (2012) and at least one 2012 DC.

Once we meet the minimum scheme the second part is that we have to create the Key Distribution Services Root Key.

This involves running a command in PowerShell, we can the below command to confirm that a kds root key doesn’t exist already.

Get-KdsRootKey

Get KDS Root Key

To create the KDS run

Add-KdsRootKey –EffectiveImmediately

Now when we check KDS again we can see the root key.

Now that we have the KDS root key we can create the gMSA

We can add the host either individually or using a security group, we will be using a group in this post as it will be easier to mange and just need to add any additional servers to the group to allow access.

I have create a group called tskgmsa_access to use and added some server computer accounts.

The below command is used to create the gMSA account (The DNS is required by the command but not needed for running scheduled task so you can use whatever name as it doesn’t need to be resolvable)

New-ADServiceAccount -name gMSAName -DNSHostName DNSName -PrincipalsAllowedToRetrieveManagedPassword "Group or Hosts"

Create gMSA Account

The accounts are create under the Managed Services Accounts OU.

We can add the account to a security group to give more rights, this could be used if the account needs admin right to do a specific tasks.

The Microsoft documentation says that you need to install RSAT tools and run Install-ADServiceAccount but I didn’t have to do this for scheduled task to run.

To allow the account to run a script we need to add the account to the logon as a batch job under user rights assignment. This can either be done using group policy or using secpol.msc.

I used secpol as i only have two servers to configure.

To test we will create a scheduled task that will out put text to a log file.

Below is the script file that will be run.

To use the gMSA account we have to create the task using PowerShell as the GUI can’t find the account.

Below is the command I used.

$arg = "-ExecutionPolicy Bypass -NoProfile -File C:\scriptpath\script.ps1"

$ta = New-ScheduledTaskAction -Execute C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -Argument $arg

$tt = New-ScheduledTaskTrigger -At "Time to Run"

$ap = New-ScheduledTaskPrincipal -UserID Domain\gMSA_AccountName -LogonType Password

Register-ScheduledTask gMSA_Test_Task –Action $ta –Trigger $tt –Principal $ap

If you get incorrect users or password and only recently added the computer account to the security group, the server will need a reboot to pickup the membership.

Next we need to run the task and confirm data is written to the log. From the task events we can see the account used is gmsa_tsksch$.

We can also see the authentication on the domain controller.

When we check the logs folders we can see the text files are created.

This has been a overview of creating and using a Group Managed Service Account for running scheduled tasks.

Windows Server 2022 RDS HA Broker: Privilege not held

I have been building and setting up some new Windows Server 2022 RDS farms recently and ran in to an issue when adding a second RDS connect broker after configuring High Availability.

The server would install the broker role and then fail to configure. This would return the below error.

The list of joined nodes could not be retrieved on servername. Privilege not held.

I was also getting EventID 32814 and 4119 in the Microsoft-Windows-Rdms-UI/Admin event logs.

I enabled the debug logging also but this only returned the same error as where showing in the event logs.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/log-files-to-troubleshoot-rds-issues

To fix the issue I had to logon to the server I was trying to add as a secondary broker and remove the below registry value.

Make sure to backup the registry key before deleting any values.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tssdis\Parameters\DBConnString

After deleting, I had to remove the RDS broker roles from the server that failed to install and reboot.

Then I tried the install again and this time it completed without issue.

This seems to be a bug in Windows Server 2022.

Weekly Active Directory Audit Report PowerShell

Recently a request came in from our security team to audit recently create, deleted AD object, accounts due to expire (this is for third party users) and modified / created group policy objects so that they would be able to trace the changes happening in Active Directory.

I decided to write a PowerShell script that will export the required information and then send a the csv export to the user that require the information.

This could also be used to import the data to a dashboard by either using the CSV files or if the dashboard can use direct PowerShell script like PowerBI.

First there are some mandatory parameters. Exportpath and domain.

To allow the script to be run without emailing the csv I have left the smtpserver, to and from address as not mandatory parameters.

The script used two different modules

Group Policy:

ActiveDirectory:

To install these go on a Windows server go to add roles and features and select Group policy Management

and under RSAT enabled the Active Directory module.

Once all the features are enable we can run the script.

I have set the default time to last 7 days but if you want to go back further then update the date value.

To run the script so that it just export local without email the reports use the below.

