Local group policy toolset

Useful toolset from Microsoft for turning text into policy settings and applying local group policies:

local group policy toolset posted on the FDCC blog

network level authentication xp

Enabling Network Level Authentication on Windows XP Service Pack 3 for access to Server 2008 via Remote Desktop

"The remote computer requires Network Level Authentication, which your computer does not support."

To enable NLA on XP SP3, run regedit.exe:

1. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

2. Add tspkg to the Security Packages REG_MULTI_SZ

3. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

4. Add credssp.dll to the SecurityProviders REG_SZ (separated by commas)

5. Reboot

happys days

OpenDSObject in Windows 7 "a local error has occurred"

Someone pinged me with a bug in a script on Windows 7 with a permissioned bind to AD over LDAP using the DN of a user. They received the error message: 0x8007203B error ("a local error has occurred").

From this:
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_ENCRYPTION = 2
strPath = ldap://cn=machine,ou=Finance,dc=fabrikam,dc=com/
strUser = "cn=user,dc=fabrikam,dc=com"
strPassword = "4rTGh2#1"
Set objDSO = GetObject("LDAP:")
Set objThing = objDSO.OpenDSObject (strPath, strUser, strPassword, ADS_SECURE_AUTHENTICATION)

Apparently it worked under Windows XP...

The solution ... change strUser = "cn=user,dc=fabrikam,dc=com" to strUser = "fabrikam\user" or user@fabrikam.com Windows 7 does not like the user DN...

Windows 7 Kerberos updates and foreign realms

I bit the bullet, bought a new 500Gb Seagate drive for my laptop, VM’d my Vista install, swapped the drive and changed my main laptop to Windows 7 over the weekend, and apart from Sony PC Suite, which just sits in the system tray looking dead, everything is running better than ever… 4Gb of ram certainly helps things along but this is faster than XP Sp3 in my FITA (Finger In The Air) opinion and light years ahead of Vista aka Windows Me 2007 …
So I added the laptop to my AD domain e.g. lingpopo.net and then while at a client site mapped a drive to a server in their AD domain e.g. bank.corp.com, saved the credentials and all worked as expected… but later while I was debugging a kerberos issue with some users on XP I forgot I was on 7 and ran klist (now an OS standard tool at least in 7 RC1) and noticed something strange but very pleasing. Rather than just seeing a TGT from my domain e.g. me @ lingpopo.net I now saw TGTs for the me @ bank.corp.com and cifs TGS tickets for the server in bank.corp.com! Sweetness! I’m getting TGTs and tickets for resource from an untrusted realm / forest / domain, no more failover to NTLM outside the forest / trust boundary, brilliant! but how? I need to know…This did not happen in XP or Vista, so what have Microsoft done? I’ve only noticed this behaviour today and have started digging out details on Kerberos improvements in Windows 7 but thus far i’ve found zip, nada, nowt… once I do I’ll be sure to post…
Anyway random stuff and quite interesting, at least to me…
Got a response from Microsoft Response from MS which says the functionality was always there but imho it wasn't... but going to dig out an xp and vista vpc and retest just to be sure...
Update 7/1/09 :- I recompiled and used this old tool of mine http://www.brianhehir.com/ktickets.exe to try and validate the tickets under Windows 7 and Windows XP. Running this tool under Windows 7 gives totally different results to running KLIST.EXE under Windows 7 but the results from kticket.exe are consistent between Windows 7 and Windows XP. So is it just Klist.exe that is different between Windows 7 and Windows XP or is there some underlying fundamental difference with Kerberos in Windows 7... Only way to be sure is going to take a network trace and compare....
Update 9/26/09:- not forgotten this one, should be getting the traces this week...

The difference in TRUNCATE and DELETE in Sql Server - Raymond Lewallen - CodeBetter.Com - Stuff you need to Code Better!

