EvotecIT / PSWinDocumentation

PowerShell Module that creates Word/Excel/SQL documentation from Active Directory (AD), AWS, Office 365 and others. It's a work in progress!
MIT License

When Running the 0.3.x Script return error #8

Closed eliq91 closed 5 years ago

eliq91 commented 5 years ago

This occurs when executing the script found at the bottom of https://evotec.xyz/pswindocumentation-audit-active-directory-passwords/

I have thrown a couple PowerShell errors when running in verbose mode. Domain Trust information and Domain Group Members

```
VERBOSE: Getting domain information - domain.local DomainTrusts
Set-TrustAttributes : Cannot process argument transformation on parameter 'Value'. Cannot convert the
"System.Object[]" value of type "System.Object[]" to type "System.Int32".
At C:\Program Files\WindowsPowerShell\Modules\PSWinDocumentation\0.3.0\Public\Get-WinADDomainInformation.ps1:194
char:79
+ ... ibutes'           = Set-TrustAttributes -Value $Trust.TrustAttributes
+                                                    ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Set-TrustAttributes], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-TrustAttributes

VERBOSE: Getting domain information - domain.local DomainGroupsMembersRecursive
Get-ADGroupMember : An unspecified error has occurred
At C:\Program Files\WindowsPowerShell\Modules\PSWinDocumentation\0.3.0\Private\Get-WinGroupMembers.ps1:12 char:32
+ ... embership = Get-ADGroupMember -Server $Domain -Identity $Group.'Group ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (S-1-5-21-406467...354198304-11353:ADGroup) [Get-ADGroupMember], ADExcepti
   on
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
```

PrzemyslawKlys commented 5 years ago

For the first problem can you get me:

```powershell
$Trust = Get-ADTrust -Server 'YourDomain.local' -Filter * -Properties *
$Trust | Select-Object *
```

Especially I would need to know $Trust.TrustAttributes if everything else is not possible as this is the place where it errors out. When you provide data please remove your domain name or anything that is critical. Simply replace with domain.local or so.

Second error is related to group sid S-1-5-21-406467...354198304-11353 - can you check for

```powershell
$Group = get-adgroup -filter * | Select Name, SID | Where { $_.SID -like '*11353' }
$Group | Format-Table -A
```

And then you could do

```powershell
$Members = Get-AdGroupMember -Server 'yourdomainname' -Identity $Group.SID -recursive
$Members | Ft -a
```

See what you get. Do you get any errors?

eliq91 commented 5 years ago

```
PS C:\WINDOWS\system32> $Trust = Get-ADTrust -Server 'propharmagroup.local' -Filter * -Properties *
PS C:\WINDOWS\system32> $Trust | Select-Object *

CanonicalName : propharmaGroup.local/System/prosar.msft
CN : prosar.msft
Created : 7/21/2015 3:15:13 PM
createTimeStamp : 7/21/2015 3:15:13 PM
Deleted :
Description :
Direction : BiDirectional
DisallowTransivity : False
DisplayName :
DistinguishedName : CN=prosar.msft,CN=System,DC=propharmaGroup,DC=local
dSCorePropagationData : {8/2/2017 10:39:33 AM, 8/1/2017 2:34:38 PM, 3/27/2017 9:26:04 AM, 3/4/2017 9:20:02 AM...}
flatName : PROSAR
ForestTransitive : False
instanceType : 4
IntraForest : False
isCriticalSystemObject : True
isDeleted :
IsTreeParent : False
IsTreeRoot : False
LastKnownParent :
Modified : 9/25/2018 9:00:02 PM
modifyTimeStamp : 9/25/2018 9:00:02 PM
Name : prosar.msft
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=propharmaGroup,DC=local
ObjectClass : trustedDomain
ObjectGUID : 1b829b22-dcf4-43c9-8c06-fdb982747628
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 15
securityIdentifier : S-1-5-21-57989841-1409082233-839522115
SelectiveAuthentication : False
showInAdvancedViewOnly : True
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=propharmaGroup,DC=local
Target : prosar.msft
TGTDelegation : False
TrustAttributes : 0
trustDirection : 3
TrustedPolicy :
TrustingPolicy :
trustPartner : prosar.msft
trustPosixOffset : -2147483648
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
uSNChanged : 260712976
uSNCreated : 162998050
whenChanged : 9/25/2018 9:00:02 PM
whenCreated : 7/21/2015 3:15:13 PM
PropertyNames : {CanonicalName, CN, Created, createTimeStamp...}
AddedProperties : {}
RemovedProperties : {}
ModifiedProperties : {}
PropertyCount : 51

CanonicalName : propharmaGroup.local/System/PIbiz.hub
CN : PIbiz.hub
Created : 10/20/2016 10:14:42 AM
createTimeStamp : 10/20/2016 10:14:42 AM
Deleted :
Description :
Direction : BiDirectional
DisallowTransivity : False
DisplayName :
DistinguishedName : CN=PIbiz.hub,CN=System,DC=propharmaGroup,DC=local
dSCorePropagationData : {8/2/2017 10:39:33 AM, 8/1/2017 2:34:38 PM, 3/27/2017 9:26:03 AM, 3/4/2017 9:20:02 AM...}
flatName : PIBIZ
ForestTransitive : True
instanceType : 4
IntraForest : False
isCriticalSystemObject : True
isDeleted :
IsTreeParent : False
IsTreeRoot : False
LastKnownParent :
Modified : 9/24/2018 12:21:20 AM
modifyTimeStamp : 9/24/2018 12:21:20 AM
msDS-TrustForestTrustInfo : {1, 0, 0, 0...}
Name : PIbiz.hub
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=propharmaGroup,DC=local
ObjectClass : trustedDomain
ObjectGUID : 88efa249-1bc0-46a0-a0e9-5bc860fbbb39
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 15
securityIdentifier : S-1-5-21-4020988959-2492276928-1497350118
SelectiveAuthentication : False
showInAdvancedViewOnly : True
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=propharmaGroup,DC=local
Target : PIbiz.hub
TGTDelegation : False
TrustAttributes : 8
trustDirection : 3
TrustedPolicy :
TrustingPolicy :
trustPartner : PIbiz.hub
trustPosixOffset : 1073741824
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
uSNChanged : 260577792
uSNCreated : 208645035
whenChanged : 9/24/2018 12:21:20 AM
whenCreated : 10/20/2016 10:14:42 AM
PropertyNames : {CanonicalName, CN, Created, createTimeStamp...}
AddedProperties : {}
RemovedProperties : {}
ModifiedProperties : {}
PropertyCount : 52

PS C:\WINDOWS\system32> $Group = get-adgroup -filter * | Select Name, SID | Where { $_.SID -like '*11353' }
PS C:\WINDOWS\system32> $Group | Format-Table -A

Name   SID
----   ---
IT SQL S-1-5-21-4064676296-1551246387-1354198304-11353

PS C:\WINDOWS\system32> $Members = Get-AdGroupMember -Server 'propharmagroup.local' -Identity $Group.SID -recursive
Get-AdGroupMember : An unspecified error has occurred
At line:1 char:12
```

-- Eli Webster
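
Added example (not part of the thread and not PSWinDocumentation's code): with two trusts, `$Trust.TrustAttributes` is an array (0 and 8 in the output above), so it cannot bind to an `Int32` parameter, while decoding each trust separately works. `ConvertTo-TrustAttributeName` is a hypothetical helper, the two trust objects are constructed stand-ins, and the bit values are the trustAttributes flags from MS-ADTS.

```powershell
# Added example. ConvertTo-TrustAttributeName is a hypothetical helper, not module code.
# Bit values are the trustAttributes flags defined in MS-ADTS.
function ConvertTo-TrustAttributeName {
    [CmdletBinding()]
    param(
        # Int32, like the parameter in the error above: an Object[] cannot bind to it.
        [Parameter(Mandatory, ValueFromPipeline)][int] $Value
    )
    begin {
        $Flags = [ordered] @{
            NonTransitive     = 0x01
            UplevelOnly       = 0x02
            QuarantinedDomain = 0x04   # SID filtering enabled
            ForestTransitive  = 0x08
            CrossOrganization = 0x10   # selective authentication
            WithinForest      = 0x20
            TreatAsExternal   = 0x40
            UsesRC4Encryption = 0x80
        }
    }
    process {
        $Names = foreach ($Flag in $Flags.GetEnumerator()) {
            if ($Value -band $Flag.Value) { $Flag.Key }
        }
        if ($Names) { $Names -join ', ' } else { 'None' }
    }
}

# Constructed stand-ins for the two trusts in the output above (TrustAttributes 0 and 8).
$Trust = @(
    [pscustomobject] @{ Target = 'first.example';  TrustAttributes = 0 }
    [pscustomobject] @{ Target = 'second.example'; TrustAttributes = 8 }
)

# With more than one trust, $Trust.TrustAttributes is Object[] and binding fails.
try { ConvertTo-TrustAttributeName -Value $Trust.TrustAttributes }
catch { "Binding failed: $($_.Exception.Message)" }

# Decoding one trust at a time works for any number of trusts.
foreach ($Item in $Trust) {
    [pscustomobject] @{
        Target          = $Item.Target
        TrustAttributes = $Item.TrustAttributes
        Flags           = $Item.TrustAttributes | ConvertTo-TrustAttributeName
    }
}
```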

PrzemyslawKlys commented 5 years ago

Can you take a look at that IT SQL group and see what could possibly be wrong with it? Does it have any members? Does it properly show up and so on?

eliq91 commented 5 years ago

There you have it, the user group had one member from an old Domain Trust. I have deleted the group.

PrzemyslawKlys commented 5 years ago

well I would prefer to have it and simply we could add a "fix" so that it doesn't bug out ;)

eliq91 commented 5 years ago

Unfortunately I do not have the recycle bin enabled to recover that deleted group.

PrzemyslawKlys commented 5 years ago

No worries, I'll give you new version soon. I found problem with Trusts. Testing fixes now. You should enable Recycle Bin though ;)

eliq91 commented 5 years ago

I will enable that now. One more question: the password section came back with no matching passwords found. Do I need to manually export my password hash database to get it to check the password stuff or should the PowerShell command do that for me? (I did update the path locations from the script to

```powershell
DocumentAD = [ordered] @{
    Enable        = $true
    ExportWord    = $true
    ExportExcel   = $true
    ExportSql     = $false
    FilePathWord  = "$Env:USERPROFILE\Desktop\PSWinDocumentation-ADReportWithPasswords.docx"
    FilePathExcel = "$Env:USERPROFILE\Desktop\PSWinDocumentation-ADReportWithPasswords.xlsx"
    Configuration = [ordered] @{
        PasswordTests = @{
            Use                       = $false
            PasswordFilePathClearText = 'C:\Users\pklys\OneDrive - Evotec\Support\GitHub\PSWinDocumentation\Ignore\Passwords.txt'
            # Fair warning it will take ages if you use HaveIBeenPwned DB :-)
            UseHashDB                 = $false
            PasswordFilePathHash      = 'C:\Users\pklys\Downloads\pwned-passwords-ntlm-ordered-by-count\pwned-passwords-ntlm-ordered-by-count.txt'
```

PrzemyslawKlys commented 5 years ago

No. You need to replace this 'C:\Users\pklys\OneDrive - Evotec\Support\GitHub\PSWinDocumentation\Ignore\Passwords.txt' with your file. Create new file, put in passwords you want to check against. You also need to enable it by using Use = $true just above it.

So just put in that file passwords like Passw0rd, YourCompany2018! or stuff like that. One password per line.

For HASH DB you need to download it from Troy's page but it's 16gb file and basically it will take hours or even more to compare. So start small with ClearText passwords.

In other words...:

  1. Create file
  2. Put passwords in it (1 password per line)
  3. Put path into PasswordFilePathClearText
  4. Rerun the tool just like always

No need to do any other stuff manually. You can create some temporary account with one of those passwords just to make sure it works properly.

```powershell
Update-Module PSWinDocumentation
```

restart powershell and retry.

PrzemyslawKlys commented 5 years ago

I've fixed those 2 things you had. So rerun and let me know. Errors should not appear anymore after update.

eliq91 commented 5 years ago

My concern is I know we have passwords for several service accounts and user accounts that are identical and the report returned that no passwords were identical and I know we have accounts set to have passwords not expire and it also returned 0 for that field.

I just updated and started the documentation again. I'll let you know what I get. Thanks for your help.

PrzemyslawKlys commented 5 years ago

If the use=false or path to file is wrong, whole password sections will be ignored. There may of course be a bug there, but if you want all password features just enable that option and add at least 1 password in that file. It should process the rest. I guess I'll make some updates for it to return other stuff regardless of whether you give a file or not.

PrzemyslawKlys commented 5 years ago

Can we assume everything is ok now?

eliq91 commented 5 years ago

Sorry it's been a crazy day. Yes it is working great.