.\WeeklyAD_AuditReport_V1.ps1 -exportPath c:\Temp\AD_Audit\ -domains domian.local

To email the report use the below

.\WeeklyAD_AuditReport_V1.ps1 -SMTPServer mailserver.domain.local -toAddress administrator@domain.local -FromAddress ADreport@domain.local -exportPath c:\Temp\AD_Audit\ -domains domian.local

Once the script completes we can check that the csv files have been created.

If the SMTP server parameter is set, the script will send a email and add the csv as attachments.

Below is what the outputs should look like.

GPO:

Deleted Objects:

Account expire:

The full script can be downloaded from the below link to my GitHub.

Scripts/ActiveDirectory/WeeklyReport at master · TheSleepyAdmin/Scripts (github.com)

The script can then be set to run as a scheduled task to run on a weekly scheduled.

Checking LAPS Password Cross-Forest Using PowerShell

We have been using LAPS for the last year or so and for the most part it is a great tool for managing local admins password.

In our environment we have multiple forest with trusts relationships and the one main issue that we have is that the LAPS UI client can’t check the local admin password of devices in other domains, unless we logon as a user in that domain and run the LAPS UI as that user.

We can use PowerShell but this requires either the commands to be run from a devices in the domain with the LAPS PowerShell module or can be done using remote ps session but this is not something everyone on the service desk would know how to do or will have rights to do.

Enter-PSSession dc.domain.local
Get-AdmPwdPassword -ComputerName "computer" | Select-Object Password,ExpirationTimestamp

We could also get the AD attributes by using get-adcomputer comandlet but this requires the AD PowerShell module.

Get-ADComputer -Identity "computer" -Server "DC" -properties ms-mcs-admpwd,ms-mcs-admpwdexpirationtime | select-object ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

I wanted to try create a script that would allow them to check the other domains without the needing to know how to do PS remoting or having modules installed.

To get around using the AD module we will be using ADSI search instead as this a default part of PowerShell. I used the below blog to get started.

Use the PowerShell [adsiSearcher] Type Accelerator to Search Active Directory | Scripting Blog (microsoft.com)

Hey, Scripting Guy! How Can I Search Active Directory from Within Windows PowerShell? | Scripting Blog (microsoft.com)

To query the remote doamin using adsisearch we first need to have a way of converting the domain name to the format that adsisearch requires.

This can be done using DirectoryContect class

System.DirectoryServices.ActiveDirectory.DirectoryContext

System.DirectoryServices.ActiveDirectory.Domain

DirectoryContext Class (System.DirectoryServices.ActiveDirectory) | Microsoft Docs

The first part of the script gets the domain details and returns the objects back to the search variable.

Next part we will filter the results based on the client variable to return only the required computer details.

Once the script is working, I just needed to create some mandatory parameters and create a function called Check-LAPS so that it’s easier for people to use without having to hardcode anything in the script and has some help and examples.

Below is the link to the full script.

Scripts/ActiveDirectory/LAPS at master · TheSleepyAdmin/Scripts (github.com)

Below shows how the script is run and the results.

I used the above script with WPF to create a GUI that is now complied in to an exe. I though this would be a lot easier to pass on the service desk as all they need to do is run the exe.

This was compiled using ps2exe PowerShell module.

MScholtes/PS2EXE: Module to compile powershell scripts to executables (github.com)

All they need to do is put in the domain name and computer name.

This should then return the LAPS password.

I will do a different post on creating the GUI itself in as this was my first GUI and I would like to create a few other.

Export GPO assignments using PowerShell

Recently we wanted to do a review of all our Active Directory Group policy objects (GPO’s), we wanted to see what GPO’s where not assigned or what OU they where assigned, so that we could try to consolidate or remove unused GPO’s.

There was a couple of hundred in each domain, so I didn’t want to have to check each one manually.

There is a PowerShell command that you can run to list all GPO’s but it doesn’t show assignments

GPO1

To get more information on the GPO we can run the command Get-GPOReport which let’s you create either a HTML or XML report.

In this case I want to use an XML as I want to pull information from the xml report, the only issue is getting data directly from a XML report is a bit difficult.

GPO2 To read an XML report in PowerShell you can use the typecast to XML by using [xml] in front of the variable which should make querying the content easier. GPO3 The only part of the XML that I really want currently is the LinksTo, as this shows where the GPO is assigned. GPO4 Once I had all this information I was then able to create the full script. I will put the script up on GitHub since it easier for people to copy the script file.

https://github.com/TheSleepyAdmin/Scripts/tree/master/ActiveDirectory/GPO

Below is the script running GPO5 This is what the export will look like. GPO6

Connect Windows Admin Center to Azure

In this post we will be going through connecting Windows Admin Center to Azure to allow management of Azure VM’s. To install WAC see previous post.