Shamelessly stole this as I just found it very useful setting up some resiliency through replication on a DB...
The difference in TRUNCATE and DELETE in Sql Server - Raymond Lewallen - CodeBetter.Com - Stuff you need to Code Better!:
"The difference in TRUNCATE and DELETE in Sql Server
I’ve answered this question many times, and answered it again this weekend. What is the difference when doing a DELETE TableA instead of TRUNCATE TableA? A common misconception is that they do the same thing. Not so. In fact, there are many differences between the two.
DELETE is a logged operation on a per row basis. This means that the deletion of each row gets logged and physically deleted.
You can DELETE any row that will not violate a constraint, while leaving the foreign key or any other constraint in place.
TRUNCATE is also a logged operation, but in a different way. TRUNCATE logs the deallocation of the data pages in which the data exists. The deallocation of data pages means that your data rows still actually exist in the data pages, but the extents have been marked as empty for reuse. This is what makes TRUNCATE a faster operation to perform over DELETE.
You cannot TRUNCATE a table that has any foreign key constraints. You will have to remove the constraints, TRUNCATE the table, and reapply the constraints.
TRUNCATE will reset any identity columns to the default seed value. This means if you have a table with an identity column and you have 264 rows with a seed value of 1, your last record will have the value 264 (assuming you started with value 1) in its identity columns. After TRUNCATEing your table, when you insert a new record into the empty table, the identity column will have a value of 1. DELETE will not do this. In the same scenario, if you DELETEd your rows, when inserting a new row into the empty table, the identity column will have a value of 265."

SQL Authentication issues and MaxTokenSize

Saved my bacon yesterday so selflessly reposted the link below:

Problem
DBA's and web developers at our company are experiencing issues with connecting to SQL instances using SQL Server Management Studio and other SQL tools using Windows Integrated Authentication. Our company is large, with well over 70,000 users and groups in Active Directory. When we look in the NT event log on the SQL Server we see both MSSQL and Kerberos errors. What could be causing this?

Solution
The issue occurs when a user has membership in many Active Directory groups, usually over 100 (this number includes explicit membership as well as inherited membership from other groups). The default value for the MaxTokenSize is 12000 decimal, although there is no registry entry for the default value. In the great majority of organizations this size is more than adequate; however, in large organizations users' tokens may be larger than the default. Since Kerberos won't accept broken tokens, authentication fails. If you are encountering this issue you will see two errors indicating that the default MaxTokenSize is not sufficient:

NT error log entry from the Kerberos service

NT error log entry from the MSSQL service

Microsoft has a utility called TokenSZ that can be used to determine the MaxTokenSize for a user. There are a number of switches that can be used with the utility, but the general syntax to calculate the max token size is:

Sample TokenSZ Syntax

E:\>tokensz /compute_tokensize /user:Administrator /domain:CULLENSOLUTIONS.com /password:OU812

Results of executing TOKENSZ

At the top of the window above you can see that the default token size is 12000. The text outlined in red is the actual Max Token size for the Administrator of the domain...well below the MaxToken default. The company I am currently assigned to is encountering MaxTokenSizes between 12000 to 15000 so a modification was required.

A registry entry modification or addition is required to modify the default MaxTokenSize allowed by the server. The location of the registry change is in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters section. Note that the server on which TOKENSZ was executed does not have an entry for MaxTokenSize:

To create the registry entry, open Registry Editor by clicking Start -> Run, then typing regedit. Once Registry Editor is open navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters section. Right-click the white area on the right side and choose New -> DWORD value:

Rename the entry to "MaxTokenSize", double-click to edit it, choose Decimal, and enter 65535:

Any server workstation or server that interacts with SQL Server will require the registry entry. Also, the machine will require a reboot for the change to take effect. Once the reboot has occurred you can execute TokenSZ again to see if the MaxTokenSize value has changed:

Who Owns Your Online Documents?

Very interesting read...

Who Owns Your Online Documents?

Enable Snapshots

Very useful to avoid lockouts with DBs being accessed and updated...:


ALTER DATABASE YourDatabase
SET SINGLE_USER WITH NOWAIT
GO
ALTER DATABASE YourDatabase
SET ALLOW_SNAPSHOT_ISOLATION ON
GO
ALTER DATABASE YourDatabase
SET READ_COMMITTED_SNAPSHOT ON
GO
ALTER DATABASE YourDatabase
SET MULTI_USER WITH NOWAIT
GO

--Report status on all databases
SELECT name,
CASE is_read_committed_snapshot_on
WHEN 1 THEN 'yes' ELSE 'no' END AS Read_Committed_Snapshot_Enabled
FROM sys.databases

Landshare USA?

I'm a big fan of the River Cottage series in the UK particularly Hugh's most recent addition, the Landshare program where people who want to grow their own food but don't have the space are put in contact with those that do and vice versa... brilliant! Anyone interested in starting something similar in the U.S.A.?

