Get-GpoReport issue
Closed this issue · 7 comments
Found an issue where, in a trusted domain, Get-GpoReport returns the Max TGT Lifetime and Max Clock Skew as empty/null. This causes the second iteration of the script to reset the krbtgt password, as the check comparing the time the password was last set against the current time succeeds and no "MAJOR Impact" warning is presented.
[2021-05-26 17:51:04] : Max TGT Lifetime (Hours)..............: ''
[2021-05-26 17:51:04] : Max Clock Skew (Minutes)..............: ''
[2021-05-26 17:51:04] : TGT Lifetime/Clock Skew Sourced From..: 'Default Domain GPO'
I was able to add an additional check to make sure the Max TGT Lifetime is not null, to ensure that this is not missed and the second iteration just succeeds.
# Fail closed: an undetermined Max TGT Lifetime must abort, not fall through to a reset
If ($null -eq $targetedADdomainMaxTgtLifetimeHrs)
{
    Logging " --> Max TGT Lifetime (Hours)..............: 'This was determined to be null. Ensure to run the script from a computer joined to appropriate forest'" "WARNING"
    Logging " --> EXITING SCRIPT "
    Start-Sleep -Seconds 20
    EXIT
}
...................
Interestingly, during later debugging I was also able to see this peculiar behaviour with Get-GpoReport, which seems to behave in a bad fashion.
The fix was to use
# {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known GUID of the Default Domain Policy
[xml]$gpoObjXML = Get-GPOReport -Domain $targetedADdomainFQDN -Guid '{31B2F340-016D-11D2-945F-00C04FB984F9}' -ReportType Xml -Server $targetedADdomainFQDN
If I use a domain controller FQDN for $targetedADdomainFQDN, it seems to come up empty for MaxTgtLifetime and the other values.
I also examined the XML and saw that it was coming back as "BLOCKED", which was weird. Just wanted to apprise you of this happening; I was able to add an additional roadblock if it reported as null.
Also, Joe says hi. I work with him and I also follow your blogs :)
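The comment above and the v3.0 changelog entry about determining the Max TGT Lifetime and Max Clock Skew from a GPO report both turn on the same failure mode: when the report carries no Kerberos values, an empty value silently shrinks the safety window to zero and a second reset looks safe. The block below is an added example, not code from the script or from the issue poster. It parses the XML shape that Get-GPOReport -ReportType Xml produces for the SecuritySettings extension (Account elements with Name, SettingNumber and Type, as this example's author understands the schema; verify against your own output), and it refuses to judge a reset safe when either value is missing. The two XML samples are constructed and trimmed; the function and key names are this example's own.

```powershell
# Added example, not code from the script or from the issue poster.
# Assumptions (verify against your own Get-GPOReport output): Kerberos policy sits under
# <Computer>/<ExtensionData>/<Extension xsi:type="SecuritySettings"> as <Account> elements
# with <Name>, <SettingNumber> and <Type>Kerberos</Type>. Samples below are constructed.

# Constructed sample 1: a healthy Default Domain Policy report (MaxTicketAge 10h, MaxClockSkew 5m)
$sampleHealthy = @'
<GPO xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Default Domain Policy</Name>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security" xsi:type="q1:SecuritySettings">
        <q1:Account><q1:Name>MaxTicketAge</q1:Name><q1:SettingNumber>10</q1:SettingNumber><q1:Type>Kerberos</q1:Type></q1:Account>
        <q1:Account><q1:Name>MaxClockSkew</q1:Name><q1:SettingNumber>5</q1:SettingNumber><q1:Type>Kerberos</q1:Type></q1:Account>
      </Extension>
    </ExtensionData>
  </Computer>
</GPO>
'@

# Constructed sample 2: the failure mode from the issue, a report carrying no Kerberos values at all
$sampleEmpty = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Default Domain Policy</Name>
  <Computer><Enabled>true</Enabled><ExtensionData /></Computer>
</GPO>
'@

function Get-KerberosPolicyFromGpoXml {
    # Returns a hashtable whose values stay $null when the report does not carry the setting.
    param([Parameter(Mandatory)][xml]$GpoXml)
    $policy = @{ MaxTgtLifetimeHrs = $null; MaxClockSkewMins = $null }
    # local-name() sidesteps the q1: namespace prefix, which differs between reports
    $accounts = $GpoXml.SelectNodes("//*[local-name()='Account'][*[local-name()='Type']='Kerberos']")
    foreach ($acct in $accounts) {
        $nameNode  = $acct.SelectSingleNode("*[local-name()='Name']")
        $valueNode = $acct.SelectSingleNode("*[local-name()='SettingNumber']")
        if ($null -eq $nameNode -or $null -eq $valueNode -or -not $valueNode.InnerText) { continue }
        switch ($nameNode.InnerText) {
            'MaxTicketAge' { $policy.MaxTgtLifetimeHrs = [int]$valueNode.InnerText }
            'MaxClockSkew' { $policy.MaxClockSkewMins  = [int]$valueNode.InnerText }
        }
    }
    return $policy
}

function Test-KrbtgtResetWindowElapsed {
    # $true only when the previous krbtgt change is older than MaxTgtLifetime + MaxClockSkew.
    # Fails closed: unknown policy values are an error, never a zero-length window.
    param(
        [Parameter(Mandatory)][datetime]$PwdLastSet,
        [AllowNull()][Nullable[int]]$MaxTgtLifetimeHrs,
        [AllowNull()][Nullable[int]]$MaxClockSkewMins,
        [datetime]$Now = (Get-Date)
    )
    if ($null -eq $MaxTgtLifetimeHrs -or $null -eq $MaxClockSkewMins) {
        throw "Max TGT lifetime or max clock skew could not be determined; refusing to declare a reset safe."
    }
    $window = New-TimeSpan -Hours $MaxTgtLifetimeHrs -Minutes $MaxClockSkewMins
    return (($Now - $PwdLastSet) -gt $window)
}

# Usage: krbtgt was reset two hours ago, inside a 10h + 5m window
$lastSet = (Get-Date).AddHours(-2)
$healthy = Get-KerberosPolicyFromGpoXml $sampleHealthy
Test-KrbtgtResetWindowElapsed -PwdLastSet $lastSet @healthy

$empty = Get-KerberosPolicyFromGpoXml $sampleEmpty
try { Test-KrbtgtResetWindowElapsed -PwdLastSet $lastSet @empty } catch { Write-Warning $_.Exception.Message }
```

With the healthy sample the function returns $false (a second reset now would invalidate live TGTs). With the empty sample it throws instead of returning $true: had the values been passed straight into New-TimeSpan, PowerShell would coerce $null to 0, the window would be zero length, and the comparison would always pass, which is exactly the "second iteration just succeeds" behaviour described above.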
So weak @nara! Princess I told him to say.... FIX YER SHIT PRINCESS!!! :D He is way too nice.
One more observation I had was that the script was using domain host records in DNS to determine if the AD domain/forest was resolvable/responding. In our environments we turn off some domain host records in DNS for application compatibility, and the script didn't work for that...
Not working code:
# Test To See If The Forest FQDN Is Resolvable At All
Try {
    [System.Net.Dns]::GetHostEntry($targetedADforestFQDN) | Out-Null
    $adForestValidity = $true
} Catch {
    $adForestValidity = $false
}
If ($targetedADforestFQDN -eq $currentADForestOfLocalComputer) {
    $localADforest = $true
    $remoteADforest = $false
    $adForestLocation = "Local"
} Else {
    $localADforest = $false
    $remoteADforest = $true
    $adForestLocation = "Remote"
}
Logging ""
Logging "Checking Resolvability of the specified $adForestLocation AD forest '$targetedADforestFQDN' through DNS..."
If ($adForestValidity -eq $true) {
    # If The AD Forest Is Resolvable And Therefore Exists, Continue
    Logging "" "SUCCESS"
    Logging "The specified $adForestLocation AD forest '$targetedADforestFQDN' is resolvable through DNS!" "SUCCESS"
    Logging "" "SUCCESS"
    Logging "Continuing Script..." "SUCCESS"
    Logging "" "SUCCESS"
} Else {
    # If The AD Forest Is Not Resolvable And Therefore Does Not Exist, Abort
    Logging "" "ERROR"
    Logging "The specified $adForestLocation AD forest '$targetedADforestFQDN' IS NOT resolvable through DNS!" "ERROR"
    Logging "" "ERROR"
    Logging "Please re-run the script and provide the FQDN of an AD forest that is resolvable through DNS..." "ERROR"
    Logging "" "ERROR"
    Logging "Aborting Script..." "ERROR"
    Logging "" "ERROR"
    EXIT
}
Changed to this for our environment:
# Test To See If The Forest FQDN Is Reachable via ROOTDSE
Try {
    # -ErrorAction Stop makes the failure terminating so the Catch block actually runs
    Get-ADRootDSE -Server $targetedADforestFQDN -ErrorAction Stop | Out-Null
    $adForestValidity = $true
}
Catch {
    $adForestValidity = $false
}
If ($targetedADforestFQDN -eq $currentADForestOfLocalComputer) {
    $localADforest = $true
    $remoteADforest = $false
    $adForestLocation = "Local"
}
Else {
    $localADforest = $false
    $remoteADforest = $true
    $adForestLocation = "Remote"
}
Logging ""
Logging "Checking Reachability of the specified $adForestLocation AD forest '$targetedADforestFQDN' through ROOTDSE..."
If ($adForestValidity -eq $true) {
    # If The AD Forest Is Reachable And Therefore Exists, Continue
    Logging "" "SUCCESS"
    Logging "The specified $adForestLocation AD forest '$targetedADforestFQDN' is reachable through ROOTDSE!" "SUCCESS"
    Logging "" "SUCCESS"
    Logging "Continuing Script..." "SUCCESS"
    Logging "" "SUCCESS"
}
Else {
    # If The AD Forest Is Not Reachable via ROOTDSE And Therefore Does Not Exist, Abort
    Logging "" "ERROR"
    Logging "The specified $adForestLocation AD forest '$targetedADforestFQDN' IS NOT reachable through ROOTDSE!" "ERROR"
    Logging "" "ERROR"
    Logging "Please re-run the script and provide the FQDN of an AD forest that is reachable through ROOTDSE..." "ERROR"
    Logging "" "ERROR"
    Logging "Aborting Script..." "ERROR"
    Logging "" "ERROR"
    EXIT
}
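The comment above replaces a DNS-only existence check with a RootDSE connection, and the v3.0 changelog keeps both. One check a practitioner would want on top of that: reaching some RootDSE is not the same as reaching the forest you named, because -Server resolves through the DC locator and a typo or a stale DNS entry can land you on a different forest. The block below is an added example, not the script's own code. It records DNS resolvability as informational only, queries RootDSE, and then compares the rootDomainNamingContext it gets back with the requested forest FQDN. The -Query scriptblock parameter and the function names are this example's own, introduced so the logic can be exercised offline with constructed RootDSE objects; the default scriptblock calls the real Get-ADRootDSE.

```powershell
# Added example, not the script's own code. -Query is an injection point assumed by this
# example so the check can run offline; in production the default Get-ADRootDSE call is used.

function ConvertFrom-DnToFqdn {
    # "DC=corp,DC=example,DC=com" -> "corp.example.com"
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $labels = $DistinguishedName -split ',' |
              ForEach-Object { $_.Trim() } |
              Where-Object { $_ -like 'DC=*' } |
              ForEach-Object { $_.Substring(3) }
    return ($labels -join '.')
}

function Test-ADForestReachable {
    param(
        [Parameter(Mandatory)][string]$ForestFqdn,
        [scriptblock]$Query = { param($Server) Get-ADRootDSE -Server $Server -ErrorAction Stop }
    )
    $result = [ordered]@{ DnsResolvable = $false; RootDseReachable = $false; ForestMatches = $false; Detail = '' }

    # DNS is informational only: environments that suppress domain host records still pass.
    try   { [System.Net.Dns]::GetHostEntry($ForestFqdn) | Out-Null; $result.DnsResolvable = $true }
    catch { $result.DnsResolvable = $false }

    try {
        $rootDse = & $Query $ForestFqdn
        $result.RootDseReachable = $true
        # Identity check: the forest root we actually reached must be the one we asked for
        $reached = ConvertFrom-DnToFqdn $rootDse.rootDomainNamingContext
        $result.ForestMatches = ($reached -ieq $ForestFqdn.TrimEnd('.'))
        $result.Detail = "RootDSE reports forest root '$reached'"
    } catch {
        $result.Detail = "RootDSE query failed: $($_.Exception.Message)"
    }
    return [pscustomobject]$result
}

# Constructed stand-ins for Get-ADRootDSE output, so the usage below runs without a domain
$fakeGood  = { param($Server) [pscustomobject]@{ rootDomainNamingContext = 'DC=corp,DC=example,DC=com' } }
$fakeWrong = { param($Server) [pscustomobject]@{ rootDomainNamingContext = 'DC=lab,DC=example,DC=com' } }
$fakeDown  = { param($Server) throw "Unable to contact the server." }

Test-ADForestReachable -ForestFqdn 'corp.example.com' -Query $fakeGood
Test-ADForestReachable -ForestFqdn 'corp.example.com' -Query $fakeWrong
Test-ADForestReachable -ForestFqdn 'corp.example.com' -Query $fakeDown
```

The three calls show the three outcomes a caller should distinguish: reachable and the right forest, reachable but a different forest (RootDseReachable true, ForestMatches false, which a reachability-only check would wave through), and unreachable. A krbtgt reset should proceed only when ForestMatches is true; DnsResolvable is worth logging but should not gate the run.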
Hi @nannnu, thanks for this valuable feedback! I was working on a few small updates. I will look at these and, as it looks, I will very likely add this to the newest version. Thanks!
By the way... who's Joe? ;-)
This tool author Joe ;-)
Ahhh, that Joe! He's indeed a treat, ehhh I mean a threat! :-) Please say hi. Thanks again!
@jricha34 @nannnu do you ladies want to test drive the latest version? :-) All the stuff you mentioned is in there, plus some other improvements/bug fixes.
If yes, please send your mail addresses to scripts.gallery@iamtec.eu
v3.0, 2022-02-27, Jorge de Almeida Pinto [MVP-EMS]:
- Bug Fix: Changed variable from $pwd to $passwd
- Bug Fix: Variable used in single-quoted string. Wrapped in double-quote to fix
- Bug Fix: Fix missing conditions and eventually credentials when connecting to a remote untrusted AD forest
- Code Improvement: Minor improvements through scripts
- Code Improvement: Changed variable from $passwordNrChars to $passwdNrChars
- Code Improvement: Updated function confirmPasswordIsComplex
- Code Improvement: Instead of assuming the "Max Tgt Lifetime In Hours" and the "Max Clock Skew In Minutes" are configured in the Default Domain GPO policy (the default), it now performs an RSoP to determine which GPO provides the authoritative values, and then uses the values from that GPO
- Improved User Experience: Specifically mentioned the requirement for the ADDS PoSH CMDlets and the GP PoSH CMDlets
- Improved User Experience: Checking AD forest existence through RootDse connection in addition to DNS resolution
The latest version contains the fix for this.