joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

30 Second Admin – Default Domain Password Policies for Entire Forest

Posted 6:16 pm on 3/19/2015
Filed under tech

Your boss walks into your cube with a harried look on her face… Hey ADMIN dude or dudette… The Security people are asking for the Default Domain Password Policies for all of the domains in the forest for an audit and I need it in the next 30 seconds because I am already late…

Ok…

[Thu 03/12/2015 15:34:06.57]
C:\>for /f %i in ('adfind -sc domainlist') do @adfind -hh %i -sc dompol -dloid

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server1.americas.company.net:389
Directory: Windows Server 2012
Base DN: DC=americas,DC=company,DC=net

dn:DC=americas,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server2.asiapacific.company.net:389
Directory: Windows Server 2008 R2
Base DN: DC=asiapacific,DC=company,DC=net

dn:DC=asiapacific,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server0.company.net:389
Directory: Windows Server 2008 R2
Base DN: DC=company,DC=net

dn:DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server3.emea.company.net:389
Directory: Windows Server 2008 R2
Base DN: DC=emea,DC=company,DC=net

dn:DC=emea,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

[Thu 03/12/2015 15:34:21.62]

Highlight the output in the command prompt window, copy it, CTRL-V to paste it into Notepad, then CTRL-P, ALT-P to print. Tell her to go to the printer.

If you have an LPT port mapped in the command prompt, it is even faster: redirect each domain's output straight to it.

[Thu 03/12/2015 15:35:53.67]
C:\>for /f %i in ('adfind -sc domainlist') do @adfind -hh %i -sc dompol > LPT1

[Thu 03/12/2015 15:36:08.56]

She wasn’t really thinking you could do it in 30 seconds, she was trying to give you a sense of urgency… But you were able to do it anyway. Great job! 🙂

If you have a single-domain forest, this can be reduced further to simply:

[Thu 03/12/2015 15:37:04.26]
C:\>adfind -sc dompol -dloid

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server1.americas.company.net:389
Directory: Windows Server 2012
Base DN: DC=americas,DC=company,DC=net

dn:DC=americas,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

[Thu 03/12/2015 15:37:10.74]

You don't need the -dloid switch, but it does make the query faster when you know for a fact that you don't need to decode any special attributes. That switch disables the dynamic schema search AdFind normally does to find time/SID/GUID-typed attributes for intelligent decoding. The attributes shown here are long-known ones that are hard coded into AdFind's decoding tables, which is why they still come out decoded (the bracketed day/minute values) even with -dloid set.
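The bracketed values are convenience decoding; what actually sits in the directory is the raw number before them (negative counts of 100-nanosecond ticks for the intervals, a bit mask for pwdProperties, INT64_MIN for "never"). If the Security people want the forest compared against a baseline rather than a printout, the following is an added example, not code from the post or from AdFind: it parses the exact text the forest-wide loop above prints, decodes the raw values itself, and reports where each domain misses a baseline. The BASELINE thresholds are illustrative assumptions, and the second record in SAMPLE is a constructed, deliberately weak domain (DC=weak,DC=example,DC=test) added so the remaining checks fire; the first record is the americas listing from the post.

```python
"""Parse AdFind '-sc dompol' output for every domain and audit it against a baseline.

Added example, not code from the original post or from AdFind. BASELINE values
are illustrative assumptions; substitute whatever your audit actually requires.
"""
import re

TICKS_PER_SECOND = 10_000_000   # AD interval attributes are negative 100ns tick counts
NEVER = -(2 ** 63)              # INT64_MIN, which AdFind prints as [undefined/never/forever]

# pwdProperties bit flags (MS-SAMR DOMAIN_PASSWORD_INFORMATION)
PWD_PROPERTY_FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

# Illustrative baseline (assumption, not from the post). Ages are in days.
BASELINE = {"minPwdLength": 14, "pwdHistoryLength": 24, "lockoutThreshold_max": 10,
            "maxPwdAge_days_max": 365, "minPwdAge_days_min": 1.0}

_ATTR_LINE = re.compile(r"^>([\w-]+):\s*(-?\d+)")   # '>name: rawvalue [decoded]'


def parse_dompol(text):
    """Map each 'dn:' record in AdFind output to its raw integer attributes."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dn:"):            # new record; banner lines are ignored
            current = line[3:].strip()
            domains[current] = {}
            continue
        m = _ATTR_LINE.match(line)
        if current is not None and m:
            domains[current][m.group(1)] = int(m.group(2))
    return domains


def interval_seconds(value):
    """Decode a negative 100ns interval into seconds; None means never/unlimited."""
    return None if value == NEVER else -value / TICKS_PER_SECOND


def decode_pwd_properties(value):
    """Names of the pwdProperties bits that are set, in ascending bit order."""
    return [name for bit, name in PWD_PROPERTY_FLAGS.items() if value & bit]


def audit_domain(attrs):
    """Return findings (strings) where a domain misses BASELINE; empty list == pass."""
    findings = []
    min_len = attrs.get("minPwdLength", 0)
    if min_len < BASELINE["minPwdLength"]:
        findings.append(f"minPwdLength {min_len} < {BASELINE['minPwdLength']}")
    history = attrs.get("pwdHistoryLength", 0)
    if history < BASELINE["pwdHistoryLength"]:
        findings.append(f"pwdHistoryLength {history} < {BASELINE['pwdHistoryLength']}")
    threshold = attrs.get("lockoutThreshold", 0)   # 0 == no lockout at all
    if threshold == 0 or threshold > BASELINE["lockoutThreshold_max"]:
        findings.append(f"lockoutThreshold {threshold} not in 1..{BASELINE['lockoutThreshold_max']}")
    max_age = interval_seconds(attrs.get("maxPwdAge", NEVER))
    if max_age is None or max_age / 86400 > BASELINE["maxPwdAge_days_max"]:
        findings.append("maxPwdAge is never or exceeds baseline")
    min_age = interval_seconds(attrs.get("minPwdAge", 0))
    if min_age is None or min_age / 86400 < BASELINE["minPwdAge_days_min"]:
        findings.append("minPwdAge below baseline (history can be cycled through)")
    flags = decode_pwd_properties(attrs.get("pwdProperties", 0))
    if "DOMAIN_PASSWORD_COMPLEX" not in flags:
        findings.append("password complexity not enforced")
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in flags:
        findings.append("reversible encryption enabled domain-wide")
    maq = attrs.get("ms-DS-MachineAccountQuota", 10)   # AD's default is 10
    if maq != 0:
        findings.append(f"ms-DS-MachineAccountQuota {maq}: any user can join that many machines")
    return findings


def audit_forest(text):
    """Parse the combined output of the forest-wide loop and audit each domain."""
    return {dn: audit_domain(attrs) for dn, attrs in parse_dompol(text).items()}


# Constructed sample: the americas listing from the post, plus a deliberately weak
# made-up domain so the other checks are exercised.
SAMPLE = """\
AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server1.americas.company.net:389
Base DN: DC=americas,DC=company,DC=net

dn:DC=americas,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

dn:DC=weak,DC=example,DC=test
>lockoutThreshold: 0
>maxPwdAge: -9223372036854775808 [undefined/never/forever]
>minPwdAge: 0
>minPwdLength: 14
>pwdProperties: 17
>pwdHistoryLength: 24
>ms-DS-MachineAccountQuota: 10
"""

if __name__ == "__main__":
    for dn, findings in audit_forest(SAMPLE).items():
        print(dn, "->", findings or "OK")
```

Feed it the real loop output with `adfind ... | python audit_dompol.py` after swapping SAMPLE for sys.stdin.read(). One caveat for the audit itself: the domain head only holds the Default Domain Policy. Since the 2008 domain functional level, fine-grained password policies (msDS-PasswordSettings objects under CN=Password Settings Container,CN=System,<domain>) override these values for the users and groups they apply to, so an honest forest-wide answer enumerates those too rather than stopping at the numbers above.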

    joe

P.S. All of these commands were run as a normal userid, not an admin ID. In most AD Forests much if not most information is readily available to normal users so if you are simply querying, you may only need to be a normal user. So yes, your manager could have gotten the information herself, not to mention those Security people could have gotten it as well…