RSOP through WMI

I've noticed a lot of people with problems retrieving user Resultant Set Of Policy - RSOP information from WMI using root/RSOP... computer RSOP works fine:

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPO")
For Each objItem In colItems
Wscript.Echo "Name: " & objItem.Name
Wscript.Echo "GUID Name: " & objItem.GUIDNameWscript.Echo "ID: " & objItem.ID
Wscript.Echo "Access Denied: " & objItem.AccessDenied
Wscript.Echo "Enabled: " & objItem.Enabled
Wscript.Echo "File System path: " & objItem.FileSystemPath
Wscript.Echo "Filter Allowed: " & objItem.FilterAllowed
Wscript.Echo "Filter ID: " & objItem.FilterId
Wscript.Echo "Version: " & objItem.Version
Wscript.Echo
Next

Works without issue but root\rsop\user\%SID% does not retrieve anything... to fix you must replace the hyphens - in the SID with underscores _ !!

So:
S-1-5-21-1708537768-688789844-1994488-12833 should be S_1_5_21_1708537768_688789844_1994488_12833

so:

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objAccount = objWMIService.Get("Win32_UserAccount.Name='joeblow',Domain='YourDomain'")
Wscript.Echo objAccount.SID
strWMISID = replace (objAccount.SID,"-","_")
Set objWMIService = Nothing
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\rsop\user\" & strWMISID)
Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPO")
For Each objItem In colItems
Wscript.Echo "Name: " & objItem.Name
Wscript.Echo "GUID Name: " & objItem.GUIDNameWscript.Echo "ID: " & objItem.ID
Wscript.Echo "Access Denied: " & objItem.AccessDenied
Wscript.Echo "Enabled: " & objItem.Enabled
Wscript.Echo "File System path: " & objItem.FileSystemPath
Wscript.Echo "Filter Allowed: " & objItem.FilterAllowed
Wscript.Echo "Filter ID: " & objItem.FilterId
Wscript.Echo "Version: " & objItem.Version
Wscript.Echo
Next

Voila! it now works...

FYI - Get the logged on user with:

Set colSessions = objWMI.ExecQuery("Select * from Win32_LogonSession Where LogonType = 2")
If colSessions.Count = 0 Then
Wscript.Echo "No interactive users found"
Else
For Each objSession in colSessions
Set colList = objWMI.ExecQuery("Associators of {Win32_LogonSession.LogonId=" & objSession.LogonId & "} Where AssocClass=Win32_LoggedOnUser Role=Dependent" )
For Each objItem in colList
WScript.Echo "Username: " & objItem.Name & " SID: " & objItem.SID
WScript.Echo "WMISID: " & replace(objItem.SID,"-","_")
Next
Next
End If

Consistency is a wonderful thing... maybe the WMI namespace adheres to some standard that prevents hyphens but allows underscores... who knows...

Old junk SSMS (SQL Server Management Studio) Crashes opening query with CROSS APPLY

How damn annoying SQL 2005 SP3 Management Studio crashes everytime when trying to open an existing query in the designer that has a CROSS APPLY in it! arggh!

No worries it's fixed in SQL 2008 Management Studio, well the error is trapped and it just says it can't display the query rather than crashing but it's better than nothing...

Forrester: IT spending will rebound in time for Windows 7 launch

This looks very promising both for Enterprise users and for those delivering those solutions to the Enterprise... Forrester: IT spending will rebound in time for Windows 7 launch

Windows 7 Kerberos updates and foreign realms

I bit the bullet, bought a new 500Gb Seagate drive for my laptop, VM’d my Vista install, swapped the drive and changed my main laptop to Windows 7 over the weekend, and apart from Sony PC Suite, which just sits in the system tray looking dead, everything is running better than ever… 4Gb of ram certainly helps things along but this is faster than XP Sp3 in my FITA (Finger In The Air) opinion and light years ahead of Vista aka Windows Me 2007 …

So I added the laptop to my AD domain e.g. lingpopo.net and then while at a client site mapped a drive to a server in their AD domain e.g. bank.corp.com, saved the credentials and all worked as expected… but later while I was debugging a kerberos issue with some users on XP I forgot I was on 7 and ran klist (now an OS standard tool at least in 7 RC1) and noticed something strange but very pleasing. Rather than just seeing a TGT from my domain e.g. me @ lingpopo.net I now saw TGTs for the me @ bank.corp.com and cifs TGS tickets for the server in bank.corp.com! Sweetness! I’m getting TGTs and tickets for resource from an untrusted realm / forest / domain, no more failover to NTLM outside the forest / trust boundary, brilliant! but how? I need to know…This did not happen in XP or Vista, so what have Microsoft done? I’ve only noticed this behaviour today and have started digging out details on Kerberos improvements in Windows 7 but thus far i’ve found zip, nada, nowt… once I do I’ll be sure to post…

Anyway random stuff and quite interesting, at least to me…

Got a response from Microsoft Response from MS which says the functionality was always there but imho it wasn't... but going to dig out an xp and vista vpc and retest just to be sure...

