Date Posted:
Product: TIBCO Spotfire®
Problem:
How to get detailed information about service accounts from Active Directory
Solution:
Sometimes you may want to compare different Active Directory (AD) service accounts or examine their attributes, for example to verify the delegation settings of the Spotfire Server and Node Manager service accounts when Kerberos authentication is used. To retrieve the value of any attribute of an existing AD user account, follow these steps:
- On a Windows Server machine run Windows PowerShell
- Change the $FormatEnumerationLimit Windows PowerShell preference variable so that the console displays complete collections instead of truncating them. Set it to unlimited:
$FormatEnumerationLimit=-1
- Get all properties of the service account, formatted as long strings so that nothing is cut off (replace ServiceAccount with the desired account name):
Get-AdUser ServiceAccount -Properties *,msDS-KeyVersionNumber,msDS-PrincipalName | out-string -width 4096
- If the Active Directory module is not available, first run the following commands in a PowerShell session started as Administrator, then change the enumeration limit and list the properties (the two commands above):
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
import-module activedirectory
- An example of the command and a sample output:
PS C:\Windows\system32> Import-Module ServerManager
PS C:\Windows\system32> Add-WindowsFeature RSAT-AD-PowerShell

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Server Administration Tools, Activ...

PS C:\Windows\system32> import-module activedirectory
PS C:\Windows\system32> $FormatEnumerationLimit=-1
PS C:\Windows\system32> Get-AdUser ServiceAccount -Properties *,msDS-KeyVersionNumber,msDS-PrincipalName | out-string -width 4096

AccountExpirationDate                :
accountExpires                       : 9223372036854775807
AccountLockoutTime                   :
AccountNotDelegated                  : False
AllowReversiblePasswordEncryption    : False
AuthenticationPolicy                 : {}
AuthenticationPolicySilo             : {}
BadLogonCount                        : 0
badPasswordTime                      : 0
badPwdCount                          : 0
CannotChangePassword                 : False
CanonicalName                        : sampledomain.local/foo/ServiceAccount
Certificates                         : {}
City                                 :
CN                                   : ServiceAccount
codePage                             : 0
Company                              :
CompoundIdentitySupported            : {}
Country                              :
countryCode                          : 0
Created                              : 7/4/2018 3:46:07 PM
createTimeStamp                      : 7/4/2018 3:46:07 PM
Deleted                              :
Department                           :
Description                          :
DisplayName                          : ServiceAccount
DistinguishedName                    : CN=ServiceAccount,OU=foo,DC=sampledomain,DC=local
Division                             :
DoesNotRequirePreAuth                : False
dSCorePropagationData                : {9/5/2019 11:30:21 PM, 9/5/2019 9:56:29 PM, 8/30/2019 8:02:58 AM, 1/1/1601 1:04:17 AM}
EmailAddress                         :
EmployeeID                           :
EmployeeNumber                       :
Enabled                              : True
Fax                                  :
GivenName                            :
HomeDirectory                        :
HomedirRequired                      : False
HomeDrive                            :
HomePage                             :
HomePhone                            :
Initials                             :
instanceType                         : 4
isDeleted                            :
KerberosEncryptionType               : {}
LastBadPasswordAttempt               :
LastKnownParent                      :
lastLogoff                           : 0
lastLogon                            : 132133551308070193
LastLogonDate                        : 9/15/2019 1:52:09 AM
lastLogonTimestamp                   : 132129787298475824
LockedOut                            : False
logonCount                           : 39798
LogonWorkstations                    :
Manager                              :
MemberOf                             : {}
MNSLogonAccount                      : False
MobilePhone                          :
Modified                             : 9/15/2019 1:52:09 AM
modifyTimeStamp                      : 9/15/2019 1:52:09 AM
msDS-AllowedToDelegateTo             : {http/othermachine.sampledomain.local, http/OTHERMACHINE}
msDS-KeyVersionNumber                : 7
msDS-PrincipalName                   : SAMPLEDOMAIN\ServiceAccount
msDS-User-Account-Control-Computed   : 0
Name                                 : ServiceAccount
nTSecurityDescriptor                 : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                       : CN=Person,CN=Schema,CN=Configuration,DC=sampledomain,DC=local
ObjectClass                          : user
ObjectGUID                           : ead579ac-5e5a-45f7-bf94-d0c5d0596c8b
objectSid                            : S-1-5-21-4008232206-4678059366-3390115727-3625
Office                               :
OfficePhone                          :
Organization                         :
OtherName                            :
PasswordExpired                      : False
PasswordLastSet                      : 9/13/2018 2:15:17 PM
PasswordNeverExpires                 : True
PasswordNotRequired                  : False
POBox                                :
PostalCode                           :
PrimaryGroup                         : CN=Domain Users,CN=Users,DC=sampledomain,DC=local
primaryGroupID                       : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath                          :
ProtectedFromAccidentalDeletion      : False
pwdLastSet                           : 131813145175461227
SamAccountName                       : ServiceAccount
sAMAccountType                       : 805306368
ScriptPath                           :
sDRightsEffective                    : 15
servicePrincipalName                 : {HTTP/mymachine.sampledomain.local, HTTP/mymachine}
ServicePrincipalNames                : {HTTP/mymachine.sampledomain.local, HTTP/mymachine}
SID                                  : S-1-5-21-4008232206-4678059366-3390115727-3625
SIDHistory                           : {}
SmartcardLogonRequired               : False
State                                :
StreetAddress                        :
Surname                              :
Title                                :
TrustedForDelegation                 : False
TrustedToAuthForDelegation           : False
UseDESKeyOnly                        : False
userAccountControl                   : 66048
userCertificate                      : {}
UserPrincipalName                    : HTTP/mymachine.sampledomain.local@sampledomain.local
uSNChanged                           : 9462562
uSNCreated                           : 6017631
whenChanged                          : 9/15/2019 1:52:09 AM
whenCreated                          : 7/4/2018 3:46:07 PM

Some of the attributes that are of interest when troubleshooting Kerberos authentication are the delegation settings (msDS-AllowedToDelegateTo), when the account was last modified (modifyTimeStamp), when the password was last changed (PasswordLastSet), and the SPNs registered for the account (servicePrincipalName).
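The steps above dump every attribute of one account. When the goal is to compare the Spotfire Server and Node Manager service accounts, or to check the Kerberos-relevant settings without reading through the full list, a small script that pulls just those attributes and decodes the userAccountControl bits is more convenient. The following is an added example, not code from the TIBCO article; it assumes the ActiveDirectory module can be imported (see the RSAT-AD-PowerShell step above) and that the caller is allowed to read the accounts. The account names 'SpotfireServerSvc' and 'NodeManagerSvc' are placeholders, and the flag values are the documented userAccountControl bit values.

```powershell
# Added example (not from the TIBCO article). Assumes the ActiveDirectory module is
# importable and the caller may read the accounts; account names below are placeholders.
Import-Module ActiveDirectory

# Attributes that matter when troubleshooting Kerberos and constrained delegation
$KerberosAttributes = @(
    'SamAccountName', 'UserPrincipalName', 'servicePrincipalName',
    'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation',
    'AccountNotDelegated', 'KerberosEncryptionType', 'UseDESKeyOnly',
    'DoesNotRequirePreAuth', 'PasswordLastSet', 'PasswordNeverExpires',
    'modifyTimeStamp', 'msDS-KeyVersionNumber', 'userAccountControl'
)

# Documented userAccountControl bit flags (the subset relevant to service accounts)
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0000002
    PASSWD_NOTREQD                 = 0x0000020
    NORMAL_ACCOUNT                 = 0x0000200
    DONT_EXPIRE_PASSWORD           = 0x0010000
    TRUSTED_FOR_DELEGATION         = 0x0080000
    NOT_DELEGATED                  = 0x0100000
    USE_DES_KEY_ONLY               = 0x0200000
    DONT_REQ_PREAUTH               = 0x0400000
    PASSWORD_EXPIRED               = 0x0800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UserAccountControl {
    # Names of every flag set in the integer; 66048 from the sample output above
    # decodes to NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD
    param([Parameter(Mandatory)][int64]$Value)
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if (($Value -band $flag.Value) -ne 0) { $flag.Key }
    }
}

function Get-ServiceAccountKerberosReport {
    # One flat object per account so that accounts can be compared side by side
    param([Parameter(Mandatory)][string[]]$Identity)
    foreach ($name in $Identity) {
        $u = Get-ADUser -Identity $name -Properties $KerberosAttributes
        [pscustomobject]@{
            SamAccountName             = $u.SamAccountName
            UserPrincipalName          = $u.UserPrincipalName
            SPNs                       = @($u.servicePrincipalName) -join '; '
            AllowedToDelegateTo        = @($u.'msDS-AllowedToDelegateTo') -join '; '
            TrustedForDelegation       = $u.TrustedForDelegation
            TrustedToAuthForDelegation = $u.TrustedToAuthForDelegation
            AccountNotDelegated        = $u.AccountNotDelegated
            KerberosEncryptionType     = "$($u.KerberosEncryptionType)"
            UseDESKeyOnly              = $u.UseDESKeyOnly
            DoesNotRequirePreAuth      = $u.DoesNotRequirePreAuth
            PasswordLastSet            = $u.PasswordLastSet
            PasswordNeverExpires       = $u.PasswordNeverExpires
            LastModified               = $u.modifyTimeStamp
            KeyVersionNumber           = $u.'msDS-KeyVersionNumber'
            UacFlags                   = (ConvertFrom-UserAccountControl $u.userAccountControl) -join ', '
        }
    }
}

function Compare-ServiceAccountReport {
    # Emit only the properties whose values differ between two report objects
    param([Parameter(Mandatory)]$Left, [Parameter(Mandatory)]$Right)
    foreach ($p in $Left.PSObject.Properties.Name) {
        if ("$($Left.$p)" -ne "$($Right.$p)") {
            [pscustomobject]@{ Property = $p; Left = "$($Left.$p)"; Right = "$($Right.$p)" }
        }
    }
}

# Placeholder names: replace with the Spotfire Server and Node Manager service accounts
$report = Get-ServiceAccountKerberosReport -Identity 'SpotfireServerSvc', 'NodeManagerSvc'
$report | Format-List
Compare-ServiceAccountReport -Left $report[0] -Right $report[1] | Format-Table -AutoSize
```

Run it in the same PowerShell session in which the module was imported. The Format-List output gives each account's delegation targets, SPNs, password age and decoded flags on one screen, and the comparison table lists only the properties that differ between the two accounts, which is usually where a Kerberos misconfiguration (a missing SPN, a delegation target present on one account but not the other, or DES-only or pre-authentication settings that do not match) shows up.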