joeware - never stop exploring... :)


PSOMgr is done…. I think. :)

by @ 11:56 pm on 4/15/2007. Filed under tech

I finished V01.00.00 of PSOMgr yesterday. PSOMgr is a command line utility I built to help manage the Fine-Grained Password Policy (FGPP) Password Settings Objects (PSOs) that are present in Longhorn Server Active Directory. I also set it up to manage the Domain Password Policy settings.

If you didn’t read my previous info on FGPP then you can check that out here – http://blog.joeware.net/2007/03/18/828/

The goal was to have it ready for the Directory Experts Conference 2007 (DEC), for release during the Longhorn Workshop on Sunday. Conference attendees will receive a special link to download the utility about a week before the general public can download it. That probably isn’t terribly enticing for many, because Longhorn is still in beta and won’t be released until at least the end of this year, but don’t forget that PSOMgr can also display and modify your domain password policy… So if you don’t go to DEC, you have to wait a whole week longer than you would if you were there.

Here is sample output showing the current domain policy for both domains in my Longhorn test forest. Note that this works on any Active Directory forest, regardless of the OS level of the Active Directory.

F:\Dev\BDSCPP\PSOMgr\Release_Build>psomgr /h lhb2-dc1 /view /dompol /alldoms

PSOMgr V01.00.00cpp Joe Richards (joe@joeware.net) April 2007

Using host: Default-First-Site-Name\LHB2-DC1.lhtest.loc
Retrieving Domain Policy...

Policy Listing
--------------
  Policy #1
    Type               : Domain Policy
    Domain             : lhchild.lhtest.loc
    Policy Precedence  : 2147483647
    DN                 : DC=lhchild,DC=lhtest,DC=loc
    Name               : lhchild
    Canonical Name     : lhchild.lhtest.loc/
    Display Name       : lhchild
    Lockout Threshold  : 0
    Lockout Duration   : 30
    Lockout Observation: 30
    Min Pwd Age        : 1
    Max Pwd Age        : 42
    Min Pwd Length     : 7
    Pwd History        : 24
    Pwd Complexity     : TRUE
    Pwd Reversible     : FALSE

  Policy #2
    Type               : Domain Policy
    Domain             : lhtest.loc
    Policy Precedence  : 2147483647
    DN                 : DC=lhtest,DC=loc
    Name               : lhtest
    Canonical Name     : lhtest.loc/
    Display Name       : lhtest
    Lockout Threshold  : 0
    Lockout Duration   : 30
    Lockout Observation: 30
    Min Pwd Age        : 0
    Max Pwd Age        : 91
    Min Pwd Length     : 7
    Pwd History        : 24
    Pwd Complexity     : TRUE
    Pwd Reversible     : FALSE


The command completed successfully.

 

Here is the usage info for the utility: 

 

PSOMgr V01.00.00cpp Joe Richards (joe@joeware.net) April 2007

-help         Help.
-?            Help.

Usage:
 PSOMgr [switches]

  Switches: (designated by - or /)

           [CONNECTION OPTIONS]
   -h host       Host to use. Defaults to default Domain Controller

           [ACTION OPTIONS]
   -view         View PSOs and/or Domain Policies.
   -rename xxx   Rename PSO to new name xxx. Select PSO to rename with
                 selection criteria below. Best to specify -pso PSO_DN
   -del          Delete PSO. Select PSO to delete with selection criteria
                 below. Best to specifify -pso PSO_DN
   -multidel     Delete multiple PSOs. Select PSOs to delete with selection
                 criteria below.
                   DELETE NOTES:
                     o By default you cannot delete a PSO that has a member
                       assigned to it. Use -override to override.
   -quickstart   Quickstart mode to create several base PSOs automatically.
                 Will generate a copy of the domain policy as a PSO, will
                 also generate a fixed list of additional common PSOs. If you
                 would like to generate copies of the domain policies for
                 every domain in the forest in the specified domain, use the
                 -alldoms switch. This could be useful for domain collapse.
   -effective xxx  Display effective policy information for user xxx. The
                   xxx value could be specified as SAM Name, UPN, or DN.
   -applyto xxx  Apply policy specified with criteria to object specified
                 in xxx, could be SAM Name, UPN, or DN.  
   -unapplyto xxx  Same as -applyto but unapplies.
   -clearapplied Clear all members from PSO assignment. Specify PSO with
                 with selection criteria.
   -applied      Show objects that the PSO is applied to. Specify PSO(s) with
                 selection criteria. Will only show members from the same domain
                 as they are the only ones that will be effective. Format of
                 output:
                    resultantflag[objecttype] DN (SamName | UPN)
                 The resultantflag field could be
                      empty for non-user type objects
                      + if resultant policy is the same as displayed policy.
                      - if resultant policy is different from displayed policy.
   -add xxx      Add PSO with selected attributes in xxx. Specify domain to
                 create PSO in with -domain switch.
                   ADD NOTES:
                     o  Format of xxx is specified below in ADD/MOD NOTES.
                     o  By default if you specify a PSO that matches the policy
                        settings of an existing PSO it will disallow the add
                        operation and let you know what that PSO's DN is.
   -mod xxx      Modify PSO with selected new attributes in xxx. Specify PSO
                 with selection criteria, preferably PSO DN.
                   MOD NOTES:
                     o  Format of xxx is specified below in ADD/MOD NOTES.
   -forreal      Really do any actions that make changes.

   ADD/MOD NOTES:
      The -add and -mod switches are probably the most complex in this
      utility because of the amount of information that can be specified.
      There are 12 pieces of information needed to create a PSO. To keep
      things consistent the same format is used for -mod. The fields are:
        name         - Required for add. Not req'd for mod, will rename PSO.
        displayname  - Not required for add nor mod. Defaults to name.
        precedence   - Precedence of policy, required for add. Lowest wins.
        maxpwdage    - Max password Age in days. Not required, default value.
        minlength    - Min password length. Not required, default value.
        history      - password history count. Not required, default value.
        lo_count     - Lockout Threshold. Not required, default value.
        lo_duration  - Lockout Duration in mins. Not required, default value.
        lo_observe   - Lockout Observation in mins. Not required, default value.
        minpwdage    - Min password Age in days. Not required, default value.
        complexity   - Password complexity (true/false). Not required, default value.
        reversible   - Password reversible (true/false). Not required, default value.

      The default format for specifying the info is a single colon delimited string:
        name:displayname:precedence:maxpwdage:minlength:history:lo_count:
                 lo_duration:lo_observe:minpwdage:complexity:reversible

      To make this simpler, not all values need to be specified this way,
      most of the fields have default values if you want to accept them. If
      you want to find out what the default values are, specify -add with
      the few required attributes but don't specify -forreal and PSOMgr will
      tell you all of the values. There are also 'override' switches to allow
      you to specify specific fields with additional switches. If these
      are used you just have to specify the first 4 fields for an add in
      colon delimited format.
        -lockout threshold:duration:observation
        -pwdage max:min
        -pwdlen minlength
        -pwdhist historycount
        -pwdcomplex (true|false)
        -pwdreverse (true|false)

           [SELECTION CRITERIA OPTIONS]
   -pso [xxx]    Specify a specific PSO with name/displayname xxx or with
                 no specified xxx to view all PSOs.
   -dompol       Specifies Domain Policy.
   -allpwdpols   Specifies both domain policy and PSOs.
   -alldoms      Look at all domains in forest.
   -domain xxx   Policy for Domain xxx.
   -used         Only PSOs that have members applied to them.
   -unused       Only PSOs that do not have members applied to them.

           [AUTHENTICATION OPTIONS]
   -u id         Userid authentication. AD simple bind supports All ID
                 formats and secure bind only supports ID formats 1 and 2.
                 No userid specified indicates anonymous authentication.
                     ID Formats
                     1. domain\userid
                     2. user@domain.com (userPrincipalName)
                     3. cn=user,ou=someou,dc=domain,dc=com (DN)
   -up pwd       Password for specified userid. * indicates to ask for password.
   -simple       Simple Bind

           [OUTPUT OPTIONS]
   -dn           Only display PSO DNs
   -dnprec       For view action, display PSO and precedence only.
   -v            Verbose output, give more info about what is going on.
   -sort xxx     Change sort order output.
                   xxx = precedence - Sort by domain + policy precedence.
                   default sort     - Sort by type + canonicalName.


Examples:

   View Examples

       psomgr /view /dompol
          View domain policy of default domain.

       psomgr /view /pso
          View PSOs in default domain.

       psomgr /view /pso /domain domx
          View PSOs in domain domx.

       psomgr /view /pso /used
          View used PSOs in default domain.

       psomgr /view /pso /unused
          View unused PSOs in default domain.

       psomgr /view /pso test
          View PSO with name,displayname, or admindisplayname of test
          in default domain.

       psomgr /view /allpwdpols
          View all password policies in default domain.

       psomgr /view /pso /alldoms
          View PSOs in all domains in forest.

       psomgr /view /dompol /alldoms
          View domain policies in all domains.

       psomgr /view /allpwdpols /alldoms
          View all password policies in all domains.

       psomgr /view /allpwdpols /alldoms /h serverx
          View all password policies in all domains, use serverx as
           a starting point.

       psomgr /view /allpwdpols /alldoms /h serverx /sort precedence
          View all password policies in all domains, use serverx as
          a starting point and sort by policy precedence.


   Add Examples

       psomgr /add newpso10::1 /lockout 99:99:99 /pwdage 100:100
                 /pwdcomplex TRUE /pwdreverse true /pwdlen 101
          Add PSO newpso10 with precedence of 1 and other specified values.
          Will NOT create since /forreal is not specified.

       psomgr /add newpso10::1 /lockout 99:99:99 /pwdage 100:100
                 /pwdcomplex TRUE /pwdreverse true /pwdlen 101 /forreal
          Add PSO newpso10 with precedence of 1 and other specified values.
          This will really create the PSO.

       psomgr /add testpso-1::1000
          Add PSO newpso-1 with precedence of 1, use defaults for the rest.
          Will NOT create since /forreal is not specified.

       psomgr /add testpso-1::1000 /forreal
          Add PSO newpso-1 with precedence of 1, use defaults for the rest.
          This will really create the PSO.

       psomgr /add testpso-1::1000:100:6:30:50:1:1:0:true:true
          Add PSO newpso-1 with specified values. Will not really create.

       psomgr /add testpso-1::1000:100:6:30:50:1:1:0:true:true /forreal
          Add PSO newpso-1 with specified values. Will create.


   Delete / MultiDelete Examples

       psomgr /del /pso pso-1
          Delete PSO pso-1 in default domain... But not really.

       psomgr /del /pso pso-1 /forreal
          Delete PSO pso-1 in default domain...

       psomgr /multidel /pso /forreal
          Delete all unused PSO's in default domain...

       psomgr /multidel /pso /forreal /override
          Delete all (used and unused) PSO's in default domain...

       psomgr /domain domx /multidel /pso test* /forreal
          Delete all unused PSOs that start with test in domain domx...

   Rename Examples

       psomgr /rename newname-1 /pso oldpsoname /forreal
          Rename oldpsoname to newname1.

   Modification Examples

       psomgr /dompol /mod :::42:7:24:0:30:30:1:true:false /forreal
          Modify domain policy with specified values.

       psomgr /mod /dompol /lockout 50:2:2 /pwdage 91:0 /pwdlen 10 /forreal
          Modify domain policy with specified values.

       psomgr /mod /pso testpol /lockout 50:2:2 /pwdage 91:0 /pwdlen 10 /forreal
          Modify PSO testpol with specified values.

   Quick Start Examples

       psomgr /quickstart
          Quick Start PSOs for default domain. But not for real, just see what
          it would do.

       psomgr /quickstart /forreal
          Quick Start PSOs for default domain.

       psomgr /quickstart /domain domx /forreal
          Quick Start PSOs for domain domx.

       psomgr /quickstart /alldoms /forreal
          Quick Start PSOs for default domain but create PSOs for the password
          policy from every domain.

   Applied Examples

       psomgr /applied /pso
          Show membership applied to every PSO in default domain.

       psomgr /applied /used /pso
          Show membership applied to every used PSO in default domain.

   Clear Applied Examples

       psomgr /clearapplied /pso mypso /forreal
          Clear all members of the PSO mypso.

   Apply To / Unapply To Examples

       psomgr /applyto myuser /pso somepso /forreal
          Add myuser to policy somepso.

       psomgr /unapplyto myuser /pso somepso /forreal
          Remove myuser from policy somepso.

   Effective Examples

       psomgr /effective joeuser
          Show applied policies and the effective policy of joeuser.


 This software is Freeware. Use at your own risk.

 I do not warrant this software to be fit for any purpose or use and
 I do not guarantee that it will not damage or destroy your system. Use of
 this utility signifies acceptance of this warranty and acceptance of all risk.

 See full Warranty documentation on www.joeware.net.

 You ARE licensed the right to use this software on your own systems.
 You explicitly ARE NOT licensed the right to distribute this software. If
 you have a need to license the right to distribute, please email me
 for licensing costs and guidelines.

 If you have improvement ideas, bugs, or just wish to say Hi, I
 receive email 24x7 and read it in a semi-regular timeframe.
 You can usually find me at joe@joeware.net
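
The -add/-mod value format described in the ADD/MOD NOTES above, as an added Python example (not part of PSOMgr or of this post): it parses the 12-field colon-delimited string, applies the override switches on top of it, and lists the settings an admin would want to look at before re-running with -forreal. The field order, switch names and the "displayname defaults to name" rule come from the usage text; the review thresholds in weak_settings are my own assumptions.

```python
FIELDS = ("name", "displayname", "precedence", "maxpwdage", "minlength",
          "history", "lo_count", "lo_duration", "lo_observe", "minpwdage",
          "complexity", "reversible")
INT_FIELDS, BOOL_FIELDS = FIELDS[2:10], FIELDS[10:]
# Override switch -> the fields its colon-separated argument fills, in order.
OVERRIDES = {"lockout": ("lo_count", "lo_duration", "lo_observe"),
             "pwdage": ("maxpwdage", "minpwdage"), "pwdlen": ("minlength",),
             "pwdhist": ("history",), "pwdcomplex": ("complexity",),
             "pwdreverse": ("reversible",)}


def _convert(field, raw):
    """Empty string = not specified (take the default); ints and booleans are validated."""
    if raw == "":
        return None
    if field in INT_FIELDS:
        return int(raw)
    if field in BOOL_FIELDS:
        if raw.lower() not in ("true", "false"):
            raise ValueError(f"{field}: expected true/false, got {raw!r}")
        return raw.lower() == "true"
    return raw


def parse_pso_spec(spec, overrides=None, action="add"):
    """Parse the colon-delimited string plus any override switch arguments."""
    parts = spec.split(":")
    if len(parts) > len(FIELDS):
        raise ValueError("more than 12 fields")
    parts += [""] * (len(FIELDS) - len(parts))   # trailing fields omitted = defaults
    pso = {f: _convert(f, v) for f, v in zip(FIELDS, parts)}
    for switch, arg in (overrides or {}).items():   # e.g. {"lockout": "99:99:99"}
        for f, v in zip(OVERRIDES[switch], arg.split(":")):
            pso[f] = _convert(f, v)                  # switches win over the string
    if action == "add":
        if not pso["name"] or pso["precedence"] is None:
            raise ValueError("-add requires name and precedence")
        if pso["displayname"] is None:
            pso["displayname"] = pso["name"]         # usage text: defaults to name
    return pso


def weak_settings(pso):
    """Settings to question before re-running with -forreal (assumed thresholds)."""
    checks = [(pso["reversible"] is True, "reversible encryption enabled"),
              (pso["complexity"] is False, "complexity disabled"),
              (pso["minlength"] is not None and pso["minlength"] < 7, "min length below 7"),
              (pso["lo_count"] == 0, "no lockout threshold")]
    return [msg for hit, msg in checks if hit]
```

Fields left unspecified come back as None, which is where PSOMgr would substitute its own default; run -add without -forreal to see those values, as the usage text says.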