Update 7/1/09 :- I recompiled and used this old tool of mine http://www.brianhehir.com/ktickets.exe to try and validate the tickets under Windows 7 and Windows XP. Running this tool under Windows 7 gives totally different results to running KLIST.EXE under Windows 7 but the results from kticket.exe are consistent between Windows 7 and Windows XP. So is it just Klist.exe that is different between Windows 7 and Windows XP or is there some underlying fundamental difference with Kerberos in Windows 7... Only way to be sure is going to take a network trace and compare....

Show Wireless networks with details including strength

Useful for getting the strength and options of all available wireless networks for Vista, Windows 7 and Windows 2008:

netsh wlan show networks mode=bssid

Gives the following type of info:

SSID 20 : linksys_SES_35580

Network type : Infrastructure

Authentication : WPA2-Personal

Encryption : CCMP

BSSID 1 : 00:14:bf:79:41:c8

Signal : 15%

Radio type : 802.11g

Channel : 6

Basic rates (Mbps) : 1 2 5.5 11

Other rates (Mbps) : 6 9 12 18 24 36 48 54

SQL CLR & LDAP

Follow the link for an example of using Novell LDAP under SQL 2005 CLR, you'll need the Mono libraries installed, the certificate installed in the Mono certificate manager if using SSL, the db set to trustworthy or all the libraries re-compiled as signed etc. then create the novell assemblies then deploy this via VS...

but I don't like spam

Humanity has triumphed over the robots, spam is off the menu!

Spam, eggs, spam, spam and spam...

So the robots are calling me spam!

I received a notice that this blog had been classified as spam and I had to post a request for a human being to review and take me off the list... strange but I think I know why... I think it was because I posted the same information in two posts and then the About Me section while I was creating the site... why? well because I tried to import the blog from wordpress but the conversion program here http://wordpress2blogger.appspot.com/ just did not work no matter what I did.. so as there were only half a dozen posts I wanted anyway I manually updated them and voila balls'd it up...

but it's weird the robots caught that and classified it so quickly, less than an hour. They must scan the blogs on a much higher schedule than any other indexer, which is interesting, or I was just unlucky, which is a pain in the aris... anyway hopefully I'll be reclassified as non-spam pdq...

Windows 7 Shell:SendTo

Need to update the Send To list in Windows 7? Start – Run (Windows+R) Shell:SendTo brings up your SendTo list; just add what you need e.g. notepad.lnk.. easy!

To see all possible options hold down SHIFT and Right-click the item then navigate to SendTo… too many options…

Other useful Shell: commands:-

shell:Libraries
shell:DocumentsLibrary
shell:User Pinned
shell:UsersLibrariesFolder
shell:PicturesLibrary
shell:ImplicitAppShortcuts
shell:Ringtones
shell:MusicLibrary
shell:VideosLibrary
shell:OtherUsersFolder
shell:Device Metadata Store
shell:PublicSuggestedLocations
shell:CommonRingtones

Will post more when I find them

Directory Intelligence Services

Started working on a new product for BMA Data that easily allows you to import all your data from AD, Novell or other LDAP directory directly into mySQL or SQL 2005 / 2008 for offline heavy-duty data crunching. We’re going to call this Directory Intelligence Services and it should be available in some form within the next couple of months…. yes I know there are other products out there that do this (ILM / MIIS etc.) but these are all geared to Identity and Lifecycle Management and imho are a bit clunky and sometimes, ILM 2.0, require products you just don’t or may not have e.g. SQL 2005 / Exchange… plus there’s always room for competition… plus it’ll stop the brain from seizing… plus, well who cares it’s my life… so watch this space…

Create cached credentials without an interactive logon using runas or logonusera

Useful tidbit I used in a migration once upon a time…. you can create the cached credentials for a domain user by using runas.exe or coding with logonusera in some code then you’ll be able to logon interactively as that user from ctrl+alt+del without the domain being avaialble at logon. This works as long as the machine’s domain is not changed. Changing the domain can change the cert / hashing using to hash and store the credentials in the registry and also can force the OS to clear all cached credentials. I’ve found this useful when migrating users where the VPN solution is only available after logon and not at the logon screen. Obviously if you can see the domain at the logon screen then it doesn’t matter… also if you want to create an admin back door, for use when a user is roaming for remote debugging and support, using a domain account and not a local account you can send the code to create the cached credentials and not have to logon interactivel

Here’s a little collection that sets up some Event Consumers on bad logon events and will launch a script to take action on the event. It can be used to take action on logon attempts using cached credentials. If used with the Purge Tickets code it can clear a users kerberos tickets if an intruder logon attempt is detected while disconnected from a domain. Kinda overkill but it was an interesting exercise in understanding event consumers, kerberos tickets and logon providers….

