Archiv der Kategorie: Allgemein

ADFS 2012 R2 now supports Password Change (not reset) across all devices – samueld

Allgemein, Microsoft, Office 365, Powershell, Windows Management, , , ,

Enabling Change Password in ADFS

By default, this functionality is disabled in ADFS. Change password looks just like another endpoint in ADFS and all you need to do is enable the endpoint. You can use the MMC snapin to enable this.

You can also do this via PSH using the Set-AdfsEndpoint cmdlet.

Once enabled, users can always access the change password page via https://adfs.contoso.com/adfs/portal/updatepassword/. It would look like this

Quelle: ADFS 2012 R2 now supports Password Change (not reset) across all devices – samueld

Update Send Connector SSL Certificate for Hybrid Configuration – The TexMX Record

Allgemein
Recently had a customer with an Exchange 2013 Hybrid config require updating an expired SSL certificate.  When they imported the new certificate and assigned it SMTP services, mail flow from on-premises to Office 365 stopped.

This was because the on-premises send connector to Office 365 was still configured to look for that expired certificate (which had also been deleted already).

The fix was to perform the following:

  1. Open Exchange Management Shell on the on-premises Exchange server
  2. Run Get-ExchangeCertificate, and note the Thumbprint of the correct certificate to be used.
  3. Run $cert = Get-ExchangeCertificate -Thumbprint <thumbprint>
  4. Set a new variable and assign it the concatenated values of the Issuer and Subject values of the certificate (must also include <I> and <S> before each field):
    $TLSCert = (‘<I>’+$cert.issuer+'<S>’+$cert.subject)
  5. Update the send connector with the new values
    Set-SendConnector -Identity “Send Connector Name” -TLSCertificateName $TLSCert

After completing this, any queued mail destined for the Office 365 tenant should begin flowing

Quelle: Update Send Connector SSL Certificate for Hybrid Configuration – The TexMX Record

have i been pwned? Test all users of your domain

Allgemein, Powershell, Security, ,

Aus einem Powershell-Beispiel von „IT Pro blog“ weiterentwickelt
https://infracloud.wordpress.com/2015/10/29/have-you-been-pwned-use-powershell-to-find-out/
Get-Pwned.ps1

Import-Module „C:\adm\custom\BasicTools.psm1“
$Global:CheckURI = „https://haveibeenpwned.com/api/v2/breachedaccount“
$global:OutputPath = „C:\“
$global:results = @()
Function ValidateAddress($Emailaddress){
try{
$Request = Invoke-WebRequest -Uri „$global:CheckURI/$Emailaddress“
$Response = ConvertFrom-Json $Request
Return $Response
}
catch [exception]
{
Return $null
}
}
Function IsValidEMail($email){
    $EmailRegex = ‚^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$‘;
    return ($email -match $EmailRegex)
}
Function IsValidDomain($mailaddress){
$domain = $mailaddress.Substring($mailaddress.IndexOf(„@“)+1)
$obj = Get-AcceptedDomain -Identity $domain -ErrorAction SilentlyContinue
if ($obj -eq $null){
$result = $false
}else{
$result = $true
}

return $result
}
Function ConvertHaveibeenpwnedObject($obj,$mailaddress,$username){
Set-ToolsLogAddLine -LogTXT „Compromised account $username, $mailaddress“
$result = New-Object -TypeName PSObject
$result | Add-Member -MemberType NoteProperty -Name username -Value $username
$result | Add-Member -MemberType NoteProperty -Name mailaddress -Value $mailaddress
$result | Add-Member -MemberType NoteProperty -Name HIBPAddedDate -Value $obj.AddedDate
$result | Add-Member -MemberType NoteProperty -Name HIBPBreachDate -Value $obj.BreachDate
$result | Add-Member -MemberType NoteProperty -Name HIBPDataClasses -Value ([system.String]::Join(„;“,$obj.DataClasses))
$result | Add-Member -MemberType NoteProperty -Name HIBPDescription -Value $obj.Description
$result | Add-Member -MemberType NoteProperty -Name HIBPDomain -Value $obj.Domain
$result | Add-Member -MemberType NoteProperty -Name HIBPIsSensitive -Value $obj.IsSensitive
$result | Add-Member -MemberType NoteProperty -Name HIBPIsVerified -Value $obj.IsVerified
$result | Add-Member -MemberType NoteProperty -Name HIBPLogoType -Value $obj.LogoType
$result | Add-Member -MemberType NoteProperty -Name HIBPName -Value $obj.Name
$result | Add-Member -MemberType NoteProperty -Name HIBPPwnCount -Value $obj.PwnCount
$result | Add-Member -MemberType NoteProperty -Name HIBPTitle -Value $obj.Title
return $result
}
Function main{
Set-ToolsLogCreate -LogFilePath „C:\adm\custom\logs\“ -LogPrefix „CompromisedAccounts“
Remove-ToolsLog -olderThenDays 21
Set-ToolsLogAddLine -LogTXT „Collect accounts“

$users = Get-ADUser -LDAPFilter „(mail=*)“ -Properties mail, proxyaddresses -ResultSetSize $null

$i = ($users).Count
Set-ToolsLogAddLine -LogTXT „Test $i accounts“
$i = 0
foreach($user in $users){
$i ++
if($i/100 -is [int]){Set-ToolsLogAddLine -LogTXT „$i accounts tested“}
$proxymail = „“
$usermail = „“
$usermail = $user.mail.ToLower()
$output = „“
if (IsValidEMail($usermail)){
if (isValidDomain($usermail)){
$obj = ValidateAddress($usermail)
if ($obj -ne $null){
$global:results += ConvertHaveibeenpwnedObject -obj $obj -mailaddress $usermail -username $user.SamAccountName
}
}
}
Foreach($proxyAddress in $user.proxyaddresses){
$proxymail = $proxyAddress.ToLower()
if ($proxymail.StartsWith(„smtp:“)){
$proxymail = $proxymail.Substring($proxymail.IndexOf(„smtp:“)+5)
if (IsValidEMail($proxymail)){
if ($proxymail -ne $usermail){
if (isValidDomain($proxymail)){
$obj = ValidateAddress($proxymail)
if ($obj -ne $null){
$global:results += ConvertHaveibeenpwnedObject -obj $obj -mailaddress $usermail -username $user.SamAccountName
}
}
}
}
}
}
}
Set-ToolsLogAddLine -LogTXT „Finish“ -foregroundcolor „green“ -backgroundcolor „darkgray“
$global:results | Export-csv „$global:OutputPath\CompromisedAccounts.csv“
}

main