How to get the last password change for a user in Active Directory

If you need to know when the last password change was made by a user who is a member of an Active Directory domain, you can simply use the following PowerShell instructions:

  • on a Windows 7 client or a Windows 2008 / Windows 2008 R2 server that is a member of the Active Directory domain the user belongs to, open the PowerShell console and at the prompt type:

Import-Module ActiveDirectory
Get-ADUser 'UserName' -Properties PasswordLastSet | Format-List

  • for example:

Import-Module ActiveDirectory
Get-ADUser 'tani.alessandro' -Properties PasswordLastSet | Format-List

In the PasswordLastSet field you can find the date of the last password change.
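The same attribute can be used to audit the whole domain rather than one user. The following script is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT), PowerShell 3.0 or later on a domain-joined machine, and a constructed output path.

```powershell
# Added example (not from the original post): report enabled users whose password
# is older than -MaxAgeDays, has never been set, or is flagged to never expire.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined machine.
param(
    [int]$MaxAgeDays = 90,
    [string]$OutCsv = "$env:TEMP\password-age-report.csv"   # constructed path
)
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, pwdLastSet, PasswordNeverExpires, LastLogonDate

$report = foreach ($u in $users) {
    # PasswordLastSet is the friendly form of the raw pwdLastSet FILETIME value.
    # pwdLastSet = 0 means "user must change password at next logon": the password
    # is not old, it is pending a forced change, so it is reported separately.
    if ($u.pwdLastSet -eq 0) {
        $state = 'MustChangeAtNextLogon'
    } elseif (-not $u.PasswordLastSet) {
        $state = 'NeverSet'
    } elseif ($u.PasswordNeverExpires) {
        $state = 'NeverExpires'          # domain policy does not apply to this one
    } elseif ($u.PasswordLastSet -lt $cutoff) {
        $state = 'OlderThanMaxAge'
    } else {
        $state = 'Ok'
    }
    if ($state -eq 'Ok') { continue }

    $ageDays = $null
    if ($u.PasswordLastSet) { $ageDays = [int]((Get-Date) - $u.PasswordLastSet).TotalDays }

    [PSCustomObject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        AgeDays         = $ageDays
        State           = $state
        LastLogonDate   = $u.LastLogonDate
    }
}

$report | Sort-Object State, AgeDays -Descending |
    Export-Csv -Path $OutCsv -NoTypeInformation
# Summary per state on the console; the CSV has the per-user detail.
$report | Group-Object State | Select-Object Name, Count
```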

OpenOffice, How to Set the Print Area in Calc

For those working for the first time with the Calc program of the OpenOffice suite, it is not always easy to find how to set the print area. For those who have not yet discovered how to set the print area in Calc, just proceed as follows:

  • working on the spreadsheet on which you want to set the print area, select with the mouse the cells corresponding to the print area you want to set;
  • open the Format menu, select the Print Ranges entry and click Define. At this point the print area is set.

To add a print area to the one already set, just proceed as indicated:

  • working on the spreadsheet on which a print area is already set, select with the mouse the cells corresponding to the new print area you want to set;
  • open the Format menu, select the Print Ranges entry and click Add. At this point the new print area is added to the previously set one.

To remove a previously set print area, just follow these instructions:

  • working on the spreadsheet on which the print area to remove is set, open the Format menu, select the Print Ranges entry and click Remove. At this point the previously set print area is removed.

If these explanations are not clear to you, we have made a video that can help you better understand the operations needed to set, add and remove a print area in Calc:

OpenOffice, How to Save a Document as PDF

With this post I would like to open a section dedicated to OpenOffice. More and more people, in the Italian public administration and beyond, are starting to use OpenOffice on their workstations. This OpenOffice section would like to help these people become familiar with this free personal productivity tool.

This first post is dedicated to one of the main features of OpenOffice, namely its ability to save any document or spreadsheet in PDF format. To save a document or a spreadsheet, just follow the procedure below (the procedure applies to all components of the OpenOffice suite: Writer, Calc, Impress and Draw):

  • open the File menu and select Export;
  • in the File name text box, enter the name of the PDF file you want to create;
  • if you wish, select the folder in which to save the PDF document you are creating;
  • once the folder has been selected and the name of the PDF document has been set, press the Save button to start creating the PDF document;
  • when the window titled PDF Options opens, select the options with which you want to save the document in PDF format (the default values are normally more than fine);
  • once the desired options are set, press the Export button to start converting the document to PDF format;
  • after a few moments, the PDF document will be created in the chosen folder.

The procedure can be repeated as many times as you like. For a better understanding, I have made the following video on the subject:

Information about Windows 7 and Windows 2008 R2 Service Pack 1

On February 22, 2011, Service Pack 1 for Windows 7 and Windows 2008 R2 was released. To download this Service Pack you must first pass the Genuine Microsoft Software check. To download Service Pack 1 for Windows 7 and Windows 2008 R2, go to the Microsoft Download Center and follow these steps:

  • press the Continue button;
  • run the GenuineCheck.exe program;
  • enter the Windows Genuine Advantage code on the website proposed;
  • proceed with the download of the Service Pack version required.

Since the Microsoft Download Center web pages do not help much in choosing which version of Service Pack 1 for Windows 7 and Windows 2008 R2 you need to download, a little more detail follows:

  • Windows6.1-KB976932-X86.exe: installs SP1 on a 32-bit machine running Windows 7 (537.8 MB);
  • Windows6.1-KB976932-X64.exe: installs SP1 on a 64-bit machine running Windows 7 or Windows Server 2008 R2 (903.2 MB);
  • Windows_Win7SP1.7601.17514.101119-1850.X86FRE.Symbols.msi: standalone debugging symbols (free) for 32-bit machines (330.6 MB);
  • Windows_Win7SP1.7601.17514.101119-1850.X86CHK.Symbols.msi: standalone debugging symbols (checked) for 32-bit machines (294.5 MB);
  • Windows_Win7SP1.7601.17514.101119-1850.AMD64FRE.Symbols.msi: standalone debugging symbols (free) for 64-bit machines. This contains debugging symbols for both Windows 7 SP1 and Windows Server 2008 R2 SP1 (287.8 MB);
  • Windows_Win7SP1.7601.17514.101119-1850.AMD64CHK.Symbols.msi: standalone debugging symbols (checked) for 64-bit machines. This contains debugging symbols for both Windows 7 SP1 and Windows Server 2008 R2 SP1 (262.7 MB);
  • 7601.17514.101119-1850_Update_Sp_Wave1-GRMSP1.1_DVD.iso: this DVD image contains the standalone update for all architectures (1953.3 MB).

To learn how to install Service Pack 1 for Windows 7 and Windows 2008 R2, see the following two guides:

Thank you for your attention.

Finding Inactive or Unused Computers

A computer is not always removed from Active Directory when it is decommissioned. The result is that after a while the contents of Active Directory are no longer aligned with the state of the company. To find inactive computers that are still present in Active Directory, you can use different techniques.

If the Active Directory domain functional level is Windows 2003 or higher, you can use the command dsquery.exe. This command is available on all Domain Controllers and on Windows 7 workstations.

The following query will locate all inactive computers in the current forest:

dsquery computer forestroot -inactive <NumWeeks>

Where <NumWeeks> indicates the number of weeks of inactivity (e.g. 84 days = 12 weeks, 175 days = 25 weeks).

You can also use domainroot in combination with the -d option to query a specific domain:

dsquery computer domainroot -d <DomainName> -inactive <NumWeeks>

for example:

dsquery computer domainroot -d homeworks.it -inactive 25

You can target your query at a specific container (e.g. ou=MyComputers,dc=homeworks,dc=it):

dsquery computer ou=MyComputers,dc=homeworks,dc=it -inactive <NumWeeks>

All the dsquery.exe commands cited should be executed from the Command Prompt of a workstation that is part of the Active Directory domain. The user running the command must be a member of at least the Domain Users group in Active Directory.

If the domain functional level of Active Directory is not Windows 2003 or higher, you can use the command OldCmp.exe written by Joeware. By default, OldCmp.exe searches for workstations that have not connected to the Active Directory domain for more than 90 days.

To get, in HTML format, the list of workstations that have not connected to the domain for more than 90 days, just run the command (the list is sorted by Computer Name):

oldcmp -report -sort cn

To get the same list in CSV format, you should run the command:

oldcmp -report -format csv -sort cn

To get the list of workstations that have not connected to the domain for more than 180 days, just run the command:

oldcmp -report -age 180 -sort cn

All the OldCmp.exe commands cited should be executed from the Command Prompt of a workstation that is part of the Active Directory domain. The user running the command must be a member of at least the Domain Users group in Active Directory.

In Active Directory domains whose functional level is Windows 2003 or later, the lastLogonTimestamp attribute records when a computer last authenticated. The lastLogonTimestamp attribute is replicated among all Domain Controllers. To check whether the lastLogonTimestamp attribute is aligned on all Domain Controllers in the domain, you can run the command:

repadmin /showattr * <Distinguished_Name_of_Active_Directory_Domain> /subtree /filter:"((&(lastLogontimeStamp=*)(objectClass=computer)))" /attrs:lastLogontimeStamp > lastLogontimeStamp.txt

For example:

repadmin /showattr * dc=homeworks,dc=it /subtree /filter:"((&(lastLogontimeStamp=*)(objectClass=computer)))" /attrs:lastLogontimeStamp > lastLogontimeStamp.txt

By opening the file lastLogontimeStamp.txt, you can see whether the lastLogonTimestamp attribute is aligned on all Domain Controllers. The file lists, for each computer, the lastLogonTimestamp attribute as recorded on each Domain Controller.

For more information, please read Ned Pyle's post “The LastLogonTimeStamp Attribute” – What it was designed for and how it works.

To learn how to raise the functional level of an Active Directory domain, you can see the Microsoft Knowledge Base KB322692.
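The dsquery and repadmin steps above can be combined in one PowerShell pass that reads lastLogonTimestamp once and then asks every Domain Controller for the non-replicated lastLogon attribute. This is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT), PowerShell 3.0 or later, and a domain at functional level Windows 2003 or higher as stated above.

```powershell
# Added example (not the post's own code): list computer accounts that have not
# authenticated for -InactiveWeeks, the same threshold dsquery -inactive uses.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined machine.
param(
    [int]$InactiveWeeks = 12,
    [string]$SearchBase = $null      # e.g. 'ou=MyComputers,dc=homeworks,dc=it'
)
Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

$cutoff = (Get-Date).AddDays(-7 * $InactiveWeeks)
# lastLogonTimestamp is replicated but, by default, only rewritten when the stored
# value is more than 9 to 14 days old, so it is a coarse indicator by design.
# lastLogon is exact but NOT replicated: each DC only knows the logons it served,
# so we read it from every DC and keep the newest value.
$dcs = (Get-ADDomainController -Filter *).HostName

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties lastLogonTimestamp, pwdLastSet, OperatingSystem

$report = foreach ($c in $computers) {
    $newest = [DateTime]::MinValue
    if ($c.lastLogonTimestamp) { $newest = [DateTime]::FromFileTime($c.lastLogonTimestamp) }

    foreach ($dc in $dcs) {
        try {
            $ll = (Get-ADComputer -Identity $c.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
            if ($ll -and [DateTime]::FromFileTime($ll) -gt $newest) {
                $newest = [DateTime]::FromFileTime($ll)
            }
        } catch {
            Write-Warning "Could not query $dc for $($c.Name): $_"
        }
    }

    # A computer rotates its machine-account password every 30 days by default,
    # so a very old pwdLastSet is a second, independent sign of inactivity.
    $pwd = [DateTime]::MinValue
    if ($c.pwdLastSet) { $pwd = [DateTime]::FromFileTime($c.pwdLastSet) }

    if ($newest -lt $cutoff) {
        [PSCustomObject]@{
            Name            = $c.Name
            OperatingSystem = $c.OperatingSystem
            LastLogon       = $newest
            PasswordLastSet = $pwd
            DaysInactive    = [int]((Get-Date) - $newest).TotalDays
            DN              = $c.DistinguishedName
        }
    }
}

$report | Sort-Object LastLogon | Format-Table Name, OperatingSystem, LastLogon, PasswordLastSet, DaysInactive -AutoSize
# Cleanup is deliberately not automated: disable and move stale accounts to a
# quarantine OU first, e.g. $report | ForEach-Object { Disable-ADAccount $_.DN }
```

Querying every DC for every computer is quadratic, which is fine for a few hundred objects; for a quick lastLogonTimestamp-only view, Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan (New-TimeSpan -Days 84) gives the dsquery equivalent in one call.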

How to manage printers – Part I

Printer management has always placed a certain burden on system administrators. With the advent of Windows 2000 and Active Directory, printer management has become a bit more comfortable. In this first part we deal with how to assign a name to a printer and how to fill in the Location field.

By the term network printer, we mean any printer that meets at least one of the following two conditions:

  • the printer has a network adapter and is assigned an IP address (static or reserved via DHCP);
  • two or more workstations can print, more or less simultaneously, on the same printer.

In this post we will consider only network printers and workstations that belong to an Active Directory domain. The first question we consider is this: what name should you give a network printer? I believe that when you have to name a network printer, you should follow these golden rules:

  • do not use names longer than eight characters;
  • use only alphanumeric characters;
  • do not include in the printer name parts that can change over time, e.g. office acronyms or room numbers;
  • match the printer name with the share name of the printer queue.

For example, for an HP LaserJet 2100DN, a good printer name could be HPLJ01, where the first two letters are an acronym of the printer manufacturer (Hewlett-Packard), the next two are an acronym of the printer type (LaserJet) and the last two digits are a sequence number (01). Following this rule, the HP Color LaserJet CP1815NI will be called HPLJ02.

Once you have chosen the name for a printer, it is a good idea to put a label on the printer showing the printer name and, if the printer has a network card, its IP address.

The second issue I want to address is: where are my printers? This is an extremely important point! To learn how to fill in the Location field you should read the Microsoft document Best Practices for Deploying Printer Location with Active Directory. A name that could be entered in the Location field is the following: Italy/ReggioEmilia/ViaBrigataReggio/HQ/FirstFloor/Room112, where Italy is the country where the printer is located, ReggioEmilia is the name of the city (Reggio Emilia), ViaBrigataReggio is the address of the headquarters, HQ is the headquarters building where the printer is located, FirstFloor indicates that the printer is in a room on the first floor, and Room112 indicates that the printer is in room number 112:

Printer Name and Location

In the second part of this post series, I will explain how to use the Location field to improve printer searches in Active Directory.

Connecting to SMB share with an alias name (CNAME)

In Microsoft Knowledge Base article number 281308 of December 4, 2008 it is written:

The registry key that is mentioned in the “Resolution” section is supported in Windows Server 2008. However, it works only for Server Message Block (SMB) version 1. It does not work for SMB version 2, also known as CIFS (Common Internet File System). By default, CIFS is the file sharing protocol that is used on Windows-based computers. Windows includes an SMB client component (Client for Microsoft Windows) and an SMB server component (File and Printer Sharing for Microsoft Windows). Windows Server 2008 and Windows Vista support the new SMB 2.0.

At first reading it appears that the suggestion proposed in KB281308 does not apply to Windows 2008/Vista/7 … In the same KB281308, updated on September 28, 2009, we read instead:

The registry key that is mentioned in the “Resolution” section is applicable only to SMB 1.0. To communicate over the SMB2.0 protocol, or CIFS (Common Internet File System), you do not have to set the registry key. SMB 2.0 allows for the functionality described in this article to work by default without additional configuration. Computers that run Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7 support both SMB 1.0 and SMB 2.0. Windows includes an SMB client component (Client for Microsoft Windows) and an SMB server component (File and Printer Sharing for Microsoft Windows). By default, SMB 2.0 is the file sharing protocol that is used when both client and server support it.

A different tune entirely … If you have a Windows Server 2008 with hostname (NetBIOS name) Galileo (galileo.homeworks.it as FQDN), that server has a shared resource called Saturn, and instead of the UNC path \\Galileo\Saturn you would like to use the UNC path \\Newton\Saturn, where Newton (newton.homeworks.it) is a DNS alias (CNAME) for Galileo, then you need to follow this recipe:

  • for clients with Windows 2008/Vista/7: create the DNS alias (CNAME) called Newton (newton.homeworks.it) associated with the server Galileo (galileo.homeworks.it);
  • for clients with Windows 2000/2003/XP:
    • create the DNS alias (CNAME) called Newton (newton.homeworks.it) associated with the server Galileo (galileo.homeworks.it);
    • connect to the server Galileo with the credentials of a user with administrative rights on the server;
    • start Registry Editor (Regedt32.exe);
    • locate and click the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
    • on the Edit menu, click Add Value, and then add the following registry value:
      Value name: DisableStrictNameChecking
      Data type: REG_DWORD
      Radix: Decimal
      Value: 1
    • quit Registry Editor;
    • restart the server Galileo.

Once the server Galileo has been restarted, run the following commands from the Command Prompt of Galileo:

setspn -a host/newton galileo
setspn -a host/newton.homeworks.it galileo

Or, more generally:

setspn -a host/<CNAME_Server> <NetBIOS_Name_Server>
setspn -a host/<CNAME_FQDN_Server> <NetBIOS_Name_Server>

Now, to access the shared resource (SMB share) Saturn, you can use either the UNC path \\Galileo\Saturn or the UNC path \\Newton\Saturn.

This recipe works for Windows 2000/2003/2003R2 (Windows 2000 should have Service Pack 4 installed) and Windows 2008/2008R2. Note that the command setspn.exe is not pre-installed on Windows 2003R2, but is part of the Windows 2003 Support Tools.
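The recipe above has two easy-to-miss failure modes: the alias is not a real CNAME yet, or host/newton is already registered on some other account, in which case Kerberos fails for both. The script below applies the recipe and checks both; it is an added example, not code from the original post, and assumes PowerShell 3.0 or later running elevated on the server itself (Galileo), a user allowed to write SPNs, and setspn.exe on PATH. The names are the post's sample names.

```powershell
# Added example (not the post's own code): apply and verify the CNAME alias recipe
# on the file server. Assumes an elevated PowerShell on the server, rights to write
# SPNs on its computer account, and setspn.exe on PATH.
param(
    [string]$ServerNetbios = 'galileo',
    [string]$ServerFqdn    = 'galileo.homeworks.it',
    [string]$AliasNetbios  = 'newton',
    [string]$AliasFqdn     = 'newton.homeworks.it',
    [switch]$LegacySmb1Clients      # Windows 2000/2003/XP clients still in use
)

# 1. The CNAME must already exist: the alias has to resolve to the server's address.
$serverIps = [System.Net.Dns]::GetHostAddresses($ServerFqdn) | ForEach-Object { $_.ToString() }
$aliasIps  = [System.Net.Dns]::GetHostAddresses($AliasFqdn)  | ForEach-Object { $_.ToString() }
if (-not ($aliasIps | Where-Object { $serverIps -contains $_ })) {
    throw "$AliasFqdn does not resolve to $ServerFqdn; create the DNS CNAME first"
}

# 2. DisableStrictNameChecking is only needed for SMB 1.0 clients (first KB quote).
#    It makes the server accept any host name in the SMB request, so set it only
#    when those clients really exist; SMB 2.0 clients work without it.
if ($LegacySmb1Clients) {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name DisableStrictNameChecking -Value 1 -Type DWord
    Write-Host "DisableStrictNameChecking set; restart $ServerNetbios for it to apply"
}

# 3. Register host/<alias> SPNs so Kerberos can issue a ticket for the alias name.
#    A duplicate SPN (the alias already registered on another account) breaks
#    Kerberos for both accounts, so query first instead of blindly running -a.
$spns = @("host/$AliasNetbios", "host/$AliasFqdn")
foreach ($spn in $spns) {
    $query = & setspn.exe -Q $spn 2>&1 | Out-String
    if ($query -match 'Existing SPN found') {
        Write-Warning "$spn is already registered, not adding it again:`n$query"
        continue
    }
    & setspn.exe -a $spn $ServerNetbios | Out-Null
}

# 4. Confirm both SPNs now sit on the server's computer account.
$registered = & setspn.exe -L $ServerNetbios | Out-String
foreach ($spn in $spns) {
    if ($registered -notmatch [regex]::Escape($spn)) {
        throw "SPN $spn is missing on $ServerNetbios"
    }
}
Write-Host "Alias ready: \\$AliasNetbios\<share> and \\$ServerNetbios\<share> both work"
```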

How to use Symantec Endpoint Recovery Tool CdRom

In their article Anti-Stealth Fighters: RootKit Testing for Detection and Removal (Virus Bulletin, April 2008), the authors Andreas Marx and Maik Morgenstern have written:

A step in the right direction could be to focus on providing bootable rescue media, too: this might be the product installation CD or a CD or disk that a user can create and update himself. When the system is started from this media, the rootkit cannot be activated on the system, so a scanner would be able to see all files and registry entries which would usually be hidden. This way, the scanner could detect and delete all rootkit and malware components as long as the signature database is up to date and comprehensive.

The Symantec Endpoint Recovery Tool CdRom goes in the direction indicated by Andreas Marx and Maik Morgenstern in their article.

You can see the Symantec Endpoint Recovery Tool CdRom in action in this video:

Unlike other boot CD-ROMs for removing viruses and malware infections, the Symantec Endpoint Recovery Tool CdRom gives you the chance to install the latest virus definitions even without an active Internet connection, making it possible to retrieve the definitions either from the hard disk of the infected computer or from a USB stick connected to the infected computer.

How to setup Microsoft Standalone Root CA

If you need to create a Microsoft Standalone Root CA, this short paper tries to help you. Before creating the Microsoft Standalone Root CA, you must first create a text file called CAPolicy.inf. At a minimum, a CAPolicy.inf file should contain:

; File %SystemRoot%\CAPolicy.inf
;
; Configuration file of the HomeWorks Root CA (Windows 2003 R2 Standard Server, member of Active Directory)

[Version]
Signature="$Windows NT$"

[certsrv_server]
renewalkeylength = 2048
RenewalValidityPeriodUnits = 10
RenewalValidityPeriod = Years
CRLPeriod = Years
CRLPeriodUnits = 1

[AuthorityInformationAccess]

[CRLDistributionPoint]

; End of file

Once the CAPolicy.inf file has been created, copy it into the %SystemRoot% folder of your Windows system (in this paper we assume that you are working on a Windows 2008 Standard server that is a member of an Active Directory domain). To learn how to install a Microsoft Standalone Root CA you can watch this video:

If you use only the Standalone Root CA to issue your certificates, it is a good idea to also install the Certification Authority Web Enrollment role.

Run a post-configuration script on the Microsoft Standalone Root CA. A simple post-configuration script could be:

@echo off

rem Define the local environment
setlocal enableextensions

rem Set the variables
set Answer=

echo.
echo Questo script ha il compito di personalizzare la configurazione della Root CA.

:QUESTION
echo.
Set _T=%temp%\~tmp
echo Set oFS=CreateObject("Scripting.FileSystemObject")>%_T%.vbs
echo oFS.OpenTextFile("CON",2).Write "Vuoi proseguire con l'esecuzione dello script [si/no]: ">>%_T%.vbs
echo S=(Trim(oFS.OpenTextFile("CON",1).Readline))>>%_T%.vbs
echo Wscript.Echo "set Answer="+CStr(S)>>%_T%.vbs
cscript.exe //nologo %_T%.vbs > %_T%.bat
rem Run the generated .bat (which sets Answer), then delete the temporary files
for %%v in (%_T%.bat del) do call %%v %_T%.???
set _T=
goto CONTINUE

:EXEC
rem Check that the folders needed by the script exist
if not exist %SystemDrive%\Logs md %SystemDrive%\Logs
set LOGFILE=%SystemDrive%\Logs\Root_CA_Post_Config.log

rem Write the log file header
echo FILE DI LOG DEL COMANDO ROOT_CA_POST_CONFIG.CMD  >> %LOGFILE%
echo. >> %LOGFILE%
echo Esecuzione del %DATE% alle %TIME% >> %LOGFILE%
echo. >> %LOGFILE%
echo.

rem Set the variables used for the Subordinate CA certificates
set /p myADnamingcontext="Inserisci il nome del dominio LDAP (ad es: DC=homeworks,DC=it): "
echo Esempio: http://www.homeworks.it/ca/cert/HomeWorks_Root_CA_Public_Cert.crt
set /p myCACertURL="Inserisci URL del Certificato della Root CA: "
echo Esempio: http://www.homeworks.it/ca/crl/HomeWorks_Root_CA_Revocation_List.crl
set /p myCACRLURL="Inserisci URL della Root CA CRL: "
echo.

rem Configure the digital certificates issued by the Root CA (CDP and AIA URLs, CRL and validity periods)
echo Impostiamo la configurazione della Root CA ...
echo Dominio LDAP: %myADnamingcontext%
certutil -setreg CA\DSConfigDN "CN=Configuration,%myADnamingcontext%" >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:%myCACRLURL%\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10" >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%myCACertURL%\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11" >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLPeriodUnits 1 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLPeriod "Years" >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLDeltaPeriodUnits 0 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLOverlapPeriod "Days" >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLOverlapUnits 1 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\ValidityPeriodUnits 5 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\ValidityPeriod "Years" >> %LOGFILE%

rem Restart the Certification Authority service (Active Directory Certificate Services)
echo Riavviamo il servizio Active Directory Certificate Services ...
net stop certsvc & net start certsvc >> %LOGFILE%

rem Activate the Root CA web virtual root
echo Attiviamo la Root CA ...
certutil -vroot >> %LOGFILE%

rem Publish the CRL
echo Pubblichiamo la CRL della Root CA ...
certutil -CRL >> %LOGFILE%

echo Fine esecuzione dello script ...
echo. >> %LOGFILE%
echo Fine del file di log >> %LOGFILE%

:END
endlocal
exit /b

:CONTINUE
if /i "%Answer%" equ "si" goto EXEC
if /i "%Answer%" equ "no" goto END
goto ERRATA

:ERRATA
echo.
echo La risposta che hai dato non e' corretta !!!
echo Puoi rispondere solamente con un si o con un no.
goto QUESTION

Run the following commands to register the digital certificate of the Standalone Root CA and its CRL in Active Directory:

certutil -f -dspublish <CA_Cert_File_Name> RootCA
certutil -f -dspublish <CRL_File_Name>

The files <CA_Cert_File_Name> and <CRL_File_Name> are located in the folder %SystemRoot%\System32\CertSrv\CertEnroll.

Assign a digital certificate for the HTTPS connection to the IIS website where you request your digital certificates. To learn how to do this, read the article Installing an SSL Certificate in Windows Server 2008 (IIS 7.0) (use the action Create Domain Certificate …). Now you are ready to issue your digital certificates.

For more information, please consult the following article: Designing and Implementing a PKI Part II

Unable on Windows 7 to connect to a shared folder via UNC path

A few days ago I came across a really strange problem. On a Windows 7 workstation (but the same problem can occur on Windows Vista), it was impossible to connect to any shared folder via UNC path. Although the error message suggested a name resolution problem, the workstation was in fact perfectly able to resolve the FQDN or NetBIOS name of each server. The same problem appeared even if I used the machine's IP address instead of its name. Very strange …

Error Message 0x800704CF

After a quick search on Google I finally found a solution to the strange problem, reading various posts in the Microsoft forum. The problem seems related to the presence of an abnormal number of network devices (network devices that do not physically exist on my Windows 7 laptop). Opening Device Manager and showing the hidden devices (open View and then select Show Hidden Devices), about two hundred network adapters called Microsoft Device 6to4 appeared:

Microsoft Device 6to4

To solve the strange problem it was enough to delete all the network adapters called Microsoft Device 6to4. If you do not want to risk carpal tunnel, I suggest you use the Microsoft program devcon.exe, which lets you run from the command line, on Windows 2000/XP/Vista/7, the operations usually performed with Device Manager. For example, to delete all the network adapters called Microsoft Device 6to4 you could use the command:

devcon remove *6to4MP*

To see all the devices on your system instead, just use the command:

devcon status *

The devcon.exe command does not work very well on 64-bit Windows Vista/7 workstations. In these cases, it is not rare to have to remove all the Microsoft Device 6to4 network adapters by hand!
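Before running devcon remove it is worth counting what the pattern actually matches, since one 6to4 adapter is normal and the pattern is applied to every match. The script below wraps the two devcon commands from this post with that check; it is an added example, not code from the original post, and assumes devcon.exe on PATH, PowerShell 3.0 or later running elevated, and the devcon findall output format shown in the constructed sample line.

```powershell
# Added example (not from the original post): count the 6to4 adapters with
# devcon.exe before removing any, and remove them only when the count is clearly
# abnormal. Assumes devcon.exe on PATH and an elevated PowerShell session.
param(
    [string]$Pattern = '*6to4MP*',   # device id pattern used in the post
    [int]$MaxNormal = 1,             # one 6to4 adapter is expected on a healthy system
    [switch]$Remove
)

function Get-DevconDevices {
    param([string]$Pattern)
    # "findall" also lists devices that Device Manager hides by default.
    $lines = & devcon.exe findall $Pattern 2>&1
    $devices = foreach ($l in $lines) {
        # Constructed sample of a devcon line:
        # "ROOT\*6TO4MP\0000                 : Microsoft 6to4 Adapter"
        # Summary lines ("213 matching device(s) found.") carry no colon and are skipped.
        if ($l -match '^(?<id>\S+)\s*:\s*(?<name>.+)$') {
            [PSCustomObject]@{ InstanceId = $Matches.id; Name = $Matches.name.Trim() }
        }
    }
    return @($devices)
}

$found = Get-DevconDevices -Pattern $Pattern
Write-Host ("{0} device(s) match {1}" -f $found.Count, $Pattern)
$found | Select-Object -First 5 | Format-Table -AutoSize

if ($found.Count -le $MaxNormal) {
    Write-Host "Count is within the normal range; nothing to do"
}
elseif (-not $Remove) {
    Write-Warning "Abnormal number of 6to4 adapters; re-run with -Remove to delete them with devcon"
}
else {
    # devcon removes every instance matching the pattern in one call.
    & devcon.exe remove $Pattern
    $after = Get-DevconDevices -Pattern $Pattern
    Write-Host ("Remaining after removal: {0}" -f $after.Count)
}
```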