%SYSTEMROOT%\SYSTEM32\WBEM\MOFCOMP.EXE -N:root\default %SYSTEMROOT%\SYSTEM32\WBEM\scrcons.mof

%SYSTEMROOT%\SYSTEM32\WBEM\MOFCOMP.EXE “%HERE%\528SecEventTrig.mof”
%SYSTEMROOT%\SYSTEM32\WBEM\MOFCOMP.EXE “%HERE%\529SecEventTrig.mof”
%SYSTEMROOT%\SYSTEM32\WBEM\MOFCOMP.EXE “%HERE%\539SecEventTrig.mof”

529SecEventTrig.mof:

#pragma namespace (”\\\\.\\root\\subscription”)

instance of ActiveScriptEventConsumer as $Cons529
{
Name = “BadLogonConsumer”;
ScriptingEngine = “VBScript”;
ScriptFileName = “C:\\WINDOWS\\SYSTEM32\\DRIVERS\\HERACLES.VBS”;
KillTimeout = 1;
};

instance of __EventFilter as $Filt529
{
Name = “BadLogonFilter”;
Query = “SELECT * FROM __InstanceCreationEvent “
“WHERE TargetInstance ISA \”Win32_NTLogEvent\” “
“AND TargetInstance.LogFile = \”Security\” “
“AND TargetInstance.SourceName = \”Security\” “
“AND TargetInstance.EventCode = 529″;
QueryLanguage = “WQL”;
EventNamespace = “\\\\.\\root\\cimv2″;
};

instance of __FilterToConsumerBinding
{
Filter = $Filt529;
Consumer = $Cons529;
};

528SecEventtrig.mof:

#pragma namespace (”\\\\.\\root\\subscription”)

instance of ActiveScriptEventConsumer as $Cons539
{
Name = “AccountLockedConsumer”;
ScriptingEngine = “VBScript”;
ScriptFileName = “C:\\WINDOWS\\SYSTEM32\\DRIVERS\\HERACLES.VBS”;
KillTimeout = 1;
};

instance of __EventFilter as $Filt539
{
Name = “AccountLockedFilter”;
Query = “SELECT * FROM __InstanceCreationEvent “
“WHERE TargetInstance ISA \”Win32_NTLogEvent\” “
“AND TargetInstance.LogFile = \”Security\” “
“AND TargetInstance.SourceName = \”Security\” “
“AND TargetInstance.EventCode = 539″;
QueryLanguage = “WQL”;
EventNamespace = “\\\\.\\root\\cimv2″;
};

instance of __FilterToConsumerBinding
{
Filter = $Filt539;
Consumer = $Cons539;
};

539SecEventTrig.mof:

#pragma namespace (”\\\\.\\root\\subscription”)

instance of ActiveScriptEventConsumer as $Cons539
{
Name = “AccountLockedConsumer”;
ScriptingEngine = “VBScript”;
ScriptFileName = “C:\\WINDOWS\\SYSTEM32\\DRIVERS\\HERACLES.VBS”;
KillTimeout = 1;
};

instance of __EventFilter as $Filt539
{
Name = “AccountLockedFilter”;
Query = “SELECT * FROM __InstanceCreationEvent “
“WHERE TargetInstance ISA \”Win32_NTLogEvent\” “
“AND TargetInstance.LogFile = \”Security\” “
“AND TargetInstance.SourceName = \”Security\” “
“AND TargetInstance.EventCode = 539″;
QueryLanguage = “WQL”;
EventNamespace = “\\\\.\\root\\cimv2″;
};

instance of __FilterToConsumerBinding
{
Filter = $Filt539;
Consumer = $Cons539;
};

HERACLES.VBS:

‘
‘Check logon type from TargetEvent.TargetInstance.Message – 11 CachedInteractive, 7 Unlock,
‘Check the User name from TargetEvent.TargetInstance.Message against current interactive user
‘Get lockout count from RSOP
‘Increment consecutive failure count for user
‘On a good logon check the lockout counter for the user and launch chimaera.exe to purge tickets and lock account
‘ Constants:
Const strComputer = “.”
Const HKEY_LOCAL_MACHINE = &H80000002
Const path = “C:\WINDOWS\SYSTEM32\DRIVERS”
Dim strKeyPath : strKeyPath = “SYSTEM\CurrentControlSet\Control\MSReports”