The Azure integration allows the management of Azure and on-prem servers from a single console.

First step is to register WAC with Azure, Open the WAC admin console and go to settings tab. AZ1

Go to the Azure in the gateway settings AZ2 Copy the code and click on the enter code hyperlink and enter the code AZ3 AZ4

Sign-in using an admin account on the Azure tenant. AZ5 AZ6

Now go back to WAC and click connect to finish the registration AZ7

Once WAC is registered it require admin application permission to be granted to the application registration in Azure AZ8

Now that the registration is completed we can now add Azure VM’s to WAC go to add and select Azure VM AZ9

Select the subscription (if there are multiple subscription in your tenant), resource group and VM that will be added. AZ10

Once the Azure VM is added, to allow management there will need to be management ports opened to allow a connection between WAC and the Azure VM. If you are using a site to site VPN you can just allow the ports over the VPN connection.

I have a public IP associated with my VM and I will be modifying my network security group to allow the ports from my public IP.

I wont be going through configuring an NSG as this was covered in a previous post. AZ15

On the VM itself you need to enable winrm and allow port 5985 through the windows firewall if enabled. This can be done by running the two command below from an admin PowerShell session.

winrm quickconfig
Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress Any

Once the NSG is configured we should then be able to connect to the VM. AZ12

Below shows the overview of the VM AZ14 We can also now connect to the VM using integrated RDP console in WAC AZ13

WAC also allows us to manage services, scheduled tasks, backups, check event logs and other admin task, along with connecting using remote PowerShell directly from WAC. AZ16

Windows Admin Centre 1910

I have previously looked at Window Admin centre (WAC) tech preview and wanted to configure the latest full release, to see what changes have been made and do a proof of concept to see if this will be useful if it is deployed to our production environment.

PowerShell version 5.1 is required on servers that will be added to WAC and will need Window Management Framework (WMF) 5.1 installed, some will require additional steps also. See list below for required pre-req before they can be managed in WAC.

https://www.microsoft.com/en-us/download/details.aspx?id=54616

Windows Admin Centre uses SMB for some file copying tasks, such as when importing a certificate on a remote servers.

Once all pre-req are confirmed, we can go ahead and download Windows Admin centre.

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-admin-centerhttps://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/overview#download-now

Once the MSI is downloaded run and following the installation Admin1 Accept the terms. Admin2 Admin3

I used the default settings but you can enable WinRM over https if you have certificates that have server authentication set. If you want to look at configuring WinRM over https see following link: https://support.microsoft.com/en-us/help/2019527/how-to-configure-winrm-for-https Admin4

I will use default port 443 and generate a self signed cert, if you have a certificate authority you can generate a cert that can be used for gateway. Admin5 Admin6 Admin7

Once the install is completed you can access the Windows Admin Centre URL using https://servername.

Admin8 To add a server click Add. Admin9 Admin10 Click search active directory and put in the server name. Admin11

Once the server is added it will show in the admin console. To connect click on the server and connect. Admin12 When connecting to servers, to allow single sign on there is an additional command that need’s to be run. If this is not done you will see the below warning when connecting.

Admin13

I updated the command to run on all servers in AD, as I didn’t want to have to run on each individually.

$Servers = Get-ADComputer -Filter “OperatingSystem -like ‘Windows Server*'”
$WAC = “LAB-WAC”
Foreach ($Server in $Servers){
Set-ADComputer -Identity $Server -PrincipalsAllowedToDelegateToAccount (Get-ADComputer $WAC)
}

Admin16 The above command adds the admin server to the below attribute. Once this has been done when you click connect it should now use SSO. Admin15

We can now manage the servers from a central console without having to logon individually to each server. In the next post we will go through the different options and settings in Windows Admin Centre.

Check Scheduled task for run as account PowerShell

Recently I needed to check for all scheduled task running on servers using a certain account as the password needed to be updated. To search for these scheduled task I used schtask.exe

https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks

I wanted to integrate this with PowerShell so that I could do some connection tests, loop through a list of devices and output the results to CSV. Below is the script I created it has three mandatory parameters for the computer list, run as account and export path.

The link to the script is below.

https://github.com/TheSleepyAdmin/Scripts/blob/master/General/Scheduled%20task/Check_RunAsAccount.ps1

To run the script supple the three parameter like below. I used Check_RunAsAccount as the scrip name.