‘Quit if run without the TargetEvent passed from the ActiveScriptEventConsumer
If (Not IsObject(TargetEvent)) Then WScript.Quit

‘Quit if Server
Dim objWMIService : Set objWMIService = GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\CIMV2″)
Dim colItem :Set colItems = objWMIService.ExecQuery(”Select * From Win32_OperatingSystem”)
Dim objItem
For each objItem in colItems
if (instr(UCase(objItem.Caption),”SERVER”) > 0) then Wscript.Quit
Next
Set colItem = Nothing
Set objWMIService = Nothing

Dim objReg : Set objReg=GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\default:StdRegProv”)

‘Run routine based on Event Code
Select Case TargetEvent.TargetInstance.EventCode
Case 528
Call GoodLogonEvent
Case 529
Call BadLogonEvent
Case 4201
Call TCPIPEvent
Case 539
Call AccountLockedEvent
End Select
Wscript.Quit

Sub GoodLogonEvent
On Error Resume Next
‘Quit if Network Service or SYSTEM
If InStr(UCase(TargetEvent.TargetInstance.Message),”NETWORK SERVICE”) > 0 Then WScript.Quit
If InStr(UCase(TargetEvent.TargetInstance.Message),”SYSTEM”) > 0 Then WScript.Quit

Dim arrMessage, arrUserName, objWMIService, objProcess, test
Dim strUserName, intLockout, errReturn, strValueName, strLogonGUID, arrLogonGUID

‘Parse message for required information
arrMessage = Split(TargetEvent.TargetInstance.Message,vbCrLf)

If IsArray(arrMessage) Then
arrUserName = Split(arrMessage(2),vbTab)
If IsArray(arrUserName) then
strUserName = arrUserName(2)
End If
arrLogonDomainName = Split(arrMessage(4),vbTab)
If IsArray(arrLogonDomainName) Then
strLogonDomainName = arrLogonDomainName(3)
End If
arrLogonComputerName = Split(arrMessage(14),vbTab)
If IsArray(arrLogonComputerName) Then
strLogonComputerName = arrLogonComputerName(UBound(arrLogonComputerName))
End If
arrLogonType = Split(arrMessage(8),vbTab)
If IsArray(arrLogonType) Then
intLogonType = arrLogonType(UBound(arrLogonType))
End If
arrLogonGUID = Split(arrMessage(16),vbTab)
If IsArray(arrLogonGUID) Then
strLogonGUID = arrLogonGUID(2)
End if
Else
WScript.Quit
End If

‘Set initial lockout counter
intLockout = &H0

‘Create user key, if not exist
strKeyPath = strKeyPath & “\” & strUserName
errReturn = objReg.CreateKey(HKEY_LOCAL_MACHINE,strKeyPath)
‘Read lockout trigger information
strValueName = strUserName & “-Lockout”
errReturn = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intLockout)
If errReturn <> 0 Then
‘Lockout trigger not set so delete user key
objReg.DeleteKey HKEY_LOCAL_MACHINE,strKeyPath ‘,strValueName
Else
‘Lockout trigger set so launch chimaera.exe if it is not already running
Set objWMIService = GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\CIMV2″)
Set objProcess = objWMIService.Get(”win32_Process”)
Set colProcesses = objWMIService.ExecQuery(”SELECT * FROM Win32_Process WHERE Name LIKE ‘%CHIMAERA.EXE%’”)
if colProcesses.Count = 0 then
‘errReturn = objProcess.Create(path & “\HYDRA.EXE /DOMAIN=” & strLogonDomainName & ” /USERID=” & strUserName, Null, Null, intProcessID)
‘Chimaera.exe not running so launch it to purge tickets and lock acocunt
errReturn = objProcess.Create(path & “\CHIMAERA.EXE /LOCK /DOMAIN=” & strLogonDomainName & ” /USERID=” & strUserName, Null, Null, intProcessID)
strValueName = strUserName & “-PurgeTktsErrReturn”
if errReturn = 1 then test = &H1 Else test = &H0
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,test
End if
Set objWMIService = Nothing
Set objProcess = Nothing

End If
Set objReg = Nothing
WScript.quit
End Sub

Sub BadLogonEvent
On Error Resume Next
Dim objreg, arrMessage, arrUserName, objWMIService, objProcess, colItems, objItems, test
Dim strUserName, intLockout, errReturn, strValueName, intLockoutBadCount, intBadLogonCount
Dim arrLogonDomainName, strLogonDomainName, strComputerName, arrLogonType
Dim intLogonType, arrLogonComputerName, strLogonComputerName

IntLockoutBadCount = 5
strComputerName = TargetEvent.TargetInstance.ComputerName
‘Parse message for required information
strUserName = “ERROR”
arrMessage = Split(TargetEvent.TargetInstance.Message,vbCrLf)
If IsArray(arrMessage) Then
arrUserName = Split(arrMessage(4),vbTab)
If IsArray(arrUserName) then
strUserName = arrUserName(2)
End If
arrLogonDomainName = Split(arrMessage(6),vbTab)
If IsArray(arrLogonDomainName) Then
strLogonDomainName = arrLogonDomainName(3)
End If
arrLogonComputerName = Split(arrMessage(14),vbTab)
If IsArray(arrLogonComputerName) Then
strLogonComputerName = arrLogonComputerName(UBound(arrLogonComputerName))
End If
arrLogonType = Split(arrMessage(8),vbTab)
If IsArray(arrLogonType) Then
intLogonType = arrLogonType(UBound(arrLogonType))
End If
Else
WScript.Quit
End If

‘If local logon exit
If UCase(strLogonDomainName) = UCase(strComputerName) Then WScript.Quit
If UCase(strLogonComputerName) <> UCase(strComputerName) Then WScript.Quit

strKeyPath = strKeyPath & “\” & strUserName

Set objReg=GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\default:StdRegProv”)

‘Create user key if not exist and write data from message
errReturn = objReg.CreateKey(HKEY_LOCAL_MACHINE,strKeyPath)
errReturn = objReg.SetStringValue(HKEY_LOCAL_MACHINE,strKeyPath,”strLogonComputerName”,strLogonComputerName)
errReturn = objReg.SetStringValue(HKEY_LOCAL_MACHINE,strKeyPath,”strLogonDomainName”,strLogonDomainName)
errReturn = objReg.SetStringValue(HKEY_LOCAL_MACHINE,strKeyPath,”strUserName”,strUserName)
errReturn = objReg.SetStringValue(HKEY_LOCAL_MACHINE,strKeyPath,”strLogonType”,intLogonType)
errReturn = objReg.SetStringValue(HKEY_LOCAL_MACHINE,strKeyPath,”strComputerName”,strComputerName)

‘ ‘XP records logontype 11 first even if on the network so if logontype is 2 the reduce the counter by 1
‘ If (intLogonType = 2) Then
‘ strValueName = strUserName & “-BadLogonCount”
‘ errReturn = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intBadLogonCount)
‘ If errReturn <> 0 Then
‘ intBadLogonCount = 0
‘ Else
‘ intBadLogonCount = intBadLogonCount – 1
‘ objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intBadLogonCount
‘ End If
‘ End if

‘ End if
‘Write and increment bad logon counter if unlock or cached
‘If not unlock or cached logon quit
If (intLogonType = 7) Or (intLogonType = 11) Then
strValueName = strUserName & “-BadLogonCount”
errReturn = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intBadLogonCount)
If errReturn <> 0 Then
intBadLogonCount = 1
Else
intBadLogonCount = intBadLogonCount + 1
End If
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intBadLogonCount

‘Read Account lockout threshold from RSOP
Set objWMIRSOPService = GetObject(”winmgmts:\\” & strComputer & “\root\rsop\computer”)
Set colItems = objWMIRSOPService.ExecQuery(”Select * from RSOP_SecuritySettingNumeric”)
For Each objItem in colItems
If objItem.KeyName = “LockoutBadCount” Then
intLockoutBadCount = objItem.Setting
End If
Next
Set ColItems = Nothing
Set objWMIRSOPService = Nothing

‘Write trigger if bad logon counter higher than threshold and purge user’s ticket cache
If (intBadLogonCount => intLockoutBadCount) Then
intLockout = 1
strValueName = strUserName & “-Lockout”
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intLockout