.\Check_RunAsAccount.ps1 -CompList D:\Scripts\Task_Scheduler\Complist.txt -RunAsAccount test1 -ExportLocation D:\Scripts\Task_Scheduler\

SCk1 SCk4 Once the script has completed there will be a result csv and if there are any non responding devices there will be a second csv. SCk5 The export result will look like the below. SCk2

Remove WINS & Disable Netbios over Tcpip PowerShell

As part of a recent decommission / security audit, we needed to remove an old WINS server. For desktop client this is fairly easy as they are all assigned through DHCP so it was just a case of removing WINS from the DHCP scope options.

For the hundreds of servers it is set manually, which to remove one by one would take a long time and be pretty boring for the person tasked with it. So I decided the simplest option would be to use PowerShell.

First I wanted to check if servers had WINS enabled so I could reduce the amount of server I would need to run the disable script against.

I am going to use Get-WmiObject and the Win32_NetworkAdapterConfiguration class as this is the simplest way I found to do this in PowerShell.

We will use a text file with a list of server names and a variable called $WINSServer that will be used to filter only network interfaces that have WINS set.

Below is the script to check for WINS and output to PowerShell windows I am just getting all adapters that have WINSPriamryServer value set to the IP in the $WINSServer variable and then selecting the objects to be outputted.

If you wanted to export to a csv or text file just add a | after the WINSPrimaryServer at the end of the script and do either Out-file or Export-csv and the path to export too.

Below is the link to the script location on Github it called Check-Wins.ps1

https://github.com/TheSleepyAdmin/Scripts/tree/master/General/Remove%20Wins

WINS To remove the WINS IP and set NetBios option, we will use the set method in the WMI class.

Below is the link to the script location on Github it called Remove-Wins.ps1 :

https://github.com/TheSleepyAdmin/Scripts/tree/master/General/Remove%20Wins

WINS01 Once the script has run WINS should be removed and NetBios over Tcpip should be disabled this can be checked under the advanced properties on the NIC.

WINS02

Remove RDS Profile from AD PowerShell

I was having a issue with slow logon times and temporary profile when users where logging on to an Windows RDS 2012 farm. I had a look at the issue and it was down to the RDS profile path in AD being set to use an old decommissioned server. RDS1

Once I found the issue, I need to figure out how many users where affected so the easiest way I could do this was to use PowerShell.

Below is the report script that I used. The distinguished name used in Get-ADUser -searchbase will need to be update and the export path. (Test before running any script and also check the quotes and doubles quotes when copying)

## Get list of Users
$RDUsers = Get-aduser -SearchBase “OU=TestUsers,OU=Users,DC=Domain,DC=Local” -Filter *

## Set Results Array
$Results = @()

foreach ($user in $RDUsers){
$RD = [ADSI]”LDAP://$($user.DistinguishedName)”
if ($RD.Properties.Contains(“userParameters”)){

$profilepath = $RD.psbase.Invokeget(“terminalservicesprofilepath”)
$profileHome = $RD.psbase.Invokeget(“terminalServicesHomeDirectory”)
$props = @{
UserName = $user.SamAccountName
RDSProfile = $profilepath
RDSHome = $profileHome
DistinguishedName = $user.DistinguishedName
}

$Results += New-Object psobject -Property $props
}

else {
Write-Host “No UserParameters set on” $user.SamAccountName -ForegroundColor Green
}
}
$Results | Export-Csv C:\Temp\Logs\RDSProfile.csv -NoTypeInformation

RDS2

Once the script has completed the results will be export to a CSV with all user and there profile paths RDS3 Once we have the list we can either remove manually or the better option use the CSV and remove the profiles using the invokeset method.

Below is the script I used. The script could be run against all AD users but I prefer to limit the amount of object I have to run against. (This will replace values on users so should be fully tested before apply to large amount of users.)

$RDProfile = Import-Csv -Path C:\Temp\Logs\RDSProfile.csv
foreach ($RDU in $RDProfile){
Write-Warning “Removing Profile from $($RDU.UserName)”
$RD = [ADSI]”LDAP://$($RDU.DistinguishedName)”
$RD.psbase.Invokeset(“terminalservicesprofilepath”,”$null”)
$RD.psbase.Invokeset(“TerminalServicesHomeDirectory”,”$null”)
$RD.setinfo()
}

RDS4

After the script has run the profiles should now be cleared. RDS5