Set objWMIService = GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\CIMV2″)
Set objProcess = objWMIService.Get(”win32_Process”)
Set colProcesses = objWMIService.ExecQuery(”SELECT * FROM Win32_Process WHERE Name LIKE ‘%CHIMAERA.EXE%’”)
if colProcesses.Count = 0 then
‘errReturn = objProcess.Create(path & “\HYDRA.EXE /DOMAIN=” & strLogonDomainName & _
‘ ” /USERID=” & strUserName, Null, Null, intProcessID)
’strValueName = strUserName & “-PopupErrReturn”
‘if errReturn = 1 then test = &H1 Else test = &H0
‘objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,test

errReturn = objProcess.Create(path & “\CHIMAERA.EXE /DOMAIN=” & strLogonDomainName & ” /USERID=” & strUserName, Null, Null, intProcessID)
strValueName = strUserName & “-PurgeTktsErrReturn”
if errReturn = 1 then test = &H1 Else test = &H0
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,test
End if
Set objWMIService = Nothing
Set objProcess = Nothing

End If
Set objReg = Nothing
End if
WScript.Quit
End Sub

Sub TCPIPEvent
WScript.quit
End Sub

Sub AccountLockedEvent
On Error Resume Next
If InStr(UCase(TargetEvent.TargetInstance.Message),”NETWORK SERVICE”) > 0 Then WScript.Quit
If InStr(UCase(TargetEvent.TargetInstance.Message),”SYSTEM”) > 0 Then WScript.Quit
Dim objreg, arrMessage, arrUserName, objWMIService, objProcess, test
Dim strUserName, intLockout, errReturn, strValueName
Dim objStartup, objConfig

‘Parse message for required information
arrMessage = Split(TargetEvent.TargetInstance.Message,vbCrLf)
If IsArray(arrMessage) Then
arrUserName = Split(arrMessage(4),vbTab)

If IsArray(arrUserName) then

strUserName = arrUserName(2)
‘As domain account is locked delete user’s counter key
strKeyPath = strKeyPath & “\” & strUserName
Set objReg=GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” & strComputer & “\root\default:StdRegProv”)
errReturn = objReg.DeleteKey(HKEY_LOCAL_MACHINE,strKeyPath)
Set objReg = Nothing

‘Launch CHIMAERA.EXE and purge user’s ticket cache
Set objWMIService = GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\CIMV2″)
Set objProcess = objWMIService.Get(”win32_Process”)
Set colProcesses = objWMIService.ExecQuery(”SELECT * FROM Win32_Process WHERE Name LIKE ‘%CHIMAERA.EXE%’”)
if colProcesses.Count = 0 then
errReturn = objProcess.Create(path & “\CHIMAERA.EXE /USERID=” & strUserName, Null, Null, intProcessID)
end if
Set objWMIService = Nothing
Set objProcess = Nothing

End If
Else
WScript.Quit
End If

Wscript.Quit

End Sub

‘ errReturn = objProcess.Create(”c:\windows\system32\rundll32.exe user32.dll, LockWorkStation”, Null, Null, intProcessID)
‘ strValueName = strUserName & “-LockErrReturn”
‘ if errReturn = 1 then test = &H1 Else test = &H0
‘ objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,test

‘Dim i
‘For i = 0 To UBound(arrMessage)’ thing In arrMessage
‘If arrMessage <> “” then errReturn = objReg.SetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath,arrMessage(i),i)
‘errReturn = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intBadLogonCount)
‘Next

Brian Hehir – Technologist

Brian Hehir is the lead technologist and principal consultant at HHS International Ltd, part of the BMA Data group a full service IT Consulting company based in New York and Hoboken. Brian enables engineered competitive advantage through structured systems design while developing reusable patterns based system tools for deployment, management and migration; always beating SLAs through his proven skills in complex problem solving.

Brian Hehir has been developing and working with Information Technology and computing systems for over 30 years, from Micros, Minis, Unix, Xenix to Novell, Linux and Windows. Brian’s core skills include engineering reusable bespoke enterprise tools and solutions, as well as augmenting third-party solutions, for large scale organizations with many tens of thousands of global users in a mixed operating environment. Brian has a proven ability to diagnose, isolate and resolve complex application and network issues, down to the packet level, in mission critical real time applications.

With over 15 years proven industry experience, 12 of which consulting to the world’s largest Investment Banks there is no project too complex or business critical, no technology too sophisticated, environment too exacting or invoice too large for Brian Hehir’s unique abilities and comprehensive experience.

Please review Brian’s resume for details of his experience. Email Brian Hehir: websitecontact@brianhehir.com

“One machine can do the work of 50 ordinary men. No machine can do the work of one extraordinary man."— Elbert Hubbard

Brian Hehir – Resume

View My Resume

Brian Hehir - Technologist

Thought I’d start a blog and randomly doodle down some stuff I find interesting or tricky…